Implement Phase 2: Refresh tokens, 2FA, password reset, and audit logging

Co-authored-by: mblanke <9078342+mblanke@users.noreply.github.com>
2026-03-01 14:00:20 -05:00 · 2025-12-09 17:30:12 +00:00
parent ddf287cde7
commit c8c0c762c5
15 changed files with 716 additions and 9 deletions
--- a/backend/app/schemas/audit.py
+++ b/backend/app/schemas/audit.py
@@ -0,0 +1,29 @@
+from pydantic import BaseModel
+from typing import Optional, Dict, Any
+from datetime import datetime
+
+
+class AuditLogBase(BaseModel):
+    """Base audit log schema"""
+    action: str
+    resource_type: str
+    resource_id: Optional[int] = None
+    details: Optional[Dict[str, Any]] = None
+
+
+class AuditLogCreate(AuditLogBase):
+    """Schema for creating an audit log entry"""
+    pass
+
+
+class AuditLogRead(AuditLogBase):
+    """Schema for reading audit log data"""
+    id: int
+    user_id: Optional[int]
+    tenant_id: int
+    ip_address: Optional[str]
+    user_agent: Optional[str]
+    created_at: datetime
+
+    class Config:
+        from_attributes = True
--- a/backend/app/schemas/auth.py
+++ b/backend/app/schemas/auth.py
@@ -1,10 +1,11 @@
-from pydantic import BaseModel
+from pydantic import BaseModel, EmailStr
 from typing import Optional


 class Token(BaseModel):
    """Token response schema"""
    access_token: str
+    refresh_token: Optional[str] = None
    token_type: str = "bearer"


@@ -19,11 +20,40 @@ class UserLogin(BaseModel):
    """User login request schema"""
    username: str
    password: str
+    totp_code: Optional[str] = None


 class UserRegister(BaseModel):
    """User registration request schema"""
    username: str
    password: str
+    email: Optional[EmailStr] = None
    tenant_id: Optional[int] = None
    role: str = "user"
+
+
+class RefreshTokenRequest(BaseModel):
+    """Refresh token request schema"""
+    refresh_token: str
+
+
+class PasswordResetRequest(BaseModel):
+    """Password reset request schema"""
+    email: EmailStr
+
+
+class PasswordResetConfirm(BaseModel):
+    """Password reset confirmation schema"""
+    token: str
+    new_password: str
+
+
+class TwoFactorSetup(BaseModel):
+    """2FA setup response schema"""
+    secret: str
+    qr_code_uri: str
+
+
+class TwoFactorVerify(BaseModel):
+    """2FA verification schema"""
+    code: str
--- a/backend/app/schemas/user.py
+++ b/backend/app/schemas/user.py
@@ -1,4 +1,4 @@
-from pydantic import BaseModel
+from pydantic import BaseModel, EmailStr
 from typing import Optional
 from datetime import datetime

@@ -6,6 +6,7 @@ from datetime import datetime
 class UserBase(BaseModel):
    """Base user schema"""
    username: str
+    email: Optional[EmailStr] = None
    role: str = "user"
    tenant_id: int

@@ -18,15 +19,18 @@ class UserCreate(UserBase):
 class UserUpdate(BaseModel):
    """Schema for updating a user"""
    username: Optional[str] = None
+    email: Optional[EmailStr] = None
    password: Optional[str] = None
    role: Optional[str] = None
    is_active: Optional[bool] = None


 class UserRead(UserBase):
-    """Schema for reading user data (excludes password_hash)"""
+    """Schema for reading user data (excludes password_hash and secrets)"""
    id: int
    is_active: bool
+    email_verified: bool
+    totp_enabled: bool
    created_at: datetime

    class Config: