chihlasm/resolutionflow
1
0
Fork 0
Code Issues 23 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
1397254dfda8a4e3f736e18f54ec3ea99be57bad
resolutionflow/backend/app/core/service_account.py
chihlasm 8fa6ee1801 fix: create system account for service user to satisfy account_id NOT NULL on prod (#91) 
The prod users table has account_id NOT NULL. The backfill migration and
ensure_service_account() now create a 'ResolutionFlow System' account
(display_code RF-SYS-1) before inserting the service user, satisfying the
constraint on all environments.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-25 23:52:48 -05:00

88 lines
2.7 KiB
Python
Raw Blame History

"""ResolutionFlow system service account.
This module manages the platform-level service account used as the author
for system/default content (seeded trees, synced step library entries, etc.).
The service account ID is resolved once at startup and cached on app.state
so that sync operations can use it without a DB query per request.
"""
from __future__ import annotations
import uuid
import logging
from sqlalchemy import select
from sqlalchemy.ext.asyncio import AsyncSession
logger = logging.getLogger(__name__)
SERVICE_ACCOUNT_EMAIL = "noreply@resolutionflow.com"
SERVICE_ACCOUNT_NAME = "ResolutionFlow"
SYSTEM_ACCOUNT_NAME = "ResolutionFlow System"
SYSTEM_ACCOUNT_DISPLAY_CODE = "RF-SYS-1"
async def _ensure_system_account(db: AsyncSession) -> uuid.UUID:
"""Get or create the ResolutionFlow system account. Returns its ID."""
from app.models.account import Account
from sqlalchemy import text
result = await db.execute(
select(Account).where(Account.display_code == SYSTEM_ACCOUNT_DISPLAY_CODE)
)
account = result.scalar_one_or_none()
if account is not None:
return account.id
new_account = Account(
id=uuid.uuid4(),
name=SYSTEM_ACCOUNT_NAME,
display_code=SYSTEM_ACCOUNT_DISPLAY_CODE,
)
db.add(new_account)
await db.flush()
logger.info(f"[service_account] Created system account (id={new_account.id})")
return new_account.id
async def ensure_service_account(db: AsyncSession) -> uuid.UUID:
"""Ensure the ResolutionFlow service account exists and return its ID.
Idempotent — safe to call on every startup. Creates the account if it
does not exist. The account has no usable password and is_service_account=True
so it can never log in via normal auth flows.
"""
from app.models.user import User
result = await db.execute(
select(User).where(User.email == SERVICE_ACCOUNT_EMAIL)
)
user = result.scalar_one_or_none()
if user is not None:
if not user.is_service_account:
user.is_service_account = True
await db.commit()
return user.id
account_id = await _ensure_system_account(db)
new_user = User(
id=uuid.uuid4(),
email=SERVICE_ACCOUNT_EMAIL,
name=SERVICE_ACCOUNT_NAME,
password_hash="!service-account-no-login", # bcrypt can't produce this prefix
role="engineer",
is_super_admin=False,
is_team_admin=False,
is_active=True,
is_service_account=True,
must_change_password=False,
account_id=account_id,
account_role="engineer",
)
db.add(new_user)
await db.commit()
logger.info(f"[service_account] Created service account (id={new_user.id})")
return new_user.id
Reference in New Issue View Git Blame Copy Permalink