fix(auth): require email authentication every login

CRITICAL SECURITY FIX: - Email code required EVERY login (authentication, not verification) - DNS TXT check cached separately (domain verification) - New auth_sessions table for per-login state - Codes hashed with SHA-256, constant-time comparison - Max 3 attempts, 10-minute session expiry - OAuth params stored server-side (security improvement) New files: - services/auth_session.py - migrations 004, 005 - ADR-010: domain verification vs user authentication 312 tests passing, 86.21% coverage 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-22 15:16:26 -07:00
parent 9b50f359a6
commit 9135edfe84
17 changed files with 3457 additions and 529 deletions
--- a/src/gondulf/database/migrations/005_add_last_checked_column.sql
+++ b/src/gondulf/database/migrations/005_add_last_checked_column.sql
@@ -0,0 +1,12 @@
+-- Migration 005: Add last_checked column to domains table
+-- Enables cache expiration for DNS verification (separate from user authentication)
+-- See ADR-010 for the domain verification vs user authentication distinction
+
+-- Add last_checked column for DNS verification cache expiration
+ALTER TABLE domains ADD COLUMN last_checked TIMESTAMP;
+
+-- Update existing verified domains to set last_checked = verified_at
+UPDATE domains SET last_checked = verified_at WHERE verified = 1;
+
+-- Record this migration
+INSERT INTO migrations (version, description) VALUES (5, 'Add last_checked column to domains table for DNS verification cache');