implement initial backend structure with authentication, user management, and database integration

backend/app/services/users.py

@@ -0,0 +1,86 @@
+"""User management service: CRUD helpers against DuckDB."""
+from typing import Any
+
+from backend.app.db import get_conn, get_write_lock
+from backend.app.services.auth import hash_password
+
+
+async def get_user(user_id: str) -> dict[str, Any] | None:
+    conn = get_conn()
+    row = conn.execute(
+        "SELECT id, email, role FROM users WHERE id = ?", [user_id]
+    ).fetchone()
+    if row is None:
+        return None
+    return {"id": str(row[0]), "email": row[1], "role": row[2]}
+
+
+async def list_users() -> list[dict[str, Any]]:
+    conn = get_conn()
+    rows = conn.execute(
+        "SELECT id, email, role FROM users ORDER BY email").fetchall()
+    return [{"id": str(r[0]), "email": r[1], "role": r[2]} for r in rows]
+
+
+async def update_user(
+    user_id: str,
+    email: str | None = None,
+    password: str | None = None,
+) -> dict[str, Any] | None:
+    """Update email and/or password. Returns updated user or None if not found."""
+    conn = get_conn()
+    lock = get_write_lock()
+
+    if email is None and password is None:
+        return await get_user(user_id)
+
+    async with lock:
+        if email is not None:
+            existing = conn.execute(
+                "SELECT id FROM users WHERE email = ? AND id != ?", [
+                    email, user_id]
+            ).fetchone()
+            if existing:
+                raise ValueError("Email already in use.")
+            conn.execute(
+                "UPDATE users SET email = ?, updated_at = now() WHERE id = ?",
+                [email, user_id],
+            )
+        if password is not None:
+            conn.execute(
+                "UPDATE users SET password_hash = ?, updated_at = now() WHERE id = ?",
+                [hash_password(password), user_id],
+            )
+        row = conn.execute(
+            "SELECT id, email, role FROM users WHERE id = ?", [user_id]
+        ).fetchone()
+
+    if row is None:
+        return None
+    return {"id": str(row[0]), "email": row[1], "role": row[2]}
+
+
+async def set_user_role(user_id: str, role: str) -> dict[str, Any] | None:
+    conn = get_conn()
+    lock = get_write_lock()
+    async with lock:
+        conn.execute(
+            "UPDATE users SET role = ?, updated_at = now() WHERE id = ?",
+            [role, user_id],
+        )
+        row = conn.execute(
+            "SELECT id, email, role FROM users WHERE id = ?", [user_id]
+        ).fetchone()
+    if row is None:
+        return None
+    return {"id": str(row[0]), "email": row[1], "role": row[2]}
+
+
+async def delete_user(user_id: str) -> bool:
+    """Delete user and their refresh tokens. Returns True if a row was removed."""
+    conn = get_conn()
+    lock = get_write_lock()
+    async with lock:
+        conn.execute("DELETE FROM refresh_tokens WHERE user_id = ?", [user_id])
+        conn.execute("DELETE FROM users WHERE id = ?", [user_id])
+    return True