Added invite-based user creation flow and updated models

Author: Uttam Singh

backend/app/database.py

@@ -1,19 +1,14 @@
 from sqlalchemy import create_engine
 from sqlalchemy.orm import sessionmaker, declarative_base
 import os
+from dotenv import load_dotenv
+
+load_dotenv()
 
 DATABASE_URL = os.getenv("DATABASE_URL", "sqlite:///./app.db")
 
-engine = create_engine(
-    DATABASE_URL,
-    connect_args={"check_same_thread": False} if DATABASE_URL.startswith("sqlite") else {}
-)
+engine = create_engine(DATABASE_URL, pool_pre_ping=True)
 SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
-Base = declarative_base()
 
-def get_db():
-    db = SessionLocal()
-    try:
-        yield db
-    finally:
-        db.close()
+# Global Base for ALL models
+Base = declarative_base()

backend/app/main.py

@@ -1,27 +1,26 @@
 from fastapi import FastAPI, UploadFile, File, Depends, HTTPException
 from fastapi.middleware.cors import CORSMiddleware
-from sqlalchemy import create_engine, Column, Integer, String, Date, Text
-from sqlalchemy.orm import sessionmaker, declarative_base, Session
+from sqlalchemy import Column, Integer, String, Date, Text
+from sqlalchemy.orm import Session
 from datetime import date
 from dotenv import load_dotenv
-from pydantic import BaseModel
-import os, shutil
+import os
+import shutil
 
 # ================================================
-# 1️⃣ Load Environment Variables & Database Setup
+# 1️⃣ Load Environment Variables + Shared Database
 # ================================================
 load_dotenv()
 
-DATABASE_URL = os.getenv("DATABASE_URL", "sqlite:///./app.db")
-engine = create_engine(DATABASE_URL, pool_pre_ping=True)
-SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
-Base = declarative_base()
+# ❗ IMPORT SHARED BASE + ENGINE (do NOT create Base here)
+from app.database import Base, engine, SessionLocal
 
 # ================================================
-# 2️⃣ Local Models for Internal Tables (Task + Audit Log)
+# 2️⃣ Models (Task + AuditLog) using shared Base
 # ================================================
 class Task(Base):
     __tablename__ = "tasks"
+
     id = Column(Integer, primary_key=True, index=True)
     title = Column(String(255), nullable=False)
     department = Column(String(100), nullable=True)
@@ -35,26 +34,29 @@ class Task(Base):
 
 class AuditLog(Base):
     __tablename__ = "audit_logs"
+
     id = Column(Integer, primary_key=True)
     action = Column(String(50))
     detail = Column(Text)
 
 
 # ================================================
-# 3️⃣ FastAPI App Initialization
+# 3️⃣ FastAPI App Init
 # ================================================
 app = FastAPI(title="FAT-EIBL (Edme) – API")
 
-# Enable CORS for the frontend
-allow = os.getenv("ALLOW_ORIGINS", "*").split(",")
+# CORS setup
+allowed_origins = os.getenv("ALLOW_ORIGINS", "*").split(",")
+
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=allow,
+    allow_origins=allowed_origins,
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],
 )
 
+
 # ================================================
 # 4️⃣ Database Dependency
 # ================================================
@@ -65,63 +67,60 @@ def get_db():
     finally:
         db.close()
 
+
 # ================================================
-# 5️⃣ Import Routers (Users, Forgot Password)
+# 5️⃣ Routers
 # ================================================
 from app.routers import users, forgot_password
 
 app.include_router(users.router, prefix="/users", tags=["Users"])
-app.include_router(forgot_password.router, prefix="/users", tags=["Forgot Password"])
+app.include_router(forgot_password.router, prefix="/auth", tags=["Forgot Password"])
+
 
 # ================================================
-# 6️⃣ Health Check Endpoint
+# 6️⃣ Health Check
 # ================================================
 @app.get("/health")
 def health_check():
-    """Simple endpoint to verify backend health"""
-    return {"status": "ok", "message": "Backend is running properly"}
+    return {"status": "ok", "message": "Backend running"}
+
 
 # ================================================
-# 7️⃣ File Upload Handler (Optional)
+# 7️⃣ File Upload
 # ================================================
 UPLOAD_DIR = os.path.join(os.getcwd(), "uploads")
 os.makedirs(UPLOAD_DIR, exist_ok=True)
 
+
 @app.post("/upload/{task_id}")
 async def upload_file(task_id: int, file: UploadFile = File(...), db: Session = Depends(get_db)):
-    """Attach a file to a specific task"""
-    obj = db.get(Task, task_id)
-    if not obj:
+    task = db.get(Task, task_id)
+    if not task:
         raise HTTPException(status_code=404, detail="Task not found")
 
-    safe_name = f"task_{task_id}_" + os.path.basename(file.filename)
-    dest = os.path.join(UPLOAD_DIR, safe_name)
+    filename = f"task_{task_id}_" + os.path.basename(file.filename)
+    path = os.path.join(UPLOAD_DIR, filename)
 
-    with open(dest, "wb") as buffer:
+    with open(path, "wb") as buffer:
         shutil.copyfileobj(file.file, buffer)
 
-    obj.attachment = safe_name
-    db.add(AuditLog(action="upload", detail=f"Task ID {task_id} uploaded file {safe_name}"))
+    task.attachment = filename
+    db.add(AuditLog(action="upload", detail=f"File uploaded for task {task_id}"))
     db.commit()
 
-    return {"task_id": task_id, "filename": safe_name}
+    return {"ok": True, "filename": filename}
+
 
 # ================================================
-# 8️⃣ Database Initialization Endpoint (/create-db)
+# 8️⃣ Create All Tables
 # ================================================
 from app.models.user import User
 from app.models.otp import OtpModel
-from app.database import Base as DBBase, engine as DBEngine
 
 @app.get("/create-db")
-def create_database():
-    """
-    🔧 Create all database tables if they don't exist.
-    Run this once on Render or local after migrations.
-    """
+def create_db():
     try:
-        DBBase.metadata.create_all(bind=DBEngine)
         Base.metadata.create_all(bind=engine)
-        return {"ok": True, "message": "✅ All database tables created successfully"}
+        return {"ok": True, "message": "Tables created"}
     except Exception as e:
         return {"ok": False, "error": str(e)}

backend/app/models/user.py

@@ -1,18 +1,21 @@
-# app/models/user.py (SQLAlchemy)
-from sqlalchemy import Column, Integer, String, Boolean, DateTime
-from datetime import datetime
+from sqlalchemy import Column, Integer, String, DateTime
+from app.database import Base
 
 class User(Base):
     __tablename__ = "users"
+
     id = Column(Integer, primary_key=True, index=True)
-    name = Column(String(255))
+    name = Column(String(255), nullable=False)
     email = Column(String(255), unique=True, index=True, nullable=False)
-    password = Column(String(255), nullable=False)  # hashed
-    department = Column(String(100))
-    manager_email = Column(String(255))
-    role = Column(String(50), default="auditee")
 
-    # OTP + reset fields
-    otp_code = Column(String(10), nullable=True)
-    otp_expires_at = Column(DateTime, nullable=True)
-    first_login = Column(Boolean, default=True)
+    # New: password saved ONLY after invite is accepted
+    hashed_password = Column(String(255), nullable=True)
+
+    department = Column(String(255), nullable=True)
+    role = Column(String(50), nullable=False, default="auditee")
+    manager_email = Column(String(255), nullable=True)
+
+    # NEW FIELDS FOR INVITE FLOW
+    status = Column(String(50), nullable=False, default="invited")  # invited / active
+    invite_token_hash = Column(String(255), nullable=True)
+    invite_expires_at = Column(DateTime, nullable=True)

backend/app/routers/users.py

@@ -1,51 +1,117 @@
-# app/routers/users.py (or your existing users router)
 from fastapi import APIRouter, Depends, HTTPException
 from sqlalchemy.orm import Session
 from app.database import get_db
 from app.models.user import User
-from app.utils.auth import hash_password, generate_otp, otp_expiry, send_otp_email
-from datetime import datetime
+from app.utils.auth import hash_password, send_invite_email
+from datetime import datetime, timedelta
+import secrets, hashlib
 
 router = APIRouter()
 
-@router.post("/")
-def create_user(
+
+# ------------------------------------------------------
+# 1. SEND INVITE (called from frontend AdminUsers.jsx)
+# ------------------------------------------------------
+@router.post("/invite")
+def invite_user(
     name: str,
     email: str,
-    password: str,
     department: str = None,
     manager_email: str = None,
     role: str = "auditee",
     db: Session = Depends(get_db),
 ):
-    # check exist
+    # Check if user exists
     if db.query(User).filter(User.email == email).first():
         raise HTTPException(status_code=400, detail="Email already registered")
 
-    hashed = hash_password(password)
-    otp = generate_otp()
-    expiry = otp_expiry(10)
+    # Generate invite token
+    raw_token = secrets.token_urlsafe(32)
+    hashed_token = hashlib.sha256(raw_token.encode()).hexdigest()
+    expiry = datetime.utcnow() + timedelta(hours=24)
 
+    # Create user
     user = User(
         name=name,
         email=email,
-        password=hashed,
         department=department,
         manager_email=manager_email,
         role=role,
-        otp_code=otp,
-        otp_expires_at=expiry,
+        status="invited",
+        invite_token_hash=hashed_token,
+        invite_expires_at=expiry,
         first_login=True,
     )
     db.add(user)
     db.commit()
     db.refresh(user)
 
-    # send mail (async if you prefer background task)
+    # Invite link
+    invite_link = f"https://{YOUR_RENDER_FRONTEND_DOMAIN}/set-password?token={raw_token}&email={email}"
+
+    # Send invite email
     try:
-        send_otp_email(email, otp)
+        send_invite_email(email, invite_link)
     except Exception as e:
-        # log error but user exists now — you can rollback if you prefer
-        print("Warning: failed to send OTP", e)
+        print("Failed to send invite email:", e)
+
+    return {"ok": True, "message": "Invite sent successfully"}
+
+
+# ------------------------------------------------------
+# 2. COMPLETE INVITATION (User sets password)
+# ------------------------------------------------------
+@router.post("/complete-invite")
+def complete_invite(
+    email: str,
+    token: str,
+    password: str,
+    db: Session = Depends(get_db),
+):
+    user = db.query(User).filter(User.email == email).first()
+
+    if not user or user.status != "invited":
+        raise HTTPException(status_code=400, detail="Invalid invitation")
+
+    # Check expiry
+    if datetime.utcnow() > user.invite_expires_at:
+        raise HTTPException(status_code=400, detail="Invite expired")
+
+    # Verify token
+    hashed_input = hashlib.sha256(token.encode()).hexdigest()
+    if hashed_input != user.invite_token_hash:
+        raise HTTPException(status_code=400, detail="Invalid token")
+
+    # Set password & activate
+    user.password = hash_password(password)
+    user.status = "active"
+    user.invite_token_hash = None
+    user.invite_expires_at = None
+
+    db.commit()
+    db.refresh(user)
+
+    return {"ok": True, "message": "Password set successfully. You may login now."}
+
+
+# ------------------------------------------------------
+# 3. GET USERS (Used by AdminUsers.jsx)
+# ------------------------------------------------------
+@router.get("/")
+def get_users(db: Session = Depends(get_db)):
+    return db.query(User).all()
+
+
+# ------------------------------------------------------
+# 4. DELETE USER (Used by AdminUsers.jsx)
+# ------------------------------------------------------
+@router.delete("/{user_id}")
+def delete_user(user_id: int, db: Session = Depends(get_db)):
+    user = db.query(User).filter(User.id == user_id).first()
+    if not user:
+        raise HTTPException(status_code=404, detail="User not found")
+
+    db.delete(user)
+    db.commit()
 
-    return {"ok": True, "message": "User created and OTP sent"}
+    return {"ok": True, "message": "User deleted"}