"""ORM models for users and refresh tokens.""" import datetime as dt import uuid from sqlalchemy import Boolean, DateTime, ForeignKey, String from sqlalchemy.orm import Mapped, mapped_column from app.infrastructure.db.base import Base from app.infrastructure.db.models.mixins import TimestampMixin, UUIDPrimaryKeyMixin class UserModel(UUIDPrimaryKeyMixin, TimestampMixin, Base): __tablename__ = "users" username: Mapped[str] = mapped_column(String(64), unique=True, index=True, nullable=False) password_hash: Mapped[str] = mapped_column(String(255), nullable=False) # Admin is a single flag in Phase 1 — no role system (plan §3.5). is_superuser: Mapped[bool] = mapped_column(Boolean, default=False, nullable=False) is_active: Mapped[bool] = mapped_column(Boolean, default=True, nullable=False) # Recoverable Subsonic app-password, Fernet-encrypted at rest. NULL until the # user generates one. Never the argon2 login password — see core.security. subsonic_password_enc: Mapped[str | None] = mapped_column(String(255), nullable=True) class RefreshTokenModel(UUIDPrimaryKeyMixin, Base): """A persisted, revocable refresh token (offline-first sessions). Stores only a *hash* of the token, never the raw JWT. Rotated on every refresh (old jti revoked, new row added); logout revokes the current jti. """ __tablename__ = "refresh_tokens" user_id: Mapped[uuid.UUID] = mapped_column( ForeignKey("users.id", ondelete="CASCADE"), index=True, nullable=False, ) jti: Mapped[uuid.UUID] = mapped_column(unique=True, index=True, nullable=False) token_hash: Mapped[str] = mapped_column(String(64), nullable=False) expires_at: Mapped[dt.datetime] = mapped_column(DateTime(timezone=True), nullable=False) revoked_at: Mapped[dt.datetime | None] = mapped_column(DateTime(timezone=True), nullable=True) created_at: Mapped[dt.datetime] = mapped_column( DateTime(timezone=True), default=lambda: dt.datetime.now(dt.UTC), nullable=False, )