Skip to content

feat(db): persist users + resource selection — Part of #586#973

Open
skypank-coder wants to merge 4 commits into
OWASP:mainfrom
skypank-coder:feat/586-users
Open

feat(db): persist users + resource selection — Part of #586#973
skypank-coder wants to merge 4 commits into
OWASP:mainfrom
skypank-coder:feat/586-users

Conversation

@skypank-coder

Copy link
Copy Markdown
Contributor

What & why

First increment of #586 ("Add support for users"): login-first user
persistence. OIDC login existed but nothing was persisted — no User table,
nowhere to hang per-user data. This adds that foundation so per-user resource
filtering (PR2–PR4) can be built on it. Aligns with auth RFC #876 (TODO 1/2).

Changes

  • users table anchored on the immutable OIDC sub (google_sub); email
    and display_name refreshed on each login.
  • user_resource_selection table: one row per selected standard,
    UNIQUE(user_id, standard_name), FK → users.id ON DELETE CASCADE.
  • Login callback upserts the User and sets session['user_id'] — gated on
    CRE_ENABLE_LOGIN, wrapped so it never blocks login. Existing session keys
    and the anonymous 401 are unchanged (intentionally narrower than RFC RFC: User Authentication and Online MyOpenCRE Mapping #876's
    login_required rewrite).
  • Node_collection methods: upsert_user, get_user_by_sub,
    get_user_resource_selection, set_user_resource_selection. These back the
    /rest/v1/user resource endpoints coming in PR2.
  • Migrations: a dedicated merge revision collapses the two pre-existing
    open heads (ab12cd34ef56, 9b1c2d3e4f50), then a revision creates the two
    tables — keeping the head single-parent so flask db downgrade is
    unambiguous.

Testing

  • 12 new tests: idempotent upsert (no dup row), selection round-trip / replace /
    dedup / per-user isolation, unique constraint, cascade delete, callback upsert,
    and the flag-off no-op path.
  • Verified on real Postgres (prod parity), not just SQLite: single head,
    ON DELETE CASCADE enforced at the DB level (rows 1 → 0), both unique
    constraints created cleanly, migration upgrade → downgrade → upgrade
    deterministic, alembic revision guardrail green. 12/12 pass on Postgres.
  • black clean; no new mypy errors vs. baseline.

Scope boundaries

No new endpoints, no server-side filtering, no frontend, no login_required
rewrite — those are the follow-up PRs in #586.

Unrelated pre-existing issue (out of scope, flagging for visibility)

flask db upgrade from a blank DB fails on Postgres before reaching my
revisions: migrations 3c65127871a6 / 7bf4eac76958 reuse the constraint name
uq_pair (authored via SQLite batch_alter_table), which collides on a
from-base replay. Postgres rolls the whole thing back cleanly (transactional
DDL). This predates this branch and doesn't affect the prod path (apply-onto-
existing-schema), so it's out of scope here — but worth a separate fix, since
anyone bootstrapping a fresh Postgres DB will hit it.

skypank-coder and others added 2 commits July 9, 2026 20:18
…WASP#586)

Persist accounts on OIDC login and store a per-user resource (standard) selection. Additive to the existing session auth: the callback upserts the User row and sets session['user_id'] only when CRE_ENABLE_LOGIN is on; the existing session keys and 401 behaviour are unchanged.

- User(google_sub UNIQUE, email, display_name, created_at, last_seen_at)
- UserResourceSelection(user_id FK CASCADE, standard_name, UNIQUE(user_id, name))
- Node_collection: upsert_user / get_user_by_sub / get_user_resource_selection / set_user_resource_selection
- Alembic: dedicated merge of the two open heads + create tables (up/down verified on Postgres; guardrail green)
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@skypank-coder, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 7 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: cd1a99c4-13f0-40ff-ac44-0b5d8bb0ad4c

📥 Commits

Reviewing files that changed from the base of the PR and between 780a40a and 9d9a62a.

📒 Files selected for processing (3)
  • application/database/db.py
  • application/tests/web_main_test.py
  • application/web/web_main.py
📝 Walkthrough

Walkthrough

Adds SQLAlchemy User and UserResourceSelection models with Node_collection methods for upserting users and managing per-user resource selections. Wires these into the OAuth /rest/v1/callback handler, adds corresponding Alembic migrations (including a head-merge migration), and adds unit tests for the models and callback behavior.

Changes

User persistence and resource selection feature

Layer / File(s) Summary
User and UserResourceSelection models and CRUD helpers
application/database/db.py
Adds User and UserResourceSelection SQLAlchemy models with cascade/unique constraints, plus upsert_user, get_user_by_sub, get_user_resource_selection, and set_user_resource_selection methods on Node_collection.
Database migrations for users and resource selection tables
migrations/versions/a1b2c3d4e5f6_add_users_and_resource_selection.py, migrations/versions/f0e1d2c3b4a5_merge_heads_before_users.py
Adds Alembic migration creating users and user_resource_selection tables with foreign key/unique constraints, plus a no-op merge migration unifying two prior heads.
OAuth callback persistence wiring
application/web/web_main.py, application/tests/web_main_test.py
Callback handler upserts the user and stores user_id in session when login is enabled, catching persistence errors; tests confirm persistence occurs when enabled and is skipped when disabled.
User model unit tests
application/tests/user_model_test.py
New test module covering upsert creation/idempotency, missing-field tolerance, lookup by sub, resource selection round-trips, replacement, deduplication, per-user isolation, unique constraint enforcement, and cascade deletion.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Possibly related PRs

  • OWASP/OpenCRE#876: Implements the underlying "MyOpenCRE" identity model that this PR's User/google_sub persistence and OAuth callback user_id storage build on.

Suggested reviewers: Pa04rth, northdpole

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: persisting users and resource selections in the database.
Description check ✅ Passed The description matches the changeset and explains the new user persistence, selection storage, callback, and migration work.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@application/database/db.py`:
- Around line 264-277: The User model defines google_sub with both column-level
unique=True and a separate UniqueConstraint in __table_args__, which creates
duplicate unique constraints during schema creation. Update the User model in
db.py to keep only the single named UniqueConstraint on google_sub and remove
the column-level unique flag so the SQLAlchemy metadata matches the Alembic
migration and avoids schema drift.
- Around line 1038-1067: `upsert_user` has a check-then-act race that can cause
a duplicate insert and leave the session in a failed state. Update `upsert_user`
to follow the same concurrency-safe pattern used by `add_node`: attempt the
insert, catch `IntegrityError`, call `rollback()`, then re-query the existing
`User` by `google_sub` and apply the updates. Keep the existing refresh behavior
for `email`, `display_name`, and `last_seen_at`, and make sure the method always
returns a valid `User` after the retry path.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 7acbdb65-8751-46e1-89bc-1022ff1cc976

📥 Commits

Reviewing files that changed from the base of the PR and between 0dd3823 and 780a40a.

📒 Files selected for processing (6)
  • application/database/db.py
  • application/tests/user_model_test.py
  • application/tests/web_main_test.py
  • application/web/web_main.py
  • migrations/versions/a1b2c3d4e5f6_add_users_and_resource_selection.py
  • migrations/versions/f0e1d2c3b4a5_merge_heads_before_users.py

Comment thread application/database/db.py
Comment thread application/database/db.py

@northdpole northdpole left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alembic / deploy

Verified migration graph locally; prod alembic_version confirmed — both embedding heads (ab12cd34ef56, 9b1c2d3e4f50) present. This PR correctly merges them (no-op) then adds two new tables. Deploy path is additive only.

Prod impact

Low. Runtime change is flag-gated (CRE_ENABLE_LOGIN) and failure-safe on callback. No user-facing behavior in PR1. LGTM on scope for #586 / RFC #876 TODO 1.

Approved. A few non-blocking nits inline — address now or track for a follow-up.



revision = "f0e1d2c3b4a5"
down_revision = ("ab12cd34ef56", "9b1c2d3e4f50")

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call merging the two embedding heads before adding users — keeps downgrade unambiguous and matches prod's two-row alembic_version state. No concerns on the no-op merge pattern.

sa.Column("user_id", sa.String(), nullable=False),
sa.Column("standard_name", sa.String(), nullable=False),
sa.Column("created_at", sa.DateTime(), nullable=False),
sa.ForeignKeyConstraint(

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean additive migration. ON DELETE CASCADE on user_id matches the model and tests.

Comment thread application/database/db.py Outdated

__tablename__ = "users"
id = sqla.Column(sqla.String, primary_key=True, default=generate_uuid)
google_sub = sqla.Column(sqla.String, nullable=False, unique=True)

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: google_sub has both unique=True on the column and UniqueConstraint(..., name="uq_users_google_sub") in __table_args__. The Alembic migration only creates the named constraint, so sqla.create_all() in tests may diverge (double unique). Suggest dropping the column-level unique=True and keeping only the named constraint.

Comment thread application/database/db.py Outdated
from datetime import datetime, timezone

now = datetime.now(timezone.utc)
user = self.session.query(User).filter(User.google_sub == google_sub).first()

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor robustness: check-then-insert can race on concurrent logins for the same google_sub. Second commit() would raise IntegrityError and leave the session dirty. Worth mirroring the add_node pattern: catch IntegrityError, rollback(), re-query by google_sub, update profile fields, return. Low urgency for PR1 but cheap to add now.

Comment thread application/web/web_main.py Outdated
# unchanged if this no-ops (flag off) or fails.
if is_login_enabled():
try:
user = db.Node_collection().upsert_user(

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Like the flag gate + broad try/except — login must not break if persistence fails. Two small notes:

  1. id_info.get("sub") can be None; consider bailing early (log + skip upsert) rather than hitting a NOT NULL violation.
  2. Node_collection() initializes NEO_DB.instance() unless NO_LOAD_GRAPH_DB=1. Probably fine (singleton), but a lighter login path could avoid pulling Neo4j into the auth callback. Non-blocking for PR1.


@patch("application.web.web_main.id_token")
@patch("application.web.web_main.CREFlow")
def test_callback_upserts_user_and_sets_session(

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good coverage for flag-on persist and flag-off no-op. Small addition: assert session['user_id'] equals the persisted User.id in the flag-on test — catches session/DB mismatch before PR2 wires /rest/v1/user resource endpoints.

@@ -0,0 +1,164 @@
"""Tests for user persistence and per-user resource selection (issue #586, RFC #876 TODO 1/2)."""

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Solid SQL-layer coverage: idempotent upsert, selection round-trip/replace/dedup/isolation, unique constraint, cascade delete. Postgres verification in the PR description is the right bar for prod parity.

skypank-coder and others added 2 commits July 9, 2026 21:10
…int (OWASP#586)

Address PR review:
- upsert_user now mirrors add_node: catch IntegrityError, rollback, re-query
  by google_sub, update profile — safe under concurrent logins.
- Drop column-level unique=True on User.google_sub; keep only the named
  constraint so create_all matches the Alembic migration (no schema drift).
- Login callback skips persistence when the OIDC 'sub' claim is missing.
- Callback test asserts session['user_id'] equals the persisted User.id.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants