"""Auth tables: users and refresh_tokens Revision ID: 0002 Revises: 0001 Create Date: 2024-01-01 00:01:00.000000 """ from typing import Sequence, Union from alembic import op import sqlalchemy as sa from sqlalchemy.dialects import postgresql revision: str = "0002" down_revision: Union[str, None] = "0001" branch_labels: Union[str, Sequence[str], None] = None depends_on: Union[str, Sequence[str], None] = None def upgrade() -> None: # ── users ───────────────────────────────────────────────────────────────── op.create_table( "users", sa.Column("id", postgresql.UUID(as_uuid=True), primary_key=True, server_default=sa.text("gen_random_uuid()")), sa.Column("tenant_id", postgresql.UUID(as_uuid=True), sa.ForeignKey("accounts.id", ondelete="SET NULL"), nullable=True), sa.Column("email", sa.String(255), nullable=False), sa.Column("password_hash", sa.String(255), nullable=False), sa.Column("first_name", sa.String(100), nullable=False), sa.Column("last_name", sa.String(100), nullable=False), sa.Column("role", sa.String(50), nullable=False, server_default="staff"), sa.Column("status", sa.String(50), nullable=False, server_default="invited"), sa.Column("avatar_url", sa.Text, nullable=True), sa.Column("last_login_at", sa.DateTime(timezone=True), nullable=True), sa.Column("created_at", sa.DateTime(timezone=True), nullable=False, server_default=sa.text("NOW()")), sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False, server_default=sa.text("NOW()")), sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True), ) op.create_index("ix_users_tenant_id", "users", ["tenant_id"]) op.create_index("ix_users_email", "users", ["email"]) op.create_index("ix_users_role", "users", ["role"]) # Unique email per tenant (NULL tenant_id = site_admin, unique globally) op.execute(""" CREATE UNIQUE INDEX uq_users_email_tenant ON users (email, tenant_id) WHERE deleted_at IS NULL; """) # ── refresh_tokens ──────────────────────────────────────────────────────── op.create_table( "refresh_tokens", sa.Column("id", postgresql.UUID(as_uuid=True), primary_key=True, server_default=sa.text("gen_random_uuid()")), sa.Column("user_id", postgresql.UUID(as_uuid=True), sa.ForeignKey("users.id", ondelete="CASCADE"), nullable=False), sa.Column("token_hash", sa.String(512), nullable=False), sa.Column("expires_at", sa.DateTime(timezone=True), nullable=False), sa.Column("revoked_at", sa.DateTime(timezone=True), nullable=True), sa.Column("created_at", sa.DateTime(timezone=True), nullable=False, server_default=sa.text("NOW()")), sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False, server_default=sa.text("NOW()")), ) op.create_index("ix_refresh_tokens_user_id", "refresh_tokens", ["user_id"]) op.create_index("ix_refresh_tokens_token_hash", "refresh_tokens", ["token_hash"], unique=True) # Grant to application role op.execute("GRANT SELECT, INSERT, UPDATE, DELETE ON users TO indelis_app") op.execute("GRANT SELECT, INSERT, UPDATE, DELETE ON refresh_tokens TO indelis_app") def downgrade() -> None: op.drop_table("refresh_tokens") op.drop_table("users")