phase G: data minimisation + passwordless auth + DeepSeek-first LLM

Server no longer holds portfolios. Holdings live in the browser (localStorage); the server publishes an anonymous ticker_universe and a gzipped /api/universe payload identical for every authenticated user, so access patterns can't betray which tickers a user holds. AI commentary is generated ephemerally from the browser-supplied pie and the cost ledger row records no positions. Migrations 0009-0011 added the universe table and dropped positions / portfolio_snapshots / portfolios. Authentication is now e-mail OTP only. Migration 0010 dropped password_hash and email_verified (every active session is by construction proof of email control). The /signup endpoint is gone; signup and login share a single email-entry page. Email rendering is HTML+plain-text multipart with a shared brand palette (app/branding.py) asserted in sync with the CSS by a drift-detection test. LLM provider defaults to DeepSeek-direct (cheaper, api.deepseek.com) with OpenRouter as automatic fallback if DeepSeek fails. ai_log_job and indicator_summary_job now iterate the two tones (NOVICE, INTERMEDIATE) per cycle so the dashboard's tone toggle is instant; PROMPT_VERSION bumped to 6 with an educational anti-TA / anti-gambling stance baked into _CORE. NOVICE mode renders a curated glossary inline (CBOE VIX, yield curve, HY OAS, etc.) with JS-positioned tooltips that survive viewport edges and sticky bars. Model name and tokens hidden from the user UI; still recorded in StrategicLog.model and AICall for admin. Layout adds a sticky top nav, a sticky bottom markets bar (one chip per exchange with status LED + headline index + 1d change), and Phase H feedback reporting is queued in tasks/todo.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 14:16:57 +01:00 · 2026-05-18 14:16:57 +01:00 · 6e7f57c6b2
commit 6e7f57c6b2
parent 480fd311c5
54 changed files with 5005 additions and 916 deletions
--- a/app/services/auth_service.py
+++ b/app/services/auth_service.py
@ -1,16 +1,17 @@
-"""User authentication primitives: password hashing, signup, login.
+"""User authentication primitives.

-Argon2id for password hashing (argon2-cffi). itsdangerous for signed
-session cookies. Tier-aware user creation; phase D adds the actual
-tier-based feature gating.
+Cassandra is **passwordless**. Every login is an email-OTP round-trip
+(see app.services.otp_service + app.services.email_service). This module
+just handles user-row lookup and create-on-first-sight.
+
+The trade-off (see Phase G plan in tasks/todo.md):
+- Server holds: email, tier, AI cost ledger. No portfolio, no broker keys.
+- Loss of password gives up nothing of value to protect; gains: no
+  password-reset flows, no hash rotation, no stuffing/breach exposure.
+- Every successful session is by construction proof of email control.
 """
 from __future__ import annotations

-import re
-from dataclasses import dataclass
-
-from argon2 import PasswordHasher
-from argon2.exceptions import VerifyMismatchError, InvalidHashError
 from email_validator import EmailNotValidError, validate_email
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
@ -19,112 +20,52 @@ from app.db import utcnow
 from app.models import User


-# Argon2 default parameters are sensible; we let it pick.
-_HASHER = PasswordHasher()
-
-# Reasonable floor. Real password policy lives in Phase E.
-MIN_PASSWORD_LENGTH = 8
-MAX_PASSWORD_LENGTH = 256
-
-
 class AuthError(Exception):
-    """Raised when signup/login validation fails. The message is safe to
-    surface to the user as-is."""
-
-
-def hash_password(plain: str) -> str:
-    return _HASHER.hash(plain)
-
-
-def verify_password(plain: str, hashed: str) -> bool:
-    try:
-        _HASHER.verify(hashed, plain)
-        return True
-    except (VerifyMismatchError, InvalidHashError):
-        return False
-    except Exception:
-        return False
+    """Raised on bad input. The message is safe to surface to the user."""


 def _validate_email_or_raise(email: str) -> str:
    try:
        info = validate_email(email, check_deliverability=False)
-        return info.normalized
+        return info.normalized.lower()
    except EmailNotValidError as e:
        raise AuthError(f"Invalid email: {e}")


-def _validate_password_or_raise(password: str) -> None:
-    if not isinstance(password, str):
-        raise AuthError("Password must be a string")
-    if len(password) < MIN_PASSWORD_LENGTH:
-        raise AuthError(
-            f"Password must be at least {MIN_PASSWORD_LENGTH} characters"
-        )
-    if len(password) > MAX_PASSWORD_LENGTH:
-        raise AuthError("Password too long")
-
-
-async def create_user(
-    session: AsyncSession,
-    email: str,
-    password: str,
-    *,
-    tier: str = "free",
-) -> User:
-    """Create a new user. Raises AuthError on bad input or duplicate email."""
-    email = _validate_email_or_raise(email).lower()
-    _validate_password_or_raise(password)
-
-    existing = (await session.execute(
-        select(User).where(User.email == email)
-    )).scalar_one_or_none()
-    if existing:
-        raise AuthError("An account with this email already exists")
-
-    user = User(
-        email=email,
-        password_hash=hash_password(password),
-        tier=tier,
-        email_verified=False,   # phase E enforces verification
-        settings_json={},
-        created_at=utcnow(),
-    )
-    session.add(user)
-    await session.commit()
-    await session.refresh(user)
-    return user
-
-
-async def authenticate(
-    session: AsyncSession,
-    email: str,
-    password: str,
-) -> User:
-    """Return the User if credentials match. Raises AuthError on miss.
-
-    Uses the same generic message for unknown-email and wrong-password to
-    avoid a username-enumeration oracle."""
-    email = email.strip().lower()
-    user = (await session.execute(
-        select(User).where(User.email == email)
-    )).scalar_one_or_none()
-
-    # Always run a hash verification even on unknown-email to keep timing
-    # similar (mitigates timing-based user enumeration).
-    if user is None:
-        verify_password(password, "$argon2id$v=19$m=65536,t=3,p=4$" + "a" * 22 + "$" + "b" * 43)
-        raise AuthError("Invalid email or password")
-
-    if not verify_password(password, user.password_hash):
-        raise AuthError("Invalid email or password")
-
-    user.last_login_at = utcnow()
-    await session.commit()
-    return user
-
-
 async def get_user(session: AsyncSession, user_id: int) -> User | None:
    return (await session.execute(
        select(User).where(User.id == user_id)
    )).scalar_one_or_none()
+
+
+async def get_user_by_email(session: AsyncSession, email: str) -> User | None:
+    email = email.strip().lower()
+    return (await session.execute(
+        select(User).where(User.email == email)
+    )).scalar_one_or_none()
+
+
+async def get_or_create_user(
+    session: AsyncSession,
+    email: str,
+    *,
+    create_if_missing: bool = True,
+    tier: str = "free",
+) -> User:
+    """Look up the user by email; create if absent and create_if_missing.
+    Raises AuthError on malformed email, or if create_if_missing=False
+    and the email is unknown.
+
+    Callers should set create_if_missing=False when CASSANDRA_SIGNUP_ENABLED
+    is false — i.e., the operator is running a closed deployment."""
+    email = _validate_email_or_raise(email)
+    user = await get_user_by_email(session, email)
+    if user is not None:
+        return user
+    if not create_if_missing:
+        raise AuthError("Sign-ups are currently disabled. Ask the operator.")
+    user = User(email=email, tier=tier, settings_json={}, created_at=utcnow())
+    session.add(user)
+    await session.commit()
+    await session.refresh(user)
+    return user