feat(auth,privacy,web): step-by-step login, privacy settings persistence, TOTP QR, and API docs

app/users/models.py

@@ -24,6 +24,9 @@ class User(Base):
     bio: Mapped[str | None] = mapped_column(String(500), nullable=True)
     email_verified: Mapped[bool] = mapped_column(Boolean, default=False, nullable=False, index=True)
     allow_private_messages: Mapped[bool] = mapped_column(Boolean, default=True, nullable=False, server_default="true")
+    privacy_last_seen: Mapped[str] = mapped_column(String(16), nullable=False, default="everyone", server_default="everyone")
+    privacy_avatar: Mapped[str] = mapped_column(String(16), nullable=False, default="everyone", server_default="everyone")
+    privacy_group_invites: Mapped[str] = mapped_column(String(16), nullable=False, default="everyone", server_default="everyone")
     twofa_enabled: Mapped[bool] = mapped_column(Boolean, default=False, nullable=False, server_default="false")
     twofa_secret: Mapped[str | None] = mapped_column(String(64), nullable=True)
     created_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), server_default=func.now(), nullable=False)

app/users/router.py

@@ -65,6 +65,9 @@ async def update_profile(
         bio=payload.bio,
         avatar_url=payload.avatar_url,
         allow_private_messages=payload.allow_private_messages,
+        privacy_last_seen=payload.privacy_last_seen,
+        privacy_avatar=payload.privacy_avatar,
+        privacy_group_invites=payload.privacy_group_invites,
     )
     return updated
 

app/users/schemas.py

@@ -1,6 +1,11 @@
 from datetime import datetime
 
 from pydantic import BaseModel, ConfigDict, EmailStr, Field
+from typing import Literal
+
+
+PrivacyLevel = Literal["everyone", "contacts", "nobody"]
+GroupInvitePrivacyLevel = Literal["everyone", "contacts"]
 
 
 class UserBase(BaseModel):
@@ -21,6 +26,9 @@ class UserRead(UserBase):
     bio: str | None = None
     email_verified: bool
     allow_private_messages: bool
+    privacy_last_seen: PrivacyLevel = "everyone"
+    privacy_avatar: PrivacyLevel = "everyone"
+    privacy_group_invites: GroupInvitePrivacyLevel = "everyone"
     twofa_enabled: bool = False
     created_at: datetime
     updated_at: datetime
@@ -32,6 +40,9 @@ class UserProfileUpdate(BaseModel):
     bio: str | None = Field(default=None, max_length=500)
     avatar_url: str | None = Field(default=None, max_length=512)
     allow_private_messages: bool | None = None
+    privacy_last_seen: PrivacyLevel | None = None
+    privacy_avatar: PrivacyLevel | None = None
+    privacy_group_invites: GroupInvitePrivacyLevel | None = None
 
 
 class UserSearchRead(BaseModel):

app/users/service.py

@@ -41,6 +41,9 @@ async def update_user_profile(
     bio: str | None = None,
     avatar_url: str | None = None,
     allow_private_messages: bool | None = None,
+    privacy_last_seen: str | None = None,
+    privacy_avatar: str | None = None,
+    privacy_group_invites: str | None = None,
 ) -> User:
     if name is not None:
         user.name = name
@@ -52,6 +55,12 @@ async def update_user_profile(
         user.avatar_url = avatar_url
     if allow_private_messages is not None:
         user.allow_private_messages = allow_private_messages
+    if privacy_last_seen is not None:
+        user.privacy_last_seen = privacy_last_seen
+    if privacy_avatar is not None:
+        user.privacy_avatar = privacy_avatar
+    if privacy_group_invites is not None:
+        user.privacy_group_invites = privacy_group_invites
     await db.commit()
     await db.refresh(user)
     return user