feat: Add Single User authentication to Selfhosted (#870)

* Single user/password for selfhosted * fix revision id latest migration
2026-04-20 04:06:54 +00:00 · 2026-02-23 11:10:27 -05:00
parent 2ba0d965e8
commit c8db37362b
31 changed files with 1333 additions and 163 deletions
--- a/server/reflector/db/users.py
+++ b/server/reflector/db/users.py
@@ -1,4 +1,4 @@
-"""User table for storing Authentik user information."""
+"""User table for storing user information."""

 from datetime import datetime, timezone

@@ -15,6 +15,7 @@ users = sqlalchemy.Table(
    sqlalchemy.Column("id", sqlalchemy.String, primary_key=True),
    sqlalchemy.Column("email", sqlalchemy.String, nullable=False),
    sqlalchemy.Column("authentik_uid", sqlalchemy.String, nullable=False),
+    sqlalchemy.Column("password_hash", sqlalchemy.String, nullable=True),
    sqlalchemy.Column("created_at", sqlalchemy.DateTime(timezone=True), nullable=False),
    sqlalchemy.Column("updated_at", sqlalchemy.DateTime(timezone=True), nullable=False),
    sqlalchemy.Index("idx_user_authentik_uid", "authentik_uid", unique=True),
@@ -26,6 +27,7 @@ class User(BaseModel):
    id: NonEmptyString = Field(default_factory=generate_uuid4)
    email: NonEmptyString
    authentik_uid: NonEmptyString
+    password_hash: str | None = None
    created_at: datetime = Field(default_factory=lambda: datetime.now(timezone.utc))
    updated_at: datetime = Field(default_factory=lambda: datetime.now(timezone.utc))

@@ -51,22 +53,29 @@ class UserController:

    @staticmethod
    async def create_or_update(
-        id: NonEmptyString, authentik_uid: NonEmptyString, email: NonEmptyString
+        id: NonEmptyString,
+        authentik_uid: NonEmptyString,
+        email: NonEmptyString,
+        password_hash: str | None = None,
    ) -> User:
        existing = await UserController.get_by_authentik_uid(authentik_uid)
        now = datetime.now(timezone.utc)

        if existing:
+            update_values: dict = {"email": email, "updated_at": now}
+            if password_hash is not None:
+                update_values["password_hash"] = password_hash
            query = (
                users.update()
                .where(users.c.authentik_uid == authentik_uid)
-                .values(email=email, updated_at=now)
+                .values(**update_values)
            )
            await get_database().execute(query)
            return User(
                id=existing.id,
                authentik_uid=authentik_uid,
                email=email,
+                password_hash=password_hash or existing.password_hash,
                created_at=existing.created_at,
                updated_at=now,
            )
@@ -75,6 +84,7 @@ class UserController:
                id=id,
                authentik_uid=authentik_uid,
                email=email,
+                password_hash=password_hash,
                created_at=now,
                updated_at=now,
            )
@@ -82,6 +92,16 @@ class UserController:
            await get_database().execute(query)
            return user

+    @staticmethod
+    async def set_password_hash(user_id: NonEmptyString, password_hash: str) -> None:
+        now = datetime.now(timezone.utc)
+        query = (
+            users.update()
+            .where(users.c.id == user_id)
+            .values(password_hash=password_hash, updated_at=now)
+        )
+        await get_database().execute(query)
+
    @staticmethod
    async def list_all() -> list[User]:
        query = users.select().order_by(users.c.created_at.desc())