Compare revisions

98fe5690 · 98fe5690 · 98fe5690 · 98fe5690 · 98fe5690 · 98fe5690
--- a/tests/views/test_user.py
+++ b/tests/views/test_user.py
-from flask import url_for
+from flask import url_for, request

 from uffd.database import db
-from uffd.models import User, UserEmail, Group, Role, Service, ServiceUser, FeatureFlag
+from uffd.models import User, UserEmail, Group, Role, Service, ServiceUser, FeatureFlag, MFAMethod, RecoveryCodeMethod, TOTPMethod

 from tests.utils import dump, UffdTestCase

@@ -353,12 +353,46 @@ class TestUserViews(UffdTestCase):
 		dump('user_show', r)
 		self.assertEqual(r.status_code, 200)

+	def test_show_self(self):
+		r = self.client.get(path=url_for('user.show', id=self.get_admin().id), follow_redirects=True)
+		dump('user_show_self', r)
+		self.assertEqual(r.status_code, 200)
+
 	def test_delete(self):
 		r = self.client.get(path=url_for('user.delete', id=self.get_user().id), follow_redirects=True)
 		dump('user_delete', r)
 		self.assertEqual(r.status_code, 200)
 		self.assertIsNone(self.get_user())

+	def test_deactivate(self):
+		r = self.client.get(path=url_for('user.deactivate', id=self.get_user().id), follow_redirects=True)
+		dump('user_deactivate', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertTrue(self.get_user().is_deactivated)
+
+	def test_activate(self):
+		self.get_user().is_deactivated = True
+		db.session.commit()
+		r = self.client.get(path=url_for('user.activate', id=self.get_user().id), follow_redirects=True)
+		dump('user_activate', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertFalse(self.get_user().is_deactivated)
+
+	def test_disable_mfa(self):
+		db.session.add(RecoveryCodeMethod(user=self.get_admin()))
+		user = self.get_user()
+		for _ in range(10):
+			db.session.add(RecoveryCodeMethod(user=user))
+		db.session.add(TOTPMethod(user=self.get_user(), name='My phone'))
+		db.session.commit()
+		self.login_as('admin')
+		admin_methods = len(MFAMethod.query.filter_by(user=self.get_admin()).all())
+		r = self.client.get(path=url_for('user.disable_mfa', id=self.get_user().id), follow_redirects=True)
+		dump('user_disable_mfa', r)
+		self.assertEqual(r.status_code, 200)
+		self.assertEqual(len(MFAMethod.query.filter_by(user=self.get_user()).all()), 0)
+		self.assertEqual(len(MFAMethod.query.filter_by(user=self.get_admin()).all()), admin_methods)
+
 	def test_csvimport(self):
 		role1 = Role(name='role1')
 		db.session.add(role1)

--- a/uffd/__init__.py
+++ b/uffd/__init__.py
@@ -8,7 +8,7 @@ from babel.dates import LOCALTZ
 from werkzeug.exceptions import Forbidden
 from flask_migrate import Migrate

-from .database import db, SQLAlchemyJSON, customize_db_engine
+from .database import db, customize_db_engine
 from .template_helper import register_template_helper
 from .navbar import setup_navbar
 from .csrf import bp as csrf_bp
@@ -46,13 +46,13 @@ def init_config(app: Flask, test_config):
 			if load_config_file(app, os.path.join(app.instance_path, filename), silent=True):
 				break

-	if app.env == "production" and app.secret_key is None:
-		raise Exception("SECRET_KEY not configured and we are running in production mode!")
-	app.config.setdefault("SECRET_KEY", secrets.token_hex(128))
+	if app.secret_key is None:
+		if app.env == "production":
+			raise Exception("SECRET_KEY not configured and we are running in production mode!")
+		app.secret_key = secrets.token_hex(128)

 def create_app(test_config=None): # pylint: disable=too-many-locals,too-many-statements
 	app = Flask(__name__, instance_relative_config=False)
-	app.json_encoder = SQLAlchemyJSON

 	init_config(app, test_config)


--- a/uffd/babel.cfg
+++ b/uffd/babel.cfg
 [python: **.py]
 [jinja2: **/templates/**.html]
-extensions=jinja2.ext.autoescape,jinja2.ext.with_
--- a/uffd/commands/user.py
+++ b/uffd/commands/user.py
@@ -12,7 +12,7 @@ user_command = AppGroup('user', help='Manage users')

 def update_attrs(user, mail=None, displayname=None, password=None,
                 prompt_password=False, clear_roles=False,
-                 add_role=tuple(), remove_role=tuple()):
+                 add_role=tuple(), remove_role=tuple(), deactivate=None):
 	if password is None and prompt_password:
 		password = click.prompt('Password', hide_input=True, confirmation_prompt='Confirm password')
 	if mail is not None and not user.set_primary_email_address(mail):
@@ -21,6 +21,8 @@ def update_attrs(user, mail=None, displayname=None, password=None,
 		raise click.ClickException('Invalid displayname')
 	if password is not None and not user.set_password(password):
 		raise click.ClickException('Invalid password')
+	if deactivate is not None:
+		user.is_deactivated = deactivate
 	if clear_roles:
 		user.roles.clear()
 	for role_name in add_role:
@@ -49,6 +51,7 @@ def show(loginname):
 		if user is None:
 			raise click.ClickException(f'User {loginname} not found')
 		click.echo(f'Loginname: {user.loginname}')
+		click.echo(f'Deactivated: {user.is_deactivated}')
 		click.echo(f'Displayname: {user.displayname}')
 		click.echo(f'Mail: {user.primary_email.address}')
 		click.echo(f'Service User: {user.is_service_user}')
@@ -65,7 +68,8 @@ def show(loginname):
 @click.option('--password', help='Password for SSO login. Login disabled if unset.')
 @click.option('--prompt-password', is_flag=True, flag_value=True, default=False, help='Read password interactively from terminal.')
 @click.option('--add-role', multiple=True, help='Add role to user. Repeat to add multiple roles.', metavar='ROLE_NAME')
-def create(loginname, mail, displayname, service, password, prompt_password, add_role):
+@click.option('--deactivate', is_flag=True, flag_value=True, default=None, help='Deactivate account.')
+def create(loginname, mail, displayname, service, password, prompt_password, add_role, deactivate):
 	with current_app.test_request_context():
 		if displayname is None:
 			displayname = loginname
@@ -74,7 +78,7 @@ def create(loginname, mail, displayname, service, password, prompt_password, add
 			raise click.ClickException('Invalid loginname')
 		try:
 			db.session.add(user)
-			update_attrs(user, mail, displayname, password, prompt_password, add_role=add_role)
+			update_attrs(user, mail, displayname, password, prompt_password, add_role=add_role, deactivate=deactivate)
 			db.session.commit()
 		except IntegrityError:
 			# pylint: disable=raise-missing-from
@@ -89,13 +93,14 @@ def create(loginname, mail, displayname, service, password, prompt_password, add
 @click.option('--clear-roles', is_flag=True, flag_value=True, default=False, help='Remove all roles from user. Executed before --add-role.')
 @click.option('--add-role', multiple=True, help='Add role to user. Repeat to add multiple roles.')
 @click.option('--remove-role', multiple=True, help='Remove role from user. Repeat to remove multiple roles.')
-def update(loginname, mail, displayname, password, prompt_password, clear_roles, add_role, remove_role):
+@click.option('--deactivate/--activate', default=None, help='Deactivate or reactivate account.')
+def update(loginname, mail, displayname, password, prompt_password, clear_roles, add_role, remove_role, deactivate):
 	with current_app.test_request_context():
 		user = User.query.filter_by(loginname=loginname).one_or_none()
 		if user is None:
 			raise click.ClickException(f'User {loginname} not found')
 		try:
-			update_attrs(user, mail, displayname, password, prompt_password, clear_roles, add_role, remove_role)
+			update_attrs(user, mail, displayname, password, prompt_password, clear_roles, add_role, remove_role, deactivate)
 			db.session.commit()
 		except IntegrityError:
 			# pylint: disable=raise-missing-from

--- a/uffd/database.py
+++ b/uffd/database.py
-from collections import OrderedDict
-
 from sqlalchemy import MetaData, event
 from sqlalchemy.types import TypeDecorator, Text
 from sqlalchemy.ext.mutable import MutableList
 from flask_sqlalchemy import SQLAlchemy
-from flask.json import JSONEncoder

 convention = {
 	'ix': 'ix_%(column_0_label)s',
@@ -48,15 +45,6 @@ def customize_db_engine(engine):
 			cursor.execute('SET NAMES utf8mb4 COLLATE utf8mb4_nopad_bin')
 			cursor.close()

-class SQLAlchemyJSON(JSONEncoder):
-	def default(self, o):
-		if isinstance(o, db.Model):
-			result = OrderedDict()
-			for key in o.__mapper__.c.keys():
-				result[key] = getattr(o, key)
-			return result
-		return JSONEncoder.default(self, o)
-
 class CommaSeparatedList(TypeDecorator):
 	# For some reason TypeDecorator.process_literal_param and
 	# TypeEngine.python_type are abstract but not actually required

--- a/uffd/fido2_compat.py
+++ b/uffd/fido2_compat.py
 # pylint: skip-file

-import fido2 as __fido2
+from flask_babel import gettext as _
+from warnings import warn
+from flask import request, current_app
+import urllib.parse

-if __fido2.__version__.startswith('0.5.'):
-	from fido2.client import ClientData
-	from fido2.server import Fido2Server, RelyingParty as __PublicKeyCredentialRpEntity
-	from fido2.ctap2 import AttestationObject, AuthenticatorData, AttestedCredentialData
-	from fido2 import cbor
-	cbor.encode = cbor.dumps
-	cbor.decode = lambda arg: cbor.loads(arg)[0]
-	class PublicKeyCredentialRpEntity(__PublicKeyCredentialRpEntity):
-		def __init__(self, name, id):
-			super().__init__(id, name)
-elif __fido2.__version__.startswith('0.9.'):
-	from fido2.client import ClientData
-	from fido2.webauthn import PublicKeyCredentialRpEntity
-	from fido2.server import Fido2Server
-	from fido2.ctap2 import AttestationObject, AuthenticatorData, AttestedCredentialData
-	from fido2 import cbor
-elif __fido2.__version__.startswith('1.'):
-	from fido2.webauthn import PublicKeyCredentialRpEntity, CollectedClientData as ClientData, AttestationObject, AuthenticatorData, AttestedCredentialData
-	from fido2.server import Fido2Server
-	from fido2 import cbor
-else:
-	raise ImportError(f'Unsupported fido2 version: {__fido2.__version__}')
+
+# WebAuthn support is optional because fido2 has a pretty unstable
+# interface and might be difficult to install with the correct version
+
+try:
+	import fido2 as __fido2
+
+	if __fido2.__version__.startswith('0.5.'):
+		from fido2.client import ClientData
+		from fido2.server import Fido2Server, RelyingParty as __PublicKeyCredentialRpEntity
+		from fido2.ctap2 import AttestationObject, AuthenticatorData, AttestedCredentialData
+		from fido2 import cbor
+		cbor.encode = cbor.dumps
+		cbor.decode = lambda arg: cbor.loads(arg)[0]
+		class PublicKeyCredentialRpEntity(__PublicKeyCredentialRpEntity):
+			def __init__(self, name, id):
+				super().__init__(id, name)
+	elif __fido2.__version__.startswith('0.9.'):
+		from fido2.client import ClientData
+		from fido2.webauthn import PublicKeyCredentialRpEntity
+		from fido2.server import Fido2Server
+		from fido2.ctap2 import AttestationObject, AuthenticatorData, AttestedCredentialData
+		from fido2 import cbor
+	elif __fido2.__version__.startswith('1.'):
+		from fido2.webauthn import PublicKeyCredentialRpEntity, CollectedClientData as ClientData, AttestationObject, AuthenticatorData, AttestedCredentialData
+		from fido2.server import Fido2Server
+		from fido2 import cbor
+	else:
+		raise ImportError(f'Unsupported fido2 version: {__fido2.__version__}')
+
+	def get_webauthn_server():
+		hostname = urllib.parse.urlsplit(request.url).hostname
+		return Fido2Server(PublicKeyCredentialRpEntity(id=current_app.config.get('MFA_RP_ID', hostname),
+		                                               name=current_app.config['MFA_RP_NAME']))
+
+	WEBAUTHN_SUPPORTED = True
+except ImportError as err:
+	warn(_('2FA WebAuthn support disabled because import of the fido2 module failed (%s)')%err)
+	WEBAUTHN_SUPPORTED = False
--- a/uffd/migrations/versions/01fdd7820f29_openid_connect_support.py
+++ b/uffd/migrations/versions/01fdd7820f29_openid_connect_support.py
+"""OpenID Connect Support
+
+Revision ID: 01fdd7820f29
+Revises: a9b449776953
+Create Date: 2023-11-09 16:52:20.860871
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+import datetime
+import secrets
+import math
+import logging
+
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.backends import default_backend # Only required for Buster
+import jwt
+
+# pyjwt v1.7.x compat (Buster/Bullseye)
+if not hasattr(jwt, 'get_algorithm_by_name'):
+	jwt.get_algorithm_by_name = lambda name: jwt.algorithms.get_default_algorithms()[name]
+
+# revision identifiers, used by Alembic.
+revision = '01fdd7820f29'
+down_revision = 'a9b449776953'
+branch_labels = None
+depends_on = None
+
+logger = logging.getLogger('alembic.runtime.migration.01fdd7820f29')
+
+def token_with_alphabet(alphabet, nbytes=None):
+	'''Return random text token that consists of characters from `alphabet`'''
+	if nbytes is None:
+		nbytes = max(secrets.DEFAULT_ENTROPY, 32)
+	nbytes_per_char = math.log(len(alphabet), 256)
+	nchars = math.ceil(nbytes / nbytes_per_char)
+	return ''.join([secrets.choice(alphabet) for _ in range(nchars)])
+
+def token_urlfriendly(nbytes=None):
+	'''Return random text token that is urlsafe and works around common parsing bugs'''
+	alphabet = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
+	return token_with_alphabet(alphabet, nbytes=nbytes)
+
+def upgrade():
+	logger.info('Generating 3072 bit RSA key pair (RS256) for OpenID Connect support ...')
+	private_key = rsa.generate_private_key(public_exponent=65537, key_size=3072, backend=default_backend())
+
+	meta = sa.MetaData(bind=op.get_bind())
+	oauth2_key = op.create_table('oauth2_key',
+		sa.Column('id', sa.String(length=64), nullable=False),
+		sa.Column('created', sa.DateTime(), nullable=False),
+		sa.Column('active', sa.Boolean(create_constraint=False), nullable=False),
+		sa.Column('algorithm', sa.String(length=32), nullable=False),
+		sa.Column('private_key_jwk', sa.Text(), nullable=False),
+		sa.Column('public_key_jwk', sa.Text(), nullable=False),
+		sa.PrimaryKeyConstraint('id', name=op.f('pk_oauth2_key'))
+	)
+	algorithm = jwt.get_algorithm_by_name('RS256')
+	op.bulk_insert(oauth2_key, [{
+		'id': token_urlfriendly(),
+		'created': datetime.datetime.utcnow(),
+		'active': True,
+		'algorithm': 'RS256',
+		'private_key_jwk': algorithm.to_jwk(private_key),
+		'public_key_jwk': algorithm.to_jwk(private_key.public_key()),
+	}])
+
+	with op.batch_alter_table('oauth2grant', schema=None) as batch_op:
+		batch_op.drop_index(batch_op.f('ix_oauth2grant_code'))
+	oauth2grant = sa.Table('oauth2grant', meta,
+		sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+		sa.Column('user_id', sa.Integer(), nullable=False),
+		sa.Column('client_db_id', sa.Integer(), nullable=False),
+		sa.Column('code', sa.String(length=255), nullable=False),
+		sa.Column('redirect_uri', sa.String(length=255), nullable=False),
+		sa.Column('expires', sa.DateTime(), nullable=False),
+		sa.Column('_scopes', sa.Text(), nullable=False),
+		sa.ForeignKeyConstraint(['client_db_id'], ['oauth2client.db_id'], name=op.f('fk_oauth2grant_client_db_id_oauth2client'), onupdate='CASCADE', ondelete='CASCADE'),
+		sa.ForeignKeyConstraint(['user_id'], ['user.id'], name=op.f('fk_oauth2grant_user_id_user'), onupdate='CASCADE', ondelete='CASCADE'),
+		sa.PrimaryKeyConstraint('id', name=op.f('pk_oauth2grant'))
+	)
+	with op.batch_alter_table('oauth2grant', copy_from=oauth2grant) as batch_op:
+		batch_op.add_column(sa.Column('nonce', sa.Text(), nullable=True))
+		batch_op.add_column(sa.Column('claims', sa.Text(), nullable=True))
+		batch_op.alter_column('redirect_uri', existing_type=sa.VARCHAR(length=255), nullable=True)
+
+	oauth2token = sa.Table('oauth2token', meta,
+		sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+		sa.Column('user_id', sa.Integer(), nullable=False),
+		sa.Column('client_db_id', sa.Integer(), nullable=False),
+		sa.Column('token_type', sa.String(length=40), nullable=False),
+		sa.Column('access_token', sa.String(length=255), nullable=False),
+		sa.Column('refresh_token', sa.String(length=255), nullable=False),
+		sa.Column('expires', sa.DateTime(), nullable=False),
+		sa.Column('_scopes', sa.Text(), nullable=False),
+		sa.ForeignKeyConstraint(['client_db_id'], ['oauth2client.db_id'], name=op.f('fk_oauth2token_client_db_id_oauth2client'), onupdate='CASCADE', ondelete='CASCADE'),
+		sa.ForeignKeyConstraint(['user_id'], ['user.id'], name=op.f('fk_oauth2token_user_id_user'), onupdate='CASCADE', ondelete='CASCADE'),
+		sa.PrimaryKeyConstraint('id', name=op.f('pk_oauth2token')),
+		sa.UniqueConstraint('access_token', name=op.f('uq_oauth2token_access_token')),
+		sa.UniqueConstraint('refresh_token', name=op.f('uq_oauth2token_refresh_token'))
+	)
+	with op.batch_alter_table('oauth2token', copy_from=oauth2token) as batch_op:
+		batch_op.add_column(sa.Column('claims', sa.Text(), nullable=True))
+
+def downgrade():
+	meta = sa.MetaData(bind=op.get_bind())
+
+	oauth2token = sa.Table('oauth2token', meta,
+		sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+		sa.Column('user_id', sa.Integer(), nullable=False),
+		sa.Column('client_db_id', sa.Integer(), nullable=False),
+		sa.Column('token_type', sa.String(length=40), nullable=False),
+		sa.Column('access_token', sa.String(length=255), nullable=False),
+		sa.Column('refresh_token', sa.String(length=255), nullable=False),
+		sa.Column('expires', sa.DateTime(), nullable=False),
+		sa.Column('_scopes', sa.Text(), nullable=False),
+		sa.Column('claims', sa.Text(), nullable=True),
+		sa.ForeignKeyConstraint(['client_db_id'], ['oauth2client.db_id'], name=op.f('fk_oauth2token_client_db_id_oauth2client'), onupdate='CASCADE', ondelete='CASCADE'),
+		sa.ForeignKeyConstraint(['user_id'], ['user.id'], name=op.f('fk_oauth2token_user_id_user'), onupdate='CASCADE', ondelete='CASCADE'),
+		sa.PrimaryKeyConstraint('id', name=op.f('pk_oauth2token')),
+		sa.UniqueConstraint('access_token', name=op.f('uq_oauth2token_access_token')),
+		sa.UniqueConstraint('refresh_token', name=op.f('uq_oauth2token_refresh_token'))
+	)
+	with op.batch_alter_table('oauth2token', copy_from=oauth2token) as batch_op:
+		batch_op.drop_column('claims')
+
+	oauth2grant = sa.Table('oauth2grant', meta,
+		sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+		sa.Column('user_id', sa.Integer(), nullable=False),
+		sa.Column('client_db_id', sa.Integer(), nullable=False),
+		sa.Column('code', sa.String(length=255), nullable=False),
+		sa.Column('redirect_uri', sa.String(length=255), nullable=True),
+		sa.Column('nonce', sa.Text(), nullable=True),
+		sa.Column('expires', sa.DateTime(), nullable=False),
+		sa.Column('_scopes', sa.Text(), nullable=False),
+		sa.Column('claims', sa.Text(), nullable=True),
+		sa.ForeignKeyConstraint(['client_db_id'], ['oauth2client.db_id'], name=op.f('fk_oauth2grant_client_db_id_oauth2client'), onupdate='CASCADE', ondelete='CASCADE'),
+		sa.ForeignKeyConstraint(['user_id'], ['user.id'], name=op.f('fk_oauth2grant_user_id_user'), onupdate='CASCADE', ondelete='CASCADE'),
+		sa.PrimaryKeyConstraint('id', name=op.f('pk_oauth2grant'))
+	)
+	with op.batch_alter_table('oauth2grant', copy_from=oauth2grant) as batch_op:
+		batch_op.alter_column('redirect_uri', existing_type=sa.VARCHAR(length=255), nullable=False)
+		batch_op.drop_column('claims')
+		batch_op.drop_column('nonce')
+		batch_op.create_index(batch_op.f('ix_oauth2grant_code'), ['code'], unique=False)
+
+	op.drop_table('oauth2_key')
--- a/uffd/migrations/versions/23293f32b503_deactivate_users.py
+++ b/uffd/migrations/versions/23293f32b503_deactivate_users.py
+"""Deactivate users
+
+Revision ID: 23293f32b503
+Revises: e249233e2a31
+Create Date: 2022-11-10 02:06:27.766520
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+revision = '23293f32b503'
+down_revision = 'e249233e2a31'
+branch_labels = None
+depends_on = None
+
+def upgrade():
+	meta = sa.MetaData(bind=op.get_bind())
+	with op.batch_alter_table('service', schema=None) as batch_op:
+		batch_op.add_column(sa.Column('hide_deactivated_users', sa.Boolean(create_constraint=True), nullable=False, server_default=sa.false()))
+	service = sa.Table('service', meta,
+		sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+		sa.Column('name', sa.String(length=255), nullable=False),
+		sa.Column('limit_access', sa.Boolean(create_constraint=True), nullable=False),
+		sa.Column('access_group_id', sa.Integer(), nullable=True),
+		sa.Column('remailer_mode', sa.Enum('DISABLED', 'ENABLED_V1', 'ENABLED_V2', create_constraint=True, name='remailermode'), nullable=False),
+		sa.Column('enable_email_preferences', sa.Boolean(create_constraint=True), nullable=False),
+		sa.Column('hide_deactivated_users', sa.Boolean(create_constraint=True), nullable=False, server_default=sa.false()),
+		sa.ForeignKeyConstraint(['access_group_id'], ['group.id'], name=op.f('fk_service_access_group_id_group'), onupdate='CASCADE', ondelete='SET NULL'),
+		sa.PrimaryKeyConstraint('id', name=op.f('pk_service')),
+		sa.UniqueConstraint('name', name=op.f('uq_service_name'))
+	)
+	with op.batch_alter_table('service', copy_from=service) as batch_op:
+		batch_op.alter_column('hide_deactivated_users', server_default=None)
+	with op.batch_alter_table('user', schema=None) as batch_op:
+		batch_op.add_column(sa.Column('is_deactivated', sa.Boolean(create_constraint=True), nullable=False, server_default=sa.false()))
+	user = sa.Table('user', meta,
+		sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+		sa.Column('unix_uid', sa.Integer(), nullable=False),
+		sa.Column('loginname', sa.String(length=32), nullable=False),
+		sa.Column('displayname', sa.String(length=128), nullable=False),
+		sa.Column('primary_email_id', sa.Integer(), nullable=False),
+		sa.Column('recovery_email_id', sa.Integer(), nullable=True),
+		sa.Column('pwhash', sa.Text(), nullable=True),
+		sa.Column('is_service_user', sa.Boolean(create_constraint=True), nullable=False),
+		sa.Column('is_deactivated', sa.Boolean(create_constraint=True), nullable=False, server_default=sa.false()),
+		sa.ForeignKeyConstraint(['primary_email_id'], ['user_email.id'], name=op.f('fk_user_primary_email_id_user_email'), onupdate='CASCADE'),
+		sa.ForeignKeyConstraint(['recovery_email_id'], ['user_email.id'], name=op.f('fk_user_recovery_email_id_user_email'), onupdate='CASCADE', ondelete='SET NULL'),
+		sa.ForeignKeyConstraint(['unix_uid'], ['uid_allocation.id'], name=op.f('fk_user_unix_uid_uid_allocation')),
+		sa.PrimaryKeyConstraint('id', name=op.f('pk_user')),
+		sa.UniqueConstraint('loginname', name=op.f('uq_user_loginname')),
+		sa.UniqueConstraint('unix_uid', name=op.f('uq_user_unix_uid'))
+	)
+	with op.batch_alter_table('user', copy_from=user) as batch_op:
+		batch_op.alter_column('is_deactivated', server_default=None)
+
+def downgrade():
+	meta = sa.MetaData(bind=op.get_bind())
+	user = sa.Table('user', meta,
+		sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+		sa.Column('unix_uid', sa.Integer(), nullable=False),
+		sa.Column('loginname', sa.String(length=32), nullable=False),
+		sa.Column('displayname', sa.String(length=128), nullable=False),
+		sa.Column('primary_email_id', sa.Integer(), nullable=False),
+		sa.Column('recovery_email_id', sa.Integer(), nullable=True),
+		sa.Column('pwhash', sa.Text(), nullable=True),
+		sa.Column('is_service_user', sa.Boolean(create_constraint=True), nullable=False),
+		sa.Column('is_deactivated', sa.Boolean(create_constraint=True), nullable=False),
+		sa.ForeignKeyConstraint(['primary_email_id'], ['user_email.id'], name=op.f('fk_user_primary_email_id_user_email'), onupdate='CASCADE'),
+		sa.ForeignKeyConstraint(['recovery_email_id'], ['user_email.id'], name=op.f('fk_user_recovery_email_id_user_email'), onupdate='CASCADE', ondelete='SET NULL'),
+		sa.ForeignKeyConstraint(['unix_uid'], ['uid_allocation.id'], name=op.f('fk_user_unix_uid_uid_allocation')),
+		sa.PrimaryKeyConstraint('id', name=op.f('pk_user')),
+		sa.UniqueConstraint('loginname', name=op.f('uq_user_loginname')),
+		sa.UniqueConstraint('unix_uid', name=op.f('uq_user_unix_uid'))
+	)
+	with op.batch_alter_table('user', schema=None) as batch_op:
+		batch_op.drop_column('is_deactivated')
+	service = sa.Table('service', meta,
+		sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+		sa.Column('name', sa.String(length=255), nullable=False),
+		sa.Column('limit_access', sa.Boolean(create_constraint=True), nullable=False),
+		sa.Column('access_group_id', sa.Integer(), nullable=True),
+		sa.Column('remailer_mode', sa.Enum('DISABLED', 'ENABLED_V1', 'ENABLED_V2', create_constraint=True, name='remailermode'), nullable=False),
+		sa.Column('enable_email_preferences', sa.Boolean(create_constraint=True), nullable=False),
+		sa.Column('hide_deactivated_users', sa.Boolean(create_constraint=True), nullable=False),
+		sa.ForeignKeyConstraint(['access_group_id'], ['group.id'], name=op.f('fk_service_access_group_id_group'), onupdate='CASCADE', ondelete='SET NULL'),
+		sa.PrimaryKeyConstraint('id', name=op.f('pk_service')),
+		sa.UniqueConstraint('name', name=op.f('uq_service_name'))
+	)
+	with op.batch_alter_table('service', copy_from=service) as batch_op:
+		batch_op.drop_column('hide_deactivated_users')
--- a/uffd/migrations/versions/2b68f688bec1_remailer_v2.py
+++ b/uffd/migrations/versions/2b68f688bec1_remailer_v2.py
@@ -15,22 +15,22 @@ depends_on = None

 def upgrade():
 	with op.batch_alter_table('service', schema=None) as batch_op:
-		batch_op.add_column(sa.Column('remailer_mode', sa.Enum('DISABLED', 'ENABLED_V1', 'ENABLED_V2', name='remailermode'), nullable=False, server_default='DISABLED'))
+		batch_op.add_column(sa.Column('remailer_mode', sa.Enum('DISABLED', 'ENABLED_V1', 'ENABLED_V2', create_constraint=True, name='remailermode'), nullable=False, server_default='DISABLED'))
 	service = sa.table('service',
 		sa.column('id', sa.Integer),
-		sa.column('use_remailer', sa.Boolean),
-		sa.column('remailer_mode', sa.Enum('DISABLED', 'ENABLED_V1', 'ENABLED_V2', name='remailermode')),
+		sa.column('use_remailer', sa.Boolean(create_constraint=True)),
+		sa.column('remailer_mode', sa.Enum('DISABLED', 'ENABLED_V1', 'ENABLED_V2', create_constraint=True, name='remailermode')),
 	)
 	op.execute(service.update().values(remailer_mode='ENABLED_V1').where(service.c.use_remailer))
 	meta = sa.MetaData(bind=op.get_bind())
 	service = sa.Table('service', meta,
    sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.Column('limit_access', sa.Boolean(), nullable=False),
+    sa.Column('limit_access', sa.Boolean(create_constraint=True), nullable=False),
    sa.Column('access_group_id', sa.Integer(), nullable=True),
-    sa.Column('use_remailer', sa.Boolean(), nullable=False),
-    sa.Column('enable_email_preferences', sa.Boolean(), nullable=False),
-    sa.Column('remailer_mode', sa.Enum('DISABLED', 'ENABLED_V1', 'ENABLED_V2', name='remailermode'), nullable=False, server_default='DISABLED'),
+    sa.Column('use_remailer', sa.Boolean(create_constraint=True), nullable=False),
+    sa.Column('enable_email_preferences', sa.Boolean(create_constraint=True), nullable=False),
+    sa.Column('remailer_mode', sa.Enum('DISABLED', 'ENABLED_V1', 'ENABLED_V2', create_constraint=True, name='remailermode'), nullable=False, server_default='DISABLED'),
    sa.ForeignKeyConstraint(['access_group_id'], ['group.id'], name=op.f('fk_service_access_group_id_group'), onupdate='CASCADE', ondelete='SET NULL'),
    sa.PrimaryKeyConstraint('id', name=op.f('pk_service')),
    sa.UniqueConstraint('name', name=op.f('uq_service_name'))
@@ -44,19 +44,19 @@ def downgrade():
 		batch_op.add_column(sa.Column('use_remailer', sa.BOOLEAN(), nullable=False, server_default=sa.false()))
 	service = sa.table('service',
 		sa.column('id', sa.Integer),
-		sa.column('use_remailer', sa.Boolean),
-		sa.column('remailer_mode', sa.Enum('DISABLED', 'ENABLED_V1', 'ENABLED_V2', name='remailermode')),
+		sa.column('use_remailer', sa.Boolean(create_constraint=True)),
+		sa.column('remailer_mode', sa.Enum('DISABLED', 'ENABLED_V1', 'ENABLED_V2', create_constraint=True, name='remailermode')),
 	)
 	op.execute(service.update().values(use_remailer=sa.true()).where(service.c.remailer_mode != 'DISABLED'))
 	meta = sa.MetaData(bind=op.get_bind())
 	service = sa.Table('service', meta,
    sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.Column('limit_access', sa.Boolean(), nullable=False),
+    sa.Column('limit_access', sa.Boolean(create_constraint=True), nullable=False),
    sa.Column('access_group_id', sa.Integer(), nullable=True),
-    sa.Column('use_remailer', sa.Boolean(), nullable=False, server_default=sa.false()),
-    sa.Column('enable_email_preferences', sa.Boolean(), nullable=False),
-    sa.Column('remailer_mode', sa.Enum('DISABLED', 'ENABLED_V1', 'ENABLED_V2', name='remailermode'), nullable=False),
+    sa.Column('use_remailer', sa.Boolean(create_constraint=True), nullable=False, server_default=sa.false()),
+    sa.Column('enable_email_preferences', sa.Boolean(create_constraint=True), nullable=False),
+    sa.Column('remailer_mode', sa.Enum('DISABLED', 'ENABLED_V1', 'ENABLED_V2', create_constraint=True, name='remailermode'), nullable=False),
    sa.ForeignKeyConstraint(['access_group_id'], ['group.id'], name=op.f('fk_service_access_group_id_group'), onupdate='CASCADE', ondelete='SET NULL'),
    sa.PrimaryKeyConstraint('id', name=op.f('pk_service')),
    sa.UniqueConstraint('name', name=op.f('uq_service_name'))

--- a/uffd/migrations/versions/468995a9c9ee_unique_email_addresses.py
+++ b/uffd/migrations/versions/468995a9c9ee_unique_email_addresses.py
@@ -37,16 +37,16 @@ def iter_rows_paged(table, pk='id', limit=1000):
 def upgrade():
 	with op.batch_alter_table('user_email', schema=None) as batch_op:
 		batch_op.add_column(sa.Column('address_normalized', sa.String(length=128), nullable=True))
-		batch_op.add_column(sa.Column('enable_strict_constraints', sa.Boolean(), nullable=True))
-		batch_op.alter_column('verified', existing_type=sa.Boolean(), nullable=True)
+		batch_op.add_column(sa.Column('enable_strict_constraints', sa.Boolean(create_constraint=True), nullable=True))
+		batch_op.alter_column('verified', existing_type=sa.Boolean(create_constraint=True), nullable=True)
 	meta = sa.MetaData(bind=op.get_bind())
 	user_email_table = sa.Table('user_email', meta,
 		sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
 		sa.Column('user_id', sa.Integer(), nullable=True),
 		sa.Column('address', sa.String(length=128), nullable=False),
 		sa.Column('address_normalized', sa.String(length=128), nullable=True),
-		sa.Column('enable_strict_constraints', sa.Boolean(), nullable=True),
-		sa.Column('verified', sa.Boolean(), nullable=True),
+		sa.Column('enable_strict_constraints', sa.Boolean(create_constraint=True), nullable=True),
+		sa.Column('verified', sa.Boolean(create_constraint=True), nullable=True),
 		sa.Column('verification_legacy_id', sa.Integer(), nullable=True),
 		sa.Column('verification_secret', sa.Text(), nullable=True),
 		sa.Column('verification_expires', sa.DateTime(), nullable=True),
@@ -81,8 +81,8 @@ def downgrade():
 		sa.Column('user_id', sa.Integer(), nullable=True),
 		sa.Column('address', sa.String(length=128), nullable=False),
 		sa.Column('address_normalized', sa.String(length=128), nullable=False),
-		sa.Column('enable_strict_constraints', sa.Boolean(), nullable=True),
-		sa.Column('verified', sa.Boolean(), nullable=True),
+		sa.Column('enable_strict_constraints', sa.Boolean(create_constraint=True), nullable=True),
+		sa.Column('verified', sa.Boolean(create_constraint=True), nullable=True),
 		sa.Column('verification_legacy_id', sa.Integer(), nullable=True),
 		sa.Column('verification_secret', sa.Text(), nullable=True),
 		sa.Column('verification_expires', sa.DateTime(), nullable=True),
@@ -96,7 +96,7 @@ def downgrade():
 	with op.batch_alter_table('user_email', copy_from=user_email_table) as batch_op:
 		batch_op.drop_constraint('uq_user_email_user_id_address_normalized', type_='unique')
 		batch_op.drop_constraint('uq_user_email_address_normalized_verified', type_='unique')
-		batch_op.alter_column('verified', existing_type=sa.Boolean(), nullable=False)
+		batch_op.alter_column('verified', existing_type=sa.Boolean(create_constraint=True), nullable=False)
 		batch_op.drop_column('enable_strict_constraints')
 		batch_op.drop_column('address_normalized')
 	op.drop_table('feature_flag')
--- a/uffd/migrations/versions/4bd316207e59_unified_password_hashing_for_recovery_codes.py
+++ b/uffd/migrations/versions/4bd316207e59_unified_password_hashing_for_recovery_codes.py
+"""Unified password hashing for recovery codes
+
+Revision ID: 4bd316207e59
+Revises: e71e29cc605a
+Create Date: 2024-05-22 03:13:55.917641
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+revision = '4bd316207e59'
+down_revision = 'e71e29cc605a'
+branch_labels = None
+depends_on = None
+
+def upgrade():
+	meta = sa.MetaData(bind=op.get_bind())
+	mfa_method = sa.Table('mfa_method', meta,
+		sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+		sa.Column('type', sa.Enum('RECOVERY_CODE', 'TOTP', 'WEBAUTHN', name='mfatype', create_constraint=True), nullable=False),
+		sa.Column('created', sa.DateTime(), nullable=False),
+		sa.Column('name', sa.String(length=128), nullable=True),
+		sa.Column('user_id', sa.Integer(), nullable=False),
+		sa.Column('recovery_salt', sa.String(length=64), nullable=True),
+		sa.Column('recovery_hash', sa.String(length=256), nullable=True),
+		sa.Column('totp_key', sa.String(length=64), nullable=True),
+		sa.Column('totp_last_counter', sa.Integer(), nullable=True),
+		sa.Column('webauthn_cred', sa.Text(), nullable=True),
+		sa.ForeignKeyConstraint(['user_id'], ['user.id'], name=op.f('fk_mfa_method_user_id_user'), onupdate='CASCADE', ondelete='CASCADE'),
+		sa.PrimaryKeyConstraint('id', name=op.f('pk_mfa_method'))
+	)
+	# This field was already unused before the change to unified password hashing. So this is unrelated cleanup.
+	with op.batch_alter_table('mfa_method', copy_from=mfa_method) as batch_op:
+		batch_op.drop_column('recovery_salt')
+	op.execute(mfa_method.update().values(recovery_hash=('{crypt}' + mfa_method.c.recovery_hash)).where(mfa_method.c.type == 'RECOVERY_CODE'))
+
+def downgrade():
+	meta = sa.MetaData(bind=op.get_bind())
+	mfa_method = sa.Table('mfa_method', meta,
+		sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+		sa.Column('type', sa.Enum('RECOVERY_CODE', 'TOTP', 'WEBAUTHN', name='mfatype', create_constraint=True), nullable=False),
+		sa.Column('created', sa.DateTime(), nullable=False),
+		sa.Column('name', sa.String(length=128), nullable=True),
+		sa.Column('user_id', sa.Integer(), nullable=False),
+		sa.Column('recovery_hash', sa.String(length=256), nullable=True),
+		sa.Column('totp_key', sa.String(length=64), nullable=True),
+		sa.Column('totp_last_counter', sa.Integer(), nullable=True),
+		sa.Column('webauthn_cred', sa.Text(), nullable=True),
+		sa.ForeignKeyConstraint(['user_id'], ['user.id'], name=op.f('fk_mfa_method_user_id_user'), onupdate='CASCADE', ondelete='CASCADE'),
+		sa.PrimaryKeyConstraint('id', name=op.f('pk_mfa_method'))
+	)
+	with op.batch_alter_table('mfa_method', copy_from=mfa_method) as batch_op:
+		batch_op.add_column(sa.Column('recovery_salt', sa.VARCHAR(length=64), nullable=True))
+	op.execute(
+		mfa_method.delete().where(sa.and_(
+			mfa_method.c.type == 'RECOVERY_CODE',
+			sa.not_(mfa_method.c.recovery_hash.ilike('{crypt}%'))
+		))
+	)
+	op.execute(
+		mfa_method.update().values(
+			recovery_hash=sa.func.substr(mfa_method.c.recovery_hash, len('{crypt}') + 1)
+		).where(sa.and_(
+			mfa_method.c.type == 'RECOVERY_CODE',
+			mfa_method.c.recovery_hash.ilike('{crypt}%')
+		))
+	)
--- a/uffd/migrations/versions/54b2413586fd_invite_pk_change.py
+++ b/uffd/migrations/versions/54b2413586fd_invite_pk_change.py
@@ -38,10 +38,10 @@ def upgrade():
 		sa.Column('token', sa.String(length=128), nullable=False),
 		sa.Column('created', sa.DateTime(), nullable=False),
 		sa.Column('valid_until', sa.DateTime(), nullable=False),
-		sa.Column('single_use', sa.Boolean(name=op.f('ck_invite_single_use')), nullable=False),
-		sa.Column('allow_signup', sa.Boolean(name=op.f('ck_invite_allow_signup')), nullable=False),
-		sa.Column('used', sa.Boolean(name=op.f('ck_invite_used')), nullable=False),
-		sa.Column('disabled', sa.Boolean(name=op.f('ck_invite_disabled')), nullable=False),
+		sa.Column('single_use', sa.Boolean(create_constraint=True, name=op.f('ck_invite_single_use')), nullable=False),
+		sa.Column('allow_signup', sa.Boolean(create_constraint=True, name=op.f('ck_invite_allow_signup')), nullable=False),
+		sa.Column('used', sa.Boolean(create_constraint=True, name=op.f('ck_invite_used')), nullable=False),
+		sa.Column('disabled', sa.Boolean(create_constraint=True, name=op.f('ck_invite_disabled')), nullable=False),
 		sa.PrimaryKeyConstraint('token', name=op.f('pk_invite'))
 	)
 	with op.batch_alter_table('invite_grant', schema=None) as batch_op:
@@ -115,10 +115,10 @@ def downgrade():
 		sa.Column('token', sa.String(length=128), nullable=False),
 		sa.Column('created', sa.DateTime(), nullable=False),
 		sa.Column('valid_until', sa.DateTime(), nullable=False),
-		sa.Column('single_use', sa.Boolean(name=op.f('ck_invite_single_use')), nullable=False),
-		sa.Column('allow_signup', sa.Boolean(name=op.f('ck_invite_allow_signup')), nullable=False),
-		sa.Column('used', sa.Boolean(name=op.f('ck_invite_used')), nullable=False),
-		sa.Column('disabled', sa.Boolean(name=op.f('ck_invite_disabled')), nullable=False),
+		sa.Column('single_use', sa.Boolean(create_constraint=True, name=op.f('ck_invite_single_use')), nullable=False),
+		sa.Column('allow_signup', sa.Boolean(create_constraint=True, name=op.f('ck_invite_allow_signup')), nullable=False),
+		sa.Column('used', sa.Boolean(create_constraint=True, name=op.f('ck_invite_used')), nullable=False),
+		sa.Column('disabled', sa.Boolean(create_constraint=True, name=op.f('ck_invite_disabled')), nullable=False),
 		sa.PrimaryKeyConstraint('id', name=op.f('pk_invite')),
 		sa.UniqueConstraint('token', name=op.f('uq_invite_token'))
 	)

--- a/uffd/migrations/versions/704d1245331c_remailer_setting_and_api_permission.py
+++ b/uffd/migrations/versions/704d1245331c_remailer_setting_and_api_permission.py
@@ -21,19 +21,19 @@ def upgrade():
 	# table. To keep the resulting database consistent, we remove the
 	# server_default afterwards.
 	with op.batch_alter_table('api_client') as batch_op:
-		batch_op.add_column(sa.Column('perm_remailer', sa.Boolean(), nullable=False, server_default=sa.false()))
+		batch_op.add_column(sa.Column('perm_remailer', sa.Boolean(create_constraint=True), nullable=False, server_default=sa.false()))
 	with op.batch_alter_table('service') as batch_op:
-		batch_op.add_column(sa.Column('use_remailer', sa.Boolean(), nullable=False, server_default=sa.false()))
+		batch_op.add_column(sa.Column('use_remailer', sa.Boolean(create_constraint=True), nullable=False, server_default=sa.false()))
 	meta = sa.MetaData(bind=op.get_bind())
 	api_client = sa.Table('api_client', meta,
    sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
    sa.Column('service_id', sa.Integer(), nullable=False),
    sa.Column('auth_username', sa.String(length=40), nullable=False),
    sa.Column('auth_password', sa.Text(), nullable=False),
-    sa.Column('perm_users', sa.Boolean(), nullable=False),
-    sa.Column('perm_checkpassword', sa.Boolean(), nullable=False),
-    sa.Column('perm_mail_aliases', sa.Boolean(), nullable=False),
-    sa.Column('perm_remailer', sa.Boolean(), nullable=False, server_default=sa.false()),
+    sa.Column('perm_users', sa.Boolean(create_constraint=True), nullable=False),
+    sa.Column('perm_checkpassword', sa.Boolean(create_constraint=True), nullable=False),
+    sa.Column('perm_mail_aliases', sa.Boolean(create_constraint=True), nullable=False),
+    sa.Column('perm_remailer', sa.Boolean(create_constraint=True), nullable=False, server_default=sa.false()),
    sa.ForeignKeyConstraint(['service_id'], ['service.id'], name=op.f('fk_api_client_service_id_service'), onupdate='CASCADE', ondelete='CASCADE'),
    sa.PrimaryKeyConstraint('id', name=op.f('pk_api_client')),
    sa.UniqueConstraint('auth_username', name=op.f('uq_api_client_auth_username'))
@@ -41,9 +41,9 @@ def upgrade():
 	service = sa.Table('service', meta,
    sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.Column('limit_access', sa.Boolean(), nullable=False),
+    sa.Column('limit_access', sa.Boolean(create_constraint=True), nullable=False),
    sa.Column('access_group_id', sa.Integer(), nullable=True),
-    sa.Column('use_remailer', sa.Boolean(), nullable=False, server_default=sa.false()),
+    sa.Column('use_remailer', sa.Boolean(create_constraint=True), nullable=False, server_default=sa.false()),
    sa.ForeignKeyConstraint(['access_group_id'], ['group.id'], name=op.f('fk_service_access_group_id_group'), onupdate='CASCADE', ondelete='SET NULL'),
    sa.PrimaryKeyConstraint('id', name=op.f('pk_service')),
    sa.UniqueConstraint('name', name=op.f('uq_service_name'))
@@ -60,10 +60,10 @@ def downgrade():
    sa.Column('service_id', sa.Integer(), nullable=False),
    sa.Column('auth_username', sa.String(length=40), nullable=False),
    sa.Column('auth_password', sa.Text(), nullable=False),
-    sa.Column('perm_users', sa.Boolean(), nullable=False),
-    sa.Column('perm_checkpassword', sa.Boolean(), nullable=False),
-    sa.Column('perm_mail_aliases', sa.Boolean(), nullable=False),
-    sa.Column('perm_remailer', sa.Boolean(), nullable=False),
+    sa.Column('perm_users', sa.Boolean(create_constraint=True), nullable=False),
+    sa.Column('perm_checkpassword', sa.Boolean(create_constraint=True), nullable=False),
+    sa.Column('perm_mail_aliases', sa.Boolean(create_constraint=True), nullable=False),
+    sa.Column('perm_remailer', sa.Boolean(create_constraint=True), nullable=False),
    sa.ForeignKeyConstraint(['service_id'], ['service.id'], name=op.f('fk_api_client_service_id_service'), onupdate='CASCADE', ondelete='CASCADE'),
    sa.PrimaryKeyConstraint('id', name=op.f('pk_api_client')),
    sa.UniqueConstraint('auth_username', name=op.f('uq_api_client_auth_username'))
@@ -71,9 +71,9 @@ def downgrade():
 	service = sa.Table('service', meta,
    sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
    sa.Column('name', sa.String(length=255), nullable=False),
-    sa.Column('limit_access', sa.Boolean(), nullable=False),
+    sa.Column('limit_access', sa.Boolean(create_constraint=True), nullable=False),
    sa.Column('access_group_id', sa.Integer(), nullable=True),
-    sa.Column('use_remailer', sa.Boolean(), nullable=False),
+    sa.Column('use_remailer', sa.Boolean(create_constraint=True), nullable=False),
    sa.ForeignKeyConstraint(['access_group_id'], ['group.id'], name=op.f('fk_service_access_group_id_group'), onupdate='CASCADE', ondelete='SET NULL'),
    sa.PrimaryKeyConstraint('id', name=op.f('pk_service')),
    sa.UniqueConstraint('name', name=op.f('uq_service_name'))

--- a/uffd/migrations/versions/878b25c4fae7_ldap_to_db.py
+++ b/uffd/migrations/versions/878b25c4fae7_ldap_to_db.py
@@ -205,7 +205,7 @@ def upgrade():
 		sa.Column('displayname', sa.String(length=128), nullable=False),
 		sa.Column('mail', sa.String(length=128), nullable=False),
 		sa.Column('pwhash', sa.String(length=256), nullable=True),
-		sa.Column('is_service_user', sa.Boolean(name=op.f('ck_user_is_service_user')), nullable=False),
+		sa.Column('is_service_user', sa.Boolean(create_constraint=True, name=op.f('ck_user_is_service_user')), nullable=False),
 		sa.PrimaryKeyConstraint('id', name=op.f('pk_user')),
 		sa.UniqueConstraint('loginname', name=op.f('uq_user_loginname')),
 		sa.UniqueConstraint('unix_uid', name=op.f('uq_user_unix_uid'))
@@ -337,10 +337,10 @@ def upgrade():
 		sa.Column('creator_id', sa.Integer(), nullable=True),
 		sa.Column('creator_dn', sa.String(length=128), nullable=True),
 		sa.Column('valid_until', sa.DateTime(), nullable=False),
-		sa.Column('single_use', sa.Boolean(name=op.f('ck_invite_single_use')), nullable=False),
-		sa.Column('allow_signup', sa.Boolean(name=op.f('ck_invite_allow_signup')), nullable=False),
-		sa.Column('used', sa.Boolean(name=op.f('ck_invite_used')), nullable=False),
-		sa.Column('disabled', sa.Boolean(name=op.f('ck_invite_disabled')), nullable=False),
+		sa.Column('single_use', sa.Boolean(create_constraint=True, name=op.f('ck_invite_single_use')), nullable=False),
+		sa.Column('allow_signup', sa.Boolean(create_constraint=True, name=op.f('ck_invite_allow_signup')), nullable=False),
+		sa.Column('used', sa.Boolean(create_constraint=True, name=op.f('ck_invite_used')), nullable=False),
+		sa.Column('disabled', sa.Boolean(create_constraint=True, name=op.f('ck_invite_disabled')), nullable=False),
 		sa.ForeignKeyConstraint(['creator_id'], ['user.id'], name=op.f('fk_invite_creator_id_user'), onupdate='CASCADE'),
 		sa.PrimaryKeyConstraint('id', name=op.f('pk_invite')),
 		sa.UniqueConstraint('token', name=op.f('uq_invite_token'))
@@ -373,7 +373,7 @@ def upgrade():
 		batch_op.create_foreign_key(batch_op.f('fk_mfa_method_user_id_user'), 'user', ['user_id'], ['id'])
 	mfa_method = sa.Table('mfa_method', meta,
 		sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
-		sa.Column('type', sa.Enum('RECOVERY_CODE', 'TOTP', 'WEBAUTHN', name='ck_mfa_method_type'), nullable=True),
+		sa.Column('type', sa.Enum('RECOVERY_CODE', 'TOTP', 'WEBAUTHN', create_constraint=True, name='ck_mfa_method_type'), nullable=True),
 		sa.Column('created', sa.DateTime(), nullable=True),
 		sa.Column('name', sa.String(length=128), nullable=True),
 		sa.Column('user_id', sa.Integer(), nullable=True),
@@ -390,7 +390,7 @@ def upgrade():
 	with op.batch_alter_table('mfa_method', copy_from=mfa_method) as batch_op:
 		batch_op.alter_column('user_id', nullable=False, existing_type=sa.Integer())
 		batch_op.alter_column('created', existing_type=sa.DateTime(), nullable=False)
-		batch_op.alter_column('type', existing_type=sa.Enum('RECOVERY_CODE', 'TOTP', 'WEBAUTHN', name='ck_mfa_method_type'), nullable=False)
+		batch_op.alter_column('type', existing_type=sa.Enum('RECOVERY_CODE', 'TOTP', 'WEBAUTHN', create_constraint=True, name='ck_mfa_method_type'), nullable=False)
 		batch_op.drop_constraint('fk_mfa_method_user_id_user', type_='foreignkey')
 		batch_op.create_foreign_key(batch_op.f('fk_mfa_method_user_id_user'), 'user', ['user_id'], ['id'], onupdate='CASCADE', ondelete='CASCADE')
 		batch_op.drop_column('dn')
@@ -457,8 +457,8 @@ def upgrade():
 		sa.Column('description', sa.Text(), nullable=True),
 		sa.Column('moderator_group_id', sa.Integer(), nullable=True),
 		sa.Column('moderator_group_dn', sa.String(length=128), nullable=True),
-		sa.Column('locked', sa.Boolean(name=op.f('ck_role_locked')), nullable=False),
-		sa.Column('is_default', sa.Boolean(name=op.f('ck_role_is_default')), nullable=False),
+		sa.Column('locked', sa.Boolean(create_constraint=True, name=op.f('ck_role_locked')), nullable=False),
+		sa.Column('is_default', sa.Boolean(create_constraint=True, name=op.f('ck_role_is_default')), nullable=False),
 		sa.PrimaryKeyConstraint('id', name=op.f('pk_role')),
 		sa.UniqueConstraint('name', name=op.f('uq_role_name'))
 	)
@@ -630,7 +630,7 @@ def downgrade():
 		sa.Column('displayname', sa.String(length=128), nullable=False),
 		sa.Column('mail', sa.String(length=128), nullable=False),
 		sa.Column('pwhash', sa.String(length=256), nullable=True),
-		sa.Column('is_service_user', sa.Boolean(name=op.f('ck_user_is_service_user')), nullable=False),
+		sa.Column('is_service_user', sa.Boolean(create_constraint=True, name=op.f('ck_user_is_service_user')), nullable=False),
 		sa.PrimaryKeyConstraint('id', name=op.f('pk_user')),
 		sa.UniqueConstraint('loginname', name=op.f('uq_user_loginname')),
 		sa.UniqueConstraint('unix_uid', name=op.f('uq_user_unix_uid'))
@@ -742,8 +742,8 @@ def downgrade():
 		sa.Column('description', sa.Text(), nullable=True),
 		sa.Column('moderator_group_id', sa.Integer(), nullable=True),
 		sa.Column('moderator_group_dn', sa.String(length=128), nullable=True),
-		sa.Column('locked', sa.Boolean(name=op.f('ck_role_locked')), nullable=False),
-		sa.Column('is_default', sa.Boolean(name=op.f('ck_role_is_default')), nullable=False),
+		sa.Column('locked', sa.Boolean(create_constraint=True, name=op.f('ck_role_locked')), nullable=False),
+		sa.Column('is_default', sa.Boolean(create_constraint=True, name=op.f('ck_role_is_default')), nullable=False),
 		sa.ForeignKeyConstraint(['moderator_group_id'], ['group.id'], name=op.f('fk_role_moderator_group_id_group'), onupdate='CASCADE', ondelete='SET NULL'),
 		sa.PrimaryKeyConstraint('id', name=op.f('pk_role')),
 		sa.UniqueConstraint('name', name=op.f('uq_role_name'))
@@ -813,7 +813,7 @@ def downgrade():
 		batch_op.add_column(sa.Column('dn', sa.String(length=128), nullable=True))
 	mfa_method = sa.Table('mfa_method', meta,
 		sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
-		sa.Column('type', sa.Enum('RECOVERY_CODE', 'TOTP', 'WEBAUTHN', name='ck_mfa_method_type'), nullable=False),
+		sa.Column('type', sa.Enum('RECOVERY_CODE', 'TOTP', 'WEBAUTHN', create_constraint=True, name='ck_mfa_method_type'), nullable=False),
 		sa.Column('created', sa.DateTime(), nullable=False),
 		sa.Column('name', sa.String(length=128), nullable=True),
 		sa.Column('user_id', sa.Integer(), nullable=False),
@@ -829,7 +829,7 @@ def downgrade():
 	op.execute(mfa_method.delete().where(mfa_method.c.dn==None))
 	with op.batch_alter_table('mfa_method', copy_from=mfa_method) as batch_op:
 		batch_op.drop_constraint('fk_mfa_method_user_id_user', 'foreignkey')
-		batch_op.alter_column('type', existing_type=sa.Enum('RECOVERY_CODE', 'TOTP', 'WEBAUTHN', name='ck_mfa_method_type'), nullable=True)
+		batch_op.alter_column('type', existing_type=sa.Enum('RECOVERY_CODE', 'TOTP', 'WEBAUTHN', create_constraint=True, name='ck_mfa_method_type'), nullable=True)
 		batch_op.alter_column('created', existing_type=sa.DateTime(), nullable=True)
 		batch_op.drop_column('user_id')

@@ -861,10 +861,10 @@ def downgrade():
 		sa.Column('creator_id', sa.Integer(), nullable=True),
 		sa.Column('creator_dn', sa.String(length=128), nullable=True),
 		sa.Column('valid_until', sa.DateTime(), nullable=False),
-		sa.Column('single_use', sa.Boolean(name=op.f('ck_invite_single_use')), nullable=False),
-		sa.Column('allow_signup', sa.Boolean(name=op.f('ck_invite_allow_signup')), nullable=False),
-		sa.Column('used', sa.Boolean(name=op.f('ck_invite_used')), nullable=False),
-		sa.Column('disabled', sa.Boolean(name=op.f('ck_invite_disabled')), nullable=False),
+		sa.Column('single_use', sa.Boolean(create_constraint=True, name=op.f('ck_invite_single_use')), nullable=False),
+		sa.Column('allow_signup', sa.Boolean(create_constraint=True, name=op.f('ck_invite_allow_signup')), nullable=False),
+		sa.Column('used', sa.Boolean(create_constraint=True, name=op.f('ck_invite_used')), nullable=False),
+		sa.Column('disabled', sa.Boolean(create_constraint=True, name=op.f('ck_invite_disabled')), nullable=False),
 		sa.ForeignKeyConstraint(['creator_id'], ['user.id'], name=op.f('fk_invite_creator_id_user')),
 		sa.PrimaryKeyConstraint('id', name=op.f('pk_invite')),
 		sa.UniqueConstraint('token', name=op.f('uq_invite_token'))

--- a/uffd/migrations/versions/87cb93a329bf_server_side_sessions.py
+++ b/uffd/migrations/versions/87cb93a329bf_server_side_sessions.py
+"""Server-side sessions
+
+Revision ID: 87cb93a329bf
+Revises: 01fdd7820f29
+Create Date: 2024-03-23 23:57:44.019456
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+revision = '87cb93a329bf'
+down_revision = '01fdd7820f29'
+branch_labels = None
+depends_on = None
+
+def upgrade():
+	op.create_table('session',
+		sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+		sa.Column('secret', sa.Text(), nullable=True),
+		sa.Column('user_id', sa.Integer(), nullable=False),
+		sa.Column('created', sa.DateTime(), nullable=False),
+		sa.Column('last_used', sa.DateTime(), nullable=False),
+		sa.Column('user_agent', sa.Text(), nullable=False),
+		sa.Column('ip_address', sa.Text(), nullable=True),
+		sa.Column('mfa_done', sa.Boolean(create_constraint=True), nullable=False),
+		sa.ForeignKeyConstraint(['user_id'], ['user.id'], name=op.f('fk_session_user_id_user'), onupdate='CASCADE', ondelete='CASCADE'),
+		sa.PrimaryKeyConstraint('id', name=op.f('pk_session'))
+	)
+
+def downgrade():
+	op.drop_table('session')
--- a/uffd/migrations/versions/99df71f0f4a0_migrate_device_login_from_user_to_session.py
+++ b/uffd/migrations/versions/99df71f0f4a0_migrate_device_login_from_user_to_session.py
+"""Migrate device login from user to session
+
+Revision ID: 99df71f0f4a0
+Revises: 87cb93a329bf
+Create Date: 2024-05-18 16:41:33.923207
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+revision = '99df71f0f4a0'
+down_revision = '87cb93a329bf'
+branch_labels = None
+depends_on = None
+
+def upgrade():
+	op.drop_table('device_login_confirmation')
+	op.create_table('device_login_confirmation',
+		sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+		sa.Column('initiation_id', sa.Integer(), nullable=False),
+		sa.Column('session_id', sa.Integer(), nullable=False),
+		sa.Column('code0', sa.String(length=32), nullable=False),
+		sa.Column('code1', sa.String(length=32), nullable=False),
+		sa.ForeignKeyConstraint(['initiation_id'], ['device_login_initiation.id'], name='fk_device_login_confirmation_initiation_id_', onupdate='CASCADE', ondelete='CASCADE'),
+		sa.ForeignKeyConstraint(['session_id'], ['session.id'], name=op.f('fk_device_login_confirmation_session_id_session'), onupdate='CASCADE', ondelete='CASCADE'),
+		sa.PrimaryKeyConstraint('id', name=op.f('pk_device_login_confirmation')),
+		sa.UniqueConstraint('initiation_id', 'code0', name='uq_device_login_confirmation_initiation_id_code0'),
+		sa.UniqueConstraint('initiation_id', 'code1', name='uq_device_login_confirmation_initiation_id_code1'),
+		sa.UniqueConstraint('session_id', name=op.f('uq_device_login_confirmation_session_id'))
+	)
+
+def downgrade():
+	# We don't drop and recreate the table here to improve fuzzy migration test coverage
+	with op.batch_alter_table('device_login_confirmation', schema=None) as batch_op:
+		batch_op.add_column(sa.Column('user_id', sa.Integer(), nullable=True))
+	meta = sa.MetaData(bind=op.get_bind())
+	device_login_confirmation = sa.Table('device_login_confirmation', meta,
+		sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+		sa.Column('initiation_id', sa.Integer(), nullable=False),
+		sa.Column('session_id', sa.Integer(), nullable=False),
+		sa.Column('user_id', sa.Integer(), nullable=True),
+		sa.Column('code0', sa.String(length=32), nullable=False),
+		sa.Column('code1', sa.String(length=32), nullable=False),
+		sa.ForeignKeyConstraint(['initiation_id'], ['device_login_initiation.id'], name='fk_device_login_confirmation_initiation_id_', onupdate='CASCADE', ondelete='CASCADE'),
+		sa.ForeignKeyConstraint(['session_id'], ['session.id'], name=op.f('fk_device_login_confirmation_session_id_session'), onupdate='CASCADE', ondelete='CASCADE'),
+		sa.PrimaryKeyConstraint('id', name=op.f('pk_device_login_confirmation')),
+		sa.UniqueConstraint('initiation_id', 'code0', name='uq_device_login_confirmation_initiation_id_code0'),
+		sa.UniqueConstraint('initiation_id', 'code1', name='uq_device_login_confirmation_initiation_id_code1'),
+		sa.UniqueConstraint('session_id', name=op.f('uq_device_login_confirmation_session_id'))
+	)
+	session = sa.table('session',
+		sa.column('id', sa.Integer),
+		sa.column('user_id', sa.Integer()),
+	)
+	op.execute(device_login_confirmation.update().values(user_id=sa.select([session.c.user_id]).where(device_login_confirmation.c.session_id==session.c.id).as_scalar()))
+	op.execute(device_login_confirmation.delete().where(device_login_confirmation.c.user_id==None))
+	with op.batch_alter_table('device_login_confirmation', copy_from=device_login_confirmation) as batch_op:
+		batch_op.alter_column('user_id', nullable=False, existing_type=sa.Integer())
+		batch_op.create_foreign_key('fk_device_login_confirmation_user_id_user', 'user', ['user_id'], ['id'], onupdate='CASCADE', ondelete='CASCADE')
+		batch_op.create_unique_constraint('uq_device_login_confirmation_user_id', ['user_id'])
+		batch_op.drop_constraint(batch_op.f('fk_device_login_confirmation_session_id_session'), type_='foreignkey')
+		batch_op.drop_constraint(batch_op.f('uq_device_login_confirmation_session_id'), type_='unique')
+		batch_op.drop_column('session_id')
--- a/uffd/migrations/versions/a29870f95175_initial_migration.py
+++ b/uffd/migrations/versions/a29870f95175_initial_migration.py
@@ -21,10 +21,10 @@ def upgrade():
    sa.Column('token', sa.String(length=128), nullable=False),
    sa.Column('created', sa.DateTime(), nullable=False),
    sa.Column('valid_until', sa.DateTime(), nullable=False),
-    sa.Column('single_use', sa.Boolean(), nullable=False),
-    sa.Column('allow_signup', sa.Boolean(), nullable=False),
-    sa.Column('used', sa.Boolean(), nullable=False),
-    sa.Column('disabled', sa.Boolean(), nullable=False),
+    sa.Column('single_use', sa.Boolean(create_constraint=True), nullable=False),
+    sa.Column('allow_signup', sa.Boolean(create_constraint=True), nullable=False),
+    sa.Column('used', sa.Boolean(create_constraint=True), nullable=False),
+    sa.Column('disabled', sa.Boolean(create_constraint=True), nullable=False),
    sa.PrimaryKeyConstraint('token')
    )
    op.create_table('mailToken',
@@ -36,7 +36,7 @@ def upgrade():
    )
    op.create_table('mfa_method',
    sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
-    sa.Column('type', sa.Enum('RECOVERY_CODE', 'TOTP', 'WEBAUTHN', name='mfatype'), nullable=True),
+    sa.Column('type', sa.Enum('RECOVERY_CODE', 'TOTP', 'WEBAUTHN', create_constraint=True, name='mfatype'), nullable=True),
    sa.Column('created', sa.DateTime(), nullable=True),
    sa.Column('name', sa.String(length=128), nullable=True),
    sa.Column('dn', sa.String(length=128), nullable=True),

--- a/uffd/migrations/versions/a594d3b3e05b_added_role_locked.py
+++ b/uffd/migrations/versions/a594d3b3e05b_added_role_locked.py
@@ -16,8 +16,20 @@ depends_on = None

 def upgrade():
 	with op.batch_alter_table('role', schema=None) as batch_op:
-		batch_op.add_column(sa.Column('locked', sa.Boolean(name=op.f('ck_role_locked')), nullable=False, default=False))
+		batch_op.add_column(sa.Column('locked', sa.Boolean(create_constraint=True, name=op.f('ck_role_locked')), nullable=False, default=False))

 def downgrade():
-	with op.batch_alter_table('role', schema=None) as batch_op:
+	meta = sa.MetaData(bind=op.get_bind())
+	table = sa.Table('role', meta,
+		sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+		sa.Column('name', sa.String(length=32), nullable=True),
+		sa.Column('description', sa.Text(), nullable=True),
+		sa.Column('moderator_group_dn', sa.String(length=128), nullable=True),
+		sa.Column('locked', sa.Boolean(create_constraint=False), nullable=False),
+		sa.CheckConstraint('locked IN (0, 1)', name=op.f('ck_role_locked')),
+		sa.PrimaryKeyConstraint('id', name=op.f('pk_role')),
+		sa.UniqueConstraint('name', name=op.f('uq_role_name'))
+	)
+	with op.batch_alter_table('role', copy_from=table) as batch_op:
+		batch_op.drop_constraint(op.f('ck_role_locked'), 'check')
 		batch_op.drop_column('locked')
--- a/uffd/migrations/versions/a60ce68b9214_fix_not_null_on_role_groups_group_id.py
+++ b/uffd/migrations/versions/a60ce68b9214_fix_not_null_on_role_groups_group_id.py
@@ -22,7 +22,7 @@ def upgrade():
 	role_groups = sa.Table('role_groups', meta,
 		sa.Column('role_id', sa.Integer(), nullable=False),
 		sa.Column('group_id', sa.Integer(), nullable=True),
-		sa.Column('requires_mfa', sa.Boolean(), nullable=False),
+		sa.Column('requires_mfa', sa.Boolean(create_constraint=True), nullable=False),
 		sa.ForeignKeyConstraint(['group_id'], ['group.id'], name=op.f('fk_role_groups_group_id_group'), onupdate='CASCADE', ondelete='CASCADE'),
 		sa.ForeignKeyConstraint(['role_id'], ['role.id'], name=op.f('fk_role_groups_role_id_role'), onupdate='CASCADE', ondelete='CASCADE'),
 		sa.PrimaryKeyConstraint('role_id', 'group_id', name=op.f('pk_role_groups'))
@@ -35,7 +35,7 @@ def downgrade():
 	role_groups = sa.Table('role_groups', meta,
 		sa.Column('role_id', sa.Integer(), nullable=False),
 		sa.Column('group_id', sa.Integer(), nullable=False),
-		sa.Column('requires_mfa', sa.Boolean(), nullable=False),
+		sa.Column('requires_mfa', sa.Boolean(create_constraint=True), nullable=False),
 		sa.ForeignKeyConstraint(['group_id'], ['group.id'], name=op.f('fk_role_groups_group_id_group'), onupdate='CASCADE', ondelete='CASCADE'),
 		sa.ForeignKeyConstraint(['role_id'], ['role.id'], name=op.f('fk_role_groups_role_id_role'), onupdate='CASCADE', ondelete='CASCADE'),
 		sa.PrimaryKeyConstraint('role_id', 'group_id', name=op.f('pk_role_groups'))

--- a/uffd/migrations/versions/a8c6b6e91c28_device_login.py
+++ b/uffd/migrations/versions/a8c6b6e91c28_device_login.py
@@ -17,7 +17,7 @@ depends_on = None
 def upgrade():
 	op.create_table('device_login_initiation',
 		sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
-		sa.Column('type', sa.Enum('OAUTH2', name='devicelogintype'), nullable=False),
+		sa.Column('type', sa.Enum('OAUTH2', create_constraint=True, name='devicelogintype'), nullable=False),
 		sa.Column('code0', sa.String(length=32), nullable=False),
 		sa.Column('code1', sa.String(length=32), nullable=False),
 		sa.Column('secret', sa.String(length=128), nullable=False),
No results found