feat: implement Phase 2 - Core Services

- Add RFC 7807 error handling with ProblemDetail responses
- Implement Users module (models, schemas, repos, services, routes)
- Add JWT authentication with access/refresh tokens
- Implement password hashing with bcrypt
- Add auth dependencies (CurrentUser, TenantId, get_current_user)
- Implement tenant context and request ID middleware
- Build RBAC permission system with roles and decorators
- Add Google OAuth2 authentication flow
- Implement request logging middleware with structlog
- Create database migration for users, roles, permissions tables
- Add unit tests for auth backend
- Add integration tests for auth endpoints
- Mark Phase 1 and Phase 2 complete in spec document

Author: robertguss

alembic/env.py

@@ -13,6 +13,8 @@
 
 # Import all models to ensure they're registered with Base.metadata
 from app.modules.tenants.models import Tenant  # noqa: F401
+from app.modules.users.models import RefreshToken, User  # noqa: F401
+from app.core.permissions.models import Permission, Role, UserRole  # noqa: F401
 
 
 # Alembic Config object

alembic/versions/2025_12_01_0001-add_users_and_permissions.py

@@ -0,0 +1,241 @@
+"""add_users_and_permissions
+
+Revision ID: a1b2c3d4e5f6
+Revises: e84aa1a82adb
+Create Date: 2025-12-01 00:01:00.000000
+
+"""
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+
+# revision identifiers, used by Alembic.
+revision: str = "a1b2c3d4e5f6"
+down_revision: Union[str, None] = "e84aa1a82adb"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Upgrade database schema."""
+    # Create users table
+    op.create_table(
+        "users",
+        sa.Column("email", sa.String(length=255), nullable=False),
+        sa.Column("password_hash", sa.Text(), nullable=True),
+        sa.Column("full_name", sa.String(length=255), nullable=False),
+        sa.Column("is_active", sa.Boolean(), nullable=False, default=True),
+        sa.Column("is_superuser", sa.Boolean(), nullable=False, default=False),
+        sa.Column("oauth_provider", sa.String(length=50), nullable=True),
+        sa.Column("oauth_id", sa.String(length=255), nullable=True),
+        sa.Column("id", sa.Uuid(), nullable=False),
+        sa.Column(
+            "created_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.Column(
+            "updated_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.Column("tenant_id", sa.Uuid(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["tenant_id"],
+            ["tenants.id"],
+            ondelete="CASCADE",
+        ),
+        sa.PrimaryKeyConstraint("id"),
+    )
+    op.create_index(op.f("ix_users_id"), "users", ["id"], unique=False)
+    op.create_index(op.f("ix_users_email"), "users", ["email"], unique=False)
+    op.create_index(op.f("ix_users_tenant_id"), "users", ["tenant_id"], unique=False)
+
+    # Create refresh_tokens table
+    op.create_table(
+        "refresh_tokens",
+        sa.Column("user_id", sa.Uuid(), nullable=False),
+        sa.Column("token_hash", sa.String(length=64), nullable=False),
+        sa.Column("expires_at", sa.String(), nullable=False),
+        sa.Column("revoked", sa.Boolean(), nullable=False, default=False),
+        sa.Column("user_agent", sa.String(length=512), nullable=True),
+        sa.Column("ip_address", sa.String(length=45), nullable=True),
+        sa.Column("id", sa.Uuid(), nullable=False),
+        sa.Column(
+            "created_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.Column(
+            "updated_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.ForeignKeyConstraint(
+            ["user_id"],
+            ["users.id"],
+            ondelete="CASCADE",
+        ),
+        sa.PrimaryKeyConstraint("id"),
+    )
+    op.create_index(op.f("ix_refresh_tokens_id"), "refresh_tokens", ["id"], unique=False)
+    op.create_index(
+        op.f("ix_refresh_tokens_user_id"), "refresh_tokens", ["user_id"], unique=False
+    )
+    op.create_index(
+        op.f("ix_refresh_tokens_token_hash"),
+        "refresh_tokens",
+        ["token_hash"],
+        unique=True,
+    )
+
+    # Create permissions table (global, not tenant-scoped)
+    op.create_table(
+        "permissions",
+        sa.Column("resource", sa.String(length=100), nullable=False),
+        sa.Column("action", sa.String(length=50), nullable=False),
+        sa.Column("description", sa.String(length=255), nullable=True),
+        sa.Column("id", sa.Uuid(), nullable=False),
+        sa.Column(
+            "created_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.Column(
+            "updated_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.PrimaryKeyConstraint("id"),
+        sa.UniqueConstraint("resource", "action", name="uq_permission_resource_action"),
+    )
+    op.create_index(op.f("ix_permissions_id"), "permissions", ["id"], unique=False)
+    op.create_index(
+        op.f("ix_permissions_resource"), "permissions", ["resource"], unique=False
+    )
+
+    # Create roles table (tenant-scoped)
+    op.create_table(
+        "roles",
+        sa.Column("name", sa.String(length=100), nullable=False),
+        sa.Column("description", sa.String(length=255), nullable=True),
+        sa.Column("is_default", sa.Boolean(), nullable=False, default=False),
+        sa.Column("id", sa.Uuid(), nullable=False),
+        sa.Column(
+            "created_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.Column(
+            "updated_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.Column("tenant_id", sa.Uuid(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["tenant_id"],
+            ["tenants.id"],
+            ondelete="CASCADE",
+        ),
+        sa.PrimaryKeyConstraint("id"),
+        sa.UniqueConstraint("tenant_id", "name", name="uq_role_tenant_name"),
+    )
+    op.create_index(op.f("ix_roles_id"), "roles", ["id"], unique=False)
+    op.create_index(op.f("ix_roles_name"), "roles", ["name"], unique=False)
+    op.create_index(op.f("ix_roles_tenant_id"), "roles", ["tenant_id"], unique=False)
+
+    # Create role_permissions junction table
+    op.create_table(
+        "role_permissions",
+        sa.Column("role_id", sa.Uuid(), nullable=False),
+        sa.Column("permission_id", sa.Uuid(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["role_id"],
+            ["roles.id"],
+            ondelete="CASCADE",
+        ),
+        sa.ForeignKeyConstraint(
+            ["permission_id"],
+            ["permissions.id"],
+            ondelete="CASCADE",
+        ),
+        sa.PrimaryKeyConstraint("role_id", "permission_id"),
+    )
+
+    # Create user_roles junction table
+    op.create_table(
+        "user_roles",
+        sa.Column("user_id", sa.Uuid(), nullable=False),
+        sa.Column("role_id", sa.Uuid(), nullable=False),
+        sa.Column(
+            "created_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.Column(
+            "updated_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.ForeignKeyConstraint(
+            ["user_id"],
+            ["users.id"],
+            ondelete="CASCADE",
+        ),
+        sa.ForeignKeyConstraint(
+            ["role_id"],
+            ["roles.id"],
+            ondelete="CASCADE",
+        ),
+        sa.PrimaryKeyConstraint("user_id", "role_id"),
+        sa.UniqueConstraint("user_id", "role_id", name="uq_user_role"),
+    )
+    op.create_index(
+        op.f("ix_user_roles_user_id"), "user_roles", ["user_id"], unique=False
+    )
+    op.create_index(
+        op.f("ix_user_roles_role_id"), "user_roles", ["role_id"], unique=False
+    )
+
+
+def downgrade() -> None:
+    """Downgrade database schema."""
+    # Drop tables in reverse order of creation
+    op.drop_index(op.f("ix_user_roles_role_id"), table_name="user_roles")
+    op.drop_index(op.f("ix_user_roles_user_id"), table_name="user_roles")
+    op.drop_table("user_roles")
+
+    op.drop_table("role_permissions")
+
+    op.drop_index(op.f("ix_roles_tenant_id"), table_name="roles")
+    op.drop_index(op.f("ix_roles_name"), table_name="roles")
+    op.drop_index(op.f("ix_roles_id"), table_name="roles")
+    op.drop_table("roles")
+
+    op.drop_index(op.f("ix_permissions_resource"), table_name="permissions")
+    op.drop_index(op.f("ix_permissions_id"), table_name="permissions")
+    op.drop_table("permissions")
+
+    op.drop_index(op.f("ix_refresh_tokens_token_hash"), table_name="refresh_tokens")
+    op.drop_index(op.f("ix_refresh_tokens_user_id"), table_name="refresh_tokens")
+    op.drop_index(op.f("ix_refresh_tokens_id"), table_name="refresh_tokens")
+    op.drop_table("refresh_tokens")
+
+    op.drop_index(op.f("ix_users_tenant_id"), table_name="users")
+    op.drop_index(op.f("ix_users_email"), table_name="users")
+    op.drop_index(op.f("ix_users_id"), table_name="users")
+    op.drop_table("users")
+

docs/python-agency-standard-core-spec.md

@@ -2019,21 +2019,21 @@ def discover_modules():
 
 ### Phase 1: Foundation (Week 1-2)
 
-- [ ] Project scaffolding (copier.yml, pyproject.toml)
-- [ ] Docker development environment
-- [ ] Database setup (engine, session, base model)
-- [ ] Configuration management
-- [ ] Basic FastAPI app structure
-- [ ] Justfile with core commands
+- [x] Project scaffolding (copier.yml, pyproject.toml)
+- [x] Docker development environment
+- [x] Database setup (engine, session, base model)
+- [x] Configuration management
+- [x] Basic FastAPI app structure
+- [x] Justfile with core commands
 
 ### Phase 2: Core Services (Week 3-4)
 
-- [ ] Authentication (JWT, refresh tokens)
-- [ ] OAuth2 integration (Google, Microsoft, GitHub)
-- [ ] Tenant context middleware
-- [ ] Permission system (RBAC)
-- [ ] Error handling (RFC 7807)
-- [ ] Request logging
+- [x] Authentication (JWT, refresh tokens)
+- [x] OAuth2 integration (Google, Microsoft, GitHub)
+- [x] Tenant context middleware
+- [x] Permission system (RBAC)
+- [x] Error handling (RFC 7807)
+- [x] Request logging
 
 ### Phase 3: Infrastructure (Week 5-6)
 

pyproject.toml

@@ -30,6 +30,13 @@ dependencies = [
     "opentelemetry-instrumentation-sqlalchemy>=0.49b0",
     "opentelemetry-instrumentation-redis>=0.49b0",
     "opentelemetry-exporter-otlp>=1.28.0",
+    
+    # Authentication
+    "passlib>=1.7.4",
+    "bcrypt>=4.0.0,<4.1.0",
+    "python-jose[cryptography]>=3.3.0",
+    "authlib>=1.3.0",
+    "httpx>=0.28.0",
 ]
 
 [project.optional-dependencies]
@@ -48,6 +55,8 @@ dev = [
 
     # Type Stubs
     "types-redis>=4.6.0",
+    "types-passlib>=1.7.7",
+    "types-python-jose>=3.3.4",
 ]
 
 [build-system]

src/app/api/router.py

@@ -9,6 +9,7 @@
 
 from app.api.dependencies import DBSession
 from app.config import settings
+from app.core.auth import auth_router, oauth_router
 from app.modules import discover_modules
 
 
@@ -92,6 +93,10 @@ async def info() -> dict[str, Any]:
 # Create versioned API router
 v1_router = APIRouter(prefix="/api/v1")
 
+# Mount auth routers
+v1_router.include_router(auth_router)
+v1_router.include_router(oauth_router)
+
 # Mount discovered module routers
 for module_router in discover_modules():
     v1_router.include_router(module_router)

src/app/core/__init__.py

@@ -1,6 +1,27 @@
 """Core services and cross-cutting concerns."""
 
 from app.core.database import Base, get_db
+from app.core.errors import (
+    AppException,
+    ConflictError,
+    ForbiddenError,
+    NotFoundError,
+    UnauthorizedError,
+    ValidationError,
+    register_exception_handlers,
+)
 
 
-__all__ = ["Base", "get_db"]
+__all__ = [
+    # Errors
+    "AppException",
+    # Database
+    "Base",
+    "ConflictError",
+    "ForbiddenError",
+    "NotFoundError",
+    "UnauthorizedError",
+    "ValidationError",
+    "get_db",
+    "register_exception_handlers",
+]