piotr/innercontext
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
innercontext/.sisyphus/notepads/multi-user-authelia-oidc/learnings.md
Piotr Oleszczyk dac787b81b test(auth): add multi-user regression coverage 
- Enable backend tests in CI (remove if: false)
- Fix test_products_helpers.py to pass current_user parameter
- Fix test_routines_helpers.py to include short_id in products
- Fix llm_context.py to use product_effect_profile correctly
- All 221 tests passing
2026-03-12 16:42:00 +01:00

2.7 KiB
Raw Blame History

  • For ownership rollout without API auth wiring, user_id columns can be added as nullable to avoid breaking existing write paths and tests.
  • Alembic is needed for SQLite-safe ownership column/FK addition and later non-null enforcement across legacy tables.
  • Correction: Alembic batch_alter_table is required for SQLite-safe ownership column/FK addition and non-null enforcement across legacy tables.
  • New tenant helpers should keep unauthorized lookups indistinguishable from missing rows by raising 404 with model-not-found detail.
  • Product visibility and inventory access are separate checks: household-shared inventory can grant view access without granting update rights.
  • Products should be visible when user is owner, admin, or in the same household as at least one household-shared inventory row; inventory payloads must still be filtered to shared rows only for non-owners.
  • Shared inventory update rules differ from create/delete: household members in the same household can PATCH shared rows, but POST/DELETE inventory stays owner/admin only.
  • Product summary ownership should use Product.user_id (is_owned) rather than active inventory presence, so shared products render as accessible-but-not-owned.
  • SvelteKit can keep PKCE server-only by storing the verifier/state in a short-lived encrypted HTTP-only cookie and storing the refreshed app session in a separate encrypted HTTP-only cookie.
  • handleFetch is enough to attach bearer tokens for server loads/actions that hit PUBLIC_API_BASE, but browser-direct $lib/api calls to /api still need follow-up proxy/auth plumbing outside this task.
  • 2026-03-12 T6: Domain routers now enforce per-user ownership by default with explicit ?user_id= admin override in profile/health/routines/skincare/ai-logs; routine suggestion product pool is constrained to owned+household-shared visibility and uses current user profile context.
  • 2026-03-12 T6: QA evidence generated at .sisyphus/evidence/task-T6-domain-tenancy.txt and .sisyphus/evidence/task-T6-routine-scope.txt with passing scenarios.
  • 2026-03-12 T9: Admin household management can stay backend-only by listing synced local users plus current membership state, creating bare households, and handling assign/move/remove as explicit membership operations.
  • 2026-03-12 T9: Unsynced identities should fail assignment via local User lookup rather than implicit creation, keeping Authelia as the only identity source and preserving the v1 one-household-per-user rule.
  • 2026-03-12 T8: Server-side frontend API helpers should call PUBLIC_API_BASE directly with the access token from event.locals.session; same-origin SvelteKit endpoints are still the right bridge for browser-only interactions like AI modals and inline PATCHes.