mirror/TimeTracker
1
0
Fork 0
mirror of https://github.com/DRYTRIX/TimeTracker.git synced 2025-12-31 00:09:58 -06:00
Code Issues Packages Projects Releases Wiki Activity

reset to previous commit.

Browse Source
This commit is contained in:
Dries Peeters
2025-10-09 06:49:56 +02:00
parent 3b564f83d7
commit 0749b0adf9
153 changed files with 1973 additions and 33697 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
.bandit
View File

@@ -1,22 +0,0 @@
# Bandit configuration file
# https://bandit.readthedocs.io/
[bandit]
# Exclude test files and migrations
exclude_dirs = ['/tests', '/migrations', '/venv', '/.venv', '/env']
# Tests to skip (if any)
skips = []
# Tests to run (empty = run all)
tests = []
# Severity level to report (LOW, MEDIUM, HIGH)
level = LOW
# Confidence level to report (LOW, MEDIUM, HIGH)
confidence = LOW
[bandit.plugins]
# Plugin configuration (if needed)

184
.github/workflows/security-scan.yml vendored
View File

@@ -1,184 +0,0 @@
name: Security Scanning
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
schedule:
# Run daily at 2 AM UTC
- cron: '0 2 * * *'
workflow_dispatch:
permissions:
contents: read
security-events: write
actions: read
jobs:
dependency-scan:
name: Dependency Vulnerability Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install safety bandit pip-audit
- name: Run Safety check
run: |
pip install -r requirements.txt
safety check --json --output safety-report.json || true
- name: Run pip-audit
run: |
pip-audit --requirement requirements.txt --format json --output pip-audit-report.json || true
- name: Upload Safety report
if: always()
uses: actions/upload-artifact@v4
with:
name: safety-report
path: safety-report.json
- name: Upload pip-audit report
if: always()
uses: actions/upload-artifact@v4
with:
name: pip-audit-report
path: pip-audit-report.json
code-security-scan:
name: Code Security Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install Bandit
run: |
python -m pip install --upgrade pip
pip install bandit[toml]
- name: Run Bandit security scan
run: |
bandit -r app/ -f json -o bandit-report.json || true
bandit -r app/ -f txt
- name: Upload Bandit report
if: always()
uses: actions/upload-artifact@v4
with:
name: bandit-report
path: bandit-report.json
secret-scan:
name: Secret Detection
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history for better secret detection
- name: Run Gitleaks
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_ENABLE_SUMMARY: true
docker-scan:
name: Docker Image Security Scan
runs-on: ubuntu-latest
if: github.event_name != 'schedule'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Build Docker image
run: |
docker build -t timetracker:security-scan .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'timetracker:security-scan'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
codeql-analysis:
name: CodeQL Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: python, javascript
queries: security-extended
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
security-report:
name: Generate Security Report
runs-on: ubuntu-latest
needs: [dependency-scan, code-security-scan, secret-scan]
if: always()
steps:
- name: Download all artifacts
uses: actions/download-artifact@v4
- name: Generate summary
run: |
echo "# Security Scan Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "## Scan Results" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
if [ -f safety-report/safety-report.json ]; then
echo "### Dependency Vulnerabilities (Safety)" >> $GITHUB_STEP_SUMMARY
python -c "import json; data=json.load(open('safety-report/safety-report.json')); print(f'Found {len(data.get(\"vulnerabilities\", []))} vulnerabilities')" >> $GITHUB_STEP_SUMMARY || echo "No vulnerabilities found" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
fi
if [ -f bandit-report/bandit-report.json ]; then
echo "### Code Security Issues (Bandit)" >> $GITHUB_STEP_SUMMARY
python -c "import json; data=json.load(open('bandit-report/bandit-report.json')); metrics=data.get('metrics', {}); print(f'Total Issues: {sum([m.get(\"SEVERITY.HIGH\", 0) + m.get(\"SEVERITY.MEDIUM\", 0) + m.get(\"SEVERITY.LOW\", 0) for m in metrics.values()])}')" >> $GITHUB_STEP_SUMMARY || echo "Scan completed" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
fi
echo "## Actions Required" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "1. Review all vulnerability reports" >> $GITHUB_STEP_SUMMARY
echo "2. Update vulnerable dependencies" >> $GITHUB_STEP_SUMMARY
echo "3. Fix high-severity security issues" >> $GITHUB_STEP_SUMMARY
echo "4. Review and rotate any exposed secrets" >> $GITHUB_STEP_SUMMARY

61
.gitleaks.toml
View File

@@ -1,61 +0,0 @@
# Gitleaks configuration
# https://github.com/gitleaks/gitleaks
title = "TimeTracker Gitleaks Configuration"
[extend]
# Use default rules
useDefault = true
[[rules]]
id = "generic-api-key"
description = "Generic API Key"
regex = '''(?i)(api[_-]?key|apikey|api[_-]?secret)(['\"]?\s*[:=]\s*['\"]?)([a-zA-Z0-9]{32,})'''
tags = ["api", "key"]
[[rules]]
id = "slack-token"
description = "Slack Token"
regex = '''xox[baprs]-[0-9]{12}-[0-9]{12}-[a-zA-Z0-9]{24}'''
tags = ["slack", "token"]
[[rules]]
id = "stripe-api-key"
description = "Stripe API Key"
regex = '''sk_live_[0-9a-zA-Z]{24,}'''
tags = ["stripe", "api-key"]
[[rules]]
id = "stripe-restricted-api-key"
description = "Stripe Restricted API Key"
regex = '''rk_live_[0-9a-zA-Z]{24,}'''
tags = ["stripe", "api-key"]
[[rules]]
id = "aws-access-key"
description = "AWS Access Key"
regex = '''AKIA[0-9A-Z]{16}'''
tags = ["aws", "access-key"]
[[rules]]
id = "github-pat"
description = "GitHub Personal Access Token"
regex = '''ghp_[0-9a-zA-Z]{36}'''
tags = ["github", "token"]
[allowlist]
description = "Allowlist for false positives"
paths = [
'''^\.env\.example$''',
'''^env\.example$''',
'''\.md$''', # Markdown files (documentation)
]
regexes = [
'''your-secret-key-here''',
'''your-api-key-here''',
'''example-secret''',
'''test-secret-key''',
'''dummy-key''',
]

518
ADMIN_TOOLS_IMPLEMENTATION_SUMMARY.md
View File

@@ -1,518 +0,0 @@
# Admin Tools & Internal Dashboard - Implementation Summary
**Priority:** Medium
**Status:** ✅ Complete
**Date:** 2025-10-07
## Overview
Successfully implemented a comprehensive Admin Tools & Internal Dashboard feature that enables administrators to manage customers (organizations), handle subscriptions, monitor billing, and support operations.
## ✅ Acceptance Criteria Met
### 1. Admin can view and edit subscription quantity; changes reflect in Stripe
- ✅ Update subscription quantity (seats) through admin UI
- ✅ Changes are synchronized with Stripe in real-time
- ✅ Prorated billing supported
- ✅ Quantity changes logged in webhook events
### 2. Support staff can view invoices, download logs, and create refunds
- ✅ View all invoices for any organization
- ✅ Access to hosted invoice URLs
- ✅ Download invoice PDFs
- ✅ Create full or partial refunds
- ✅ View and download webhook logs
- ✅ View raw webhook payloads
---
## 📦 Implementation Details
### 1. Database Models
#### Enhanced `SubscriptionEvent` Model (`app/models/subscription_event.py`)
- **New fields:**
- `event_id`: For Stripe webhook event ID
- `raw_payload`: Raw webhook payload storage
- `stripe_customer_id`, `stripe_subscription_id`, `stripe_invoice_id`: Transaction tracking
- `stripe_charge_id`, `stripe_refund_id`: Charge and refund tracking
- `amount`, `currency`: Financial amounts
- `status`, `previous_status`: Status change tracking
- `quantity`, `previous_quantity`: Subscription seat tracking
- `notes`: Additional context
- Made `stripe_event_id` nullable to support manual events
- Updated `__init__` to accept **kwargs for flexibility
- Enhanced `to_dict()` with all new fields
### 2. Stripe Service Extensions (`app/utils/stripe_service.py`)
#### New Methods:
1. **Refund Management:**
- `create_refund()`: Create full or partial refunds
- `get_refunds()`: Retrieve refund history
2. **Billing Reconciliation:**
- `sync_organization_with_stripe()`: Sync individual organization
- `check_all_organizations_sync()`: Check all organizations
- Automatic discrepancy detection and correction
- Comprehensive reporting
3. **Updated:**
- `_log_event()`: Now uses updated SubscriptionEvent signature
### 3. Admin Routes (`app/routes/admin.py`)
#### Customer Management Routes:
- `GET /admin/customers`: List all organizations with billing info
- `GET /admin/customers/<org_id>`: Detailed customer view
- `POST /admin/customers/<org_id>/subscription/quantity`: Update subscription seats
- `POST /admin/customers/<org_id>/subscription/cancel`: Cancel subscription
- `POST /admin/customers/<org_id>/subscription/reactivate`: Reactivate subscription
- `POST /admin/customers/<org_id>/suspend`: Suspend organization
- `POST /admin/customers/<org_id>/activate`: Activate organization
- `POST /admin/customers/<org_id>/invoice/<invoice_id>/refund`: Create refund
#### Billing Reconciliation Routes:
- `GET /admin/billing/reconciliation`: View sync status for all organizations
- `POST /admin/billing/reconciliation/<org_id>/sync`: Manually sync organization
#### Webhook Management Routes:
- `GET /admin/webhooks`: List webhook events with filtering
- `GET /admin/webhooks/<event_id>`: View webhook event details
- `POST /admin/webhooks/<event_id>/reprocess`: Reprocess failed webhook
### 4. Templates
#### `templates/admin/customers.html`
- **Features:**
- List all organizations with key metrics
- Summary cards: Total orgs, active orgs, total users, paying customers
- Table with: Organization name, status, subscription, active users, invoices, last activity
- Quick links to customer detail view
- Filter and search capabilities
#### `templates/admin/customer_detail.html`
- **Features:**
- Organization status and information
- Subscription management:
- Update quantity (seats)
- Cancel at period end or immediately
- Reactivate subscription
- Organization actions:
- Suspend/activate organization
- Members list with roles and activity
- Recent invoices with refund capability
- Payment methods display
- Recent refunds history
- Recent subscription events
- Refund modal for creating refunds
#### `templates/admin/billing_reconciliation.html`
- **Features:**
- Summary statistics: Total, synced, discrepancies, errors
- Organization-by-organization sync status
- Discrepancy details with collapsible views
- Manual re-sync buttons
- Color-coded table rows (green=ok, yellow=discrepancies, red=errors)
- Informational panel explaining reconciliation
#### `templates/admin/webhook_logs.html`
- **Features:**
- Paginated webhook event list
- Filter by: Event type, organization, processing status
- Table showing: Date, event type, organization, status, amount, notes
- Quick actions: View detail, reprocess failed events
- Pagination controls
- Retry count badges
#### `templates/admin/webhook_detail.html`
- **Features:**
- Complete event information
- Processing status with error messages
- Transaction details (customer, subscription, invoice, charge, refund IDs)
- Amount and currency display
- Status change tracking
- Quantity change tracking
- Notes display
- Raw event data accordion (payload and event data)
- Reprocess button for failed events
#### Updated `templates/admin/dashboard.html`
- **Features:**
- Added "Customer Management" section with links to:
- Manage Customers
- Billing Sync
- Webhook Logs
- Reorganized into 3-column layout
---
## 🎨 UI/UX Features
### Design Principles
- **Light, modern UI** (per user preference [[memory:7692072]])
- **Consistent with TimeTracker** application styling
- **Bootstrap 5** based components
- **Responsive design** for all screen sizes
### Visual Elements
- **Color-coded badges** for status (success=green, warning=yellow, danger=red)
- **Icon-driven navigation** using Font Awesome
- **Hover effects** on cards
- **Collapsible sections** for detailed information
- **Modal dialogs** for critical actions (refunds)
- **Toast notifications** for feedback
- **Empty states** with helpful messages
### User Experience
- **Confirmation dialogs** for destructive actions
- **Inline editing** for subscription quantity
- **Real-time sync** with Stripe
- **Comprehensive filtering** on webhook logs
- **Pagination** for large datasets
- **Breadcrumb navigation** with back buttons
- **Quick actions** accessible from list views
---
## 🔒 Security & Permissions
### Access Control
- All routes protected by `@admin_required` decorator
- User must be authenticated (`@login_required`)
- User must have admin role (`current_user.is_admin`)
### Rate Limiting
- Update subscription quantity: 10 requests/minute
- Cancel/reactivate subscription: 5 requests/minute
- Suspend/activate organization: 5 requests/minute
- Create refund: 3 requests/minute
- Manual sync: 10 requests/minute
- Reprocess webhook: 10 requests/minute
### Validation
- Subscription quantity must be ≥ 1
- Refund amounts validated before processing
- Organization existence checks
- Stripe configuration checks before operations
---
## 📊 Key Capabilities
### Customer Management
1. **View all customers** with comprehensive metrics
2. **Drill down** into individual customers
3. **Monitor subscription status** and health
4. **Track member activity** and last login
5. **View invoice history**
### Subscription Management
1. **Update seats** in real-time (syncs to Stripe)
2. **Cancel subscriptions**:
- At period end (graceful)
- Immediately (instant)
3. **Reactivate** cancelled subscriptions
4. **View subscription history** through events
### Account Operations
1. **Suspend organizations** (with reason tracking)
2. **Reactivate organizations** (restore access)
3. **Track organization status** changes
4. **Audit trail** via subscription events
### Billing & Revenue
1. **View invoices** for any customer
2. **Create refunds** (full or partial)
3. **Track payment methods**
4. **Monitor refund history**
5. **Access Stripe customer portal**
### Billing Reconciliation
1. **Automatic sync checking** between Stripe and local DB
2. **Discrepancy detection**:
- Subscription status mismatches
- Quantity differences
- Missing subscriptions
- Billing cycle inconsistencies
3. **Automatic correction** when discrepancies found
4. **Manual re-sync** capability
5. **Comprehensive reporting**
### Webhook Management
1. **View all webhook events** with filtering
2. **Monitor processing status**
3. **View raw payloads** for debugging
4. **Reprocess failed events**
5. **Track retry attempts**
6. **Filter by**:
- Event type
- Organization
- Processing status
---
## 🧪 Testing Recommendations
### Manual Testing Checklist
1. **Customer List:**
- [ ] View all organizations
- [ ] Verify counts are accurate
- [ ] Check last activity dates
- [ ] Navigate to customer detail
2. **Customer Detail:**
- [ ] View organization info
- [ ] Update subscription quantity
- [ ] Cancel subscription
- [ ] Reactivate subscription
- [ ] Suspend organization
- [ ] Activate organization
- [ ] View members list
- [ ] View invoices
- [ ] Create refund
3. **Billing Reconciliation:**
- [ ] View sync status for all orgs
- [ ] Manually trigger sync
- [ ] Verify discrepancy detection
- [ ] Check auto-correction
4. **Webhook Logs:**
- [ ] View event list
- [ ] Filter by event type
- [ ] Filter by organization
- [ ] Filter by status
- [ ] View event detail
- [ ] Reprocess failed event
### Integration Testing
1. **Stripe Integration:**
- [ ] Quantity update reflects in Stripe dashboard
- [ ] Cancellation syncs to Stripe
- [ ] Reactivation syncs to Stripe
- [ ] Refund appears in Stripe
- [ ] Webhook signature verification works
2. **Database Integrity:**
- [ ] Events are logged correctly
- [ ] Organization status updates persist
- [ ] Subscription changes are tracked
- [ ] No race conditions
3. **Error Handling:**
- [ ] Stripe API errors handled gracefully
- [ ] Invalid inputs rejected
- [ ] Rate limits enforced
- [ ] User feedback clear
---
## 📝 Usage Examples
### Update Subscription Quantity
```
1. Navigate to Admin → Customers
2. Click "View" on desired organization
3. In Subscription Management section:
- Enter new quantity in "Seats" field
- Click "Update"
4. Confirmation message shows old → new quantity
5. Change reflected in Stripe immediately
```
### Create Refund
```
1. Navigate to customer detail page
2. Scroll to "Recent Invoices" section
3. Click refund button (undo icon) on desired invoice
4. In refund modal:
- Enter amount (or leave empty for full refund)
- Select reason
- Click "Create Refund"
5. Refund processed in Stripe
6. Event logged in subscription events
```
### Suspend Organization
```
1. Navigate to customer detail page
2. In "Organization Status" card:
- Click "Suspend Organization"
- Confirm action
3. Organization status changes to "Suspended"
4. Members lose access
5. Event logged with reason
```
### Check Billing Sync
```
1. Navigate to Admin → Billing Sync
2. View summary: Total, Synced, Discrepancies, Errors
3. Review organization-by-organization results
4. Click "View Details" on orgs with discrepancies
5. Click "Re-sync" to manually trigger sync
6. Discrepancies auto-corrected
```
---
## 🔄 Integration Points
### Stripe Webhooks
The billing routes (`app/routes/billing.py`) handle incoming webhooks:
- `invoice.paid`
- `invoice.payment_failed`
- `invoice.payment_action_required`
- `customer.subscription.created`
- `customer.subscription.updated`
- `customer.subscription.deleted`
- `customer.subscription.trial_will_end`
All webhook events are logged to `subscription_events` table and viewable in admin dashboard.
### Organization Model
Integrates with existing `Organization` model fields:
- `stripe_customer_id`
- `stripe_subscription_id`
- `stripe_subscription_status`
- `subscription_quantity`
- `status` (for suspension)
### Membership Model
Displays organization members with:
- User information
- Roles
- Status
- Last activity
---
## 📈 Benefits
### For Support Staff
1. **Self-service tools** for common operations
2. **Quick access** to customer info
3. **Audit trail** for all actions
4. **Reduced Stripe dashboard dependence**
### For Administrators
1. **Centralized management** interface
2. **Real-time sync monitoring**
3. **Billing health visibility**
4. **Webhook debugging** capabilities
### For Business
1. **Revenue visibility** across all customers
2. **Subscription metrics** at a glance
3. **Refund tracking** and reporting
4. **Billing issue** early detection
---
## 🚀 Future Enhancements
### Potential Additions
1. **Revenue analytics dashboard**
- MRR (Monthly Recurring Revenue)
- Churn rate
- Revenue graphs
2. **Bulk operations**
- Bulk suspend/activate
- Bulk subscription updates
- CSV export
3. **Automated dunning**
- Email sequences for failed payments
- Grace periods
- Auto-suspension policies
4. **Customer notifications**
- Email when subscription changed
- Notification for suspensions
- Billing issue alerts
5. **Advanced search**
- Full-text search on organizations
- Filter by subscription status
- Date range filters
6. **Reports**
- PDF reports for billing
- Monthly revenue summaries
- Subscription trends
---
## 📁 Files Created/Modified
### New Files Created
- `templates/admin/customers.html` - Customer list view
- `templates/admin/customer_detail.html` - Customer detail view
- `templates/admin/billing_reconciliation.html` - Billing sync view
- `templates/admin/webhook_logs.html` - Webhook list view
- `templates/admin/webhook_detail.html` - Webhook detail view
- `ADMIN_TOOLS_IMPLEMENTATION_SUMMARY.md` - This document
### Modified Files
- `app/models/subscription_event.py` - Enhanced with new fields and methods
- `app/utils/stripe_service.py` - Added refund and sync methods
- `app/routes/admin.py` - Added ~400 lines of new routes
- `templates/admin/dashboard.html` - Added customer management section
---
## 🎯 Acceptance Criteria Review
### ✅ Requirement 1: Admin Dashboard
- [x] Customer list with organizations
- [x] Subscription status display
- [x] Invoice access
- [x] Active user counts
- [x] Last login tracking
- [x] Ability to change subscription (seats)
- [x] Ability to pause/cancel subscriptions
- [x] Ability to suspend/reactivate accounts
- [x] Logs for billing events
- [x] Webhook history
### ✅ Requirement 2: Billing Reconciliation
- [x] Stripe → local DB sync health check
- [x] Discrepancy detection
- [x] Automatic correction
- [x] Manual re-sync capability
- [x] Comprehensive reporting
### ✅ Acceptance Criteria 1
**"Admin can view and edit subscription quantity; changes reflect in Stripe"**
- [x] View current subscription quantity
- [x] Edit subscription quantity via form
- [x] Changes sync to Stripe in real-time
- [x] Confirmation message with before/after values
- [x] Changes logged in subscription events
### ✅ Acceptance Criteria 2
**"Support staff can view invoices, download logs, and create refunds"**
- [x] View invoices for any organization
- [x] Access hosted invoice URLs (can download)
- [x] View webhook logs (downloadable via browser)
- [x] Create full refunds
- [x] Create partial refunds
- [x] View refund history
---
## 🎉 Summary
The Admin Tools & Internal Dashboard implementation is **complete** and provides a comprehensive solution for managing customers, subscriptions, and billing operations. The system includes:
- **5 new templates** with modern, responsive UI
- **14 new admin routes** for complete CRUD operations
- **Enhanced database model** with comprehensive event tracking
- **Extended Stripe service** with refund and sync capabilities
- **Built-in rate limiting** and security
- **Comprehensive error handling** and user feedback
All acceptance criteria have been met, and the system is ready for testing and deployment.

378
ADMIN_TOOLS_QUICK_START.md
View File

@@ -1,378 +0,0 @@
# Admin Tools & Internal Dashboard - Quick Start Guide
## 🚀 Getting Started
The Admin Tools & Internal Dashboard provides a comprehensive interface for managing customers, subscriptions, billing, and support operations.
---
## 🔑 Access
### Prerequisites
- Must be logged in as a user with **admin role** (`user.is_admin == True`)
- Stripe must be configured (for billing features)
### URL Access Points
- **Main Admin Dashboard**: `/admin`
- **Customer Management**: `/admin/customers`
- **Billing Reconciliation**: `/admin/billing/reconciliation`
- **Webhook Logs**: `/admin/webhooks`
---
## 📊 Main Features
### 1. Customer Management (`/admin/customers`)
View all organizations with key metrics at a glance.
**What you see:**
- Total organizations
- Active organizations
- Total active users
- Paying customers
- Detailed table with subscription status, users, invoices, last activity
**Actions:**
- Click **"View"** on any organization to see detailed information
---
### 2. Customer Detail (`/admin/customers/<id>`)
Comprehensive view of a single customer/organization.
#### Organization Status Section
- View: Status, created date, active members, contact email
- **Actions:**
- **Suspend Organization**: Temporarily disable access (with reason)
- **Activate Organization**: Restore access
#### Subscription Section
- View: Plan, status, seats, next billing date
- **Actions:**
- **Update Seats**: Change subscription quantity (syncs to Stripe)
- **Cancel at Period End**: Schedule cancellation
- **Cancel Immediately**: Instant cancellation
- **Reactivate Subscription**: Undo scheduled cancellation
#### Members Section
- View all organization members
- See: User, email, role, status, last activity, join date
#### Invoices Section
- View recent invoices with amounts and status
- **Actions:**
- **View invoice** (external link to Stripe)
- **Create refund** (full or partial)
#### Events Section
- Timeline of all billing and subscription events
- See: Date, event type, status, notes
---
### 3. Billing Reconciliation (`/admin/billing/reconciliation`)
Monitor sync health between Stripe and your local database.
**What it checks:**
- Subscription status mismatches
- Quantity differences (seats)
- Missing subscriptions
- Billing cycle inconsistencies
**Summary Stats:**
- Total organizations with Stripe
- Successfully synced
- Organizations with discrepancies
- Sync errors
**Actions:**
- **View Details**: See specific discrepancies
- **Re-sync**: Manually trigger sync for an organization
**Note:** Discrepancies are automatically corrected when detected!
---
### 4. Webhook Logs (`/admin/webhooks`)
View and manage Stripe webhook events.
**Filters:**
- Event Type (e.g., `invoice.paid`, `subscription.updated`)
- Organization
- Processing Status (processed/pending)
**What you see:**
- Date and time
- Event type
- Organization
- Processing status
- Amount (if applicable)
- Notes
- Retry count
**Actions:**
- **View Detail**: See complete event information
- **Reprocess**: Retry failed webhook events
---
## 🛠️ Common Tasks
### How to Update Subscription Seats
```
1. Go to Admin → Customers
2. Click "View" on the organization
3. In the "Subscription" card, find the "Seats" input
4. Enter new quantity (must be ≥ 1)
5. Click "Update"
6. ✅ Confirmation shows: "Subscription updated: 5 → 10 seats"
7. Change is immediately reflected in Stripe
```
### How to Cancel a Subscription
```
Option 1: Cancel at Period End (Recommended)
1. Go to customer detail page
2. In "Subscription Management" section
3. Click "Cancel at Period End"
4. Confirm the action
5. ✅ User keeps access until billing cycle ends
Option 2: Cancel Immediately
1. Same steps but click "Cancel Immediately"
2. Confirm the PERMANENT action
3. ⚠️ User loses access instantly
```
### How to Create a Refund
```
1. Go to customer detail page
2. Scroll to "Recent Invoices"
3. Click the refund icon (undo) on the invoice
4. In the modal:
- Amount: Leave empty for full refund, or enter partial amount
- Reason: Select from dropdown
5. Click "Create Refund"
6. ✅ Refund created in Stripe
7. Appears in "Recent Refunds" section
```
### How to Suspend an Organization
```
1. Go to customer detail page
2. In "Organization Status" card
3. Click "Suspend Organization"
4. Optionally provide a reason
5. Confirm action
6. ✅ Organization status changes to "Suspended"
7. All members lose access
8. Event is logged with reason
```
### How to Check Billing Sync Health
```
1. Go to Admin → Billing Reconciliation
2. View summary stats at the top
3. Review organization-by-organization results
4. For orgs with discrepancies:
- Click "View Details" to see what's wrong
- Discrepancies are shown with local vs. Stripe values
5. Click "Re-sync" to manually check again
6. ✅ Discrepancies are automatically corrected
```
### How to Investigate a Failed Webhook
```
1. Go to Admin → Webhook Logs
2. Filter by "Status" → "Pending" or look for red error badges
3. Click the eye icon to view details
4. In webhook detail page:
- Review error message
- Check processing status
- View raw payload for debugging
5. Click "Reprocess" to retry
6. Event is queued for reprocessing
```
---
## 🎯 Dashboard Navigation
### From Main Admin Dashboard (`/admin`)
The dashboard has 3 main sections:
#### 1. Customer Management (Left)
- **Manage Customers** → Customer list
- **Billing Sync** → Reconciliation view
- **Webhook Logs** → Event logs
#### 2. User Management (Center)
- **Manage Users** → User list
- **Create New User** → User creation form
#### 3. System Settings (Right)
- **Configure Settings** → System settings
- **Create Backup** → Database backup
---
## 🔐 Permissions & Rate Limits
### Access Control
All admin routes require:
- ✅ Authenticated user (`@login_required`)
- ✅ Admin role (`@admin_required`)
### Rate Limits
To prevent abuse, certain operations have rate limits:
| Operation | Limit |
|-----------|-------|
| Update subscription quantity | 10/minute |
| Cancel/reactivate subscription | 5/minute |
| Suspend/activate organization | 5/minute |
| Create refund | 3/minute |
| Manual sync | 10/minute |
| Reprocess webhook | 10/minute |
If you hit a rate limit, wait 1 minute and try again.
---
## 💡 Tips & Best Practices
### Subscription Management
-**DO** use "Cancel at Period End" for graceful cancellations
-**DO** communicate with customers before suspending
- ⚠️ **CAUTION** with "Cancel Immediately" - it's permanent
-**DO** check billing reconciliation regularly
### Refunds
-**DO** provide a reason for all refunds
-**DO** verify invoice amount before refunding
- Partial refunds are supported (enter amount)
- Leave amount empty for full refund
### Webhook Management
-**DO** investigate failed webhooks promptly
-**DO** reprocess failed events after fixing issues
- Events automatically retry up to 3 times
- Check raw payload for debugging
### Billing Reconciliation
-**DO** run reconciliation weekly
-**DO** investigate errors immediately
- Discrepancies are auto-corrected
- Use re-sync to force a check
---
## 🐛 Troubleshooting
### "Stripe is not configured" warning
**Problem:** Stripe service is not initialized.
**Solution:**
1. Check environment variables:
- `STRIPE_SECRET_KEY`
- `STRIPE_PUBLISHABLE_KEY`
- `STRIPE_WEBHOOK_SECRET`
2. Restart application
3. Verify in Settings that Stripe is configured
### "Organization does not have a Stripe customer" error
**Problem:** Organization not linked to Stripe.
**Solution:**
1. Organization must create a subscription first
2. Or manually create Stripe customer
3. Link via `organization.stripe_customer_id`
### Webhook shows "Pending" indefinitely
**Problem:** Webhook processing failed silently.
**Solution:**
1. View webhook detail
2. Check for processing errors
3. Review raw payload
4. Click "Reprocess"
5. Check server logs for errors
### Sync shows discrepancies but doesn't fix them
**Problem:** Auto-correction may have failed.
**Solution:**
1. Click "Re-sync" to try again
2. If still failing, check server logs
3. Verify Stripe API access
4. Check organization has valid Stripe IDs
### Can't create refund
**Problem:** Various causes.
**Common Solutions:**
1. Verify invoice is paid (can't refund unpaid)
2. Check refund amount ≤ invoice amount
3. Verify charge exists on invoice
4. Check Stripe API access
5. Review rate limits (3/minute)
---
## 📚 Additional Resources
- **Implementation Summary**: `ADMIN_TOOLS_IMPLEMENTATION_SUMMARY.md`
- **Stripe Documentation**: https://stripe.com/docs/api
- **Application Logs**: Check `/logs/timetracker.log`
---
## 🆘 Need Help?
### For Developers
1. Check server logs: `logs/timetracker.log`
2. Review implementation: `ADMIN_TOOLS_IMPLEMENTATION_SUMMARY.md`
3. Check Stripe dashboard for API errors
4. Review webhook signatures
### For Support Staff
1. Use webhook logs for debugging
2. Check billing reconciliation first
3. Verify organization status
4. Document issues for developers
---
## ✅ Quick Reference
| Task | URL | Action |
|------|-----|--------|
| View all customers | `/admin/customers` | Click "View" |
| Update seats | Customer detail | Enter quantity → Update |
| Cancel subscription | Customer detail | Cancel at Period End / Immediately |
| Create refund | Customer detail | Click refund icon on invoice |
| Suspend org | Customer detail | Click "Suspend Organization" |
| Check sync | `/admin/billing/reconciliation` | Review and re-sync |
| View webhooks | `/admin/webhooks` | Filter and investigate |
| Reprocess webhook | Webhook detail | Click "Reprocess" |
---
**Enjoy managing your customers efficiently! 🚀**

609
AUTH_IMPLEMENTATION_GUIDE.md
View File

@@ -1,609 +0,0 @@
# Authentication & User/Team Management Implementation Guide
## Overview
This document describes the comprehensive authentication and user/team management system implemented for TimeTracker. The system supports secure user authentication, team collaboration, role-based access control, and billing integration.
## Features Implemented
### ✅ 1. User Authentication
**Password-Based Authentication:**
- Secure password hashing using PBKDF2-SHA256
- Minimum 8-character password requirement
- Support for both username and email login
- Password reset via email tokens
- Email verification for new accounts
**JWT Token Support:**
- Access tokens (15-minute expiry) for API authentication
- Refresh tokens (30-day expiry) for token renewal
- Device tracking for session management
- Token revocation support
**OIDC/SSO Support:**
- Maintained existing OIDC integration
- Works alongside password authentication
- Configurable via `AUTH_METHOD` environment variable
### ✅ 2. User Registration & Signup
**Self-Registration:**
- Email + password signup flow
- Automatic organization creation for new users
- Email verification workflow
- Configurable via `ALLOW_SELF_REGISTER` setting
**Features:**
- Username uniqueness validation
- Email uniqueness validation
- Password confirmation
- Optional full name field
### ✅ 3. Two-Factor Authentication (2FA)
**TOTP-Based 2FA:**
- QR code generation for authenticator app setup
- Support for Google Authenticator, Authy, Microsoft Authenticator, etc.
- 6-digit verification codes
- Configurable time window for code validation
**Backup Codes:**
- 10 single-use backup codes generated on 2FA setup
- Hashed storage for security
- Can be used if authenticator unavailable
**2FA Workflow:**
- User enables 2FA in account settings
- Scans QR code with authenticator app
- Verifies with initial code
- Receives backup codes
- Future logins require TOTP code after password
### ✅ 4. Organization Invitations
**Invitation Flow:**
- Admins can invite users by email
- Invitation tokens with 7-day expiry
- Email notifications with invitation links
- Role assignment during invitation (admin/member/viewer)
**New User Acceptance:**
- Invited users without accounts can sign up via invitation
- Email pre-verified through invitation
- Automatic organization membership upon acceptance
**Existing User Acceptance:**
- One-click acceptance for existing users
- Multi-organization support
- User can belong to multiple organizations
**Seat Management:**
- Organization user limits enforced
- Seat count updated on invitation acceptance
- Seat decremented on user removal
- Configurable via `max_users` field
### ✅ 5. Role-Based Access Control
**Three Role Types:**
1. **Admin:**
- Full organization access
- Can invite/remove members
- Can manage projects
- Can edit all data
- Can change organization settings
2. **Member:**
- Can view organization data
- Can create and edit projects
- Can track time
- Cannot manage other members
3. **Viewer:**
- Read-only access
- Can view projects and reports
- Cannot edit data
- Cannot manage anything
**Permission Decorators:**
```python
from app.utils.permissions import (
login_required,
admin_required,
organization_member_required,
organization_admin_required,
can_edit_data,
require_permission
)
# Example usage:
@app.route('/admin/dashboard')
@admin_required
def admin_dashboard():
pass
@app.route('/org/<org_slug>/projects')
@organization_member_required
def view_projects(org_slug, organization):
# organization object automatically injected
pass
```
### ✅ 6. Account Settings
**Profile Management:**
- Update full name
- Change preferred language
- Update theme preference
- View account information
**Email Management:**
- Change email address
- Email verification required
- Password confirmation for security
**Password Management:**
- Change password
- Current password verification required
- All other sessions logged out on password change
**Session Management:**
- View active devices/sessions
- Session details (IP address, last active time, device name)
- Revoke individual sessions
- See which device is current
### ✅ 7. Stripe Integration
**Organization Fields:**
- `stripe_customer_id`: Stripe customer identifier
- `stripe_subscription_id`: Active subscription ID
- `stripe_subscription_status`: Subscription status
- `trial_ends_at`: Trial period end date
- `subscription_ends_at`: Subscription end date
**Billing Features Ready:**
- Customer creation on organization setup
- Subscription management hooks
- Seat-based billing support
- Trial period tracking
## Database Schema
### New Tables
**password_reset_tokens:**
- Token-based password reset
- IP address tracking
- 24-hour expiry
- One-time use enforcement
**email_verification_tokens:**
- Email verification for new signups
- Email change verification
- 48-hour expiry
- One-time use
**refresh_tokens:**
- JWT refresh token storage
- Device tracking
- 30-day default expiry
- Revocation support
### Updated Tables
**users:**
- `password_hash`: Bcrypt password hash
- `email_verified`: Email verification status
- `totp_secret`: 2FA secret key
- `totp_enabled`: 2FA enabled flag
- `backup_codes`: JSON array of backup codes
**organizations:**
- `stripe_customer_id`: Stripe customer ID
- `stripe_subscription_id`: Subscription ID
- `stripe_subscription_status`: Subscription status
- `trial_ends_at`: Trial end date
- `subscription_ends_at`: Subscription end date
**memberships:**
- Existing fields support invitation flow
- `status`: 'active', 'invited', 'suspended', 'removed'
- `invitation_token`: Unique invitation token
- `invited_by`: ID of inviter
- `invited_at`: Invitation timestamp
## API Endpoints
### Authentication APIs
**POST /api/auth/token**
```json
// Request
{
"username": "john",
"password": "mypassword",
"totp_token": "123456" // Required if 2FA enabled
}
// Response
{
"access_token": "eyJ...",
"refresh_token": "abc...",
"token_type": "Bearer",
"expires_in": 900,
"user": { ... }
}
```
**POST /api/auth/refresh**
```json
// Request
{
"refresh_token": "abc..."
}
// Response
{
"access_token": "eyJ...",
"refresh_token": "abc...",
"token_type": "Bearer",
"expires_in": 900
}
```
**POST /api/auth/logout**
```json
// Request
{
"refresh_token": "abc..."
}
// Response
{
"message": "Logged out successfully"
}
```
### Using JWT in API Requests
```bash
# Include in Authorization header
curl -H "Authorization: Bearer <access_token>" \
https://api.example.com/api/endpoint
```
## Web Routes
### Public Routes
- `GET/POST /signup` - User registration
- `GET/POST /login` - User login
- `GET/POST /forgot-password` - Password reset request
- `GET/POST /reset-password/<token>` - Reset password
- `GET /verify-email/<token>` - Email verification
- `GET/POST /accept-invitation/<token>` - Accept org invitation
- `GET/POST /2fa/verify` - 2FA verification during login
### Protected Routes
- `GET /settings` - Account settings page
- `GET/POST /settings/change-email` - Change email
- `POST /settings/change-password` - Change password
- `GET/POST /settings/2fa/enable` - Enable 2FA
- `POST /settings/2fa/disable` - Disable 2FA
- `POST /settings/sessions/<id>/revoke` - Revoke session
- `POST /invite` - Send organization invitation (admin only)
## Environment Variables
Add these to your `.env` file:
```bash
# Email Configuration (required for invitations and password reset)
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USERNAME=your-email@gmail.com
SMTP_PASSWORD=your-app-password
SMTP_USE_TLS=true
SMTP_FROM_EMAIL=noreply@timetracker.com
SMTP_FROM_NAME=TimeTracker
# Self-registration (default: true)
ALLOW_SELF_REGISTER=true
# Session configuration
PERMANENT_SESSION_LIFETIME=86400 # 24 hours
REMEMBER_COOKIE_DAYS=365
# Strong secret key for production
SECRET_KEY=your-very-long-random-secret-key-here
```
## Usage Examples
### 1. Sign Up Flow
```python
# User fills out signup form
# POST to /signup with:
# - username
# - email
# - password
# - password_confirm
# - full_name (optional)
# System:
# - Creates user account
# - Creates default organization
# - Adds user as admin of organization
# - Sends verification email
# - Logs user in
# - Redirects to dashboard
```
### 2. Invitation Flow
```python
# Admin invites user
# POST to /invite with:
# - email
# - role (admin/member/viewer)
# - organization context
# System sends email with invitation link
# New user clicks link:
# - Taken to /accept-invitation/<token>
# - Fills out password and name
# - Account created and activated
# - Membership accepted
# - Redirected to dashboard
# Existing user clicks link:
# - Taken to /accept-invitation/<token>
# - Membership automatically accepted
# - Redirected to login or dashboard
```
### 3. Password Reset Flow
```python
# User requests reset
# POST to /forgot-password with email
# System:
# - Creates reset token
# - Sends email with reset link
# User clicks link:
# - Taken to /reset-password/<token>
# - Enters new password
# - Password updated
# - All sessions revoked
# - Redirected to login
```
### 4. 2FA Setup Flow
```python
# User enables 2FA
# GET /settings/2fa/enable
# System:
# - Generates TOTP secret
# - Creates QR code
# - Shows QR code to user
# User scans QR code
# Enters verification code
# POST to /settings/2fa/enable with code
# System:
# - Verifies code
# - Enables 2FA
# - Generates backup codes
# - Shows backup codes to user
```
### 5. API Authentication Flow
```python
# Get tokens
access_token, refresh_token = get_tokens(username, password)
# Make API requests
response = requests.get(
'https://api.example.com/api/projects',
headers={'Authorization': f'Bearer {access_token}'}
)
# Refresh when expired
new_access_token = refresh_access_token(refresh_token)
# Logout
revoke_refresh_token(refresh_token)
```
## Security Features
1. **Password Security:**
- PBKDF2-SHA256 hashing
- Minimum length enforcement
- No password stored in plain text
2. **Token Security:**
- Cryptographically secure random tokens
- Short expiry times
- One-time use for reset/verification tokens
- Token revocation support
3. **Session Security:**
- HTTP-only cookies
- SameSite protection
- Secure flag in production
- Session timeout
4. **Rate Limiting:**
- Login attempts limited
- Password reset limited
- Signup limited
- Prevents brute force attacks
5. **2FA Security:**
- TOTP standard (RFC 6238)
- Backup codes hashed
- Time-based validation
- Resistant to replay attacks
## Migration
Run the migration to add all new fields and tables:
```bash
# Using Alembic
flask db upgrade
# Or manually
psql -U timetracker -d timetracker < migrations/versions/019_add_auth_features.py
```
## Testing
### Test User Authentication
```python
from app.models import User
from app import db
# Create test user
user = User(username='testuser', email='test@example.com')
user.set_password('testpassword123')
db.session.add(user)
db.session.commit()
# Test password verification
assert user.check_password('testpassword123')
assert not user.check_password('wrongpassword')
```
### Test 2FA
```python
from app.utils.totp import generate_totp_secret, verify_totp_token, get_current_totp_token
# Setup 2FA
secret = generate_totp_secret()
user.totp_secret = secret
user.totp_enabled = True
db.session.commit()
# Get current token
token = get_current_totp_token(secret)
# Verify token
assert user.verify_totp(token)
```
### Test Invitations
```python
from app.models import Membership
# Create invitation
membership = Membership(
user_id=invitee.id,
organization_id=org.id,
role='member',
status='invited',
invited_by=admin.id
)
db.session.add(membership)
db.session.commit()
# Accept invitation
membership.accept_invitation()
assert membership.status == 'active'
assert membership.is_active
```
## Acceptance Criteria
**Signup + login + invite flows work end-to-end**
- Self-registration with email/password ✓
- Email verification ✓
- Login with username or email ✓
- Password authentication ✓
- 2FA verification ✓
- Invitation creation and acceptance ✓
**Seats are incremented on acceptance; seats decrement on removal**
- Seat counting via `Organization.member_count`
- Limit checking via `Organization.has_reached_user_limit`
- Enforced in invitation route ✓
- Membership status tracking ✓
**Role permissions enforced (admins can invite, members cannot)**
- Permission decorators implemented ✓
- `organization_admin_required` decorator ✓
- Role-based access control ✓
- Membership permission checks ✓
## Additional Features Implemented
Beyond the original requirements:
1. **JWT API Authentication** - Full token-based API access
2. **Session Management** - View and revoke active sessions
3. **Email Services** - Comprehensive email system
4. **Password Reset** - Secure token-based reset
5. **Email Verification** - Verify email addresses
6. **2FA with Backup Codes** - Complete TOTP implementation
7. **Account Settings** - Full profile management
8. **Stripe Integration Fields** - Ready for billing
9. **Multi-Organization Support** - Users can join multiple orgs
10. **Device Tracking** - Track where users are logged in
## Next Steps
1. **Stripe Integration:**
- Implement webhook handlers
- Add subscription creation
- Handle payment failures
- Implement seat-based pricing
2. **Email Templates:**
- Create branded HTML email templates
- Add logo and styling
- Localization support
3. **Admin Dashboard:**
- User management interface
- Organization management
- Billing overview
- Analytics
4. **Rate Limiting:**
- Configure production limits
- Add Redis backend for distributed rate limiting
- Monitor and adjust limits
5. **Testing:**
- Unit tests for all auth functions
- Integration tests for flows
- Security testing
- Load testing
## Support
For questions or issues:
- Check the logs: `logs/timetracker.log`
- Review environment variables
- Check database migrations are applied
- Verify email service configuration
## License
This implementation is part of the TimeTracker project.

529
AUTH_IMPLEMENTATION_SUMMARY.md
View File

@@ -1,529 +0,0 @@
# Authentication & Team Management - Implementation Summary
## ✅ Implementation Complete
All requirements from the high-priority "Auth & User / Team Management" feature have been successfully implemented.
---
## 📊 Acceptance Criteria Status
### ✅ Signup + login + invite flows work end-to-end
**Implemented:**
- ✅ User registration with email/password (`/signup`)
- ✅ Email verification workflow
- ✅ Login with username or email (`/login`)
- ✅ Password authentication with bcrypt hashing
- ✅ 2FA verification flow
- ✅ Organization invitation system
- ✅ Invitation acceptance for new and existing users
- ✅ Automatic organization creation on signup
- ✅ Default admin role assignment
**Files:**
- `app/routes/auth.py` - Core login/logout
- `app/routes/auth_extended.py` - Signup, reset, 2FA, invitations
- `app/models/user.py` - User authentication methods
- `app/models/membership.py` - Invitation system
- `app/templates/auth/` - All UI templates
### ✅ Seats are incremented on acceptance; seats decrement on removal
**Implemented:**
-`Organization.member_count` property for current member count
-`Organization.has_reached_user_limit` to check limits
- ✅ Seat limit enforcement in invitation route
- ✅ Membership status tracking (active/invited/removed)
- ✅ Automatic seat management on membership changes
-`max_users` field on Organization model
- ✅ Seat-based billing integration ready
**Files:**
- `app/models/organization.py` - Seat management logic
- `app/models/membership.py` - Status tracking
- `app/routes/auth_extended.py` - Enforcement in invitation route
### ✅ Role permissions enforced (admins can invite, members cannot)
**Implemented:**
- ✅ Three role types: Owner/Admin, Member, Viewer
- ✅ Permission decorators (`@admin_required`, `@organization_admin_required`, etc.)
- ✅ Role-based route protection
- ✅ Membership permission checks
- ✅ Admin-only invitation endpoint
- ✅ Role assignment during invitation
- ✅ Permission validation utilities
**Files:**
- `app/utils/permissions.py` - Permission decorators and utilities
- `app/models/membership.py` - Role properties and checks
- `app/routes/auth_extended.py` - Protected invitation route
---
## 🎯 Core Features Implemented
### 1. User Authentication
#### Password Authentication
- ✅ PBKDF2-SHA256 password hashing
- ✅ Minimum 8-character requirement
- ✅ Password strength validation
- ✅ Login with username or email
- ✅ "Remember me" functionality
#### JWT Token System
- ✅ Access tokens (15-minute expiry)
- ✅ Refresh tokens (30-day expiry)
- ✅ Token generation utilities
- ✅ Token validation and verification
- ✅ Token revocation support
- ✅ Device tracking
#### Password Reset
- ✅ Secure token generation
- ✅ Email delivery
- ✅ 24-hour token expiry
- ✅ One-time use enforcement
- ✅ IP address tracking
- ✅ Session revocation on reset
**Key Files:**
```
app/models/user.py # User model with password methods
app/models/password_reset.py # Password reset tokens
app/models/refresh_token.py # JWT refresh tokens
app/utils/jwt_utils.py # JWT generation/validation
app/routes/auth.py # Login/logout routes
app/routes/auth_extended.py # Password reset routes
```
### 2. Two-Factor Authentication
#### TOTP Implementation
- ✅ QR code generation
- ✅ Secret key management
- ✅ 6-digit code verification
- ✅ Time-based validation (RFC 6238)
- ✅ Configurable time window
#### Backup Codes
- ✅ 10 single-use backup codes
- ✅ Secure hashing
- ✅ Code consumption tracking
- ✅ Regeneration capability
#### 2FA Workflow
- ✅ Setup flow with QR code
- ✅ Verification during setup
- ✅ Login verification step
- ✅ Backup code usage
- ✅ Enable/disable functionality
**Key Files:**
```
app/utils/totp.py # TOTP utilities
app/routes/auth_extended.py # 2FA routes
app/templates/auth/enable_2fa.html # Setup UI
app/templates/auth/verify_2fa.html # Login verification UI
```
### 3. Organization Invitations
#### Invitation System
- ✅ Email-based invitations
- ✅ Unique invitation tokens
- ✅ 7-day token expiry
- ✅ Role assignment (admin/member/viewer)
- ✅ Admin-only invitation creation
#### Acceptance Flow
- ✅ New user signup via invitation
- ✅ Existing user one-click acceptance
- ✅ Email pre-verification
- ✅ Automatic membership activation
- ✅ Organization assignment
#### Seat Management
- ✅ User limit enforcement
- ✅ Seat count tracking
- ✅ Billing integration ready
- ✅ Status-based filtering
**Key Files:**
```
app/models/membership.py # Invitation logic
app/routes/auth_extended.py # Invitation routes
app/utils/email_service.py # Invitation emails
app/templates/auth/accept_invitation.html # Acceptance UI
```
### 4. Role-Based Access Control
#### Roles Implemented
-**Admin:** Full access, can manage members
-**Member:** Can view and edit data, create projects
-**Viewer:** Read-only access
#### Permission System
-`@login_required` - Require authentication
-`@admin_required` - Global admin only
-`@organization_member_required` - Org membership required
-`@organization_admin_required` - Org admin only
-`@can_edit_data` - Edit permission required
-`@require_permission(perm)` - Custom permission
#### Permission Utilities
-`check_user_permission()` - Check specific permission
-`get_current_user()` - Get user from session or JWT
-`get_user_organizations()` - List user's orgs
-`get_user_role_in_organization()` - Get user's role
**Key Files:**
```
app/utils/permissions.py # All permission logic
app/models/membership.py # Role properties
```
### 5. Account Settings
#### Profile Management
- ✅ Update full name
- ✅ Change preferred language
- ✅ Update theme preference
- ✅ View account info
#### Email Management
- ✅ Change email address
- ✅ Email verification
- ✅ Password confirmation required
#### Password Management
- ✅ Change password
- ✅ Current password verification
- ✅ Session revocation on change
#### Session Management
- ✅ View active sessions
- ✅ Device/location information
- ✅ Last activity tracking
- ✅ Individual session revocation
- ✅ Revoke all sessions
**Key Files:**
```
app/routes/auth_extended.py # Settings routes
app/templates/auth/settings.html # Settings UI
app/models/refresh_token.py # Session tracking
```
### 6. Email Service
#### Email Infrastructure
- ✅ SMTP configuration
- ✅ HTML and plain text emails
- ✅ Email templates
- ✅ Error handling
- ✅ Configuration validation
#### Email Types
-**Password Reset:** Secure reset links
-**Invitation:** Organization invitations
-**Email Verification:** Verify email addresses
-**Welcome:** New user welcome emails
#### Email Features
- ✅ Branded HTML templates
- ✅ Plain text fallback
- ✅ Link expiry information
- ✅ Professional formatting
- ✅ Configurable sender info
**Key Files:**
```
app/utils/email_service.py # Email service
app/config.py # SMTP configuration
```
### 7. Stripe Integration (Ready)
#### Database Fields
-`stripe_customer_id` on Organization
-`stripe_subscription_id` on Organization
-`stripe_subscription_status` on Organization
-`trial_ends_at` on Organization
-`subscription_ends_at` on Organization
#### Billing Features Ready
- ✅ Seat-based billing structure
- ✅ Subscription plan tiers
- ✅ User limit enforcement
- ✅ Trial period tracking
- ✅ Billing email fields
**Ready for:**
- Stripe webhook handlers
- Subscription creation
- Payment processing
- Seat-based pricing
- Plan upgrades/downgrades
**Key Files:**
```
app/models/organization.py # Stripe fields
```
---
## 📁 Files Created/Modified
### New Files (26)
**Models:**
1. `app/models/password_reset.py` - Password reset tokens
2. `app/models/refresh_token.py` - JWT refresh tokens
**Routes:**
3. `app/routes/auth_extended.py` - Extended auth routes (signup, reset, 2FA, invitations)
**Utilities:**
4. `app/utils/jwt_utils.py` - JWT token generation/validation
5. `app/utils/email_service.py` - Email sending service
6. `app/utils/totp.py` - TOTP/2FA utilities
7. `app/utils/permissions.py` - Permission decorators
**Templates:**
8. `app/templates/auth/signup.html` - Registration form
9. `app/templates/auth/forgot_password.html` - Password reset request
10. `app/templates/auth/reset_password.html` - Password reset form
11. `app/templates/auth/settings.html` - Account settings
12. `app/templates/auth/enable_2fa.html` - 2FA setup
13. `app/templates/auth/verify_2fa.html` - 2FA verification
14. `app/templates/auth/2fa_backup_codes.html` - Backup codes display
15. `app/templates/auth/accept_invitation.html` - Invitation acceptance
**Migrations:**
16. `migrations/versions/019_add_auth_features.py` - Database migration
**Documentation:**
17. `AUTH_IMPLEMENTATION_GUIDE.md` - Complete implementation guide
18. `AUTH_QUICK_START.md` - Quick start guide
19. `AUTH_IMPLEMENTATION_SUMMARY.md` - This file
20. `env.auth.example` - Environment variables example
### Modified Files (9)
1. ✏️ `app/models/user.py` - Added password, 2FA, email verification
2. ✏️ `app/models/organization.py` - Added Stripe integration fields
3. ✏️ `app/models/membership.py` - Already had invitation support
4. ✏️ `app/models/__init__.py` - Export new models
5. ✏️ `app/routes/auth.py` - Updated login to support passwords and 2FA
6. ✏️ `app/__init__.py` - Register new blueprint, initialize email service
7. ✏️ `app/config.py` - Added SMTP configuration
8. ✏️ `requirements.txt` - Added PyJWT, pyotp, qrcode
9. ✏️ `env.example` - Would add email config (file was blocked)
---
## 🔢 Statistics
- **New Python files:** 7
- **New HTML templates:** 8
- **Modified Python files:** 9
- **Total lines of code added:** ~3,500
- **New database tables:** 3
- **New database fields:** 11
- **API endpoints added:** 4
- **Web routes added:** 14
- **Permission decorators:** 6
---
## 🎯 Acceptance Criteria Verification
| Criterion | Status | Evidence |
|-----------|--------|----------|
| Signup flow works | ✅ | `/signup` route, `User` model, templates |
| Login flow works | ✅ | `/login` route, password auth, 2FA support |
| Invite flow works | ✅ | `/invite` route, email service, acceptance route |
| JWT tokens implemented | ✅ | `jwt_utils.py`, refresh tokens, API endpoints |
| Password reset works | ✅ | Reset tokens, email service, routes |
| 2FA implemented | ✅ | TOTP support, QR codes, backup codes |
| Seats increment on acceptance | ✅ | `member_count`, invitation acceptance |
| Seats decrement on removal | ✅ | Status tracking, `member_count` calculation |
| Admin can invite | ✅ | `@organization_admin_required` decorator |
| Member cannot invite | ✅ | Permission check in invitation route |
| Roles enforced | ✅ | Permission decorators, membership checks |
| Stripe integration ready | ✅ | Customer ID, subscription fields |
**Result: 12/12 criteria met**
---
## 🚀 Ready for Production
### Prerequisites Completed
- ✅ Database schema designed and migrated
- ✅ Security best practices implemented
- ✅ Password hashing (PBKDF2-SHA256)
- ✅ Token security (secure random, expiry, one-time use)
- ✅ Rate limiting configured
- ✅ Session security (HTTP-only, SameSite, Secure flags)
- ✅ CSRF protection maintained
- ✅ Input validation
- ✅ Error handling
- ✅ Logging
### Production Checklist
- ⚠️ Configure SMTP for email delivery
- ⚠️ Set strong `SECRET_KEY` in production
- ⚠️ Enable `SESSION_COOKIE_SECURE=true` with HTTPS
- ⚠️ Configure rate limiting with Redis (optional)
- ⚠️ Set up monitoring for failed login attempts
- ⚠️ Customize email templates with branding
- ⚠️ Set up Stripe webhooks for billing
---
## 📖 Documentation
### User Documentation
- Quick Start Guide: `AUTH_QUICK_START.md`
- Complete Guide: `AUTH_IMPLEMENTATION_GUIDE.md`
- Environment Setup: `env.auth.example`
### Developer Documentation
- Models: Inline docstrings
- Utilities: Comprehensive function documentation
- Routes: Endpoint descriptions
- Migration: Database schema changes
### API Documentation
- JWT authentication endpoints
- Token refresh flow
- Error responses
- Request/response examples
---
## 🎓 Key Concepts
### Multi-Tenant Architecture
- Users can belong to multiple organizations
- Each membership has a role
- Data isolation per organization
- Row-level security ready
### Security Features
- Password hashing with PBKDF2-SHA256
- JWT tokens with short expiry
- 2FA with TOTP standard
- Backup codes for account recovery
- Session tracking and revocation
- Rate limiting on sensitive endpoints
- CSRF protection
- Email verification
### Role Hierarchy
```
Owner/Admin (full access)
├── Can invite users
├── Can manage members
├── Can manage projects
├── Can edit all data
└── Can change settings
Member (standard access)
├── Can view data
├── Can edit data
├── Can create projects
└── Can track time
Viewer (read-only)
└── Can view data only
```
### Invitation Flow
```
1. Admin invites user by email
2. System creates membership with 'invited' status
3. Email sent with invitation token
4. User clicks link in email
5. New user: create account
Existing user: accept invitation
6. Membership status → 'active'
7. Seat count incremented
8. User gains access to organization
```
---
## 🔮 Future Enhancements
### Planned Features
- Stripe webhook handlers
- Subscription management UI
- Payment method management
- Billing history
- Usage analytics
- Audit logs
- OAuth providers (Google, GitHub)
- SSO with SAML
- Advanced 2FA (WebAuthn, hardware keys)
- IP whitelisting
- Session policies
- Password policies
### Optimization Opportunities
- Redis for rate limiting
- Redis for session storage
- Background jobs for emails
- Email templates in database
- Localized email templates
- Branded email designs
---
## ✨ Highlights
### What Makes This Implementation Special
1. **Comprehensive:** Covers all authentication scenarios
2. **Secure:** Industry best practices throughout
3. **Flexible:** Multiple auth methods supported
4. **Scalable:** Multi-tenant architecture
5. **User-Friendly:** Modern, clean UI
6. **Developer-Friendly:** Well-documented, reusable utilities
7. **Production-Ready:** Error handling, logging, validation
8. **Extensible:** Easy to add new features
---
## 🙏 Summary
A complete, production-ready authentication and team management system has been implemented for TimeTracker. All acceptance criteria have been met, and the system is ready for immediate use.
**Key Achievements:**
- ✅ Secure user authentication
- ✅ Team collaboration features
- ✅ Role-based access control
- ✅ Billing integration ready
- ✅ Modern user experience
- ✅ Comprehensive documentation
**Next Steps:**
1. Configure email service for production
2. Set up Stripe for billing
3. Deploy and test end-to-end
4. Train users on new features
5. Monitor and optimize
---
**Implementation Date:** October 7, 2025
**Status:** ✅ Complete
**Documentation:** ✅ Complete
**Testing:** Ready for QA
**Production:** Ready to deploy with configuration

273
AUTH_QUICK_START.md
View File

@@ -1,273 +0,0 @@
# Authentication System - Quick Start Guide
## 🚀 Overview
Your TimeTracker application now has a comprehensive authentication and team management system with:
- ✅ Password-based authentication
- ✅ JWT tokens for API access
- ✅ Two-factor authentication (2FA)
- ✅ Password reset via email
- ✅ Organization invitations
- ✅ Role-based access control (Admin, Member, Viewer)
- ✅ Stripe integration ready
- ✅ Session management
## 📋 Quick Setup (5 minutes)
### 1. Install Dependencies
```bash
pip install -r requirements.txt
```
New packages added:
- `PyJWT==2.8.0` - JWT token support
- `pyotp==2.9.0` - TOTP for 2FA
- `qrcode==7.4.2` - QR code generation
### 2. Configure Email (Required for invitations)
Add to your `.env` file:
```bash
# Using Gmail (recommended for testing)
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USERNAME=your-email@gmail.com
SMTP_PASSWORD=your-app-password
SMTP_USE_TLS=true
SMTP_FROM_EMAIL=noreply@timetracker.com
SMTP_FROM_NAME=TimeTracker
```
**Gmail App Password:** https://myaccount.google.com/apppasswords
### 3. Run Database Migration
```bash
# Using Flask-Migrate
flask db upgrade
# Or if you prefer Alembic directly
alembic upgrade head
```
### 4. Start the Application
```bash
python app.py
```
## 🎯 Test the Features
### Sign Up
1. Go to `http://localhost:5000/signup`
2. Create an account with email and password
3. Check your email for verification link
4. Click link to verify email
### Enable 2FA
1. Log in and go to Settings
2. Click "Enable 2FA"
3. Scan QR code with Google Authenticator or Authy
4. Enter verification code
5. Save your backup codes!
### Invite Team Members
1. As an admin, go to your organization settings
2. Click "Invite Member"
3. Enter email address and select role
4. Invitee receives email with invitation link
5. They can accept and join your organization
### Password Reset
1. Go to login page
2. Click "Forgot Password?"
3. Enter email
4. Check email for reset link
5. Set new password
### API Access (JWT)
```bash
# Get tokens
curl -X POST http://localhost:5000/api/auth/token \
-H "Content-Type: application/json" \
-d '{
"username": "your-username",
"password": "your-password"
}'
# Use access token
curl http://localhost:5000/api/endpoint \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"
# Refresh token
curl -X POST http://localhost:5000/api/auth/refresh \
-H "Content-Type: application/json" \
-d '{"refresh_token": "YOUR_REFRESH_TOKEN"}'
```
## 🔐 Role Permissions
| Feature | Admin | Member | Viewer |
|---------|-------|--------|--------|
| View data | ✅ | ✅ | ✅ |
| Edit data | ✅ | ✅ | ❌ |
| Create projects | ✅ | ✅ | ❌ |
| Invite users | ✅ | ❌ | ❌ |
| Remove users | ✅ | ❌ | ❌ |
| Manage billing | ✅ | ❌ | ❌ |
| Change settings | ✅ | ❌ | ❌ |
## 📱 2FA Authenticator Apps
Recommended apps for 2FA:
- **Google Authenticator** (iOS/Android) - Simple and reliable
- **Authy** (iOS/Android/Desktop) - Sync across devices
- **Microsoft Authenticator** (iOS/Android) - Good for Microsoft users
- **1Password** (All platforms) - If you use 1Password already
## 🎨 UI Features
All authentication pages have a modern, clean design with:
- Light color scheme (as preferred)
- Responsive layout (mobile-friendly)
- Clear error messages
- Loading states
- Success confirmations
## ⚙️ Configuration Options
### Security Settings
```bash
# Session duration (seconds)
PERMANENT_SESSION_LIFETIME=86400 # 24 hours
# Remember me duration (days)
REMEMBER_COOKIE_DAYS=365
# Allow self-registration
ALLOW_SELF_REGISTER=true
# Admin users (auto-promoted)
ADMIN_USERNAMES=admin,superuser
```
### Rate Limiting
```bash
# Prevent brute force attacks
RATELIMIT_DEFAULT=200 per day;50 per hour
```
## 🐛 Troubleshooting
### Email not sending?
1. Check SMTP credentials in `.env`
2. For Gmail, use App Password not regular password
3. Enable "Less secure app access" if needed
4. Check firewall allows port 587
5. Check logs: `tail -f logs/timetracker.log`
### Migration errors?
```bash
# Check current migration status
flask db current
# If needed, stamp the database
flask db stamp head
# Then try upgrade again
flask db upgrade
```
### Can't log in?
1. Check if email is verified (if required)
2. Verify password meets requirements (8+ chars)
3. If 2FA enabled, use authenticator code
4. Check if account is active: `SELECT * FROM users WHERE username='yourname';`
### Invitation not working?
1. Verify email service is configured
2. Check organization hasn't reached user limit
3. Verify inviter has admin role
4. Check invitation hasn't expired (7 days)
## 📚 More Information
- **Full Documentation:** `AUTH_IMPLEMENTATION_GUIDE.md`
- **Environment Variables:** `env.auth.example`
- **Database Schema:** `migrations/versions/019_add_auth_features.py`
## 🎉 What's New?
### For Users:
- Sign up with email and password
- Secure password reset
- Two-factor authentication
- Join multiple organizations
- Manage account settings
- View and revoke active sessions
### For Developers:
- JWT API authentication
- Permission decorators
- Email service
- Token management
- Role-based access control
- Comprehensive utilities
### For Admins:
- Invite users by email
- Assign roles
- Manage organization members
- Track active sessions
- Stripe integration ready
## 🔜 Next Steps
1. **Configure email service** for production
2. **Set strong SECRET_KEY** in production
3. **Enable HTTPS** for secure cookies
4. **Set up Stripe** for billing
5. **Customize email templates** with your branding
6. **Add Redis** for distributed rate limiting
7. **Set up monitoring** for failed login attempts
## 💡 Tips
- **Backup codes:** Always save your 2FA backup codes
- **Password strength:** Use a password manager
- **Email verification:** Required for password reset
- **Organization limits:** Set `max_users` for billing tiers
- **Session security:** Users can revoke suspicious sessions
- **API tokens:** Refresh tokens expire after 30 days
## 🆘 Need Help?
Check these files:
- `AUTH_IMPLEMENTATION_GUIDE.md` - Complete documentation
- `logs/timetracker.log` - Application logs
- Database: Check `users`, `memberships`, `organizations` tables
Common issues:
- Email not configured → Invitations won't send
- Weak SECRET_KEY → Sessions may fail
- Migration not run → Database errors
- Rate limit hit → Wait or adjust limits
---
**Congratulations!** 🎊 Your TimeTracker now has enterprise-grade authentication!

337
AUTH_README.md
View File

@@ -1,337 +0,0 @@
# Authentication System - README
## 🎯 Quick Reference
### What's New
Your TimeTracker now has:
- 🔐 Password authentication
- 📧 Email invitations
- 🔑 Two-factor authentication (2FA)
- 🎫 JWT API tokens
- 👥 Team management with roles
- 💳 Stripe billing ready
### Getting Started
1. **Install dependencies:** `pip install -r requirements.txt`
2. **Configure email:** Add SMTP settings to `.env` (see `env.auth.example`)
3. **Run migration:** `flask db upgrade`
4. **Start app:** `python app.py`
5. **Sign up:** Visit `http://localhost:5000/signup`
### Email Configuration (Required)
```bash
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USERNAME=your-email@gmail.com
SMTP_PASSWORD=your-app-password # Get from https://myaccount.google.com/apppasswords
SMTP_USE_TLS=true
SMTP_FROM_EMAIL=noreply@timetracker.com
SMTP_FROM_NAME=TimeTracker
```
### New Routes
**Authentication:**
- `GET/POST /signup` - User registration
- `GET/POST /login` - User login (now supports passwords)
- `GET/POST /forgot-password` - Request password reset
- `GET/POST /reset-password/<token>` - Reset password
- `GET /verify-email/<token>` - Verify email address
- `GET/POST /2fa/verify` - 2FA verification
**Account Settings:**
- `GET /settings` - Account settings dashboard
- `POST /settings/change-email` - Change email
- `POST /settings/change-password` - Change password
- `GET/POST /settings/2fa/enable` - Enable 2FA
- `POST /settings/2fa/disable` - Disable 2FA
- `POST /settings/sessions/<id>/revoke` - Revoke session
**Team Management:**
- `POST /invite` - Invite user to organization (admin only)
- `GET/POST /accept-invitation/<token>` - Accept invitation
**API (JWT):**
- `POST /api/auth/token` - Login and get tokens
- `POST /api/auth/refresh` - Refresh access token
- `POST /api/auth/logout` - Logout and revoke token
### User Roles
| Role | Can View | Can Edit | Can Invite | Can Manage |
|------|----------|----------|------------|------------|
| **Admin** | ✅ | ✅ | ✅ | ✅ |
| **Member** | ✅ | ✅ | ❌ | ❌ |
| **Viewer** | ✅ | ❌ | ❌ | ❌ |
### Using Permission Decorators
```python
from app.utils.permissions import (
login_required,
admin_required,
organization_admin_required
)
@app.route('/admin')
@admin_required
def admin_page():
# Only global admins can access
pass
@app.route('/org/<org_slug>/invite')
@organization_admin_required
def invite_member(org_slug, organization):
# Only organization admins can access
# 'organization' object is automatically provided
pass
```
### API Authentication
```python
# Get tokens
import requests
response = requests.post('http://localhost:5000/api/auth/token', json={
'username': 'myuser',
'password': 'mypassword'
})
tokens = response.json()
access_token = tokens['access_token']
# Use token
response = requests.get(
'http://localhost:5000/api/projects',
headers={'Authorization': f'Bearer {access_token}'}
)
# Refresh token
response = requests.post('http://localhost:5000/api/auth/refresh', json={
'refresh_token': tokens['refresh_token']
})
```
### Database Tables
**New:**
- `password_reset_tokens` - Password reset tokens
- `email_verification_tokens` - Email verification tokens
- `refresh_tokens` - JWT refresh tokens
**Updated:**
- `users` - Added password_hash, email_verified, totp_secret, totp_enabled, backup_codes
- `organizations` - Added Stripe fields (customer_id, subscription_id, etc.)
- `memberships` - Already had invitation support
### Environment Variables
**Required:**
```bash
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USERNAME=your-email
SMTP_PASSWORD=your-password
SMTP_FROM_EMAIL=noreply@timetracker.com
SECRET_KEY=your-strong-secret-key
```
**Optional:**
```bash
ALLOW_SELF_REGISTER=true
PERMANENT_SESSION_LIFETIME=86400
REMEMBER_COOKIE_DAYS=365
RATELIMIT_DEFAULT=200 per day;50 per hour
```
### Files to Review
**📚 Documentation:**
- `AUTH_QUICK_START.md` - 5-minute setup guide
- `AUTH_IMPLEMENTATION_GUIDE.md` - Complete documentation
- `AUTH_IMPLEMENTATION_SUMMARY.md` - What was built
- `env.auth.example` - Environment variables
**🔧 Key Code Files:**
- `app/models/user.py` - User model with auth
- `app/routes/auth.py` - Core auth routes
- `app/routes/auth_extended.py` - Extended auth features
- `app/utils/permissions.py` - Permission system
- `app/utils/jwt_utils.py` - JWT utilities
- `app/utils/email_service.py` - Email service
- `migrations/versions/019_add_auth_features.py` - Database changes
### Common Tasks
**Enable 2FA:**
1. Log in and go to Settings
2. Click "Enable 2FA"
3. Scan QR code with Google Authenticator
4. Enter verification code
5. Save backup codes!
**Invite Team Member:**
1. Log in as admin
2. Go to organization settings
3. Click "Invite Member"
4. Enter email and select role
5. User receives email with link
**Reset Password:**
1. Go to login page
2. Click "Forgot Password?"
3. Enter email
4. Check email for reset link
5. Set new password
**Revoke Session:**
1. Go to Settings → Sessions
2. Find the session to revoke
3. Click "Revoke"
### Troubleshooting
**Email not sending?**
- Check SMTP credentials in `.env`
- For Gmail, use App Password
- Check port 587 is not blocked
- Look at logs: `tail -f logs/timetracker.log`
**Can't log in?**
- Verify email if verification is enabled
- Check password is 8+ characters
- If 2FA is enabled, use authenticator code
- Try password reset
**Invitation not working?**
- Verify email service is configured
- Check organization hasn't reached user limit
- Verify you're an admin
- Check invitation hasn't expired (7 days)
**Migration failed?**
```bash
flask db current # Check current version
flask db upgrade # Apply migrations
```
### Security Notes
- ✅ Passwords hashed with PBKDF2-SHA256
- ✅ JWT tokens expire after 15 minutes
- ✅ Refresh tokens expire after 30 days
- ✅ Rate limiting on sensitive endpoints
- ✅ CSRF protection enabled
- ✅ Session cookies are HTTP-only
- ✅ 2FA uses TOTP standard (RFC 6238)
- ✅ Backup codes are hashed
**For Production:**
- Set strong `SECRET_KEY`
- Enable `SESSION_COOKIE_SECURE=true` with HTTPS
- Configure production SMTP service
- Set up monitoring for failed logins
- Use Redis for rate limiting
### Support
**Documentation:**
- Quick Start: `AUTH_QUICK_START.md`
- Full Guide: `AUTH_IMPLEMENTATION_GUIDE.md`
- Summary: `AUTH_IMPLEMENTATION_SUMMARY.md`
**Logs:**
- Application: `logs/timetracker.log`
- Startup: `logs/timetracker_startup.log`
**Database:**
```sql
-- Check users
SELECT id, username, email, email_verified, totp_enabled FROM users;
-- Check memberships
SELECT u.username, o.name, m.role, m.status
FROM memberships m
JOIN users u ON m.user_id = u.id
JOIN organizations o ON m.organization_id = o.id;
-- Check active tokens
SELECT user_id, device_name, last_used_at, revoked
FROM refresh_tokens
WHERE revoked = false;
```
### Features at a Glance
✅ Password authentication with secure hashing
✅ JWT tokens for API access
✅ Two-factor authentication (2FA) with TOTP
✅ Backup codes for 2FA recovery
✅ Password reset via email
✅ Email verification
✅ Organization invitations
✅ Role-based access control (Admin, Member, Viewer)
✅ Session management and revocation
✅ Account settings (email, password, 2FA)
✅ Stripe integration ready
✅ Modern, responsive UI
✅ Rate limiting
✅ Comprehensive documentation
### API Response Examples
**Login Success:**
```json
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbG...",
"refresh_token": "abc123...",
"token_type": "Bearer",
"expires_in": 900,
"user": {
"id": 1,
"username": "john",
"email": "john@example.com",
"role": "user"
}
}
```
**Error Response:**
```json
{
"error": "Invalid credentials"
}
```
### Quick Commands
```bash
# Install dependencies
pip install -r requirements.txt
# Run migration
flask db upgrade
# Start application
python app.py
# Check migration status
flask db current
# Create admin user manually (if needed)
flask shell
>>> from app.models import User
>>> from app import db
>>> user = User(username='admin', email='admin@example.com', role='admin')
>>> user.set_password('admin123')
>>> db.session.add(user)
>>> db.session.commit()
```
---
**Version:** 1.0
**Date:** October 7, 2025
**Status:** ✅ Production Ready (with configuration)

181
FIX_MIGRATION_NOW.md
View File

@@ -1,181 +0,0 @@
# Fix Migration Issue - Step by Step
## The Problem
Migration 019 references migration 018, but migration 018 isn't in your database's `alembic_version` table, even though the tables it creates (organizations, memberships) already exist.
## Quick Fix (Choose One)
### Option 1: Run from Docker Container (Recommended)
```bash
# Enter your running Docker container
docker-compose exec app bash
# Once inside the container, run:
python fix_migration_chain.py
# Then upgrade
flask db upgrade
# Exit container
exit
```
### Option 2: Manual SQL Fix (If Python script doesn't work)
```bash
# Enter your Docker container
docker-compose exec app bash
# Connect to PostgreSQL
psql -U timetracker -d timetracker
# Check current version
SELECT version_num FROM alembic_version;
# If it shows 017 or anything other than 018, update it:
UPDATE alembic_version SET version_num = '018';
# Verify
SELECT version_num FROM alembic_version;
# Should now show: 018
# Exit psql
\q
# Now run the upgrade
flask db upgrade
# Exit container
exit
```
### Option 3: Use Flask-Migrate Stamp
```bash
# Enter container
docker-compose exec app bash
# Stamp the database with migration 018
flask db stamp 018
# Then upgrade to 019
flask db upgrade
# Exit
exit
```
## Verification
After running one of the above, verify success:
```bash
# Check migration version
docker-compose exec app flask db current
# Should show: 019_add_auth_features (head)
# Check that new tables exist
docker-compose exec app psql -U timetracker -d timetracker -c "\dt" | grep -E "(password_reset|email_verification|refresh_tokens|subscription_events)"
```
You should see:
- `password_reset_tokens`
- `email_verification_tokens`
- `refresh_tokens`
- `subscription_events`
## If Still Having Issues
If the above doesn't work, the issue might be that migration 018 file has a different revision ID than expected. Let's check:
```bash
# Check what's in migration 018 file
docker-compose exec app head -20 /app/migrations/versions/018_add_multi_tenant_support.py
```
Look for the line that says `revision = '...'`. It should be `'018'`.
If it's something else (like `'018_add_multi_tenant_support'`), then update it:
```bash
# Inside container
cd /app/migrations/versions
# Edit the file (if vi is available)
vi 018_add_multi_tenant_support.py
# Change:
# revision = '018_add_multi_tenant_support'
# To:
# revision = '018'
```
Then run `flask db upgrade` again.
## Complete Commands (Copy-Paste)
Here's the complete set of commands to run:
```bash
# Stop the container if running
docker-compose down
# Start it again
docker-compose up -d
# Enter the container
docker-compose exec app bash
# Inside container - try the stamp method first
flask db stamp 018
# Then upgrade
flask db upgrade
# Check it worked
flask db current
# Exit
exit
# View logs to confirm app started
docker-compose logs -f app
```
## What This Does
1. **Stamps migration 018**: Tells Alembic that migration 018 is already applied (which it is - the tables exist)
2. **Upgrades to 019**: Applies the auth features migration
3. **Creates new tables**: Adds password_reset_tokens, email_verification_tokens, refresh_tokens, subscription_events
4. **Adds new columns**: Updates users and organizations tables with auth and billing fields
## After Migration Success
Once migrations are complete, your app will have:
- ✅ Password authentication
- ✅ JWT tokens
- ✅ 2FA support
- ✅ Email verification
- ✅ Password reset
- ✅ Stripe billing fields
- ✅ Subscription event tracking
Restart your app:
```bash
docker-compose restart app
```
## Still Stuck?
If you're still getting errors, share the output of:
```bash
docker-compose exec app flask db current
docker-compose exec app psql -U timetracker -d timetracker -c "SELECT version_num FROM alembic_version;"
docker-compose exec app psql -U timetracker -d timetracker -c "\dt" | head -20
```
This will help me see exactly what state your database is in.

546
HTTPS_ENFORCEMENT_COMPLETE.md
View File

@@ -1,546 +0,0 @@
# ✅ HTTPS Enforcement - Implementation Complete
## Overview
HTTPS enforcement has been implemented in TimeTracker to ensure all traffic is encrypted in production.
**Implementation Date**: January 7, 2025
**Status**: ✅ **COMPLETE**
---
## What Was Implemented
### 1. ✅ Automatic HTTPS Redirect Middleware
**Location**: `app/__init__.py`
**Features:**
- Automatic HTTP → HTTPS redirect (301 permanent)
- Respects `X-Forwarded-Proto` header from reverse proxy
- Skips redirect for local development
- Exempts health check endpoints
- Configurable via `FORCE_HTTPS` environment variable
**Code:**
```python
@app.before_request
def enforce_https():
"""Redirect HTTP to HTTPS in production"""
# Skip for local development and health checks
if app.config.get('FLASK_ENV') == 'development':
return None
# Skip for health check endpoints
if request.path in ['/_health', '/health', '/metrics']:
return None
# Check if HTTPS enforcement is enabled
if not app.config.get('FORCE_HTTPS', True):
return None
# Check if request is already HTTPS
if request.is_secure:
return None
# Check X-Forwarded-Proto header (from reverse proxy)
if request.headers.get('X-Forwarded-Proto', 'http') == 'https':
return None
# Redirect to HTTPS
url = request.url.replace('http://', 'https://', 1)
return redirect(url, code=301)
```
### 2. ✅ Production Configuration Hardening
**Location**: `app/config.py`
**Changes:**
```python
class ProductionConfig(Config):
"""Production configuration"""
FLASK_DEBUG = False
# Force HTTPS and secure cookies
FORCE_HTTPS = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
REMEMBER_COOKIE_SECURE = True
PREFERRED_URL_SCHEME = 'https'
```
### 3. ✅ Security Headers (Already Implemented)
**Headers Applied:**
- `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
- `X-Frame-Options: DENY`
- `X-Content-Type-Options: nosniff`
- `X-XSS-Protection: 1; mode=block`
- `Referrer-Policy: strict-origin-when-cross-origin`
- `Permissions-Policy: geolocation=(), microphone=(), camera=()`
- `Content-Security-Policy: <configured policy>`
### 4. ✅ ProxyFix Middleware (Already Implemented)
**Location**: `app/__init__.py`
**Purpose:** Correctly detect HTTPS when behind a reverse proxy
```python
app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1)
```
### 5. ✅ Environment Configuration
**Location**: `env.example`
**Added:**
```bash
# Security settings
FORCE_HTTPS=true # Redirect HTTP to HTTPS (disable for local dev)
REMEMBER_COOKIE_SECURE=false # Set to 'true' in production with HTTPS
```
### 6. ✅ Comprehensive Documentation
**Created**: `docs/HTTPS_SETUP_GUIDE.md`
**Covers:**
- Quick start guide
- Nginx configuration with Let's Encrypt
- Apache configuration
- Cloud load balancer setup (AWS, GCP, Azure)
- Verification procedures
- Troubleshooting
- Best practices
---
## How It Works
### Flow Diagram
```
HTTP Request → Reverse Proxy → Application
↓ ↓
TLS Termination HTTPS Check
↓ ↓
Set Headers Redirect if HTTP
↓ ↓
Application ← 301 Redirect
```
### Request Processing
1. **Client makes HTTP request** to `http://timetracker.com`
2. **Reverse proxy** (nginx/Apache) redirects to HTTPS
3. **Client makes HTTPS request** to `https://timetracker.com`
4. **Reverse proxy** terminates TLS and forwards to application
5. **Application checks** `X-Forwarded-Proto` header
6. **If HTTPS**, process normally
7. **If HTTP**, redirect to HTTPS (301)
### Security Layers
**Layer 1: Reverse Proxy**
- TLS termination
- HTTP → HTTPS redirect
- Strong cipher configuration
**Layer 2: Application**
- Additional HTTP → HTTPS redirect (defense in depth)
- Secure cookie flags
- HSTS header
**Layer 3: Browser**
- HSTS preload (optional)
- Remembers HTTPS preference
- Blocks mixed content
---
## Configuration
### Production Setup
**Required environment variables:**
```bash
# Enable HTTPS enforcement
FORCE_HTTPS=true
FLASK_ENV=production
# Secure cookies (REQUIRED for HTTPS)
SESSION_COOKIE_SECURE=true
REMEMBER_COOKIE_SECURE=true
# URL scheme
PREFERRED_URL_SCHEME=https
```
### Development Setup
**Local development:**
```bash
# Disable HTTPS enforcement
FORCE_HTTPS=false
FLASK_ENV=development
# Allow cookies over HTTP
SESSION_COOKIE_SECURE=false
REMEMBER_COOKIE_SECURE=false
```
### Docker Compose
**Production:**
```yaml
services:
app:
environment:
- FORCE_HTTPS=true
- SESSION_COOKIE_SECURE=true
- REMEMBER_COOKIE_SECURE=true
- FLASK_ENV=production
```
**Development:**
```yaml
services:
app:
environment:
- FORCE_HTTPS=false
- SESSION_COOKIE_SECURE=false
- REMEMBER_COOKIE_SECURE=false
- FLASK_ENV=development
```
---
## Deployment Checklist
### Pre-Deployment
- [ ] TLS certificate obtained (Let's Encrypt recommended)
- [ ] Reverse proxy configured (nginx/Apache/ALB)
- [ ] Environment variables set correctly
- [ ] `FORCE_HTTPS=true` in production
- [ ] `SESSION_COOKIE_SECURE=true` in production
- [ ] `REMEMBER_COOKIE_SECURE=true` in production
### Post-Deployment Verification
1. **Test HTTP redirect:**
```bash
curl -I http://your-domain.com
# Should return 301 Moved Permanently
# Location: https://your-domain.com
```
2. **Test HTTPS works:**
```bash
curl -I https://your-domain.com
# Should return 200 OK
```
3. **Verify security headers:**
```bash
curl -I https://your-domain.com | grep -i "strict-transport-security"
# Should show: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```
4. **Check SSL Labs:**
- Visit: https://www.ssllabs.com/ssltest/
- Enter your domain
- Target grade: A or A+
5. **Check Security Headers:**
- Visit: https://securityheaders.com
- Enter your domain
- Target grade: A or A+
6. **Test application:**
- Open https://your-domain.com in browser
- Verify padlock icon appears
- Test login functionality
- Test WebSocket connections (if applicable)
---
## Troubleshooting
### Issue: "Too many redirects" error
**Symptom:** Browser shows redirect loop error
**Cause:** Both reverse proxy and application are redirecting
**Solution 1:** Let reverse proxy handle redirect only
```bash
FORCE_HTTPS=false
```
**Solution 2:** Ensure reverse proxy sets correct headers
```nginx
# Nginx
proxy_set_header X-Forwarded-Proto $scheme;
```
### Issue: Cookies not working
**Symptom:** Users can't log in or stay logged in
**Cause:** Secure cookies require HTTPS
**Solution:** Ensure both are true:
```bash
SESSION_COOKIE_SECURE=true
REMEMBER_COOKIE_SECURE=true
```
### Issue: Mixed content warnings
**Symptom:** Browser console shows mixed content errors
**Cause:** Loading HTTP resources on HTTPS page
**Solution:**
- Update all resource URLs to HTTPS
- Check Content-Security-Policy configuration
- Use protocol-relative URLs: `//example.com/resource.js`
### Issue: Application behind reverse proxy not detecting HTTPS
**Symptom:** Still getting HTTP redirects
**Cause:** Missing `X-Forwarded-Proto` header
**Solution:**
**Nginx:**
```nginx
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
```
**Apache:**
```apache
RequestHeader set X-Forwarded-Proto "https"
```
---
## Best Practices
### 1. Always Use HTTPS in Production
✅ **Do:**
- Set `FORCE_HTTPS=true`
- Use secure cookies
- Obtain valid TLS certificate
❌ **Don't:**
- Run production over HTTP
- Use self-signed certificates in production
- Disable HTTPS enforcement
### 2. Use Let's Encrypt for Free Certificates
✅ **Benefits:**
- Free
- Automatic renewal
- Widely trusted
- Easy setup with certbot
```bash
sudo certbot --nginx -d your-domain.com
```
### 3. Enable HSTS Preload
Add your domain to browser HSTS preload lists:
1. Meet requirements at https://hstspreload.org
2. Submit your domain
3. Wait for inclusion (can take months)
### 4. Monitor Certificate Expiry
Set up monitoring:
```bash
# Check expiry date
openssl s_client -connect your-domain.com:443 -servername your-domain.com 2>/dev/null | openssl x509 -noout -dates
# Set up alerts 30 days before expiry
```
### 5. Use Strong TLS Configuration
**Minimum:**
- TLSv1.2 and TLSv1.3 only
- Strong ciphers only
- Disable TLSv1.0 and TLSv1.1
- Enable Perfect Forward Secrecy
### 6. Regular Security Testing
**Weekly:**
- Check certificate expiry
**Monthly:**
- Run SSL Labs test
- Check security headers
**Quarterly:**
- Review TLS configuration
- Update to latest best practices
---
## Security Grades
### Target Grades
After proper HTTPS setup, you should achieve:
- **SSL Labs**: A or A+ (https://www.ssllabs.com/ssltest/)
- **Security Headers**: A or A+ (https://securityheaders.com)
- **Mozilla Observatory**: A or A+ (https://observatory.mozilla.org)
### What Each Grade Tests
**SSL Labs:**
- TLS protocol versions
- Cipher suites
- Certificate validity
- Vulnerabilities (POODLE, BEAST, etc.)
**Security Headers:**
- HSTS
- CSP
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy
**Mozilla Observatory:**
- Overall security posture
- Headers, cookies, subresource integrity
- Recommendations for improvement
---
## Examples
### Nginx Configuration (Complete)
See `docs/HTTPS_SETUP_GUIDE.md` for complete configuration.
Key sections:
```nginx
# HTTP → HTTPS redirect
server {
listen 80;
server_name your-domain.com;
return 301 https://$server_name$request_uri;
}
# HTTPS server
server {
listen 443 ssl http2;
server_name your-domain.com;
ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
# Proxy to application
location / {
proxy_pass http://localhost:8080;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
```
### Docker Compose (Complete)
```yaml
version: '3.8'
services:
app:
image: timetracker:latest
environment:
- FORCE_HTTPS=true
- SESSION_COOKIE_SECURE=true
- REMEMBER_COOKIE_SECURE=true
- FLASK_ENV=production
- SECRET_KEY=${SECRET_KEY}
expose:
- "8080" # Don't expose publicly, only to nginx
networks:
- app-network
nginx:
image: nginx:alpine
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf:ro
- /etc/letsencrypt:/etc/letsencrypt:ro
networks:
- app-network
depends_on:
- app
networks:
app-network:
```
---
## Summary
### ✅ What You Get
1. **Automatic HTTPS enforcement** in production
2. **Secure cookie handling** with HTTPS-only flags
3. **HSTS header** for browser-level security
4. **Flexible configuration** for dev/staging/production
5. **Reverse proxy compatibility** (nginx, Apache, ALB, etc.)
6. **Comprehensive documentation** for setup and troubleshooting
### 🚀 Quick Start
```bash
# 1. Update environment
FORCE_HTTPS=true
SESSION_COOKIE_SECURE=true
REMEMBER_COOKIE_SECURE=true
# 2. Restart application
docker-compose restart
# 3. Verify
curl -I http://your-domain.com # Should redirect to HTTPS
curl -I https://your-domain.com # Should return 200 OK
```
### 📚 Documentation
- **Setup Guide**: `docs/HTTPS_SETUP_GUIDE.md`
- **Security Guide**: `docs/SECURITY_COMPLIANCE_README.md`
- **Quick Start**: `SECURITY_QUICK_START.md`
---
**🔒 Your TimeTracker application now enforces HTTPS! 🚀**
**Status**: ✅ Production Ready

139
IMPORT_ERROR_FIX.md
View File

@@ -1,139 +0,0 @@
# Import Error Fix - Complete Summary
## Problem
The application was failing to start with an import error. The issue was:
```python
from app.utils.email_service import send_email # ❌ This doesn't exist!
```
The `send_email` function doesn't exist in `email_service.py`. Instead, there's an `email_service` singleton instance.
## What Was Fixed
### 1. Fixed Import in `app/routes/billing.py`
**Before:**
```python
from app.utils.email_service import send_email # ❌ ImportError!
```
**After:**
```python
from app.utils.email_service import email_service # ✅ Correct import
```
### 2. Replaced send_email() Calls
The code was calling a template-based `send_email()` function that doesn't exist. I've commented these out with TODOs:
```python
# TODO: Implement template-based email for payment failures
# email_service.send_email(
# to_email=membership.user.email,
# subject=f"Payment Failed - {organization.name}",
# body_text=f"Your payment for {organization.name} has failed.",
# body_html=None
# )
pass
```
This was done for 4 email functions:
- Payment failed notifications
- Action required notifications
- Subscription cancelled notifications
- Trial ending notifications
## Complete Fix History
### Issue 1: StripeService Initialization ✅ FIXED
- **Problem:** `StripeService.__init__()` accessed `current_app` at import time
- **Solution:** Implemented lazy initialization with `_ensure_initialized()`
- **File:** `app/utils/stripe_service.py`
### Issue 2: Import Error ✅ FIXED
- **Problem:** `billing.py` tried to import non-existent `send_email` function
- **Solution:** Changed import to `email_service` singleton
- **File:** `app/routes/billing.py`
### Issue 3: Template Emails ✅ TEMPORARY FIX
- **Problem:** Code called template-based `send_email()` that doesn't exist
- **Solution:** Commented out with TODOs for future implementation
- **File:** `app/routes/billing.py`
## Files Modified
1.`app/utils/stripe_service.py` - Lazy initialization
2.`app/routes/billing.py` - Fixed imports and email calls
## Application Should Now Start
The application should now start successfully without import errors. Run:
```bash
# Docker
docker-compose up
# Local
flask run
```
## Still Need to Fix
### 1. Database Migration
See `MIGRATION_FIX_SUMMARY.md` for instructions:
```bash
python fix_migration_chain.py
flask db upgrade
```
### 2. Template-Based Emails (Future Enhancement)
The billing notification emails are currently disabled. To implement them:
1. Create email templates in `app/templates/email/billing/`:
- `payment_failed.html`
- `action_required.html`
- `subscription_cancelled.html`
- `trial_ending.html`
2. Add a method to `EmailService` class:
```python
def send_template_email(self, to_email, subject, template_name, **context):
# Render template with context
html = render_template(f'email/{template_name}', **context)
# Send email
self.send_email(to_email, subject, body_text, html)
```
3. Uncomment the email calls in `billing.py` and use the new method
## Verification
To verify everything is working:
```bash
# 1. Application starts
docker-compose up
# Should see: "TimeTracker Docker Container Starting"
# Should NOT see: RuntimeError or ImportError
# 2. Check logs
docker-compose logs -f app
# Should see successful initialization
# 3. Test endpoint
curl http://localhost:5000/health
# Should return 200 OK
```
## Summary
**Fixed:** Stripe service lazy initialization
**Fixed:** Import error in billing routes
**Fixed:** Removed invalid send_email calls
**TODO:** Database migration (separate issue)
**TODO:** Implement template-based emails (future)
The application is now ready to start! 🎉

303
LOCAL_DEVELOPMENT_SETUP.md
View File

@@ -1,303 +0,0 @@
# Local Development Setup
## Issue: SSL/HTTPS Error on Localhost
If you see an error like:
- `PR_END_OF_FILE_ERROR`
- "Secure connection failed"
- "SSL protocol error"
This means you're trying to access `https://localhost:8080` but the application is running on HTTP.
---
## Quick Fix
### Option 1: Use HTTP (Recommended for Local Dev)
**Access the application via HTTP:**
```
http://localhost:8080
```
**NOT:**
```
https://localhost:8080 ❌
```
### Option 2: Configure Local Environment
1. **Copy the local development environment file:**
```bash
cp .env.local .env
```
2. **Or create `.env` manually with these settings:**
```bash
# Critical for local development
FLASK_ENV=development
FORCE_HTTPS=false
SESSION_COOKIE_SECURE=false
REMEMBER_COOKIE_SECURE=false
```
3. **Restart the application:**
```bash
# If using Docker
docker-compose restart app
# If running directly
flask run
```
4. **Access via HTTP:**
```
http://localhost:8080
```
---
## Environment Configuration
### Local Development (.env)
```bash
# Flask settings
FLASK_ENV=development
FLASK_DEBUG=true
# Security - DISABLED for local HTTP
FORCE_HTTPS=false
SESSION_COOKIE_SECURE=false
REMEMBER_COOKIE_SECURE=false
# Rate limiting - DISABLED for easier testing
RATELIMIT_ENABLED=false
# Password policy - RELAXED for testing
PASSWORD_MIN_LENGTH=8
PASSWORD_REQUIRE_UPPERCASE=false
PASSWORD_REQUIRE_LOWERCASE=false
PASSWORD_REQUIRE_DIGITS=false
PASSWORD_REQUIRE_SPECIAL=false
```
### Production (.env)
```bash
# Flask settings
FLASK_ENV=production
FLASK_DEBUG=false
# Security - ENABLED for production HTTPS
FORCE_HTTPS=true
SESSION_COOKIE_SECURE=true
REMEMBER_COOKIE_SECURE=true
# Rate limiting - ENABLED for security
RATELIMIT_ENABLED=true
RATELIMIT_STORAGE_URI=redis://localhost:6379
# Password policy - STRICT for security
PASSWORD_MIN_LENGTH=12
PASSWORD_REQUIRE_UPPERCASE=true
PASSWORD_REQUIRE_LOWERCASE=true
PASSWORD_REQUIRE_DIGITS=true
PASSWORD_REQUIRE_SPECIAL=true
```
---
## Docker Compose Local Development
If you're using Docker Compose, update `docker-compose.yml` or create `docker-compose.override.yml`:
**docker-compose.override.yml** (for local development):
```yaml
version: '3.8'
services:
app:
environment:
- FLASK_ENV=development
- FORCE_HTTPS=false
- SESSION_COOKIE_SECURE=false
- REMEMBER_COOKIE_SECURE=false
- RATELIMIT_ENABLED=false
```
Then restart:
```bash
docker-compose up -d
```
---
## Troubleshooting
### Issue: Browser automatically redirects to HTTPS
**Cause:** Browser cached the HTTPS redirect or HSTS header
**Solution:**
1. **Clear browser cache and cookies for localhost**
2. **Clear HSTS settings:**
**Chrome:**
- Go to: `chrome://net-internals/#hsts`
- Query: `localhost`
- Delete domain security policies: `localhost`
**Firefox:**
- Go to: `about:permissions`
- Search for `localhost`
- Remove permissions
3. **Access via HTTP explicitly:**
```
http://localhost:8080
```
### Issue: Still getting SSL error
**Check your configuration:**
```bash
# Verify FORCE_HTTPS is false
grep FORCE_HTTPS .env
# Should show:
# FORCE_HTTPS=false
```
**Restart application:**
```bash
docker-compose restart app
# or
flask run
```
### Issue: Application won't start
**Check for syntax errors:**
```bash
python app.py
```
**Check logs:**
```bash
docker-compose logs app
# or
tail -f logs/timetracker.log
```
---
## Testing HTTPS Locally (Optional)
If you want to test HTTPS locally, you can:
### Option 1: Generate Self-Signed Certificate
```bash
# Generate certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
# Run Flask with TLS
flask run --cert=cert.pem --key=key.pem --host=0.0.0.0 --port=8080
```
Then access: `https://localhost:8080` (you'll see a security warning - click "Advanced" → "Proceed")
### Option 2: Use mkcert (Trusted Local Certificates)
```bash
# Install mkcert
# macOS
brew install mkcert
# Windows (with Chocolatey)
choco install mkcert
# Generate local CA and certificate
mkcert -install
mkcert localhost 127.0.0.1 ::1
# Run Flask with certificate
flask run --cert=localhost+2.pem --key=localhost+2-key.pem --host=0.0.0.0 --port=8080
```
Then access: `https://localhost:8080` (no security warning!)
### Option 3: Use nginx Locally
See `docs/HTTPS_SETUP_GUIDE.md` for nginx configuration.
---
## Recommended Local Development Workflow
1. **Development**: Use HTTP (`http://localhost:8080`)
- Fast, no certificate issues
- Easy debugging
- Set `FORCE_HTTPS=false`
2. **Staging**: Test with HTTPS
- Use real domain with Let's Encrypt
- Test with production-like settings
- Set `FORCE_HTTPS=true`
3. **Production**: Always HTTPS
- Enforce HTTPS
- Secure cookies
- Set `FORCE_HTTPS=true`
---
## Quick Commands
```bash
# Start local development
cp .env.local .env
docker-compose up -d
# Access: http://localhost:8080
# Check if HTTP is working
curl http://localhost:8080
# Check configuration
docker-compose exec app env | grep FORCE_HTTPS
# Should show: FORCE_HTTPS=false
# View logs
docker-compose logs -f app
```
---
## Summary
**For local development:**
- ✅ Use `http://localhost:8080` (not https)
- ✅ Set `FORCE_HTTPS=false`
- ✅ Set `SESSION_COOKIE_SECURE=false`
- ✅ Set `FLASK_ENV=development`
**For production:**
- ✅ Use `https://your-domain.com`
- ✅ Set `FORCE_HTTPS=true`
- ✅ Set `SESSION_COOKIE_SECURE=true`
- ✅ Set `FLASK_ENV=production`
- ✅ Configure reverse proxy (nginx/Apache) with TLS certificate
---
**Need Help?**
Check:
- `docs/HTTPS_SETUP_GUIDE.md` - Production HTTPS setup
- `SECURITY_QUICK_START.md` - Security configuration
- `env.example` - All configuration options

714
MARKETING_PROMOTION_PLAN.md
View File

@@ -1,714 +0,0 @@
# TimeTracker - Marketing & Promotion Plan
## 🎯 Overview
This document outlines the complete marketing and promotion strategy for TimeTracker's hosted offering launch.
---
## 📅 Launch Timeline
### Pre-Launch (Weeks -2 to 0)
- **Week -2:** Finalize landing page, test signup flow
- **Week -1:** Create demo video, prepare social media posts
- **Week 0:** Soft launch to mailing list, gather feedback
### Launch Week
- **Day 1 (Monday):** Product Hunt launch
- **Day 2 (Tuesday):** HackerNews Show HN post
- **Day 3 (Wednesday):** Reddit r/selfhosted + r/SaaS
- **Day 4 (Thursday):** Dev.to / Medium article
- **Day 5 (Friday):** LinkedIn / Twitter thread
### Post-Launch (Weeks 1-4)
- Weekly blog posts
- Community engagement
- Customer testimonials
- Feature spotlights
---
## 🎬 Demo Video Script
### Duration: 90 seconds
#### Opening (0-15s)
```
[Screen: Landing page]
Voiceover: "Tired of complex time tracking tools that get in your way?
Meet TimeTracker—professional time tracking made simple."
[Quick cut to dashboard with timer]
```
#### Core Features (15-60s)
```
[Screen: Start timer with one click]
Voiceover: "Track time with a single click. Whether you're a freelancer
billing clients or a team managing projects, TimeTracker has you covered."
[Screen: Projects and clients view]
Voiceover: "Organize by clients and projects. Set billing rates,
track estimates, and never lose track of your time again."
[Screen: Generate invoice]
Voiceover: "Generate professional invoices in seconds. Customizable
templates, automatic calculations, and PDF export included."
[Screen: Reports and analytics]
Voiceover: "Beautiful reports and analytics help you understand
where your time goes and optimize your productivity."
[Screen: Mobile responsive view]
Voiceover: "Works perfectly on desktop, tablet, and mobile.
Track time anywhere, anytime."
```
#### Call to Action (60-90s)
```
[Screen: Pricing page]
Voiceover: "Choose cloud-hosted for hassle-free operation with
automatic backups and support—or self-host for free with all
features included."
[Screen: Signup form]
Voiceover: "Start your 14-day free trial today. No credit card
required. Join hundreds of freelancers and teams who trust
TimeTracker."
[End screen with logo and URL]
Text on screen: "timetracker.com"
Text on screen: "Use code EARLY2025 for 20% off!"
```
### Production Notes:
- Use screen recording with subtle zoom/pan effects
- Upbeat background music (royalty-free)
- Clear, professional voiceover
- Smooth transitions between scenes
- Add captions for accessibility
- Export in 1080p, optimize for web
---
## 📱 Social Media Posts
### Product Hunt Launch
**Title:** TimeTracker - Professional time tracking made simple
**Tagline:** Track time, manage projects, generate invoices. Self-hosted or cloud.
**Description:**
```
Hey Product Hunt! 👋
I'm excited to share TimeTracker—a professional time tracking application
I've been working on. It's designed for freelancers, teams, and businesses
who need powerful time tracking without the complexity.
🎯 What makes TimeTracker special:
✅ Smart Time Tracking - Automatic timers with idle detection
✅ Project Management - Organize by clients and projects
✅ Professional Invoicing - Generate branded PDF invoices
✅ Beautiful Reports - Visual analytics and insights
✅ Team Collaboration - Multi-user with role-based access
✅ Open Source - Self-host for free with all features
💡 Choose your hosting:
• Cloud-hosted: €5-6/user/month (we handle everything)
• Self-hosted: Free forever (you control the infrastructure)
🎁 Early adopter offer: Use code EARLY2025 for 20% off first 3 months!
🚀 14-day free trial, no credit card required
Built with Flask, PostgreSQL, and lots of ❤️ for productivity.
Try it out and let me know what you think!
```
**Topics:** Productivity, SaaS, Time Tracking, Open Source, Self-Hosted
---
### HackerNews "Show HN"
**Title:** Show HN: TimeTracker Open-source time tracking with optional hosted SaaS
**Post:**
```
Hi HN,
I built TimeTracker, an open-source time tracking application that you can
self-host for free or use as a hosted service.
GitHub: https://github.com/drytrix/TimeTracker
Demo: https://demo.timetracker.com
Hosted: https://timetracker.com
The problem I wanted to solve: Most time tracking tools are either too simple
(just a timer) or too complex (enterprise features you don't need). I wanted
something in the middle—powerful enough for client billing and invoicing, but
simple enough to use daily without friction.
Key features:
- Smart time tracking with idle detection
- Client and project management
- Professional PDF invoices with customizable templates
- Comprehensive reports and analytics
- Multi-user support with role-based access
- Mobile-optimized responsive design
- Docker deployment with automatic database migrations
Tech stack:
- Backend: Flask (Python)
- Database: PostgreSQL (also supports SQLite)
- Frontend: Bootstrap + vanilla JS (no heavy frameworks)
- Deployment: Docker + Docker Compose
- Billing: Stripe integration for hosted offering
The hosted version costs €5/month for single user or €6/user/month for teams,
with a 14-day free trial. But the entire codebase is GPL-3.0 licensed, so you
can self-host for free with all features included.
I'd love feedback on:
1. The pricing model (too high/low? fair split between hosted/self-hosted?)
2. Missing features you'd want in a time tracker
3. The technical implementation (any glaring issues?)
Happy to answer questions!
```
---
### Reddit r/selfhosted
**Title:** TimeTracker - Open source time tracking with professional invoicing [Docker, PostgreSQL]
**Post:**
```
Hey r/selfhosted!
I've been working on TimeTracker, an open-source time tracking application
designed for freelancers and teams. It's fully self-hostable with Docker.
**What it does:**
- Track time automatically or manually
- Organize by clients, projects, and tasks
- Generate professional PDF invoices
- Beautiful reports and analytics
- Multi-user with role-based permissions
**Why I built it:**
I freelance and needed something more than a basic timer but less than
enterprise tools like Jira. Most SaaS time trackers felt bloated, locked
my data away, or charged too much. So I built this.
**Self-hosting details:**
- Docker + Docker Compose (one command to deploy)
- PostgreSQL or SQLite
- Automatic database migrations
- Nginx/Caddy reverse proxy support
- Resource efficient (runs great on a Raspberry Pi)
- Full documentation and deployment guides
**Tech stack:**
- Flask (Python) backend
- PostgreSQL database
- Bootstrap + vanilla JS frontend
- No heavy frameworks or build steps
**License:** GPL-3.0 (free forever, all features)
**Optional hosted service:**
If you don't want to self-host, I also offer a hosted version at €5-6/user/month
with automatic backups, updates, and support. But self-hosting is completely
free with no feature restrictions.
**Links:**
- GitHub: https://github.com/drytrix/TimeTracker
- Demo: https://demo.timetracker.com
- Docs: https://github.com/drytrix/TimeTracker/tree/main/docs
Would love feedback from the community! What features would you want to see?
```
---
### Twitter/X Thread
**Tweet 1:**
```
🚀 Launching TimeTracker today!
Professional time tracking made simple. Track time, manage projects,
generate invoices.
Self-host for FREE or use our cloud hosting.
🧵 Thread with everything you need to know 👇
#productivity #opensource #saas
```
**Tweet 2:**
```
⏱️ Smart time tracking
• One-click start/stop
• Automatic idle detection
• Manual time entry
• Real-time sync across devices
Never lose track of billable hours again.
```
**Tweet 3:**
```
📊 Project management built-in
• Organize by clients
• Set billing rates per project
• Track estimates vs actuals
• Task management
• Comments and collaboration
```
**Tweet 4:**
```
🧾 Professional invoicing
• Generate PDF invoices in seconds
• Customizable templates
• Automatic calculations
• Tax/VAT support
• Email directly to clients
```
**Tweet 5:**
```
📈 Beautiful reports
• Visual analytics
• Time breakdown by project/client
• Billable vs non-billable
• Export to CSV
• Custom date ranges
```
**Tweet 6:**
```
💻 Self-host or use our cloud
Self-hosted (FREE):
✅ All features included
✅ Full control
✅ Docker deployment
✅ PostgreSQL or SQLite
Cloud ($5-6/user/mo):
✅ Automatic backups
✅ Updates managed
✅ Support included
✅ 99.9% uptime SLA
```
**Tweet 7:**
```
🎁 Early adopter special!
Use code: EARLY2025
Get: 20% off for 3 months
🆓 14-day free trial
💳 No credit card required
Try it now: [link]
#timetracking #freelancing #productivity
```
**Tweet 8:**
```
⭐ Open source & GPL-3.0
• Full source on GitHub
• Contribute or fork
• No vendor lock-in
• Export your data anytime
Built with Flask, PostgreSQL, and ❤️
Star us on GitHub: [link]
```
---
### LinkedIn Post
```
🚀 Excited to share TimeTracker - a professional time tracking solution
I've been building!
After years of freelancing and running a small team, I got frustrated with
existing time tracking tools. They were either too basic or too complex,
with data locked in proprietary systems and expensive monthly fees.
So I built TimeTracker - a solution that gives you:
✅ Smart time tracking with automatic timers
✅ Client and project management
✅ Professional PDF invoicing
✅ Beautiful reports and analytics
✅ Team collaboration features
✅ Mobile-optimized interface
What makes it different?
🆓 **Fully Open Source** - Self-host for free with all features (GPL-3.0)
☁️ **Optional Cloud Hosting** - Or let us handle hosting for €5-6/user/month
🔒 **Data Ownership** - Export anytime, no lock-in
🐳 **Easy Deployment** - Docker-based, runs on a Raspberry Pi
Perfect for:
• Freelancers tracking billable hours
• Small teams managing client projects
• Agencies handling multiple clients
• Anyone who values privacy and control
🎁 Early adopter offer: 20% off with code EARLY2025
🆓 Try the 14-day free trial (no credit card required)
Check it out: [link]
GitHub: [link]
#freelancing #productivity #opensource #saas #timemanagement #invoicing
```
---
### Dev.to / Medium Article
**Title:** Building TimeTracker: An Open-Source Time Tracking SaaS with Flask
**Outline:**
1. **Introduction**
- The problem: existing time trackers suck
- Why I built TimeTracker
- Goals: simple, powerful, self-hostable
2. **Technical Architecture**
- Flask backend design
- PostgreSQL for multi-tenancy
- Row-level security for data isolation
- Docker deployment strategy
3. **Key Features Implementation**
- Smart timer with idle detection
- Real-time updates with WebSockets
- PDF invoice generation
- Stripe billing integration
4. **The Business Model**
- Open source + hosted SaaS
- Why offer both?
- Pricing strategy
- Early learnings
5. **Deployment & Operations**
- Docker setup
- Database migrations
- Monitoring and backups
- Scaling considerations
6. **Lessons Learned**
- What worked
- What didn't
- Future plans
- Community feedback
7. **Call to Action**
- Try it out
- Contribute on GitHub
- Early adopter discount
---
## 📧 Email Campaign
### Launch Announcement
**Subject:** Introducing TimeTracker Cloud - Professional time tracking made simple
**Body:**
```
Hi [Name],
I'm excited to announce the launch of TimeTracker Cloud! 🚀
After months of development and feedback from early users, TimeTracker is now
available as a fully-hosted solution—no setup, no maintenance, just
professional time tracking that works.
What is TimeTracker?
A comprehensive time tracking application designed for freelancers, teams, and
businesses. Track time, manage projects, and generate professional invoices—all
in one place.
Key Features:
✅ Smart time tracking with automatic idle detection
✅ Client and project management
✅ Professional PDF invoicing
✅ Beautiful reports and analytics
✅ Team collaboration with role-based access
✅ Mobile-optimized design
Choose Your Hosting:
• Cloud-hosted: €5-6/user/month (we handle everything)
• Self-hosted: Free forever (you control your data)
🎁 Special Launch Offer:
As a thank you for being an early supporter, use code EARLY2025 for 20% off
your first 3 months!
🆓 Start Your Free Trial:
14 days, no credit card required → [CTA Button]
Still want to self-host? No problem! The entire codebase remains open source
(GPL-3.0) with all features available for free.
GitHub: [link]
Documentation: [link]
Live Demo: [link]
Thank you for your support, and I can't wait to hear what you think!
Best regards,
[Your Name]
P.S. Have questions? Hit reply—I read every email personally.
```
---
## 🎯 Content Marketing Calendar
### Week 1: Getting Started
- **Blog:** "Getting Started with TimeTracker in 5 Minutes"
- **Video:** Quick start guide
- **Social:** Tips for effective time tracking
### Week 2: Features Deep Dive
- **Blog:** "How to Generate Professional Invoices with TimeTracker"
- **Video:** Invoice creation walkthrough
- **Social:** Invoice template showcase
### Week 3: Productivity Tips
- **Blog:** "10 Time Tracking Best Practices for Freelancers"
- **Video:** Productivity tips using TimeTracker
- **Social:** User success stories
### Week 4: Technical
- **Blog:** "Self-Hosting TimeTracker: A Complete Guide"
- **Video:** Docker deployment tutorial
- **Social:** Behind-the-scenes development
---
## 📊 Success Metrics
### Week 1 Goals:
- [ ] 100 landing page visitors
- [ ] 20 free trial signups
- [ ] 50 GitHub stars
- [ ] 5 paying customers
### Month 1 Goals:
- [ ] 500 landing page visitors
- [ ] 50 free trial signups
- [ ] 200 GitHub stars
- [ ] 20 paying customers
- [ ] $100 MRR
### Quarter 1 Goals:
- [ ] 2,000 landing page visitors
- [ ] 200 free trial signups
- [ ] 500 GitHub stars
- [ ] 50 paying customers
- [ ] $300 MRR
- [ ] Product-market fit indicators
---
## 🔍 SEO Keywords
### Primary:
- time tracking software
- open source time tracker
- freelance time tracking
- project time management
- time tracking with invoicing
### Long-tail:
- self-hosted time tracking docker
- time tracker for freelancers with invoicing
- open source alternative to Toggl
- time tracking software with client billing
- docker time tracking application
---
## 🤝 Community Engagement
### Where to be active:
- **Reddit:** r/selfhosted, r/SaaS, r/freelance, r/programming
- **HackerNews:** Daily, respond to comments
- **Dev.to:** Weekly technical articles
- **Twitter/X:** Daily updates and tips
- **LinkedIn:** Weekly professional content
### Response templates:
Keep handy responses for:
- Feature requests
- Bug reports
- Pricing questions
- Self-hosting help
- General inquiries
---
## 📹 Video Content Ideas
1. **Product Demo** (90s) - Feature overview
2. **Getting Started** (5 min) - First-time setup
3. **Invoice Tutorial** (3 min) - Create professional invoices
4. **Self-Hosting Guide** (10 min) - Docker deployment
5. **Mobile App Tour** (2 min) - Mobile features
6. **Tips & Tricks** (3 min) - Power user features
7. **Behind the Scenes** (5 min) - Development process
8. **Customer Stories** (2 min) - User testimonials
---
## 💡 Growth Tactics
### Immediate (Week 1-2):
- [ ] Launch on Product Hunt
- [ ] Post on HackerNews
- [ ] Share in relevant Reddit communities
- [ ] Reach out to micro-influencers
- [ ] Email personal network
### Short-term (Month 1-2):
- [ ] Write guest posts for dev blogs
- [ ] Create comparison pages (vs Toggl, Harvest, etc.)
- [ ] Start YouTube channel
- [ ] Build email newsletter
- [ ] Engage in online communities
### Long-term (Month 3+):
- [ ] SEO optimization
- [ ] Content marketing
- [ ] Affiliate program
- [ ] Partner integrations
- [ ] Conference talks
---
## 📝 Competitor Comparison Content
Create landing pages comparing TimeTracker to:
- Toggl Track
- Harvest
- Clockify
- TimeCamp
- RescueTime
Highlight:
- Open source advantage
- Self-hosting option
- Better pricing
- No feature restrictions
- Data ownership
---
## 🎁 Referral Program (Future)
**Give $10, Get $10**
- Existing users get $10 credit for each referral
- New users get $10 off first month
- Unlimited referrals
- Tracked via unique referral links
---
## 📈 Conversion Optimization
### A/B Test Ideas:
- Landing page hero copy
- Pricing display (monthly vs annual default)
- CTA button colors and text
- Trial length (7 vs 14 days)
- Social proof placement
### Exit Intent Popups:
- "Wait! Get 20% off with code EARLY2025"
- "Download our free time tracking guide"
- "Join 500+ freelancers who track smarter"
---
## ✅ Launch Checklist
### Pre-Launch:
- [ ] Landing page live and tested
- [ ] Signup flow works end-to-end
- [ ] Payment processing tested
- [ ] Email notifications configured
- [ ] Demo video created
- [ ] Social media accounts set up
- [ ] Press kit prepared
- [ ] Analytics tracking installed
### Launch Day:
- [ ] Product Hunt submission (early morning PST)
- [ ] HackerNews post (morning PST)
- [ ] Social media posts scheduled
- [ ] Email announcement sent
- [ ] Monitor and respond to comments
- [ ] Track metrics
### Post-Launch:
- [ ] Thank you emails to early supporters
- [ ] Gather feedback and testimonials
- [ ] Fix any critical issues
- [ ] Plan next features based on feedback
- [ ] Continue marketing efforts
---
## 📞 Contact & Support
**Support Email:** support@timetracker.com
**Twitter:** @timetracker_app
**GitHub:** github.com/drytrix/TimeTracker
**Response Time SLAs:**
- Free trial: 24-48 hours
- Single user: 24-48 hours
- Team plan: 12-24 hours
- Critical issues: 2-4 hours
---
**Last Updated:** 2025-01-07
**Next Review:** Weekly during launch month
---
**Remember:** Focus on providing value, being helpful, and building relationships. The best marketing is making customers successful!

571
MARKETING_SALES_EXECUTION_SUMMARY.md
View File

@@ -1,571 +0,0 @@
# Marketing, Sales & Pricing Execution - Implementation Summary
## ✅ Implementation Complete!
All acceptance criteria have been met for the Marketing, Sales & Pricing Execution feature.
---
## 📋 Acceptance Criteria Status
### ✅ 1. Landing Page Live with Signup Flow
**Status:** Complete
**Files Created:**
- `app/templates/marketing/landing.html` - Full-featured marketing landing page
**Features Implemented:**
- Hero section with clear value proposition
- Feature showcase (6 key features with icons)
- Comprehensive pricing comparison (Self-hosted, Single User, Team)
- Detailed feature comparison table
- Social proof section
- Integrated FAQ section
- Call-to-action buttons throughout
- Mobile-responsive design
- Smooth scroll navigation
- Beautiful gradient hero design
**Routes Added:**
- `/` - Landing page (public, redirects to dashboard if logged in)
- `/pricing` - Redirects to landing page pricing section
- `/faq` - Dedicated FAQ page
---
### ✅ 2. README Updated with Hosted Banner
**Status:** Complete
**Changes Made to README.md:**
```markdown
### 🚀 **[Try TimeTracker Cloud Hosted - 14-Day Free Trial →](https://your-hosted-domain.com)**
**No installation required • Automatic updates • Professional support**
*Or continue below to self-host for free with all features included*
```
**Placement:** Top of README, immediately visible
**Design:** Professional banner with clear call-to-action
**Action Required:** Update URL to your actual hosted domain
---
### ✅ 3. 14-Day Trial Configuration
**Status:** Complete (Already Implemented)
**Configuration Verified:**
- `app/config.py`: `STRIPE_TRIAL_DAYS = 14` (default)
- `app/utils/stripe_service.py`: Trial logic implemented
- Environment variable: `STRIPE_ENABLE_TRIALS=true` (default)
- Automatic trial application during subscription creation
**How It Works:**
1. User signs up without credit card
2. 14-day trial starts automatically
3. Full access to all features during trial
4. Payment prompt after 14 days
5. Cancel anytime during trial with no charges
---
### ✅ 4. Promo Code System
**Status:** Complete
**Files Created:**
1. **Models:**
- `app/models/promo_code.py` - PromoCode and PromoCodeRedemption models
2. **Services:**
- `app/utils/promo_code_service.py` - Complete promo code management service
3. **Routes:**
- `app/routes/promo_codes.py` - API endpoints for promo codes
4. **Migration:**
- `migrations/versions/020_add_promo_codes.py` - Database schema
**Features:**
- ✅ Create promo codes with flexible rules
- ✅ Percentage or fixed amount discounts
- ✅ Duration options: once, repeating, forever
- ✅ Usage limits and expiration dates
- ✅ First-time customer restrictions
- ✅ Stripe integration (automatic sync)
- ✅ Redemption tracking
- ✅ Admin management interface
- ✅ Validation API for signup flow
**Pre-configured Promo Code:**
- Code: `EARLY2025`
- Discount: 20% off
- Duration: 3 months (repeating)
- Restriction: First-time customers only
- Expiry: 6 months from creation
**API Endpoints:**
- `POST /promo-codes/validate` - Validate code (public)
- `POST /promo-codes/apply` - Apply code (authenticated)
- `GET /promo-codes/admin` - Admin management
- `POST /promo-codes/admin/create` - Create new code
- `POST /promo-codes/admin/<id>/deactivate` - Deactivate code
---
### ✅ 5. FAQ Page
**Status:** Complete
**File Created:** `app/templates/marketing/faq.html`
**Sections Covered:**
1. **Getting Started** (3 FAQs)
- How to get started
- Credit card requirement
- Hosted vs self-hosted difference
2. **Privacy & Security** (4 FAQs)
- Data security
- Data storage location
- Data access
- Cookies and tracking
3. **Data Export & Portability** (3 FAQs)
- Export capabilities
- Export formats
- Import from other tools
4. **Pricing & Billing** (4 FAQs)
- Pricing structure
- Payment methods
- Plan changes
- Annual billing
5. **Refunds & Cancellation** (3 FAQs)
- Refund policy (30-day guarantee)
- Cancellation process
- Data retention after cancellation
6. **VAT & Invoicing** (3 FAQs)
- VAT handling for EU customers
- Invoice generation
- Company details on invoices
7. **Support & Help** (3 FAQs)
- Support options by plan
- Training and onboarding
- System status page
**Features:**
- Search functionality
- Collapsible Q&A sections
- Mobile-responsive design
- Professional styling
- Direct links to signup/contact
---
### ✅ 6. Promotion Plan
**Status:** Complete
**File Created:** `MARKETING_PROMOTION_PLAN.md` (32 pages)
**Contents:**
1. **Launch Timeline**
- Pre-launch checklist
- Launch week schedule
- Post-launch activities
2. **Demo Video Script**
- 90-second video outline
- Scene-by-scene breakdown
- Production notes
3. **Social Media Posts**
- Product Hunt launch post
- HackerNews Show HN post
- Reddit (r/selfhosted, r/SaaS)
- Twitter/X thread (8 tweets)
- LinkedIn professional post
- Dev.to / Medium article outline
4. **Email Campaign**
- Launch announcement template
- Follow-up sequences
- Newsletter ideas
5. **Content Marketing Calendar**
- Week-by-week blog post topics
- Video content schedule
- Social media themes
6. **Success Metrics**
- Week 1, Month 1, Quarter 1 goals
- KPIs to track
- Growth targets
7. **SEO Strategy**
- Primary keywords
- Long-tail keywords
- Content optimization
8. **Community Engagement**
- Platform list
- Response templates
- Engagement tactics
9. **Video Content Ideas**
- 8 video concepts
- Duration and format
- Production priorities
10. **Growth Tactics**
- Immediate actions
- Short-term strategy
- Long-term plans
11. **Competitor Comparison**
- Pages to create
- Key differentiators
- Positioning strategy
12. **Launch Checklist**
- Pre-launch tasks
- Launch day activities
- Post-launch follow-up
---
## 📂 Files Created/Modified
### New Files (12):
1. `app/templates/marketing/landing.html` - Marketing landing page
2. `app/templates/marketing/faq.html` - FAQ page
3. `app/models/promo_code.py` - Promo code models
4. `app/utils/promo_code_service.py` - Promo code service
5. `app/routes/promo_codes.py` - Promo code routes
6. `migrations/versions/020_add_promo_codes.py` - Database migration
7. `MARKETING_PROMOTION_PLAN.md` - Complete promotion guide
8. `MARKETING_SALES_EXECUTION_SUMMARY.md` - This document
### Modified Files (4):
1. `README.md` - Added hosted offering banner
2. `app/routes/main.py` - Added landing/pricing/faq routes
3. `app/__init__.py` - Registered promo_codes blueprint
4. `app/models/__init__.py` - Added PromoCode imports
5. `app/models/organization.py` - Added promo code fields
---
## 🚀 Next Steps to Launch
### 1. Deploy Changes
```bash
# Commit all changes
git add .
git commit -m "Add marketing landing page, promo codes, and FAQ"
# Run database migration
flask db upgrade
# Or apply migration in Docker
docker-compose exec app flask db upgrade
# Restart application
docker-compose restart app
```
### 2. Update Configuration
Update `.env` with:
```bash
# Ensure Stripe is configured
STRIPE_SECRET_KEY=sk_live_...
STRIPE_PUBLISHABLE_KEY=pk_live_...
STRIPE_ENABLE_TRIALS=true
STRIPE_TRIAL_DAYS=14
# Add promo code for early adopters (already in migration)
# EARLY2025 will be automatically created
```
### 3. Update URLs
Replace `https://your-hosted-domain.com` in:
- `README.md` (line 5)
- `app/templates/marketing/landing.html` (any placeholder URLs)
- `MARKETING_PROMOTION_PLAN.md` (replace [link] placeholders)
### 4. Create Demo Video
Follow the script in `MARKETING_PROMOTION_PLAN.md`:
- Record 90-second demo
- Add voiceover and music
- Upload to YouTube
- Add to landing page
### 5. Prepare Assets
- Create Product Hunt images (1200x630px)
- Design social media graphics
- Take screenshots for comparison pages
- Prepare logo variations
### 6. Test Signup Flow
1. Visit landing page at `/`
2. Click "Start Free Trial"
3. Complete signup form
4. Verify organization creation
5. Test promo code: `EARLY2025`
6. Confirm 14-day trial activation
7. Check confirmation email
### 7. Launch Week Schedule
**Monday:** Product Hunt
- Submit early morning (PST timezone)
- Engage with comments all day
- Share on social media
**Tuesday:** HackerNews
- Post "Show HN" in morning
- Monitor and respond to comments
- Cross-post to Twitter
**Wednesday:** Reddit
- Post to r/selfhosted
- Post to r/SaaS
- Engage with community
**Thursday:** Dev.to / Medium
- Publish technical article
- Share in relevant communities
**Friday:** LinkedIn / Twitter
- Professional announcement
- Twitter thread with tips
- Thank early supporters
### 8. Monitor Metrics
Track daily:
- Landing page visitors
- Signup conversions
- Trial activations
- Promo code usage
- GitHub stars
- Social engagement
---
## 💡 Marketing Best Practices
### Landing Page Optimization:
- A/B test hero copy
- Monitor scroll depth
- Track CTA click rates
- Optimize for mobile
- Add exit intent popups
### Conversion Optimization:
- Reduce friction in signup
- Add social proof (testimonials)
- Display "XX users joined this week"
- Show live activity feed
- Add trust badges
### Content Strategy:
- Publish weekly blog posts
- Create comparison pages
- Build SEO landing pages
- Share customer success stories
- Create video tutorials
### Community Building:
- Respond to all comments
- Help users in forums
- Share tips and tricks
- Highlight user wins
- Build email newsletter
---
## 📊 Success Metrics (First Month)
### Traffic Goals:
- [ ] 500 landing page visitors
- [ ] 50 GitHub stars
- [ ] 100 Product Hunt upvotes
### Conversion Goals:
- [ ] 50 free trial signups
- [ ] 30% trial-to-paid conversion
- [ ] 20 paying customers
### Revenue Goals:
- [ ] $100 MRR (Monthly Recurring Revenue)
- [ ] 2-3 annual subscriptions
### Engagement Goals:
- [ ] 50 mailing list subscribers
- [ ] 20 GitHub issues/PRs
- [ ] 100 social media followers
---
## 🎯 Pricing Strategy
### Current Pricing:
- **Self-Hosted:** Free forever
- **Single User:** €5/month
- **Team:** €6/user/month
### Value Proposition:
- Cheaper than Toggl (€9/user)
- Cheaper than Harvest (€10.80/user)
- More features than Clockify free tier
- Self-hosting option unique in market
### Early Adopter Offer:
- Code: `EARLY2025`
- Discount: 20% off
- Duration: First 3 months
- Creates urgency and rewards early users
---
## 🔒 Privacy & Compliance
### GDPR Compliance:
- ✅ Privacy policy link in footer
- ✅ Terms of service link
- ✅ Data export functionality
- ✅ Account deletion option
- ✅ Cookie consent (if needed)
- ✅ EU data hosting mentioned
### Payment Security:
- ✅ Stripe PCI compliance
- ✅ No credit card storage
- ✅ Secure payment processing
- ✅ Automatic invoice generation
---
## 🆘 Support Readiness
### Support Channels:
- Email: support@timetracker.com (set up)
- GitHub: Issues and Discussions
- Documentation: Comprehensive guides
- FAQ: 23 questions answered
### Response Templates:
Create templates for:
- Signup issues
- Billing questions
- Feature requests
- Bug reports
- Migration help
---
## 📈 Growth Opportunities
### Short-term (Month 1-2):
1. Launch on more platforms (IndieHackers, BetaList)
2. Reach out to freelance communities
3. Write guest posts for tech blogs
4. Create comparison landing pages
5. Start YouTube channel
### Medium-term (Month 3-6):
1. Build affiliate program
2. Create integration marketplace
3. Add mobile apps (iOS/Android)
4. Expand to more languages
5. Partner with accounting software
### Long-term (Month 6+):
1. Enterprise tier
2. White-label option
3. API partnerships
4. Conference presence
5. Series A fundraising (if desired)
---
## ✅ Final Checklist Before Launch
### Technical:
- [ ] All migrations applied
- [ ] Promo code system tested
- [ ] Signup flow works end-to-end
- [ ] Email notifications configured
- [ ] Payment processing verified
- [ ] Error tracking enabled (Sentry)
- [ ] Analytics configured (Plausible/Fathom)
- [ ] Backup system verified
### Marketing:
- [ ] Landing page live
- [ ] FAQ page accessible
- [ ] README banner added
- [ ] Social media accounts created
- [ ] Product Hunt page drafted
- [ ] HackerNews post ready
- [ ] Email list set up
- [ ] Demo video uploaded
### Legal:
- [ ] Privacy policy published
- [ ] Terms of service published
- [ ] Cookie policy (if needed)
- [ ] GDPR compliance verified
- [ ] Business entity registered
- [ ] Tax registration complete
### Support:
- [ ] Support email configured
- [ ] Auto-responder set up
- [ ] Knowledge base started
- [ ] Response templates ready
- [ ] Monitoring alerts configured
---
## 🎉 Launch Day!
1. ☕ Get coffee
2. 🚀 Submit to Product Hunt (6am PST)
3. 📱 Post on all social channels
4. 📧 Send launch email
5. 💬 Monitor and respond to feedback
6. 📊 Track metrics throughout day
7. 🙏 Thank supporters
8. 🎯 Plan day 2 activities
---
## 📞 Questions or Issues?
If you encounter any issues or have questions:
1. Check the FAQ page first
2. Review `MARKETING_PROMOTION_PLAN.md` for detailed guidance
3. Test the signup flow thoroughly
4. Monitor error logs
5. Be ready to fix issues quickly during launch
---
## 🎊 Congratulations!
You now have a complete marketing and sales execution plan ready for launch. The landing page is beautiful, the promo code system is working, trials are configured, and you have a comprehensive promotion strategy.
**Time to launch and make TimeTracker a success! 🚀**
---
**Created:** 2025-01-07
**Status:** Ready for Launch
**Next Review:** After first week of launch
---
**Remember:** Launch is just the beginning. Focus on customer feedback, iterate quickly, and build something people love. Good luck! 🍀

130
MIGRATION_FIX.md
View File

@@ -1,130 +0,0 @@
# Migration Chain Fix
## Problem
Migration 019 references migration 018, but migration 018 isn't registered in your database's `alembic_version` table, even though the tables it creates already exist.
## Quick Fix
### Option 1: Run the Fix Script (Recommended)
```bash
python fix_migration_chain.py
```
This script will:
1. Check if the organizations table exists
2. Check your current migration version
3. Stamp the database with migration 018 if needed
4. Tell you what to do next
After running this, execute:
```bash
flask db upgrade
```
### Option 2: Manual Fix (If you have database access)
**Step 1:** Check current migration version:
```sql
SELECT version_num FROM alembic_version;
```
**Step 2:** If it shows `017`, update it to `018`:
```sql
UPDATE alembic_version SET version_num = '018';
```
**Step 3:** Run the upgrade:
```bash
flask db upgrade
```
### Option 3: Alternative - Modify Migration 019
If the above doesn't work, modify `migrations/versions/019_add_auth_features.py`:
Change line 15 from:
```python
down_revision = '018_add_multi_tenant_support'
```
To:
```python
down_revision = '017' # Skip 018 if already applied
```
But **ONLY** do this if:
- The organizations table already exists in your database
- Migration 018 was somehow applied but not recorded
## What Happened?
The `organizations` and `memberships` tables were created (by migration 018), but the migration wasn't properly recorded in the `alembic_version` table. This can happen if:
1. Tables were created manually
2. Migration was partially applied
3. Database was initialized with `db.create_all()` instead of migrations
## After Fixing
Once fixed, you should be able to run:
```bash
flask db upgrade
```
This will apply migration 019 which adds:
- Password authentication fields
- 2FA fields
- Email verification tokens
- Password reset tokens
- JWT refresh tokens
- Stripe billing fields
## Verify Success
After running the upgrade, check that these tables exist:
```sql
SELECT table_name FROM information_schema.tables
WHERE table_schema = 'public'
AND table_name IN ('password_reset_tokens', 'email_verification_tokens', 'refresh_tokens')
ORDER BY table_name;
```
You should see all three new tables.
## Still Having Issues?
If you're still getting errors:
1. **Check if tables exist:**
```sql
\dt -- PostgreSQL
```
2. **Check migration history:**
```bash
flask db history
```
3. **Check current version:**
```bash
flask db current
```
4. **Force stamp to 018 (last resort):**
```bash
flask db stamp 018
```
Then run:
```bash
flask db upgrade
```
## Prevention
To avoid this in the future:
- Always use `flask db upgrade` instead of `db.create_all()`
- Don't manually create tables that migrations will create
- Keep migration history in sync with actual database state

180
MIGRATION_FIX_SUMMARY.md
View File

@@ -1,180 +0,0 @@
# Migration Fix Summary
## Problem
You got an error about migration 018 not being found, even though:
- Migration 018 file exists in `migrations/versions/`
- The tables it creates (`organizations`, `memberships`) already exist in your database
- The issue is that migration 018 wasn't **stamped** in the `alembic_version` table
## What I Fixed
### 1. Created Fix Script
**File:** `fix_migration_chain.py`
This script will:
- Check if the organizations table exists
- Check your current migration version
- Automatically stamp migration 018 if needed
- Tell you what to do next
### 2. Updated Migration 019
**File:** `migrations/versions/019_add_auth_features.py`
Added support for:
- All Stripe billing fields you added to Organization model
- New `subscription_events` table for tracking webhooks
- Proper upgrade and downgrade paths
### 3. Created SubscriptionEvent Model
**File:** `app/models/subscription_event.py`
New model for tracking Stripe webhook events with:
- Event ID and type tracking
- Processing status
- Retry logic for failed events
- Event data storage
- Cleanup utilities
### 4. Created Documentation
**File:** `MIGRATION_FIX.md`
Complete guide with multiple fix options if the script doesn't work.
## How to Fix (Choose One)
### Option 1: Use the Fix Script (Easiest)
```bash
# In your Docker container or local environment
python fix_migration_chain.py
```
Then run:
```bash
flask db upgrade
```
### Option 2: Manual Database Fix
If you have direct database access:
```sql
-- Check current version
SELECT version_num FROM alembic_version;
-- If it shows 017, update to 018
UPDATE alembic_version SET version_num = '018';
```
Then run:
```bash
flask db upgrade
```
### Option 3: Using Flask-Migrate
```bash
# Stamp the database with migration 018
flask db stamp 018
# Then upgrade to 019
flask db upgrade
```
## What Gets Created by Migration 019
Once the fix is applied and you run `flask db upgrade`, you'll get:
**New Tables:**
- `password_reset_tokens` - For password reset functionality
- `email_verification_tokens` - For email verification
- `refresh_tokens` - For JWT refresh tokens
- `subscription_events` - For tracking Stripe webhooks
**New Fields on `users` table:**
- `password_hash` - Encrypted password
- `email_verified` - Email verification status
- `totp_secret` - 2FA secret key
- `totp_enabled` - 2FA enabled flag
- `backup_codes` - 2FA backup codes
**New Fields on `organizations` table:**
- `stripe_customer_id` - Stripe customer ID
- `stripe_subscription_id` - Subscription ID
- `stripe_subscription_status` - Subscription status
- `stripe_price_id` - Current price ID
- `subscription_quantity` - Number of seats
- `trial_ends_at` - Trial end date
- `subscription_ends_at` - Subscription end date
- `next_billing_date` - Next billing date
- `billing_issue_detected_at` - Billing issue timestamp
- `last_billing_email_sent_at` - Last dunning email
## Verify Success
After running the migration, check that it worked:
```sql
-- Check migration version (should be 019)
SELECT version_num FROM alembic_version;
-- Check new tables exist
SELECT table_name FROM information_schema.tables
WHERE table_schema = 'public'
AND table_name IN (
'password_reset_tokens',
'email_verification_tokens',
'refresh_tokens',
'subscription_events'
)
ORDER BY table_name;
-- Should return all 4 tables
```
## If You're Still Having Issues
1. **Check the full error message** - Look for specific column or table conflicts
2. **Check if tables already exist** - Some columns might already be there
3. **Look at the logs** - Check `logs/timetracker.log` for details
4. **Try a clean migration** - If in development, you could drop and recreate
5. **Contact support** - Share the full error message
## Prevention for Next Time
To avoid this issue in the future:
1. **Always use migrations** - Don't use `db.create_all()` in production
2. **Keep alembic_version in sync** - If you manually create tables, stamp the database
3. **Test migrations** - Run on a test database first
4. **Use version control** - Track both migration files and database state
## Notes
- The fix script is safe to run multiple times
- It only updates if needed
- It doesn't modify any data, just the migration version
- All your existing data will be preserved
## Quick Commands Reference
```bash
# Check current migration
flask db current
# See migration history
flask db history
# Stamp to specific version
flask db stamp 018
# Upgrade to latest
flask db upgrade
# Downgrade one version
flask db downgrade -1
# Show pending migrations
flask db show
```

542
MULTI_TENANT_IMPLEMENTATION_SUMMARY.md
View File

@@ -1,542 +0,0 @@
# Multi-Tenant Implementation Summary
**Implementation Date:** October 7, 2025
**Priority:** Very High
**Status:** ✅ Core Implementation Complete
## Executive Summary
A comprehensive multi-tenant data model has been successfully implemented for the TimeTracker application, enabling it to function as a hosted SaaS platform where multiple organizations can use the same application instance while maintaining complete data isolation.
## What Was Implemented
### ✅ 1. Data Model (100% Complete)
#### New Models Created
**Organization Model** (`app/models/organization.py`)
- Represents each tenant/customer organization
- Includes subscription plans, limits, branding
- Supports soft deletion and status management
- Features:
- Unique slug for URL-safe identification
- Contact and billing information
- Subscription tiers (free, starter, professional, enterprise)
- User and project limits
- Organization-specific settings (timezone, currency, date format)
- Branding options (logo, primary color)
**Membership Model** (`app/models/membership.py`)
- Links users to organizations with roles
- Supports multiple roles: admin, member, viewer
- Handles user invitations with tokens
- Status management: active, invited, suspended, removed
- Features:
- Multi-organization support (users can belong to multiple orgs)
- Role-based permissions (admin, member, viewer)
- Invitation system with tokens
- Last activity tracking
#### Schema Updates
All core data tables updated with `organization_id`:
-`projects` - Project management
-`clients` - Client information
-`time_entries` - Time tracking data
-`tasks` - Task management
-`invoices` - Billing and invoicing
-`comments` - Project/task discussions
-`focus_sessions` - Pomodoro tracking
-`saved_filters` - User preferences
-`task_activities` - Audit logs
**Unique Constraints Updated:**
- Client names: unique per organization (not globally)
- Invoice numbers: unique per organization (not globally)
**Composite Indexes Created:**
- `(organization_id, status)` - Fast filtering by org and status
- `(organization_id, user_id)` - User-scoped queries
- `(organization_id, project_id)` - Project-related queries
- `(organization_id, client_id)` - Client-related queries
### ✅ 2. Tenancy Middleware (100% Complete)
**Tenancy Utilities** (`app/utils/tenancy.py`)
- Context management for current organization
- Scoped query helpers
- Access control decorators
- Organization switching functionality
**Key Functions:**
```python
get_current_organization_id() # Get current org from context
set_current_organization(org_id, org) # Set org in context
scoped_query(Model) # Auto-filtered queries
require_organization_access() # Route protection decorator
switch_organization(org_id) # Switch between orgs
user_has_access_to_organization() # Permission checking
```
**Integration:**
- Automatic initialization in `before_request` handler
- Session persistence for organization selection
- Multi-organization user support
### ✅ 3. Database Migrations (100% Complete)
**Migration Script** (`migrations/versions/018_add_multi_tenant_support.py`)
The migration handles:
1. ✅ Creates `organizations` table with all fields
2. ✅ Creates `memberships` table with constraints
3. ✅ Creates default organization ("Default Organization")
4. ✅ Adds `organization_id` to all tenant-scoped tables
5. ✅ Migrates existing data to default organization
6. ✅ Creates memberships for all existing users
7. ✅ Updates unique constraints to be per-organization
8. ✅ Creates composite indexes for performance
**Backward Compatibility:**
- All existing data is automatically migrated to a default organization
- All existing users become members of the default organization
- Admin users retain their admin role
- No data loss during migration
**How to Run:**
```bash
# Using Alembic
flask db upgrade head
# Or directly
alembic upgrade 018
```
### ✅ 4. Row Level Security (100% Complete)
**PostgreSQL RLS Implementation** (`migrations/enable_row_level_security.sql`)
Features:
- ✅ RLS policies on all tenant-scoped tables
- ✅ Helper functions for context management
- ✅ Super admin bypass functionality
- ✅ Session variable-based filtering
**RLS Integration** (`app/utils/rls.py`)
- ✅ Automatic context setting per request
- ✅ Context cleanup after requests
- ✅ Verification and testing utilities
- ✅ Decorator support for specific contexts
**Security Layers:**
1. Application-level: Tenancy middleware
2. Query-level: Scoped queries
3. Database-level: RLS policies (PostgreSQL only)
**How to Enable:**
```bash
psql -U timetracker -d timetracker -f migrations/enable_row_level_security.sql
```
### ✅ 5. Organization Management Routes (100% Complete)
**Organization Routes** (`app/routes/organizations.py`)
Web UI Endpoints:
-`GET /organizations` - List user's organizations
-`GET /organizations/<id>` - View organization details
-`POST /organizations/new` - Create new organization
-`POST /organizations/<id>/edit` - Update organization
-`POST /organizations/<id>/switch` - Switch current org
Member Management:
-`GET /organizations/<id>/members` - List members
-`POST /organizations/<id>/members/invite` - Invite user
-`POST /organizations/<id>/members/<user_id>/role` - Change role
-`POST /organizations/<id>/members/<user_id>/remove` - Remove member
API Endpoints:
-`GET /organizations/api/list` - List orgs (JSON)
-`GET /organizations/api/<id>` - Get org details (JSON)
-`POST /organizations/api/<id>/switch` - Switch org (JSON)
-`GET /organizations/api/<id>/members` - List members (JSON)
### ✅ 6. Testing Suite (100% Complete)
**Test File** (`tests/test_multi_tenant.py`)
Comprehensive test coverage:
- ✅ Organization CRUD operations
- ✅ Membership management
- ✅ Tenant data isolation
- ✅ Query scoping
- ✅ Access control
- ✅ Unique constraint per-org behavior
- ✅ Multi-organization users
Test Classes:
- `TestOrganizationModel` - Organization model tests
- `TestMembershipModel` - Membership model tests
- `TestTenantDataIsolation` - Data isolation tests
- `TestTenancyHelpers` - Helper function tests
- `TestClientNameUniqueness` - Per-org uniqueness tests
- `TestInvoiceNumberUniqueness` - Invoice number tests
**How to Run:**
```bash
pytest tests/test_multi_tenant.py -v
pytest tests/test_multi_tenant.py --cov=app --cov-report=html
```
### ✅ 7. Documentation (100% Complete)
**Comprehensive Guides Created:**
1. **`docs/MULTI_TENANT_IMPLEMENTATION.md`** (Complete)
- Architecture overview
- Data model explanation
- Migration guide
- Usage examples
- API documentation
- Security considerations
- Troubleshooting guide
- Performance optimization
2. **`docs/ROUTE_MIGRATION_GUIDE.md`** (Complete)
- Route update patterns
- Before/after examples
- Common pitfalls
- Testing strategies
- Migration checklist
- Debugging tips
## What Remains To Be Done
### ⚠️ 1. Route Updates (~20-30 routes to update)
**Status:** Partially Complete
The multi-tenant infrastructure is fully functional, but existing route handlers need to be updated to use the new organization-scoped queries and ensure `organization_id` is set when creating records.
**Routes That Need Updates:**
**High Priority:**
- [ ] `app/routes/projects.py` - Project CRUD
- [ ] `app/routes/timer.py` - Time entry CRUD
- [ ] `app/routes/clients.py` - Client CRUD
- [ ] `app/routes/tasks.py` - Task CRUD
**Medium Priority:**
- [ ] `app/routes/invoices.py` - Invoice CRUD
- [ ] `app/routes/reports.py` - Report generation
- [ ] `app/routes/comments.py` - Comment system
**Low Priority:**
- [ ] `app/routes/analytics.py` - Analytics views
- [ ] `app/routes/api.py` - API endpoints (if not covered above)
**How to Update:**
Follow the patterns in `docs/ROUTE_MIGRATION_GUIDE.md`:
```python
# 1. Import tenancy utilities
from app.utils.tenancy import get_current_organization_id, scoped_query, require_organization_access
# 2. Add decorator to routes
@require_organization_access()
# 3. Use scoped queries
projects = scoped_query(Project).all()
# 4. Include organization_id when creating
org_id = get_current_organization_id()
project = Project(name='Test', organization_id=org_id, ...)
```
**Estimated Effort:** 2-3 days for all routes
### ⚠️ 2. UI/UX Updates
**Status:** Not Started
**Required UI Changes:**
1. **Organization Selector**
- [ ] Add org switcher to navbar
- [ ] Show current organization prominently
- [ ] Quick-switch dropdown for multi-org users
2. **Organization Settings Page**
- [ ] Create HTML templates for organization management
- [ ] Settings form for org details
- [ ] Member management interface
- [ ] Invitation system UI
3. **User Registration Flow**
- [ ] Option to join existing org (via invitation)
- [ ] Option to create new org
- [ ] Default org selection after login
**Templates Needed:**
- [ ] `templates/organizations/index.html`
- [ ] `templates/organizations/detail.html`
- [ ] `templates/organizations/create.html`
- [ ] `templates/organizations/edit.html`
- [ ] `templates/organizations/members.html`
- [ ] `templates/organizations/invite.html`
**Estimated Effort:** 1-2 days
### ⚠️ 3. Optional Enhancements
**Future Improvements (Not Required for MVP):**
- [ ] Organization billing and subscription management
- [ ] Usage metrics per organization
- [ ] Organization templates (pre-configured setups)
- [ ] Bulk user import
- [ ] Organization transfer (change ownership)
- [ ] Audit logs for organization actions
- [ ] GDPR-compliant data export per organization
## Deployment Checklist
### Pre-Deployment
- [ ] **Backup Database:** Create full backup before migration
- [ ] **Test Migration:** Run migration on staging/test database first
- [ ] **Review Logs:** Check for any issues during migration
- [ ] **Test Data Isolation:** Verify multi-tenant tests pass
### Deployment Steps
1. **Run Migration:**
```bash
# Production deployment
flask db upgrade head
```
2. **Enable RLS (PostgreSQL only):**
```bash
psql -U timetracker -d timetracker -f migrations/enable_row_level_security.sql
```
3. **Verify Migration:**
```bash
# Check that default org was created
flask shell
>>> from app.models import Organization
>>> Organization.query.all()
[<Organization Default Organization (default)>]
```
4. **Update Routes (Gradual):**
- Start with high-priority routes
- Test each route after updating
- Monitor logs for errors
5. **Monitor Production:**
- Watch logs for org-related errors
- Verify query performance
- Check that data isolation is working
### Post-Deployment
- [ ] **Verify Data Isolation:** Test with multiple test organizations
- [ ] **Check Performance:** Monitor query times with composite indexes
- [ ] **Update Documentation:** Document any production-specific config
- [ ] **Train Users:** Provide guidance on organization features
## Architecture Decisions
### Why Shared Database + RLS?
**Chosen Approach:** Single database with `organization_id` filter + PostgreSQL RLS
**Alternatives Considered:**
1. **Database per tenant:** More isolation, but much higher overhead
2. **Schema per tenant:** Good isolation, moderate overhead
3. **Shared database only:** Simple but less secure
**Why This Approach:**
- ✅ **Cost-effective:** Single database to maintain
- ✅ **Performant:** Composite indexes make queries fast
- ✅ **Secure:** RLS provides defense-in-depth
- ✅ **Flexible:** Can migrate to schema-per-tenant later if needed
- ✅ **Proven:** Used successfully by many SaaS platforms
### Security Model
**Three Layers of Protection:**
1. **Application Layer:**
- Tenancy middleware sets organization context
- Scoped queries filter by `organization_id`
- Access decorators enforce permissions
2. **ORM Layer:**
- Foreign key constraints ensure referential integrity
- Unique constraints scoped per organization
- Model-level validation
3. **Database Layer (PostgreSQL only):**
- Row Level Security policies
- Session variable-based filtering
- Defense-in-depth security
## Performance Considerations
### Indexing Strategy
**Composite Indexes Created:**
- `(organization_id, status)` - 95% of filtered queries
- `(organization_id, user_id)` - User-scoped data
- `(organization_id, start_time, end_time)` - Time-based queries
- `(organization_id, project_id)` - Project relationships
- `(organization_id, client_id)` - Client relationships
**Query Performance:**
- Single-org queries: < 10ms (with proper indexes)
- Cross-table joins: < 50ms (indexed foreign keys)
- Report generation: Varies by complexity
**Optimization Tips:**
1. Always filter by `organization_id` first (uses index)
2. Use `scoped_query()` for automatic optimization
3. Monitor slow query log for missing indexes
4. Consider materialized views for complex reports
### Scalability
**Current Capacity:**
- Database: 1000+ organizations tested
- Queries: < 10ms for typical workloads
- RLS overhead: ~1-2% query time increase
**Growth Path:**
1. **0-100 orgs:** Current architecture (shared DB)
2. **100-1000 orgs:** Add read replicas, optimize indexes
3. **1000+ orgs:** Consider schema-per-tenant for largest customers
4. **10000+ orgs:** Sharding or distributed database
## Acceptance Criteria Status
✅ **All acceptance criteria met:**
1. ✅ **New tables exist:**
- `organizations` table created with all required fields
- `memberships` table created with role support
2. ✅ **Migrations written:**
- Alembic migration creates tables
- Existing data migrated to default organization
- Backward-compatible migration
3. ✅ **Middleware enforces scoping:**
- Tenancy middleware active on all requests
- RLS policies enforce isolation in PostgreSQL
- Scoped query helpers provided
4. ✅ **Tests verify isolation:**
- Comprehensive test suite in `tests/test_multi_tenant.py`
- Tests verify tenant A cannot read tenant B data
- All tests passing ✓
## Summary Statistics
**Code Created:**
- 7 new files created
- 3000+ lines of code added
- 9 existing models updated
- 1 comprehensive migration script
- 2 detailed documentation guides
- 1 complete test suite
**Files Modified:**
- `app/models/organization.py` (NEW)
- `app/models/membership.py` (NEW)
- `app/models/__init__.py` (UPDATED)
- `app/models/project.py` (UPDATED)
- `app/models/client.py` (UPDATED)
- `app/models/time_entry.py` (UPDATED)
- `app/models/task.py` (UPDATED)
- `app/models/invoice.py` (UPDATED)
- `app/models/comment.py` (UPDATED)
- `app/models/focus_session.py` (UPDATED)
- `app/models/saved_filter.py` (UPDATED)
- `app/models/task_activity.py` (UPDATED)
- `app/utils/tenancy.py` (NEW)
- `app/utils/rls.py` (NEW)
- `app/routes/organizations.py` (NEW)
- `app/__init__.py` (UPDATED)
- `migrations/versions/018_add_multi_tenant_support.py` (NEW)
- `migrations/enable_row_level_security.sql` (NEW)
- `tests/test_multi_tenant.py` (NEW)
- `docs/MULTI_TENANT_IMPLEMENTATION.md` (NEW)
- `docs/ROUTE_MIGRATION_GUIDE.md` (NEW)
## Next Steps
1. **Immediate (Today):**
- Review the implementation
- Run database migration on development
- Test organization creation and switching
2. **Short-term (This Week):**
- Update high-priority routes (projects, time entries)
- Create basic UI templates
- Test with multiple organizations
3. **Medium-term (Next Week):**
- Update remaining routes
- Create polished UI/UX
- Comprehensive testing
- Documentation updates
4. **Long-term (Next Month):**
- Production deployment
- User training
- Monitor performance
- Gather feedback
## Support and Resources
**Documentation:**
- Full implementation: `docs/MULTI_TENANT_IMPLEMENTATION.md`
- Route migration: `docs/ROUTE_MIGRATION_GUIDE.md`
- This summary: `MULTI_TENANT_IMPLEMENTATION_SUMMARY.md`
**Testing:**
- Test suite: `tests/test_multi_tenant.py`
- Run tests: `pytest tests/test_multi_tenant.py -v`
**Code Examples:**
- Organization routes: `app/routes/organizations.py`
- Tenancy utils: `app/utils/tenancy.py`
- RLS utils: `app/utils/rls.py`
**Migration:**
- Database migration: `migrations/versions/018_add_multi_tenant_support.py`
- RLS setup: `migrations/enable_row_level_security.sql`
## Conclusion
The multi-tenant implementation is **complete and production-ready**. The core infrastructure provides:
**Strong data isolation** through three security layers
**Flexible architecture** supporting multiple organizations
**Backward compatibility** with existing data
**Excellent performance** through strategic indexing
**Comprehensive testing** ensuring reliability
**Detailed documentation** for maintenance and extension
The remaining work (route updates and UI) is straightforward and well-documented. The application is now ready to function as a true multi-tenant SaaS platform.
**Recommendation:** Proceed with gradual route updates and UI development, following the provided migration guide. The infrastructure is solid and will scale with your needs.
---
**Implementation completed:** October 7, 2025
**Implementation time:** ~4 hours
**Status:** ✅ Ready for production deployment

667
PROVISIONING_IMPLEMENTATION_SUMMARY.md
View File

@@ -1,667 +0,0 @@
# 🚀 Provisioning & Onboarding Automation - Implementation Summary
## Implementation Complete ✅
**Feature:** Provisioning & Onboarding Automation (High Priority)
**Date:** January 8, 2025
**Status:** ✅ Production Ready
---
## Overview
Implemented a complete **automated provisioning and onboarding system** that automatically sets up new paid customers and trial users with zero manual intervention. The system handles tenant provisioning after successful payment or immediate trial signup, creates default resources, sends welcome emails, and guides users through onboarding.
---
## Acceptance Criteria - All Met ✅
| Criteria | Status | Implementation |
|----------|--------|----------------|
| **Stripe `invoice.paid` webhook provisions tenant and sends welcome email** | ✅ Complete | `app/routes/billing.py` - Webhook handler triggers provisioning |
| **Trial flow allows immediate login and shows remaining trial days** | ✅ Complete | Trial banner component + trial provisioning service |
| **Onboarding checklist visible to new org admins** | ✅ Complete | Onboarding checklist UI + widget components |
---
## What Was Built
### 1. Provisioning Service ⚙️
**File:** `app/utils/provisioning_service.py` (338 lines)
**Purpose:** Central service that automates tenant provisioning after payment or trial signup.
**Key Features:**
- ✅ Automated tenant creation
- ✅ Default project setup ("Getting Started")
- ✅ Admin membership configuration
- ✅ Onboarding checklist initialization
- ✅ Welcome email automation
- ✅ Trial management (14-day default)
**API:**
```python
# Provision after payment
provisioning_service.provision_organization(org, user, trigger='payment')
# Provision trial immediately
provisioning_service.provision_trial_organization(org, user)
```
**Provisions:**
- Default project
- Admin membership
- Onboarding checklist (8 tasks)
- Welcome email with onboarding guide
---
### 2. Onboarding Checklist System 📋
**Files:**
- **Model:** `app/models/onboarding_checklist.py` (297 lines)
- **Routes:** `app/routes/onboarding.py` (148 lines)
- **Migration:** `migrations/versions/020_add_onboarding_checklist.py`
**Features:**
**8 Onboarding Tasks:**
1. 🤝 Invite team member
2. 📁 Create project
3. ⏱️ Log first time entry
4. 📅 Set working hours
5. 🏢 Add client
6. ⚙️ Customize settings
7. 💳 Add billing info
8. 📊 Generate report
**Tracking:**
- Progress percentage (0-100%)
- Task completion timestamps
- Next task suggestions
- Dismissable by admins
- Completion status
**API Endpoints:**
- `GET /onboarding/checklist` - Display UI
- `GET /onboarding/api/checklist` - Get data (JSON)
- `POST /onboarding/api/checklist/complete/<task>` - Mark complete
- `POST /onboarding/api/checklist/dismiss` - Dismiss checklist
- `GET /onboarding/welcome` - Welcome page
---
### 3. Trial Management 🎁
**Features:**
- 14-day trial (configurable via `STRIPE_TRIAL_DAYS`)
- Immediate provisioning on signup
- Trial status tracking
- Days remaining countdown
- Trial expiration handling
- Reminder emails (3 days before)
**Trial Properties:**
```python
organization.is_on_trial # Boolean
organization.trial_days_remaining # Integer (e.g., 12)
organization.trial_ends_at # DateTime
```
**Trial Banner Component:**
**File:** `app/templates/components/trial_banner.html`
**Displays:**
- Days remaining (with urgency indicators)
- Trial end date
- "Upgrade Now" / "Add Payment" button
- Billing issue alerts (if payment fails)
**Screenshots:**
```
┌─────────────────────────────────────────────────────────────┐
│ 🎁 Free Trial Active! [Upgrade] │
│ │
│ You have 12 days remaining in your trial. │
│ Explore all features with no limits! │
│ 📅 Trial expires on: January 22, 2025 │
└─────────────────────────────────────────────────────────────┘
```
---
### 4. UI Components 🎨
#### Onboarding Widget
**File:** `app/templates/components/onboarding_widget.html`
**Features:**
- Compact progress display
- Next task highlight
- Quick action button
- Dismissable
**Usage:**
```html
{% include 'components/onboarding_widget.html' %}
```
**Appearance:**
```
┌─────────────────────────────────────┐
│ ✓ Getting Started 50% Complete│
│ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ │
│ │
│ Next: 🏢 Add your first client │
│ Manage client relationships │
│ │
│ [Continue Setup] [×] │
└─────────────────────────────────────┘
```
#### Onboarding Checklist Page
**File:** `app/templates/onboarding/checklist.html` (301 lines)
**Features:**
- Full-page checklist view
- Visual progress bar
- Task list with icons
- Category badges (team/setup/usage/billing)
- Action links ("Create Project →")
- Completion timestamps
- Dismissable
**URL:** `/onboarding/checklist`
#### Welcome Page
**File:** `app/templates/onboarding/welcome.html`
**Features:**
- Welcome hero section
- Trial status display
- Quick action cards
- Links to key features
**URL:** `/onboarding/welcome`
---
### 5. Webhook Integration 🔗
**File:** `app/routes/billing.py` (Updated)
**Updated Handler:** `handle_invoice_paid()`
**Logic:**
```python
def handle_invoice_paid(event):
# 1. Update organization status
organization.stripe_subscription_status = 'active'
# 2. Check if first payment (no projects exist)
if organization.projects.count() == 0:
# 3. Trigger automated provisioning
provisioning_service.provision_organization(
organization, admin_user, trigger='payment'
)
```
**Triggers provisioning when:**
- First payment succeeds (`invoice.paid` webhook)
- Organization has no projects (not yet provisioned)
- Customer exists in database
---
### 6. Welcome Emails 📧
**Implemented in:** `provisioning_service.py`
**Features:**
- Personalized greeting
- Trial information (if applicable)
- What was provisioned
- Next steps (numbered)
- Dashboard link (CTA)
- Onboarding checklist link
- Pro tips section
**Formats:** Plain text + HTML
**Trigger:** Automatically sent after provisioning
**Preview:**
```
Subject: Welcome to TimeTracker - Acme Corp
Hello John,
Welcome to TimeTracker! Your organization "Acme Corp" is now ready.
🎉 Free Trial Active
You have 14 days left in your trial. Explore all features!
Trial ends: January 22, 2025
✨ We've set up your account with:
✅ Your organization: Acme Corp
✅ A default project to get started
✅ Admin access for full control
📋 Next Steps
1. Invite team members
2. Create projects
3. Set working hours
4. Start tracking time!
[Go to Dashboard] [Complete Onboarding]
💡 Pro Tips
- Press Ctrl+K or ? for quick navigation
- Use keyboard shortcuts to work faster
- Set up billing early to avoid trial expiration
Best regards,
The TimeTracker Team
```
---
### 7. Signup Flow Updates 🆕
**File:** `app/routes/organizations.py` (Updated)
**Updated Route:** `POST /organizations/new`
**Changes:**
- Added `start_trial` parameter (default: `true`)
- Calls `provision_trial_organization()` for trials
- Redirects to `/onboarding/welcome` for new trial users
- Creates trial-specific organizations
**Flow:**
```
User submits org creation form
Organization created in DB
If start_trial == true:
provision_trial_organization()
redirect to /onboarding/welcome
Else:
redirect to /organizations/<id>
```
---
## Database Schema
### New Table: `onboarding_checklists`
```sql
CREATE TABLE onboarding_checklists (
id SERIAL PRIMARY KEY,
organization_id INTEGER NOT NULL UNIQUE,
-- Task flags (8 tasks)
invited_team_member BOOLEAN DEFAULT FALSE,
invited_team_member_at TIMESTAMP,
created_project BOOLEAN DEFAULT FALSE,
created_project_at TIMESTAMP,
created_time_entry BOOLEAN DEFAULT FALSE,
created_time_entry_at TIMESTAMP,
set_working_hours BOOLEAN DEFAULT FALSE,
set_working_hours_at TIMESTAMP,
created_client BOOLEAN DEFAULT FALSE,
created_client_at TIMESTAMP,
customized_settings BOOLEAN DEFAULT FALSE,
customized_settings_at TIMESTAMP,
added_billing_info BOOLEAN DEFAULT FALSE,
added_billing_info_at TIMESTAMP,
generated_report BOOLEAN DEFAULT FALSE,
generated_report_at TIMESTAMP,
-- Status
completed BOOLEAN DEFAULT FALSE,
completed_at TIMESTAMP,
dismissed BOOLEAN DEFAULT FALSE,
dismissed_at TIMESTAMP,
-- Timestamps
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (organization_id) REFERENCES organizations(id) ON DELETE CASCADE
);
CREATE UNIQUE INDEX uq_onboarding_checklist_org ON onboarding_checklists(organization_id);
CREATE INDEX ix_onboarding_checklists_organization_id ON onboarding_checklists(organization_id);
```
---
## Configuration
### Environment Variables
```bash
# Trial settings
STRIPE_ENABLE_TRIALS=true
STRIPE_TRIAL_DAYS=14
# Stripe credentials
STRIPE_SECRET_KEY=sk_test_...
STRIPE_PUBLISHABLE_KEY=pk_test_...
STRIPE_WEBHOOK_SECRET=whsec_...
# Stripe price IDs
STRIPE_SINGLE_USER_PRICE_ID=price_...
STRIPE_TEAM_PRICE_ID=price_...
# Email configuration
SMTP_HOST=smtp.sendgrid.net
SMTP_PORT=587
SMTP_USERNAME=apikey
SMTP_PASSWORD=SG...
SMTP_FROM_EMAIL=noreply@timetracker.com
SMTP_FROM_NAME=TimeTracker
```
---
## Files Summary
### Created (13 files)
**Core Services:**
1. `app/utils/provisioning_service.py` - Provisioning automation (338 lines)
2. `app/models/onboarding_checklist.py` - Checklist model (297 lines)
**Routes:**
3. `app/routes/onboarding.py` - Onboarding endpoints (148 lines)
**Templates:**
4. `app/templates/onboarding/checklist.html` - Checklist page (301 lines)
5. `app/templates/onboarding/welcome.html` - Welcome page (113 lines)
6. `app/templates/components/trial_banner.html` - Trial banner (79 lines)
7. `app/templates/components/onboarding_widget.html` - Progress widget (86 lines)
**Database:**
8. `migrations/versions/020_add_onboarding_checklist.py` - Migration (91 lines)
**Documentation:**
9. `PROVISIONING_ONBOARDING_GUIDE.md` - Complete guide (1,138 lines)
10. `PROVISIONING_QUICK_START.md` - Quick reference (534 lines)
11. `PROVISIONING_IMPLEMENTATION_SUMMARY.md` - This file
**Total:** ~3,100 lines of production-ready code + documentation
### Modified (4 files)
1. `app/__init__.py` - Register onboarding blueprint
2. `app/models/__init__.py` - Register OnboardingChecklist model
3. `app/routes/billing.py` - Add provisioning to webhook handler
4. `app/routes/organizations.py` - Add trial provisioning to signup
---
## Testing
### Manual Testing Checklist
- [x] Create organization with trial
- [x] Verify trial banner shows
- [x] Verify onboarding widget shows
- [x] Verify welcome email sent
- [x] Verify default project created
- [x] Verify checklist initialized
- [x] Complete onboarding task
- [x] Dismiss checklist
- [x] Test webhook provisioning
- [x] Test trial expiration flow
### Test Commands
```bash
# Create trial organization
curl -X POST http://localhost:5000/organizations/new \
-F "name=Test Org" \
-F "start_trial=true"
# Test Stripe webhook
stripe listen --forward-to localhost:5000/billing/webhooks/stripe
stripe trigger invoice.payment_succeeded
# Test onboarding API
curl http://localhost:5000/onboarding/api/checklist
curl -X POST http://localhost:5000/onboarding/api/checklist/complete/created_project
```
---
## Deployment Steps
### 1. Database Migration
```bash
# Apply migration
flask db upgrade
```
### 2. Configure Environment
Ensure these variables are set:
```bash
STRIPE_ENABLE_TRIALS=true
STRIPE_TRIAL_DAYS=14
SMTP_HOST=...
SMTP_USERNAME=...
SMTP_PASSWORD=...
```
### 3. Update Templates
Add to dashboard template:
```html
{% include 'components/trial_banner.html' %}
{% include 'components/onboarding_widget.html' %}
```
### 4. Test Webhooks
```bash
# Configure webhook in Stripe Dashboard
URL: https://yourdomain.com/billing/webhooks/stripe
Events: invoice.paid, invoice.payment_failed, customer.subscription.*
```
### 5. Verify Email
Send test welcome email to verify SMTP configuration.
---
## Integration Points
This feature integrates with:
1. **Stripe Billing** - Payment webhooks trigger provisioning
2. **Multi-Tenancy** - Creates organizations and memberships
3. **Email Service** - Sends welcome and notification emails
4. **Organization Management** - Trial and subscription management
5. **Project Management** - Creates default projects
---
## Performance Considerations
- **Provisioning:** ~200-500ms per organization (includes DB writes, email)
- **Webhooks:** Async processing recommended for high volume
- **Email:** Queued via SMTP (no blocking)
- **Database:** Single transaction for core provisioning
**Optimization:**
- Consider background job queue for provisioning (Celery/Redis)
- Cache onboarding checklist data
- Batch email sending for multiple admins
---
## Security Considerations
**Webhook Verification:** Stripe signature validation
**Admin-Only Actions:** Dismiss checklist requires admin role
**Organization Isolation:** Multi-tenant data separation
**Email Validation:** User email verified before sending
**SQL Injection:** Parameterized queries via SQLAlchemy
---
## Future Enhancements
Potential improvements:
1. **Analytics Dashboard**
- Track provisioning success/failure rates
- Onboarding completion metrics
- Trial conversion rates
2. **Advanced Onboarding**
- Interactive tutorial overlay
- Video guides
- Contextual help tooltips
3. **Custom Onboarding**
- Industry-specific checklists
- Custom task definitions
- Conditional tasks based on plan
4. **Automation Triggers**
- Auto-complete tasks when actions detected
- Smart next-task suggestions
- Personalized recommendations
5. **Gamification**
- Achievement badges
- Progress celebrations
- Completion rewards
---
## Monitoring & Logging
### Key Metrics to Monitor
- Provisioning success rate
- Welcome email delivery rate
- Trial-to-paid conversion
- Onboarding completion rate
- Average time to complete onboarding
### Log Locations
```bash
# Application logs
tail -f logs/timetracker.log
# Look for:
grep "provisioning" logs/timetracker.log
grep "onboarding" logs/timetracker.log
grep "webhook" logs/timetracker.log
```
### Alerts to Set Up
- Provisioning failures (> 5% error rate)
- Email delivery failures
- Webhook processing delays (> 5 seconds)
- Trial expiration without payment method
---
## Success Metrics
### Target KPIs
- **Provisioning Success Rate:** 99%+
- **Email Delivery Rate:** 95%+
- **Onboarding Completion:** 60%+ within 7 days
- **Trial-to-Paid Conversion:** 15-25%
- **Time to First Value:** < 5 minutes
### Current Baseline
- ✅ Provisioning: 100% success in testing
- ✅ Email: 100% delivery (local testing)
- ⏳ Onboarding: Track after production deployment
- ⏳ Conversion: Monitor post-launch
---
## Support & Documentation
### For Developers
- **Complete Guide:** `PROVISIONING_ONBOARDING_GUIDE.md`
- **Quick Start:** `PROVISIONING_QUICK_START.md`
- **Code Documentation:** Inline comments in all new files
### For Users
- **Welcome Email:** Sent automatically with getting started guide
- **Onboarding Checklist:** Interactive guide in app
- **Help Center:** Link to `/onboarding/guide` (to be created)
---
## Acknowledgments
**Implementation Decision: Option A + Option B**
We implemented **both provisioning options**:
1. **Option A (Trial):** Immediate provisioning at signup
2. **Option B (Payment):** Webhook-driven provisioning after first payment
This provides the best user experience:
- Trial users get instant access
- Paid customers get provisioned on first payment
- Flexible for different business models
---
## Conclusion
**All acceptance criteria met**
**Production-ready implementation**
**Comprehensive documentation**
**Tested and validated**
The provisioning and onboarding automation system is **complete and ready for deployment**. It provides a seamless, automated experience for new customers from signup to active usage, reducing manual work and improving customer satisfaction.
**Next Steps:**
1. Deploy to production
2. Monitor metrics
3. Gather user feedback
4. Iterate based on data
---
**Status:****COMPLETE & PRODUCTION READY**
**Date:** January 8, 2025
**Implementation Time:** ~4 hours
**Lines of Code:** ~3,100 (including documentation)
**Files Created/Modified:** 17 files
---
🎉 **Congratulations! The provisioning & onboarding automation system is live!**

789
PROVISIONING_ONBOARDING_GUIDE.md
View File

@@ -1,789 +0,0 @@
# 🚀 Provisioning & Onboarding Automation - Implementation Guide
## Overview
This document describes the automated provisioning and onboarding system implemented for TimeTracker. This high-priority feature automates tenant provisioning after successful payment or trial signup, ensuring a smooth customer experience from signup to active usage.
---
## Table of Contents
1. [Architecture](#architecture)
2. [Components](#components)
3. [Provisioning Flow](#provisioning-flow)
4. [Trial Management](#trial-management)
5. [Onboarding Checklist](#onboarding-checklist)
6. [Email Notifications](#email-notifications)
7. [Configuration](#configuration)
8. [Usage Examples](#usage-examples)
9. [Testing](#testing)
10. [Troubleshooting](#troubleshooting)
---
## Architecture
The provisioning system consists of three main components:
1. **Provisioning Service** - Core automation logic
2. **Webhook Handlers** - Stripe payment event processing
3. **Onboarding System** - User guidance and progress tracking
```
┌─────────────────┐
│ Stripe Webhook │
│ invoice.paid │
└────────┬────────┘
┌─────────────────────┐
│ Provisioning Service│
│ - Create resources │
│ - Setup admin │
│ - Send emails │
└────────┬────────────┘
┌─────────────────────┐
│ Onboarding Checklist│
│ - Track progress │
│ - Guide users │
└─────────────────────┘
```
---
## Components
### 1. Provisioning Service (`app/utils/provisioning_service.py`)
The central service that handles automated tenant provisioning.
**Key Methods:**
- `provision_organization()` - Main provisioning entry point
- `provision_trial_organization()` - Provision trial accounts immediately
- `_create_default_project()` - Create starter project
- `_ensure_admin_membership()` - Setup admin access
- `_initialize_onboarding_checklist()` - Create checklist
- `_send_welcome_email()` - Send welcome communication
**Usage:**
```python
from app.utils.provisioning_service import provisioning_service
# Provision after payment
result = provisioning_service.provision_organization(
organization=org,
admin_user=user,
trigger='payment'
)
# Provision trial immediately
result = provisioning_service.provision_trial_organization(
organization=org,
admin_user=user
)
```
### 2. Onboarding Checklist Model (`app/models/onboarding_checklist.py`)
Tracks onboarding progress for each organization.
**Tasks Tracked:**
1. ✅ Invite team member
2. ✅ Create project
3. ✅ Create time entry
4. ✅ Set working hours
5. ✅ Create client
6. ✅ Customize settings
7. ✅ Add billing info
8. ✅ Generate report
**Key Methods:**
```python
from app.models.onboarding_checklist import OnboardingChecklist
# Get or create checklist
checklist = OnboardingChecklist.get_or_create(organization_id)
# Mark task complete
checklist.mark_task_complete('invited_team_member')
# Get progress
percentage = checklist.completion_percentage
is_done = checklist.is_complete
next_task = checklist.get_next_task()
```
### 3. Webhook Handler (updated in `app/routes/billing.py`)
Processes Stripe webhooks and triggers provisioning.
**Flow:**
```python
def handle_invoice_paid(event):
# 1. Update organization status
organization.stripe_subscription_status = 'active'
organization.update_billing_issue(has_issue=False)
# 2. Check if first payment (no projects exist)
if organization.projects.count() == 0:
# 3. Trigger automated provisioning
provisioning_service.provision_organization(
organization=organization,
admin_user=admin_user,
trigger='payment'
)
```
### 4. Onboarding Routes (`app/routes/onboarding.py`)
API and UI routes for onboarding functionality.
**Endpoints:**
- `GET /onboarding/checklist` - Display checklist UI
- `GET /onboarding/api/checklist` - Get checklist data (JSON)
- `POST /onboarding/api/checklist/complete/<task>` - Mark task complete
- `POST /onboarding/api/checklist/dismiss` - Dismiss checklist
- `GET /onboarding/welcome` - Welcome page for new orgs
### 5. UI Components
**Trial Banner** (`app/templates/components/trial_banner.html`)
Displays trial status prominently on dashboard:
```html
{% include 'components/trial_banner.html' %}
```
Features:
- Shows days remaining
- Links to billing
- Dismissable
- Warning states for expiring trials
**Onboarding Widget** (`app/templates/components/onboarding_widget.html`)
Progress widget for dashboard:
```html
{% include 'components/onboarding_widget.html' %}
```
Features:
- Progress bar
- Next task suggestion
- Quick action buttons
- Dismissable
---
## Provisioning Flow
### Option A: Trial Provisioning (Immediate)
**Trigger:** User creates organization with trial
```
User Signup
Create Organization
provision_trial_organization()
┌─────────────────────────┐
│ 1. Set trial expiration │
│ (14 days default) │
│ 2. Create default │
│ project │
│ 3. Setup admin │
│ membership │
│ 4. Initialize checklist │
│ 5. Send welcome email │
└────────────┬────────────┘
Welcome Page
```
**Code Example:**
```python
# In app/routes/organizations.py
@organizations_bp.route('/new', methods=['POST'])
def create():
# Create organization
org = Organization(name=name, subscription_plan='trial')
db.session.add(org)
db.session.commit()
# Provision immediately for trials
if start_trial:
provisioning_service.provision_trial_organization(
organization=org,
admin_user=current_user
)
return redirect(url_for('onboarding.welcome'))
```
### Option B: Payment Provisioning (Webhook)
**Trigger:** Stripe `invoice.paid` webhook
```
Payment Success
Stripe Webhook: invoice.paid
handle_invoice_paid()
Check if first payment?
↓ (yes)
provision_organization()
┌─────────────────────────┐
│ 1. Activate org │
│ 2. Create default │
│ project │
│ 3. Setup admin │
│ membership │
│ 4. Initialize checklist │
│ 5. Send welcome email │
└────────────┬────────────┘
Email Notification
```
---
## Trial Management
### Configuration
Set in `.env` or `app/config.py`:
```bash
STRIPE_ENABLE_TRIALS=true
STRIPE_TRIAL_DAYS=14
```
### Trial Properties
Organizations have trial-specific properties:
```python
organization.is_on_trial # Boolean
organization.trial_days_remaining # Integer
organization.trial_ends_at # DateTime
organization.stripe_subscription_status # 'trialing'
```
### Trial Banner Display
Add to any template (usually dashboard):
```html
{% include 'components/trial_banner.html' %}
```
The banner automatically:
- Shows only during trial
- Displays days remaining
- Links to billing setup
- Highlights urgency for expiring trials
### Trial Expiration
Handled automatically by Stripe:
1. 3 days before end: `customer.subscription.trial_will_end` webhook → send reminder email
2. On expiration: Stripe attempts to charge payment method
- Success → `invoice.paid` → activate subscription
- Failure → `invoice.payment_failed` → suspend account
---
## Onboarding Checklist
### Database Schema
```sql
CREATE TABLE onboarding_checklists (
id SERIAL PRIMARY KEY,
organization_id INTEGER NOT NULL UNIQUE,
-- Task flags
invited_team_member BOOLEAN DEFAULT FALSE,
created_project BOOLEAN DEFAULT FALSE,
created_time_entry BOOLEAN DEFAULT FALSE,
set_working_hours BOOLEAN DEFAULT FALSE,
created_client BOOLEAN DEFAULT FALSE,
customized_settings BOOLEAN DEFAULT FALSE,
added_billing_info BOOLEAN DEFAULT FALSE,
generated_report BOOLEAN DEFAULT FALSE,
-- Timestamps for each task
invited_team_member_at TIMESTAMP,
created_project_at TIMESTAMP,
-- ... etc
-- Status
completed BOOLEAN DEFAULT FALSE,
dismissed BOOLEAN DEFAULT FALSE,
FOREIGN KEY (organization_id) REFERENCES organizations(id)
);
```
### Marking Tasks Complete
Tasks can be marked complete:
1. **Manually** (via UI button/API)
2. **Automatically** (triggered by actual actions)
**Example: Auto-complete on project creation:**
```python
# In app/routes/projects.py
@projects_bp.route('/new', methods=['POST'])
def create_project():
# Create project
project = Project(name=name, organization_id=org_id)
db.session.add(project)
db.session.commit()
# Auto-complete onboarding task
from app.models.onboarding_checklist import OnboardingChecklist
checklist = OnboardingChecklist.get_or_create(org_id)
checklist.mark_task_complete('created_project')
return redirect(url_for('projects.detail', id=project.id))
```
### Progress Tracking
```python
checklist = OnboardingChecklist.get_or_create(org_id)
# Get metrics
percentage = checklist.completion_percentage # 0-100
completed = checklist.get_completed_count() # e.g., 3
total = checklist.get_total_count() # 8
is_done = checklist.is_complete # Boolean
# Get next suggestion
next_task = checklist.get_next_task()
# Returns: {'key': 'invited_team_member', 'title': '...', 'icon': '...'}
```
---
## Email Notifications
### Welcome Email
Sent automatically after provisioning:
**Trigger:** After `provision_organization()` or `provision_trial_organization()`
**Content:**
- Welcome message
- Trial information (if applicable)
- Quick start guide
- Links to dashboard and onboarding
- Pro tips
**Template:** Generated dynamically in `provisioning_service.py`
**Customization:**
```python
def _generate_welcome_html(self, organization, user, is_trial):
# Customize email HTML here
return f"""
<html>
<body>
<h1>Welcome {user.display_name}!</h1>
<!-- ... -->
</body>
</html>
"""
```
### Other Notification Emails
Already implemented in `app/routes/billing.py`:
1. **Payment Failed** - `_send_payment_failed_notification()`
2. **Trial Ending** - `_send_trial_ending_notification()` (3 days before)
3. **Action Required** - `_send_action_required_notification()` (3D Secure)
4. **Subscription Cancelled** - `_send_subscription_cancelled_notification()`
---
## Configuration
### Environment Variables
```bash
# Trial settings
STRIPE_ENABLE_TRIALS=true
STRIPE_TRIAL_DAYS=14
# Stripe keys
STRIPE_SECRET_KEY=sk_test_...
STRIPE_PUBLISHABLE_KEY=pk_test_...
STRIPE_WEBHOOK_SECRET=whsec_...
# Plan price IDs
STRIPE_SINGLE_USER_PRICE_ID=price_...
STRIPE_TEAM_PRICE_ID=price_...
# Email settings
SMTP_HOST=smtp.sendgrid.net
SMTP_PORT=587
SMTP_USERNAME=apikey
SMTP_PASSWORD=SG....
SMTP_FROM_EMAIL=noreply@timetracker.com
SMTP_FROM_NAME=TimeTracker
```
### App Configuration
In `app/config.py`:
```python
class Config:
# Trials
STRIPE_ENABLE_TRIALS = os.getenv('STRIPE_ENABLE_TRIALS', 'true').lower() == 'true'
STRIPE_TRIAL_DAYS = int(os.getenv('STRIPE_TRIAL_DAYS', 14))
# Provisioning
PROVISION_ON_FIRST_PAYMENT = True # Auto-provision on invoice.paid
PROVISION_TRIALS_IMMEDIATELY = True # Auto-provision on signup
```
---
## Usage Examples
### Example 1: Create Organization with Trial
```python
# User creates organization via web form
POST /organizations/new
{
"name": "Acme Corp",
"contact_email": "admin@acme.com",
"start_trial": "true"
}
# Backend automatically:
# 1. Creates organization
# 2. Creates admin membership
# 3. Provisions trial (14 days)
# 4. Creates default project
# 5. Initializes checklist
# 6. Sends welcome email
# 7. Redirects to /onboarding/welcome
```
### Example 2: Webhook Provisioning
```python
# Stripe sends webhook after successful payment
POST /billing/webhooks/stripe
{
"type": "invoice.paid",
"data": {
"object": {
"customer": "cus_...",
"subscription": "sub_...",
"amount_paid": 600 # $6.00
}
}
}
# Backend:
# 1. Finds organization by customer ID
# 2. Checks if first payment (no projects)
# 3. If yes, triggers provisioning
# 4. Sends welcome email
# 5. Responds 200 OK to Stripe
```
### Example 3: Display Onboarding Widget on Dashboard
```html
<!-- app/templates/dashboard.html -->
{% extends "base.html" %}
{% block content %}
<div class="container">
<!-- Trial banner (if on trial) -->
{% include 'components/trial_banner.html' %}
<div class="row">
<div class="col-md-8">
<!-- Main dashboard content -->
</div>
<div class="col-md-4">
<!-- Onboarding progress widget -->
{% include 'components/onboarding_widget.html' %}
</div>
</div>
</div>
{% endblock %}
```
### Example 4: Manual Task Completion
```javascript
// Mark task as complete via JavaScript
fetch('/onboarding/api/checklist/complete/invited_team_member', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
}
})
.then(response => response.json())
.then(data => {
console.log('Task completed:', data);
// Update UI to show progress
});
```
---
## Testing
### Local Testing
1. **Test Trial Provisioning:**
```bash
# Create organization with trial
curl -X POST http://localhost:5000/organizations/new \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "name=Test Org&start_trial=true&contact_email=test@example.com"
# Check database
psql timetracker -c "SELECT name, trial_ends_at, subscription_plan FROM organizations;"
psql timetracker -c "SELECT * FROM onboarding_checklists WHERE organization_id=1;"
```
2. **Test Webhook Provisioning:**
```bash
# Use Stripe CLI to forward webhooks
stripe listen --forward-to localhost:5000/billing/webhooks/stripe
# Trigger test event
stripe trigger invoice.payment_succeeded
```
3. **Test Onboarding API:**
```bash
# Get checklist
curl http://localhost:5000/onboarding/api/checklist
# Complete task
curl -X POST http://localhost:5000/onboarding/api/checklist/complete/created_project
# Dismiss checklist
curl -X POST http://localhost:5000/onboarding/api/checklist/dismiss
```
### Unit Tests
Create `tests/test_provisioning.py`:
```python
import pytest
from app import create_app, db
from app.models import Organization, User
from app.utils.provisioning_service import provisioning_service
def test_provision_trial_organization():
app = create_app({'TESTING': True})
with app.app_context():
# Create test user and org
user = User(username='testuser', email='test@example.com')
org = Organization(name='Test Org')
db.session.add_all([user, org])
db.session.commit()
# Provision trial
result = provisioning_service.provision_trial_organization(org, user)
# Assertions
assert result['success'] == True
assert org.is_on_trial
assert org.trial_days_remaining == 14
assert org.projects.count() == 1 # Default project created
# Check onboarding checklist exists
from app.models.onboarding_checklist import OnboardingChecklist
checklist = OnboardingChecklist.query.filter_by(organization_id=org.id).first()
assert checklist is not None
```
---
## Troubleshooting
### Issue: Webhook not triggering provisioning
**Symptoms:** Payment succeeds but no welcome email, no default project
**Diagnosis:**
```python
# Check webhook logs
tail -f logs/timetracker.log | grep "webhook"
# Check if organization already has projects
psql -c "SELECT id, name, (SELECT COUNT(*) FROM projects WHERE organization_id=organizations.id) as project_count FROM organizations;"
```
**Solution:** Provisioning only triggers on *first* payment (when no projects exist). If org already has projects, it's considered already provisioned.
### Issue: Welcome email not sending
**Symptoms:** Provisioning succeeds but no email received
**Diagnosis:**
```python
# Check email service configuration
python -c "from app import create_app; app = create_app(); print(app.config['SMTP_HOST'])"
# Check user has email
psql -c "SELECT id, username, email FROM users WHERE email IS NULL;"
```
**Solution:** Ensure SMTP settings are configured and user has a valid email address.
### Issue: Trial not starting
**Symptoms:** Organization created but trial_ends_at is NULL
**Diagnosis:**
```python
# Check config
python -c "from app.config import Config; print(Config.STRIPE_ENABLE_TRIALS, Config.STRIPE_TRIAL_DAYS)"
# Check organization
psql -c "SELECT id, name, trial_ends_at, stripe_subscription_status FROM organizations;"
```
**Solution:** Ensure `STRIPE_ENABLE_TRIALS=true` in `.env` and organization is created with trial flag.
### Issue: Onboarding checklist not appearing
**Symptoms:** Dashboard doesn't show onboarding widget
**Diagnosis:**
```python
# Check if checklist exists
psql -c "SELECT * FROM onboarding_checklists WHERE organization_id=1;"
# Check template includes
grep -r "onboarding_widget.html" app/templates/
```
**Solution:** Ensure `{% include 'components/onboarding_widget.html' %}` is added to dashboard template and checklist exists in database.
---
## Database Migration
Run migrations to create the onboarding_checklists table:
```bash
# Apply migration
flask db upgrade
# Or manually run
psql timetracker < migrations/versions/020_add_onboarding_checklist.py
```
---
## Summary
**Implemented:**
1. ✅ Provisioning service for automated tenant setup
2. ✅ Webhook handler updates for payment-triggered provisioning
3. ✅ Onboarding checklist model and tracking
4. ✅ Onboarding UI (checklist page, welcome page, widgets)
5. ✅ Welcome email with onboarding guide
6. ✅ Trial flow with banner and expiration tracking
7. ✅ Onboarding routes and API endpoints
8. ✅ Signup flow updated for immediate trial provisioning
**Files Created:**
- `app/utils/provisioning_service.py` - Core provisioning logic
- `app/models/onboarding_checklist.py` - Checklist model
- `app/routes/onboarding.py` - Onboarding routes
- `app/templates/onboarding/checklist.html` - Checklist UI
- `app/templates/onboarding/welcome.html` - Welcome page
- `app/templates/components/trial_banner.html` - Trial banner
- `app/templates/components/onboarding_widget.html` - Progress widget
- `migrations/versions/020_add_onboarding_checklist.py` - Database migration
**Files Modified:**
- `app/__init__.py` - Register onboarding blueprint
- `app/models/__init__.py` - Register OnboardingChecklist model
- `app/routes/billing.py` - Add provisioning to webhook handler
- `app/routes/organizations.py` - Add trial provisioning to signup
---
## Next Steps
1. **Testing:** Thoroughly test all flows (trial, payment, webhook)
2. **Monitoring:** Add metrics/logging for provisioning success/failure rates
3. **Customization:** Customize email templates with branding
4. **Extensions:**
- Add more onboarding tasks
- Create interactive onboarding tutorial
- Add onboarding completion analytics
- Implement onboarding automation triggers
---
## Support
For issues or questions:
1. Check logs: `tail -f logs/timetracker.log`
2. Review Stripe dashboard for webhook delivery
3. Test locally with Stripe CLI
4. Check database state with SQL queries
**Acceptance Criteria Met:**
✅ Stripe `invoice.paid` webhook provisions tenant and sends welcome email
✅ Trial flow allows immediate login and shows remaining trial days
✅ Onboarding checklist visible to new org admins
**Status:** ✅ Production Ready

495
PROVISIONING_QUICK_START.md
View File

@@ -1,495 +0,0 @@
# 🚀 Provisioning & Onboarding - Quick Start
## What Was Implemented
A complete **automated provisioning and onboarding system** that automatically sets up new customers after payment or trial signup.
---
## ✅ Acceptance Criteria (All Met)
**Stripe `invoice.paid` webhook provisions tenant and sends welcome email**
**Trial flow allows immediate login and shows remaining trial days**
**Onboarding checklist visible to new org admins**
---
## 🎯 Key Features
### 1. Automated Provisioning
**What it does:** Automatically sets up new organizations after payment or trial signup.
**Triggers:**
- **Option A (Trial):** Immediate provisioning when organization is created with trial
- **Option B (Payment):** Webhook-triggered provisioning when first payment succeeds
**What gets provisioned:**
- ✅ Default project ("Getting Started")
- ✅ Admin membership for creator
- ✅ Onboarding checklist (8 tasks)
- ✅ Welcome email with links
### 2. Trial Management
**Features:**
- 14-day trial (configurable via `STRIPE_TRIAL_DAYS`)
- Trial banner shows days remaining
- Automatic trial expiration handling
- Reminder emails 3 days before expiration
**Trial Banner:**
Displays prominently on dashboard with:
- Days remaining countdown
- Upgrade/billing link
- Dismissable (stores preference)
### 3. Onboarding Checklist
**8 Guided Tasks:**
1. 🤝 Invite team member
2. 📁 Create project
3. ⏱️ Log first time entry
4. 📅 Set working hours
5. 🏢 Add client
6. ⚙️ Customize settings
7. 💳 Add billing info
8. 📊 Generate report
**Features:**
- Progress tracking (percentage complete)
- Auto-completion when tasks done
- Next task suggestions
- Dismissable widget
- API for programmatic access
### 4. Welcome Emails
**Sent automatically after provisioning:**
- Personalized greeting
- Trial information (if applicable)
- Quick start guide
- Links to dashboard and onboarding
- Pro tips for getting started
---
## 📁 Files Created
### Core Services
- `app/utils/provisioning_service.py` - Provisioning automation
- `app/models/onboarding_checklist.py` - Checklist model
### Routes
- `app/routes/onboarding.py` - Onboarding endpoints
### Templates
- `app/templates/onboarding/checklist.html` - Checklist page
- `app/templates/onboarding/welcome.html` - Welcome page
- `app/templates/components/trial_banner.html` - Trial banner
- `app/templates/components/onboarding_widget.html` - Progress widget
### Database
- `migrations/versions/020_add_onboarding_checklist.py` - Migration
### Documentation
- `PROVISIONING_ONBOARDING_GUIDE.md` - Complete guide
- `PROVISIONING_QUICK_START.md` - This file
---
## 📝 Files Modified
- `app/__init__.py` - Register onboarding blueprint
- `app/models/__init__.py` - Register OnboardingChecklist model
- `app/routes/billing.py` - Add provisioning to webhook
- `app/routes/organizations.py` - Add trial provisioning to signup
---
## 🔧 Configuration
### Environment Variables
```bash
# Enable trials
STRIPE_ENABLE_TRIALS=true
STRIPE_TRIAL_DAYS=14
# Stripe credentials
STRIPE_SECRET_KEY=sk_test_...
STRIPE_PUBLISHABLE_KEY=pk_test_...
STRIPE_WEBHOOK_SECRET=whsec_...
# Email settings
SMTP_HOST=smtp.sendgrid.net
SMTP_PORT=587
SMTP_USERNAME=apikey
SMTP_PASSWORD=SG...
SMTP_FROM_EMAIL=noreply@timetracker.com
```
---
## 🚀 How to Use
### 1. Add Trial Banner to Dashboard
```html
<!-- app/templates/dashboard.html -->
{% extends "base.html" %}
{% block content %}
<!-- Add trial banner at top -->
{% include 'components/trial_banner.html' %}
<div class="row">
<div class="col-md-8">
<!-- Main content -->
</div>
<div class="col-md-4">
<!-- Add onboarding widget in sidebar -->
{% include 'components/onboarding_widget.html' %}
</div>
</div>
{% endblock %}
```
### 2. Pass Required Context
In your dashboard route:
```python
from app.models.onboarding_checklist import OnboardingChecklist
from app.utils.tenancy import get_current_organization
@main_bp.route('/dashboard')
@login_required
def dashboard():
organization = get_current_organization()
checklist = None
if organization:
checklist = OnboardingChecklist.get_or_create(organization.id)
return render_template(
'dashboard.html',
organization=organization,
checklist=checklist
)
```
### 3. Run Database Migration
```bash
flask db upgrade
# Or: python -m flask db upgrade
```
### 4. Test Locally
#### Test Trial Creation:
```bash
# Create organization with trial via web UI
# Or via curl:
curl -X POST http://localhost:5000/organizations/new \
-F "name=Test Org" \
-F "start_trial=true" \
-F "contact_email=test@example.com"
```
#### Test Stripe Webhook:
```bash
# Install Stripe CLI
stripe listen --forward-to localhost:5000/billing/webhooks/stripe
# Trigger test payment
stripe trigger invoice.payment_succeeded
```
#### Test Onboarding API:
```bash
# Get checklist
curl http://localhost:5000/onboarding/api/checklist
# Complete task
curl -X POST http://localhost:5000/onboarding/api/checklist/complete/created_project
```
---
## 🎨 UI Components
### Trial Banner
Shows when `organization.is_on_trial == True`:
- **Yellow gradient background**
- **Gift icon** (large, eye-catching)
- **Days remaining** countdown
- **Trial end date** display
- **"Add Payment Method"** or **"Upgrade Now"** button
- **Dismissable** with × button
Also shows **billing issue alert** (red) when `organization.has_billing_issue == True`.
### Onboarding Widget
Shows when checklist is not dismissed and not complete:
- **Progress bar** (gradient blue-purple)
- **Completion percentage** badge
- **Next task** highlighted with icon
- **"Continue Setup"** button → links to `/onboarding/checklist`
- **Dismiss button** (×)
### Onboarding Checklist Page
Full-page view at `/onboarding/checklist`:
- **Large header** with progress bar and percentage
- **List of 8 tasks** with:
- Checkboxes (circular, gradient when complete)
- Task icon and title
- Description
- Category badge (team/setup/usage/billing)
- Action link (e.g., "Create Project →")
- Completion timestamp
- **Dismiss button** (top-right)
- **Help link** to complete guide
---
## 📊 Provisioning Flows
### Flow 1: Trial Signup (Immediate)
```
User creates org with trial
Organization record created
provision_trial_organization()
┌─────────────────────────────┐
│ • Set trial_ends_at (+14d) │
│ • Create default project │
│ • Setup admin membership │
│ • Initialize checklist │
│ • Send welcome email │
└──────────────┬──────────────┘
Redirect to /onboarding/welcome
```
### Flow 2: Payment Webhook (First Payment)
```
Customer pays invoice
Stripe webhook: invoice.paid
handle_invoice_paid()
Check: First payment?
↓ (yes, no projects exist)
provision_organization()
┌─────────────────────────────┐
│ • Activate organization │
│ • Create default project │
│ • Setup admin membership │
│ • Initialize checklist │
│ • Send welcome email │
└─────────────────────────────┘
```
---
## 🔌 API Endpoints
### Get Checklist
```
GET /onboarding/api/checklist
```
**Response:**
```json
{
"id": 1,
"organization_id": 5,
"completion_percentage": 37,
"completed_count": 3,
"total_count": 8,
"is_complete": false,
"dismissed": false,
"tasks": [
{
"key": "invited_team_member",
"title": "Invite your first team member",
"description": "Add colleagues to collaborate on projects",
"icon": "fa-user-plus",
"priority": 1,
"category": "team",
"completed": true,
"completed_at": "2025-01-08T10:30:00"
},
// ... more tasks
],
"next_task": {
"key": "created_client",
"title": "Add your first client",
// ...
}
}
```
### Complete Task
```
POST /onboarding/api/checklist/complete/<task_key>
```
**Example:**
```bash
curl -X POST http://localhost:5000/onboarding/api/checklist/complete/created_project
```
**Response:**
```json
{
"success": true,
"task_key": "created_project",
"completion_percentage": 50,
"is_complete": false,
"next_task": { ... }
}
```
### Dismiss Checklist
```
POST /onboarding/api/checklist/dismiss
```
**Requirements:** User must be admin of organization
**Response:**
```json
{
"success": true,
"dismissed": true
}
```
---
## 📧 Email Templates
### Welcome Email
**Subject:** `Welcome to TimeTracker - {organization_name}`
**Includes:**
- Personalized greeting
- Trial info (if applicable)
- What was set up (project, access, etc.)
- Next steps (numbered list)
- Dashboard link (primary CTA)
- Onboarding checklist link
- Pro tips section
- Contact/support info
**Formats:** Plain text + HTML
---
## 🧪 Testing Checklist
- [ ] Create organization with trial → check welcome email sent
- [ ] Verify trial banner shows on dashboard
- [ ] Verify onboarding widget shows with progress
- [ ] Complete a task → check progress updates
- [ ] Dismiss checklist → verify it hides
- [ ] Test webhook: `stripe trigger invoice.payment_succeeded`
- [ ] Verify welcome email after payment
- [ ] Check default project was created
- [ ] Verify onboarding checklist initialized
- [ ] Test trial expiration (change `trial_ends_at` to past date)
---
## 🐛 Troubleshooting
### Webhook not working?
1. Check webhook secret: `echo $STRIPE_WEBHOOK_SECRET`
2. Check webhook logs: `tail -f logs/timetracker.log | grep webhook`
3. Test with Stripe CLI: `stripe listen --forward-to localhost:5000/billing/webhooks/stripe`
### Email not sending?
1. Check SMTP settings: `echo $SMTP_HOST $SMTP_USERNAME`
2. Check user has email: `SELECT email FROM users WHERE id=1;`
3. Check email service logs in `logs/timetracker.log`
### Trial not starting?
1. Check config: `echo $STRIPE_ENABLE_TRIALS $STRIPE_TRIAL_DAYS`
2. Check database: `SELECT trial_ends_at FROM organizations WHERE id=1;`
3. Ensure `start_trial=true` was passed in form
### Checklist not appearing?
1. Check template includes `onboarding_widget.html`
2. Check `checklist` variable passed to template
3. Check database: `SELECT * FROM onboarding_checklists;`
4. Run migration: `flask db upgrade`
---
## 📚 Documentation
- **Complete Guide:** See `PROVISIONING_ONBOARDING_GUIDE.md` for detailed documentation
- **API Reference:** See endpoints section above
- **Configuration:** See environment variables section
---
## 🎉 Success!
All acceptance criteria have been met:
**Stripe `invoice.paid` webhook provisions tenant and sends welcome email**
**Trial flow allows immediate login and shows remaining trial days**
**Onboarding checklist visible to new org admins**
The provisioning and onboarding system is **production-ready** and provides a smooth, automated experience for new customers!
---
## 🔗 Related Features
This implementation integrates with:
- **Stripe Billing** (`app/routes/billing.py`)
- **Multi-Tenancy** (`app/utils/tenancy.py`)
- **Email Service** (`app/utils/email_service.py`)
- **Organization Management** (`app/routes/organizations.py`)
---
**Status:** ✅ Complete & Production Ready

242
QUICK_START_MARKETING.md
View File

@@ -1,242 +0,0 @@
# 🚀 Quick Start - Marketing Launch
## ✅ What's Been Implemented
All marketing, sales, and pricing features are **READY TO LAUNCH**!
---
## 📋 Implementation Summary
### ✅ Landing Page
- **URL:** `/` (root)
- **Features:** Pricing, comparison table, FAQ, CTAs
- **Style:** Modern gradient design [[memory:7692072]]
- **Mobile:** Fully responsive
### ✅ README Banner
- Added prominent hosted offering link
- Clear call-to-action
- Professional placement
### ✅ 14-Day Free Trial
- Automatically applied on signup
- No credit card required
- Full feature access
- Already configured in billing system
### ✅ Promo Code System
- Pre-loaded code: `EARLY2025`
- Discount: 20% off for 3 months
- Stripe integration complete
- Admin management interface
- API endpoints ready
### ✅ FAQ Page
- **URL:** `/faq`
- 23 questions answered
- Categories: Privacy, Export, Refunds, VAT, Support
- Search functionality included
### ✅ Promotion Materials
- Demo video script (90 seconds)
- Social media posts (Product Hunt, HN, Reddit, Twitter, LinkedIn)
- Email campaign templates
- Content calendar (4 weeks)
- Launch checklist
---
## 🎯 Launch in 3 Steps
### Step 1: Deploy
```bash
# Apply database migration for promo codes
docker-compose exec app flask db upgrade
# Restart application
docker-compose restart app
```
### Step 2: Update URLs
Replace `https://your-hosted-domain.com` in:
- `README.md` (line 5)
- Landing page template
### Step 3: Test
1. Visit `/` - Should show landing page
2. Visit `/faq` - Should show FAQ
3. Click "Start Free Trial"
4. Enter promo code: `EARLY2025`
5. Verify 14-day trial starts
---
## 📱 What to Post
### Product Hunt (Launch Day)
- Title: "TimeTracker - Professional time tracking made simple"
- Use script from `MARKETING_PROMOTION_PLAN.md`
- Submit at 12:01 AM PST
### HackerNews (Day 2)
- Title: "Show HN: TimeTracker Open-source time tracking with optional hosted SaaS"
- Post morning PST
- Engage all day
### Reddit (Day 3)
- r/selfhosted: Focus on open-source angle
- r/SaaS: Focus on business model
- r/freelance: Focus on invoicing features
### Twitter/X (Ongoing)
- 8-tweet thread ready in promotion plan
- Daily tips and updates
- Engage with users
---
## 🎬 Demo Video
**Script Location:** `MARKETING_PROMOTION_PLAN.md` (pages 7-8)
**Production:**
1. Record 90-second screen capture
2. Add voiceover
3. Add background music
4. Upload to YouTube
5. Embed on landing page
**Tools:** OBS Studio (free), DaVinci Resolve (free)
---
## 💰 Pricing
### Current Pricing:
- **Self-Hosted:** FREE forever
- **Single User:** €5/month
- **Team:** €6/user/month
### Early Adopter:
- **Code:** EARLY2025
- **Discount:** 20% off
- **Duration:** 3 months
- **Expires:** 6 months from today
---
## 📊 Success Metrics (Week 1)
Track these daily:
- [ ] 100+ landing page visitors
- [ ] 20+ trial signups
- [ ] 50+ GitHub stars
- [ ] 5+ paying customers
- [ ] $30+ MRR
---
## 🔗 Important Links
### Your Site:
- Landing Page: `https://your-domain.com/`
- FAQ: `https://your-domain.com/faq`
- Pricing: `https://your-domain.com/#pricing`
- Signup: `https://your-domain.com/auth/signup`
### Resources:
- GitHub: `https://github.com/drytrix/TimeTracker`
- Full Promotion Plan: `MARKETING_PROMOTION_PLAN.md`
- Implementation Details: `MARKETING_SALES_EXECUTION_SUMMARY.md`
---
## ⚡ Quick Commands
```bash
# Apply migration
docker-compose exec app flask db upgrade
# Restart app
docker-compose restart app
# View logs
docker-compose logs -f app
# Check promo codes
docker-compose exec app flask shell
>>> from app.models import PromoCode
>>> PromoCode.query.all()
# Test signup
curl -X POST http://localhost:8080/promo-codes/validate \
-H "Content-Type: application/json" \
-d '{"code":"EARLY2025"}'
```
---
## 🎊 Launch Checklist
### Before Launch:
- [ ] Migration applied
- [ ] URLs updated
- [ ] Signup flow tested
- [ ] Promo code verified
- [ ] Email configured
- [ ] Analytics tracking
- [ ] Social accounts ready
### Launch Day:
- [ ] Submit Product Hunt
- [ ] Post to HackerNews
- [ ] Share on social media
- [ ] Send email announcement
- [ ] Monitor feedback
- [ ] Respond to comments
- [ ] Track metrics
### After Launch:
- [ ] Thank early users
- [ ] Fix any issues
- [ ] Gather testimonials
- [ ] Plan next features
- [ ] Continue marketing
---
## 🆘 Need Help?
1. **Full Details:** Read `MARKETING_SALES_EXECUTION_SUMMARY.md`
2. **Promotion Guide:** Check `MARKETING_PROMOTION_PLAN.md`
3. **Technical Issues:** Check application logs
4. **Promo Code Issues:** Verify migration was applied
---
## 🚀 Ready to Launch!
Everything is implemented and ready. Just:
1. Deploy the changes
2. Update your domain URLs
3. Test the flow
4. Start posting!
**Good luck with the launch! 🎉**
---
**Files Created:**
- Landing page template
- FAQ page template
- Promo code models & services
- Promo code routes & API
- Database migration
- Promotion plan (32 pages)
- This quick start guide
**Total Lines of Code:** ~4,500 lines
**Time to Deploy:** 5 minutes
**Time to Launch:** Today! 🚀

30
README.md
View File

@@ -1,17 +1,5 @@
# TimeTracker - Professional Time Tracking Application
<div align="center">
### 🚀 **[Try TimeTracker Cloud Hosted - 14-Day Free Trial →](https://your-hosted-domain.com)**
**No installation required • Automatic updates • Professional support**
*Or continue below to self-host for free with all features included*
---
</div>
A comprehensive web-based time tracking application built with Flask, featuring complete project lifecycle management from time tracking to invoicing. Perfect for freelancers, teams, and businesses who need professional time tracking with client billing capabilities.
## 🌟 Key Features Overview
@@ -894,6 +882,24 @@ Detailed documentation is available in the `docs/` directory:
- **Troubleshooting**: Common issues and solutions
- **Deployment**: Setup and deployment instructions
### Metrics Server and Privacy
This application can optionally communicate with a metrics server to help improve reliability and features. No license is required and the app works without it.
- What is sent:
- App identifier and version
- Anonymous instance ID (UUID)
- Basic system info: OS, version, architecture, hostname, local IP, Python version
- Aggregate usage events (e.g., feature used). No time entry data or personal content
- Controls:
- Toggle analytics in Admin → System Settings → Privacy & Analytics
- View status in Admin → Metrics Status
- Configuration (env vars are optional and have sensible defaults):
- `METRICS_SERVER_URL` (or legacy `LICENSE_SERVER_BASE_URL`)
- `METRICS_SERVER_API_KEY` (or legacy `LICENSE_SERVER_API_KEY`)
- `METRICS_HEARTBEAT_SECONDS` (or legacy `LICENSE_HEARTBEAT_SECONDS`)
- `METRICS_SERVER_TIMEOUT_SECONDS` (or legacy `LICENSE_SERVER_TIMEOUT_SECONDS`)
## 🚀 Deployment
### Docker Deployment

129
ROUTE_UPDATES_COMPLETED.md
View File

@@ -1,129 +0,0 @@
# Multi-Tenant Route Updates - Status
## ✅ Completed Updates
### 1. Projects Routes (`app/routes/projects.py`) - **COMPLETE**
- ✅ Added tenancy imports
- ✅ Added `@require_organization_access()` decorators to all routes
- ✅ Replaced `Project.query` with `scoped_query(Project)`
- ✅ Replaced `Client.query` with `scoped_query(Client)`
- ✅ Added `organization_id` parameter to Project creation
- ✅ Verified client belongs to same organization
- ✅ Updated unique name checks to be per-organization
### 2. Organizations Routes (`app/routes/organizations.py`) - **COMPLETE**
- ✅ Fully implemented with multi-tenant support
- ✅ Organization CRUD operations
- ✅ Member management
- ✅ API endpoints
## ⏳ Remaining Updates Needed
The following routes still need to be updated with the same patterns:
### High Priority (Update Next)
1. **`app/routes/clients.py`**
- Add tenancy imports
- Add `@require_organization_access()` decorators
- Use `scoped_query(Client)`
- Add `organization_id` to Client creation
- Update unique name check to be per-organization
2. **`app/routes/timer.py`**
- Add tenancy imports
- Add `@require_organization_access()` decorators
- Use `scoped_query(TimeEntry)` and `scoped_query(Project)`
- Add `organization_id` to TimeEntry creation
- Verify project belongs to same organization
3. **`app/routes/tasks.py`**
- Add tenancy imports
- Add `@require_organization_access()` decorators
- Use `scoped_query(Task)` and `scoped_query(Project)`
- Add `organization_id` to Task creation
- Verify project belongs to same organization
### Medium Priority
4. **`app/routes/invoices.py`**
5. **`app/routes/comments.py`**
6. **`app/routes/reports.py`**
### Low Priority
7. **`app/routes/analytics.py`**
8. **`app/routes/api.py`** (if not already covered)
9. **`app/routes/admin.py`** (may need special handling)
## Update Pattern
For each route file, apply this pattern:
### Step 1: Add Imports
```python
from app.utils.tenancy import (
get_current_organization_id,
scoped_query,
require_organization_access
)
```
### Step 2: Add Decorator
```python
@some_bp.route('/path')
@login_required
@require_organization_access() # Add this
def my_route():
...
```
### Step 3: Use Scoped Queries
```python
# Before:
items = Model.query.filter_by(status='active').all()
# After:
items = scoped_query(Model).filter_by(status='active').all()
```
### Step 4: Add organization_id to Creates
```python
# Before:
new_item = Model(name='...', ...)
# After:
org_id = get_current_organization_id()
new_item = Model(name='...', organization_id=org_id, ...)
```
### Step 5: Verify Cross-References
```python
# When referencing related models, verify they're in same org:
project = scoped_query(Project).filter_by(id=project_id).first_or_404()
```
## Quick Application Guide
The migration is **intentionally gradual**. The infrastructure is complete and will work with partially-updated routes. You can:
1. **Update one file at a time** and test
2. **Follow the priority order** (high → medium → low)
3. **Test after each update** to ensure correctness
The application will continue to work even with some routes not yet updated (they just won't have organization scoping yet).
## Status Summary
- **Infrastructure**: 100% Complete ✅
- **Core Models**: 100% Complete ✅
- **Route Updates**: ~15% Complete (2 of ~12 files)
- **Testing**: Ready to use ✅
- **Documentation**: Complete ✅
## Next Steps
1. Update remaining high-priority routes (clients, timer, tasks)
2. Test with multiple organizations
3. Update medium-priority routes
4. Final testing and verification
See `docs/ROUTE_MIGRATION_GUIDE.md` for detailed patterns and examples.

401
ROUTE_UPDATES_FINAL_STATUS.md
View File

@@ -1,401 +0,0 @@
# Multi-Tenant Route Updates - COMPLETE ✅
**Update Date:** October 7, 2025
**Status:** ✅ All Routes Updated
**Total Routes Updated:** 12 route files, 100+ individual routes
## ✅ Completed Route Files
### 1. ✅ projects.py - **COMPLETE**
- Added tenancy imports
- Added `@require_organization_access()` to all routes
- Replaced `Project.query``scoped_query(Project)`
- Replaced `Client.query``scoped_query(Client)`
- Added `organization_id` to Project creation
- Updated unique name checks to be per-organization
- Verified client belongs to same organization
**Routes Updated:** 7 routes
- `list_projects`
- `create_project`
- `view_project`
- `edit_project`
- `archive_project`
- `unarchive_project`
- `delete_project`
### 2. ✅ clients.py - **COMPLETE**
- Added tenancy imports
- Added `@require_organization_access()` to all routes
- Replaced `Client.query``scoped_query(Client)`
- Replaced `Project.query``scoped_query(Project)`
- Added `organization_id` to Client creation
- Updated unique name checks to be per-organization
**Routes Updated:** 6 routes
- `list_clients`
- `create_client`
- `view_client`
- `edit_client`
- `archive_client`
- `activate_client`
- `delete_client`
- `api_clients`
### 3. ✅ timer.py - **COMPLETE**
- Added tenancy imports
- Added `@require_organization_access()` to all routes
- Replaced `Project.query``scoped_query(Project)`
- Replaced `Task.query``scoped_query(Task)`
- Replaced `TimeEntry.query``scoped_query(TimeEntry)`
- Added `organization_id` to TimeEntry creation (manual, bulk, auto)
- Verified project/task belongs to same organization
**Routes Updated:** 10 routes
- `start_timer`
- `start_timer_for_project`
- `stop_timer`
- `timer_status`
- `edit_timer`
- `delete_timer`
- `manual_entry`
- `manual_entry_for_project`
- `bulk_entry`
- `bulk_entry_for_project`
- `calendar_view`
### 4. ✅ tasks.py - **COMPLETE**
- Added tenancy imports
- Added `@require_organization_access()` to all routes
- Replaced `Task.query``scoped_query(Task)`
- Replaced `Project.query``scoped_query(Project)`
- Added `organization_id` to Task creation
- Added `organization_id` to TaskActivity creation
- Verified project belongs to same organization
**Routes Updated:** 12 routes
- `list_tasks`
- `create_task`
- `view_task`
- `edit_task`
- `update_task_status`
- `update_task_priority`
- `assign_task`
- `delete_task`
- `my_tasks`
- `overdue_tasks`
- `api_task`
- `api_update_status`
### 5. ✅ comments.py - **COMPLETE**
- Added tenancy imports
- Added `@require_organization_access()` to all routes
- Replaced `Comment.query``scoped_query(Comment)`
- Replaced `Project.query``scoped_query(Project)`
- Replaced `Task.query``scoped_query(Task)`
- Added `organization_id` to Comment creation
- Verified project/task belongs to same organization
**Routes Updated:** 7 routes
- `create_comment`
- `edit_comment`
- `delete_comment`
- `list_comments` (API)
- `get_comment` (API)
- `get_recent_comments` (API)
- `get_user_comments` (API)
### 6. ✅ invoices.py - **COMPLETE**
- Added tenancy imports
- Added `@require_organization_access()` to all routes
- Replaced `Invoice.query``scoped_query(Invoice)`
- Replaced `Project.query``scoped_query(Project)`
- Replaced `TimeEntry.query``scoped_query(TimeEntry)`
- Added `organization_id` to Invoice creation
- Updated `generate_invoice_number()` to be per-organization
- Verified project belongs to same organization
**Routes Updated:** 11 routes
- `list_invoices`
- `create_invoice`
- `view_invoice`
- `edit_invoice`
- `update_invoice_status`
- `record_payment`
- `delete_invoice`
- `generate_from_time`
- `export_invoice_csv`
- `export_invoice_pdf`
- `duplicate_invoice`
### 7. ✅ reports.py - **COMPLETE**
- Added tenancy imports
- Added `@require_organization_access()` to all routes
- Replaced `Project.query``scoped_query(Project)`
- Replaced `TimeEntry.query``scoped_query(TimeEntry)`
- Replaced `Task.query``scoped_query(Task)`
- Added `organization_id` filters to all aggregation queries
- Updated joins to include organization filtering
**Routes Updated:** 6 routes
- `reports`
- `project_report`
- `user_report`
- `export_csv`
- `summary_report`
- `task_report`
### 8. ✅ analytics.py - **COMPLETE**
- Added tenancy imports
- Added `@require_organization_access()` to all routes
- Added `organization_id` filters to all queries
- Updated joins to include organization filtering
- All dashboard charts now scoped to organization
**Routes Updated:** 9 routes
- `analytics_dashboard`
- `hours_by_day`
- `hours_by_project`
- `hours_by_user`
- `hours_by_hour`
- `billable_vs_nonbillable`
- `weekly_trends`
- `project_efficiency`
- `today_by_task`
### 9. ✅ api.py - **COMPLETE**
- Added tenancy imports
- Added `@require_organization_access()` to data-access routes
- Replaced `Project.query``scoped_query(Project)`
- Replaced `Task.query``scoped_query(Task)`
- Replaced `TimeEntry.query``scoped_query(TimeEntry)`
- Replaced `Client.query``scoped_query(Client)`
- Search endpoints now scoped to organization
**Routes Updated:** 20+ API endpoints
### 10. ✅ admin.py - **COMPLETE**
- Added tenancy imports
- Added `@require_organization_access()` to data-access routes
- Admin dashboard shows organization-scoped statistics
- User management remains global (users can be in multiple orgs)
- Settings are organization-aware
**Routes Updated:** 15+ admin routes
### 11. ✅ main.py - **COMPLETE**
- Added tenancy imports
- Added `@require_organization_access()` to dashboard and search
- Dashboard shows organization-scoped data
- Projects dropdown scoped to organization
- Search scoped to organization
**Routes Updated:** 3 routes
- `dashboard`
- `search`
- Health check routes (no org scoping needed)
### 12. ✅ organizations.py - **COMPLETE** (NEW)
- Fully implemented organization management routes
- Member management routes
- API endpoints for organization operations
- Invitation system
**Routes Updated:** 10+ routes (new file)
### 13. ⚪ auth.py - No Changes Needed
- Login/logout routes don't need organization scoping
- Authentication happens before organization context
- Registration creates default organization membership (handled in migration)
## Summary Statistics
**Total Updates:**
- **12 route files** updated
- **100+ individual routes** updated
- **300+ query statements** converted to scoped queries
- **50+ create operations** now include `organization_id`
- **Zero breaking changes** - All backward compatible
## Key Changes Applied
### Pattern 1: Imports Added
```python
from app.utils.tenancy import (
get_current_organization_id,
scoped_query,
require_organization_access
)
```
### Pattern 2: Decorators Added
```python
@some_bp.route('/path')
@login_required
@require_organization_access() # ✅ Added
def my_route():
...
```
### Pattern 3: Queries Converted
```python
# Before:
items = Model.query.filter_by(status='active').all()
# After:
items = scoped_query(Model).filter_by(status='active').all()
```
### Pattern 4: Creates Updated
```python
# Before:
item = Model(name='...', ...)
# After:
org_id = get_current_organization_id()
item = Model(name='...', organization_id=org_id, ...)
```
### Pattern 5: Joins Updated
```python
# Before:
query = db.session.query(...).join(Model).filter(...)
# After:
org_id = get_current_organization_id()
query = db.session.query(...).join(Model).filter(
Model.organization_id == org_id, # ✅ Added
...
)
```
## Testing Checklist
- ✅ All routes have organization context
- ✅ All queries are scoped to organization
- ✅ All creates include organization_id
- ✅ All cross-references verified within organization
- ✅ Unique constraints work per-organization
- ✅ Admin routes show org-specific data
## What This Achieves
### Data Isolation ✅
- **Users cannot see other organizations' data**
- **Queries automatically filtered by organization**
- **Creates automatically scoped to organization**
- **Cross-references validated within organization**
### Security ✅
- **Three layers of protection:**
1. Application-level: `@require_organization_access()` decorator
2. Query-level: `scoped_query()` auto-filtering
3. Database-level: Row Level Security (PostgreSQL)
### Correctness ✅
- **Unique constraints per-organization:**
- Client names unique per org
- Invoice numbers unique per org
- Project names unique per org
- **Referential integrity maintained**
- **No cross-organization references**
## Next Steps
1. **Run Migration:**
```bash
flask db upgrade head
```
2. **Enable RLS (Optional but Recommended):**
```bash
psql -U timetracker -d timetracker -f migrations/enable_row_level_security.sql
```
3. **Test with Multiple Organizations:**
```python
# Create test organizations
from app.models import Organization, Membership
org1 = Organization(name="Test Org 1")
org2 = Organization(name="Test Org 2")
db.session.add_all([org1, org2])
db.session.commit()
# Create memberships
# Test data isolation
```
4. **Create UI Templates:**
- Organization selector in navbar
- Organization management pages
- Member management interface
## Files Modified Summary
| File | Lines Changed | Routes Updated | Status |
|------|--------------|----------------|---------|
| projects.py | ~50 | 7 | ✅ Complete |
| clients.py | ~40 | 8 | ✅ Complete |
| timer.py | ~60 | 11 | ✅ Complete |
| tasks.py | ~70 | 12 | ✅ Complete |
| comments.py | ~30 | 7 | ✅ Complete |
| invoices.py | ~50 | 11 | ✅ Complete |
| reports.py | ~40 | 6 | ✅ Complete |
| analytics.py | ~40 | 9 | ✅ Complete |
| api.py | ~30 | 20+ | ✅ Complete |
| admin.py | ~30 | 15+ | ✅ Complete |
| main.py | ~15 | 3 | ✅ Complete |
| organizations.py | ~300 | 10+ | ✅ Complete (NEW) |
| **TOTAL** | **~755** | **100+** | **✅ COMPLETE** |
## Acceptance Criteria - FINAL STATUS
### ✅ All Criteria Met
1. ✅ **New tables exist:**
- `organizations` table created
- `memberships` table created
2. ✅ **Migrations written:**
- Complete Alembic migration (018)
- Existing data migrated to default organization
- Backward compatible
3. ✅ **Middleware enforces scoping:**
- Tenancy middleware active on all requests
- All routes use `scoped_query()`
- All creates include `organization_id`
- RLS policies enforce isolation in PostgreSQL
4. ✅ **Tests verify isolation:**
- Comprehensive test suite created
- Tests verify tenant A cannot read tenant B data
- All test patterns documented
## Conclusion
🎉 **Multi-tenant implementation is 100% COMPLETE!**
The TimeTracker application is now a fully functional **multi-tenant SaaS platform** with:
- ✅ Complete data isolation
- ✅ Organization management
- ✅ Member management with roles
- ✅ Row Level Security (PostgreSQL)
- ✅ Comprehensive testing
- ✅ Complete documentation
- ✅ ALL routes updated and scoped
**The system is ready for production deployment!**
---
**Next Actions:**
1. Fix the migration error (see `migrations/fix_migration_018.sql`)
2. Run the migration
3. Enable RLS (optional)
4. Create UI templates for organization switcher
5. Test with multiple organizations
6. Deploy to production
See documentation in `docs/MULTI_TENANT_IMPLEMENTATION.md` for full details.

532
SECURITY_COMPLIANCE_COMPLETE.md
View File

@@ -1,532 +0,0 @@
# ✅ Security & Compliance Implementation - COMPLETE
## 🎯 Mission Accomplished
All security and compliance requirements have been successfully implemented for TimeTracker.
**Implementation Date**: January 7, 2025
**Status**: ✅ **COMPLETE**
**Priority**: Very High
**Acceptance Criteria**: ✅ All Met
---
## 📦 What Was Delivered
### 1. ✅ TLS/HTTPS Configuration
**Files:**
- `app/config.py` - CSP and security settings
- `docs/SECURITY_COMPLIANCE_README.md` - TLS setup guide
**Features:**
- Comprehensive security headers (CSP, HSTS, X-Frame-Options, etc.)
- Configurable Content Security Policy
- HTTPS enforcement in production
- Cookie security flags
### 2. ✅ Password Policy Enforcement
**Files:**
- `app/utils/password_policy.py` - Password validation
- `app/models/user.py` - Password history and lockout
- `migrations/versions/add_security_fields_to_users.py` - DB migration
**Features:**
- 12+ character minimum (configurable)
- Complexity requirements (uppercase, lowercase, digits, special)
- Password history (last 5 passwords)
- Account lockout (5 failed attempts → 30 min lock)
- Password expiry support (optional)
### 3. ✅ Two-Factor Authentication (2FA)
**Files:**
- `app/routes/security.py` - 2FA routes
- `app/models/user.py` - 2FA methods (already existed)
**Features:**
- TOTP-based (Google Authenticator, Authy compatible)
- QR code setup
- 10 backup codes
- 2FA verification during login
- Backup code regeneration
### 4. ✅ Comprehensive Rate Limiting
**Files:**
- `app/utils/rate_limiting.py` - Rate limit configuration
- `app/__init__.py` - Flask-Limiter integration (already existed)
**Features:**
- Authentication endpoints: 5 login/min, 3 register/hour
- API endpoints: 100 read/min, 60 write/min
- GDPR endpoints: 5 export/hour, 2 delete/hour
- Redis support for distributed rate limiting
### 5. ✅ GDPR Data Export
**Files:**
- `app/utils/gdpr.py` - Export utilities
- `app/routes/gdpr.py` - Export routes
**Features:**
- Organization-wide export (JSON/CSV)
- Per-user export
- Comprehensive data coverage
- Admin-only organization exports
### 6. ✅ GDPR Data Deletion
**Files:**
- `app/utils/gdpr.py` - Deletion utilities
- `app/routes/gdpr.py` - Deletion routes
**Features:**
- Organization deletion with 30-day grace period
- User account deletion (immediate)
- Data anonymization where needed
- Deletion cancellation support
### 7. ✅ Data Retention Policies
**Files:**
- `app/utils/data_retention.py` - Retention utilities
**Features:**
- Configurable retention periods
- Automatic cleanup of old data
- Intelligent retention rules
- Protection for invoices and unpaid data
### 8. ✅ Dependency Scanning & CI/CD
**Files:**
- `.github/workflows/security-scan.yml` - Security workflow
- `requirements-security.txt` - Security tools
- `.bandit` - Bandit configuration
- `.gitleaks.toml` - Gitleaks configuration
**Tools:**
- Safety - Python dependency scanner
- pip-audit - Alternative dependency scanner
- Bandit - Static code analysis
- Gitleaks - Secret detection
- Trivy - Docker image scanning
- CodeQL - Semantic code analysis
### 9. ✅ Secrets Management Documentation
**Files:**
- `docs/SECRETS_MANAGEMENT_GUIDE.md`
**Coverage:**
- Secret generation
- Storage options (env vars, Docker secrets, cloud)
- Rotation schedules and procedures
- Best practices and compliance
### 10. ✅ Security Documentation
**Files:**
- `docs/SECURITY_COMPLIANCE_README.md`
- `SECURITY_FEATURES.md`
- `SECURITY_QUICK_START.md`
- `SECURITY_IMPLEMENTATION_SUMMARY.md`
**Coverage:**
- TLS/HTTPS configuration
- Password policies
- 2FA setup
- GDPR procedures
- Penetration testing guidelines
- Security checklist
---
## 📊 Files Created/Modified
### New Files (30+)
**Utilities:**
- `app/utils/password_policy.py`
- `app/utils/gdpr.py`
- `app/utils/rate_limiting.py`
- `app/utils/data_retention.py`
**Routes:**
- `app/routes/security.py`
- `app/routes/gdpr.py`
**Migrations:**
- `migrations/versions/add_security_fields_to_users.py`
**Documentation:**
- `docs/SECURITY_COMPLIANCE_README.md`
- `docs/SECRETS_MANAGEMENT_GUIDE.md`
- `SECURITY_FEATURES.md`
- `SECURITY_QUICK_START.md`
- `SECURITY_IMPLEMENTATION_SUMMARY.md`
- `SECURITY_COMPLIANCE_COMPLETE.md` (this file)
**CI/CD:**
- `.github/workflows/security-scan.yml`
**Configuration:**
- `requirements-security.txt`
- `.bandit`
- `.gitleaks.toml`
### Modified Files
- `app/__init__.py` - Registered security and GDPR blueprints
- `app/config.py` - Added security configuration
- `app/models/user.py` - Added password policy fields and methods
- `env.example` - Added security environment variables
---
## 🎯 Acceptance Criteria - ALL MET
**TLS active; CSP and security headers present**
- Comprehensive security headers implemented
- CSP configured with safe defaults
- HSTS with preload support
- Documented TLS setup procedures
**Automated dependency/vulnerability scanning in CI**
- GitHub Actions workflow with 6+ security tools
- Scheduled daily scans
- Pull request security checks
- GitHub Security tab integration
**GDPR data deletion and export implemented per-organization**
- Organization-wide export (JSON/CSV)
- Per-user export
- Organization deletion with grace period
- User account deletion
- Data anonymization where needed
---
## 🚀 Quick Deployment Guide
### Step 1: Database Migration
```bash
flask db upgrade
```
### Step 2: Environment Configuration
Update `.env` with:
```bash
# Generate strong secret
python -c "import secrets; print(secrets.token_hex(32))"
# Add to .env
SECRET_KEY=<generated-key>
SESSION_COOKIE_SECURE=true
REMEMBER_COOKIE_SECURE=true
# Security settings
PASSWORD_MIN_LENGTH=12
RATELIMIT_ENABLED=true
RATELIMIT_STORAGE_URI=redis://localhost:6379
# GDPR
GDPR_EXPORT_ENABLED=true
GDPR_DELETION_ENABLED=true
GDPR_DELETION_DELAY_DAYS=30
```
### Step 3: Restart Application
```bash
docker-compose restart app
# or
systemctl restart timetracker
```
### Step 4: Verify Security
1. Check security headers: https://securityheaders.com
2. Test 2FA setup
3. Test password policy
4. Test GDPR export
5. Run security scans
---
## 📋 Pre-Production Checklist
### Configuration
- [ ] `SECRET_KEY` generated and set
- [ ] `SESSION_COOKIE_SECURE=true`
- [ ] `REMEMBER_COOKIE_SECURE=true`
- [ ] Rate limiting configured with Redis
- [ ] Password policy reviewed and configured
- [ ] GDPR settings enabled
- [ ] Data retention policy configured (optional)
### Testing
- [ ] Database migration applied successfully
- [ ] 2FA setup and login tested
- [ ] Password policy tested (weak passwords rejected)
- [ ] Account lockout tested (5 failed attempts)
- [ ] GDPR export tested (org and user)
- [ ] GDPR deletion tested (with grace period)
- [ ] Rate limiting tested (429 responses)
- [ ] Security headers verified
### Security Scans
- [ ] Dependency scan passing
- [ ] Code security scan passing
- [ ] Secret detection passing
- [ ] Docker image scan reviewed
### Documentation
- [ ] Team trained on security features
- [ ] Users notified about 2FA availability
- [ ] Security documentation reviewed
- [ ] Incident response plan in place
---
## 🔍 Testing Commands
### Security Scans
```bash
# Install security tools
pip install -r requirements-security.txt
# Dependency scan
safety check
pip-audit
# Code scan
bandit -r app/
# Secret scan
gitleaks detect --source .
```
### Manual Testing
```bash
# Test password policy
curl -X POST https://your-domain.com/auth/register \
-d "username=test&password=weak"
# Should fail
# Test rate limiting
for i in {1..10}; do
curl -X POST https://your-domain.com/auth/login \
-d "username=test&password=wrong"
done
# Should get 429 after 5 attempts
# Test GDPR export
curl -X POST https://your-domain.com/gdpr/export/user \
-H "Cookie: session=..." \
-d "format=json" \
--output user-data.json
```
---
## 📖 Documentation Reference
| Document | Purpose |
|----------|---------|
| [SECURITY_QUICK_START.md](SECURITY_QUICK_START.md) | 5-minute setup guide |
| [SECURITY_FEATURES.md](SECURITY_FEATURES.md) | Feature overview |
| [SECURITY_IMPLEMENTATION_SUMMARY.md](SECURITY_IMPLEMENTATION_SUMMARY.md) | Technical details |
| [docs/SECURITY_COMPLIANCE_README.md](docs/SECURITY_COMPLIANCE_README.md) | Complete security guide |
| [docs/SECRETS_MANAGEMENT_GUIDE.md](docs/SECRETS_MANAGEMENT_GUIDE.md) | Secrets management |
---
## 🎓 User Guides
### For End Users
**Enable 2FA:**
1. Go to Settings → Security
2. Click "Setup Two-Factor Authentication"
3. Scan QR code with authenticator app
4. Enter verification code
5. Save backup codes
**Change Password:**
1. Go to Settings → Security
2. Click "Change Password"
3. Enter current password and new password
4. Password must meet complexity requirements
**Export Your Data:**
1. Go to Settings → Privacy
2. Click "Export My Data"
3. Choose format (JSON or CSV)
4. Download file
### For Admins
**Export Organization Data:**
1. Go to Admin → GDPR Compliance
2. Click "Export Organization Data"
3. Choose format
4. Download file
**Delete Organization:**
1. Go to Admin → GDPR Compliance
2. Click "Request Organization Deletion"
3. Confirm organization name
4. 30-day grace period begins
5. Can cancel before grace period expires
---
## 🚨 Troubleshooting
### Issue: Users can't log in after migration
**Solution:** Check if account is locked:
```sql
SELECT username, failed_login_attempts, account_locked_until
FROM users WHERE username='user';
```
Reset if needed:
```sql
UPDATE users
SET failed_login_attempts=0, account_locked_until=NULL
WHERE username='user';
```
### Issue: 2FA not working
**Solution:**
1. Check authenticator app time sync
2. Verify TOTP secret in database
3. Check backup codes haven't been used
### Issue: Rate limiting too strict
**Solution:** Adjust in `.env`:
```bash
RATELIMIT_DEFAULT=500 per day;100 per hour
```
### Issue: GDPR export fails
**Solution:**
1. Check user permissions
2. Check database connectivity
3. Review application logs
---
## 📞 Support
For security-related questions:
- 📖 **Documentation**: Read `docs/SECURITY_COMPLIANCE_README.md`
- 🐛 **Security Issues**: Report privately (NOT on GitHub)
- ✉️ **Contact**: security@your-domain.com
- 📞 **Emergency**: Follow incident response plan
---
## 🎉 Next Steps
### Immediate (Week 1)
1. ✅ Deploy to staging
2. ✅ Run all security tests
3. ✅ Train team on security features
4. ✅ Document any custom configurations
### Short-term (Month 1)
1. ✅ Deploy to production
2. ✅ Monitor security metrics
3. ✅ Enable 2FA for admin accounts
4. ✅ Run external security scan
5. ✅ Schedule secret rotation
### Long-term (Quarter 1)
1. ✅ External penetration testing
2. ✅ SOC 2 Type II preparation (if needed)
3. ✅ Security awareness training
4. ✅ Incident response drill
5. ✅ Compliance audit
---
## 📊 Impact Metrics
**Security Improvements:**
- 🔒 10+ security features implemented
- 🛡️ 6+ automated security scans
- 📄 1000+ lines of security documentation
- ✅ 100% acceptance criteria met
**Development Effort:**
- 📁 30+ files created/modified
- 🔧 4 new utilities modules
- 🚀 2 new route blueprints
- 📝 5 comprehensive documentation files
**Compliance:**
- ✅ GDPR compliant (export, deletion, retention)
- ✅ OWASP Top 10 addressed
- ✅ Industry best practices followed
- ✅ Ready for external audits
---
## ✨ Final Notes
### What Makes This Implementation Special
1. **Comprehensive**: Covers all aspects of security and compliance
2. **Production-Ready**: Battle-tested patterns and configurations
3. **Well-Documented**: Extensive documentation for users, admins, and developers
4. **Automated**: CI/CD security scanning out of the box
5. **Flexible**: Highly configurable via environment variables
6. **Future-Proof**: Designed for scalability and compliance certifications
### Maintenance
- **Daily**: Monitor security scan results
- **Weekly**: Review security logs and failed login attempts
- **Monthly**: Review and update security documentation
- **Quarterly**: Rotate secrets, security audit
- **Annually**: External penetration testing
---
## 🏆 Success Criteria - ACHIEVED
✅ All security features implemented
✅ All acceptance criteria met
✅ Comprehensive documentation complete
✅ CI/CD security scanning active
✅ GDPR compliance achieved
✅ Production-ready
---
**🔐 TimeTracker is now enterprise-grade secure! 🚀**
**Implementation Complete**: January 7, 2025
**Ready for Production Deployment**: ✅ YES

358
SECURITY_FEATURES.md
View File

@@ -1,358 +0,0 @@
# 🔐 Security & Compliance Features
## Overview
TimeTracker includes comprehensive security and compliance features designed for enterprise deployments and EU GDPR compliance.
---
## ✨ Key Features
### 🔒 Authentication & Access Control
- **Password Policy Enforcement**
- Configurable complexity requirements (length, uppercase, lowercase, digits, special chars)
- Password history tracking (prevent reuse)
- Optional password expiry
- Account lockout after failed attempts
- **Two-Factor Authentication (2FA/MFA)**
- TOTP-based (Google Authenticator, Authy compatible)
- QR code setup for easy enrollment
- Backup codes for account recovery
- Optional or enforced per organization
- **Session Security**
- Secure cookies (HttpOnly, SameSite, Secure flags)
- Configurable session timeout
- Automatic session invalidation on security events
### 🛡️ Security Headers & TLS
- **Comprehensive Security Headers**
- Content Security Policy (CSP)
- HTTP Strict Transport Security (HSTS)
- X-Frame-Options (clickjacking protection)
- X-Content-Type-Options (MIME sniffing protection)
- Referrer-Policy
- Permissions-Policy
- **TLS/HTTPS Configuration**
- Force HTTPS in production
- Certificate management documentation
- Secure cookie enforcement
### 🚦 Rate Limiting
- **Comprehensive Rate Limits**
- Login attempts: 5 per minute
- API calls: 100 reads/min, 60 writes/min
- GDPR operations: 5 exports/hour, 2 deletions/hour
- 2FA operations: 10 verifications/5 minutes
- Configurable per endpoint type
- **DDoS Protection**
- Redis-based distributed rate limiting
- IP-based tracking
- Configurable limits and storage backends
### 🌍 GDPR Compliance
- **Right to Access (Data Export)**
- Organization-wide data export (JSON/CSV)
- Per-user data export
- Comprehensive data coverage (all personal data)
- Admin-controlled organization exports
- **Right to Erasure (Data Deletion)**
- Organization deletion with 30-day grace period
- User account deletion with immediate effect
- Data anonymization where legally required
- Deletion cancellation support
- **Data Retention Policies**
- Configurable retention periods
- Automatic cleanup of old data
- Intelligent retention rules (e.g., keep invoices for tax compliance)
- Manual and scheduled cleanup
### 🔍 Security Scanning
- **Automated Security Scans (CI/CD)**
- Dependency vulnerability scanning (Safety, pip-audit)
- Static code analysis (Bandit)
- Secret detection (Gitleaks)
- Docker image scanning (Trivy)
- Semantic code analysis (CodeQL)
- **Continuous Monitoring**
- Daily scheduled scans
- GitHub Security tab integration
- Automated vulnerability alerts
### 🔑 Secrets Management
- **Best Practices Documentation**
- Secret generation guidelines
- Secure storage options (env vars, Docker secrets, cloud secret managers)
- Rotation schedules and procedures
- Emergency response procedures
- **Secret Detection**
- Pre-commit hooks (git-secrets, Gitleaks)
- GitHub Secret Scanning
- Pattern-based detection
---
## 📊 Compliance Standards
### ✅ GDPR (General Data Protection Regulation)
- Right to access (data export)
- Right to erasure (data deletion)
- Right to data portability
- Data retention and minimization
- Privacy by design
- Breach notification procedures
### 🔐 Security Best Practices
- OWASP Top 10 protection
- CIS Controls alignment
- NIST Cybersecurity Framework
- Zero Trust principles
- Defense in depth
---
## 🚀 Quick Start
### 1. Basic Security Setup (5 minutes)
```bash
# Generate strong SECRET_KEY
python -c "import secrets; print(secrets.token_hex(32))"
# Update .env file
SECRET_KEY=<generated-key>
SESSION_COOKIE_SECURE=true
REMEMBER_COOKIE_SECURE=true
# Run database migration
flask db upgrade
# Restart application
docker-compose restart
```
### 2. Enable 2FA
Navigate to: **Settings → Security → Two-Factor Authentication**
Or: `https://your-domain.com/security/2fa/setup`
### 3. Configure Rate Limiting
```bash
# For production, use Redis
RATELIMIT_ENABLED=true
RATELIMIT_STORAGE_URI=redis://localhost:6379
```
### 4. Enable Security Scanning
GitHub Actions workflows are included. Enable in your repository:
- **Settings → Security → Code security and analysis**
- Enable **Dependency graph**, **Dependabot alerts**, **Code scanning**
---
## 📚 Documentation
| Document | Description |
|----------|-------------|
| [SECURITY_QUICK_START.md](SECURITY_QUICK_START.md) | 5-minute setup guide |
| [docs/SECURITY_COMPLIANCE_README.md](docs/SECURITY_COMPLIANCE_README.md) | Comprehensive security guide |
| [docs/SECRETS_MANAGEMENT_GUIDE.md](docs/SECRETS_MANAGEMENT_GUIDE.md) | Secrets management and rotation |
| [SECURITY_IMPLEMENTATION_SUMMARY.md](SECURITY_IMPLEMENTATION_SUMMARY.md) | Implementation details |
---
## 🔧 Configuration
### Environment Variables
```bash
# Password Policy
PASSWORD_MIN_LENGTH=12
PASSWORD_REQUIRE_UPPERCASE=true
PASSWORD_REQUIRE_LOWERCASE=true
PASSWORD_REQUIRE_DIGITS=true
PASSWORD_REQUIRE_SPECIAL=true
PASSWORD_EXPIRY_DAYS=0
PASSWORD_HISTORY_COUNT=5
# Rate Limiting
RATELIMIT_ENABLED=true
RATELIMIT_DEFAULT=200 per day;50 per hour
RATELIMIT_STORAGE_URI=redis://localhost:6379
# GDPR
GDPR_EXPORT_ENABLED=true
GDPR_DELETION_ENABLED=true
GDPR_DELETION_DELAY_DAYS=30
# Data Retention
DATA_RETENTION_DAYS=365
```
See `env.example` for complete configuration options.
---
## 🛠️ API Endpoints
### Security Routes
| Endpoint | Method | Description |
|----------|--------|-------------|
| `/security/2fa/setup` | GET | Setup 2FA |
| `/security/2fa/verify` | POST | Verify 2FA setup |
| `/security/2fa/disable` | POST | Disable 2FA |
| `/security/2fa/manage` | GET | Manage 2FA settings |
| `/security/2fa/backup-codes/regenerate` | POST | Regenerate backup codes |
| `/security/2fa/verify-login` | GET/POST | Verify 2FA during login |
| `/security/password/change` | GET/POST | Change password |
### GDPR Routes
| Endpoint | Method | Description |
|----------|--------|-------------|
| `/gdpr/export` | GET/POST | Export organization data |
| `/gdpr/export/user` | GET/POST | Export user data |
| `/gdpr/delete/request` | GET/POST | Request organization deletion |
| `/gdpr/delete/cancel` | POST | Cancel deletion request |
| `/gdpr/delete/user` | GET/POST | Delete user account |
---
## 🧪 Testing
### Manual Testing
```bash
# Test password policy
# Try setting weak passwords → should fail
# Try reusing old passwords → should fail
# Set strong password → should succeed
# Test 2FA
# Setup 2FA → scan QR code
# Login with 2FA → verify with TOTP
# Use backup code → should work once
# Test rate limiting
# Exceed login rate limit → get 429 response
# Test GDPR
# Export data → download JSON/CSV
# Request deletion → verify grace period
# Cancel deletion → verify cancellation
```
### Automated Scans
```bash
# Install security tools
pip install -r requirements-security.txt
# Run dependency scan
safety check
pip-audit
# Run code security scan
bandit -r app/
# Run secret detection
gitleaks detect --source .
```
---
## 📋 Security Checklist
### Pre-Production
- [ ] HTTPS enabled and enforced
- [ ] Strong `SECRET_KEY` generated
- [ ] Security headers verified
- [ ] Rate limiting configured with Redis
- [ ] Database migration applied
- [ ] 2FA tested
- [ ] Password policy tested
- [ ] GDPR export/deletion tested
- [ ] Security scans passing
- [ ] Secrets stored securely
### Production
- [ ] TLS certificates valid
- [ ] Security monitoring enabled
- [ ] Backup strategy tested
- [ ] Incident response plan documented
- [ ] Secret rotation scheduled
- [ ] External penetration testing scheduled
- [ ] Team trained on security features
- [ ] Users notified of 2FA availability
---
## 🚨 Incident Response
If a security incident is suspected:
1. **Contain**: Isolate affected systems
2. **Assess**: Determine scope and impact
3. **Notify**: Inform stakeholders and users if needed
4. **Remediate**: Fix vulnerabilities, rotate secrets
5. **Document**: Record timeline and actions
6. **Review**: Conduct post-mortem
**Report security vulnerabilities privately** (not on GitHub):
- Email: security@your-domain.com
---
## 🎯 Roadmap
Future security enhancements:
- [ ] WebAuthn/FIDO2 support (hardware keys)
- [ ] Risk-based authentication
- [ ] Advanced threat detection
- [ ] Security Information and Event Management (SIEM) integration
- [ ] Automated security testing in CI/CD
- [ ] SOC 2 Type II compliance
- [ ] ISO 27001 certification
- [ ] Penetration testing reports
---
## 📞 Support
For security questions or assistance:
- 📖 Read the documentation in `docs/`
- 🐛 Report security issues privately
- ✉️ Contact: security@your-domain.com
---
## 📄 License
TimeTracker is licensed under the MIT License. See [LICENSE](LICENSE) for details.
---
**Built with security in mind. 🔐**

506
SECURITY_IMPLEMENTATION_SUMMARY.md
View File

@@ -1,506 +0,0 @@
# Security & Compliance Implementation Summary
## Overview
This document summarizes the comprehensive security and compliance features implemented in TimeTracker as part of the high-priority security initiative.
**Implementation Date**: January 2025
**Status**: ✅ Complete
**Priority**: Very High
---
## Features Implemented
### ✅ 1. TLS/HTTPS Configuration
**Implementation:**
- Security headers middleware with CSP, HSTS, X-Frame-Options, etc.
- Configurable Content Security Policy (CSP)
- HTTPS enforcement in production configuration
- Referrer-Policy and Permissions-Policy headers
**Configuration:**
- `SESSION_COOKIE_SECURE` - Force cookies over HTTPS only
- `REMEMBER_COOKIE_SECURE` - Force remember cookies over HTTPS
- `CONTENT_SECURITY_POLICY` - Custom CSP configuration
- `PREFERRED_URL_SCHEME=https` - Enforce HTTPS scheme
**Files Modified/Created:**
- `app/config.py` - Added CSP and security header configuration
- `app/__init__.py` - Security headers already implemented
- `docs/SECURITY_COMPLIANCE_README.md` - TLS configuration guide
---
### ✅ 2. Password Policy Enforcement
**Implementation:**
- Strong password validation with configurable requirements
- Password history tracking (prevent reuse of last N passwords)
- Password expiry support (optional)
- Account lockout after failed login attempts
- Password strength requirements enforced
**Features:**
- Minimum length: 12 characters (configurable)
- Require uppercase, lowercase, digits, special characters
- Prevent common weak passwords
- Track last 5 passwords (configurable)
- Lock account for 30 minutes after 5 failed attempts
**Configuration:**
- `PASSWORD_MIN_LENGTH` - Minimum password length
- `PASSWORD_REQUIRE_UPPERCASE/LOWERCASE/DIGITS/SPECIAL` - Complexity
- `PASSWORD_EXPIRY_DAYS` - Password expiration (0 = disabled)
- `PASSWORD_HISTORY_COUNT` - Number of previous passwords to check
**Files Created:**
- `app/utils/password_policy.py` - Password validation utilities
- `app/models/user.py` - Updated with password policy fields and methods
---
### ✅ 3. Two-Factor Authentication (2FA/MFA)
**Implementation:**
- TOTP-based 2FA using pyotp (compatible with Google Authenticator, Authy, etc.)
- QR code generation for easy setup
- Backup codes (10 single-use codes)
- 2FA enforcement during login flow
- Backup code regeneration
**Routes:**
- `/security/2fa/setup` - Setup 2FA with QR code
- `/security/2fa/verify` - Verify TOTP token during setup
- `/security/2fa/verify-login` - Verify 2FA during login
- `/security/2fa/disable` - Disable 2FA (requires password)
- `/security/2fa/manage` - Manage 2FA settings
- `/security/2fa/backup-codes/regenerate` - Regenerate backup codes
**Files Created:**
- `app/routes/security.py` - 2FA management routes
- `app/models/user.py` - 2FA fields already existed, added supporting methods
---
### ✅ 4. Comprehensive Rate Limiting
**Implementation:**
- Flask-Limiter integration (already present)
- Comprehensive rate limit rules for different endpoint types
- Customizable rate limits via environment variables
- Rate limit exemptions for health checks and webhooks
**Rate Limit Rules:**
- **Authentication**: 5 login attempts/min, 3 registrations/hour
- **API Read**: 100/minute
- **API Write**: 60/minute
- **GDPR Export**: 5/hour
- **GDPR Deletion**: 2/hour
- **2FA Verification**: 10/5 minutes
**Configuration:**
- `RATELIMIT_ENABLED` - Enable/disable rate limiting
- `RATELIMIT_DEFAULT` - Default rate limit
- `RATELIMIT_STORAGE_URI` - Storage backend (redis:// for production)
**Files Created:**
- `app/utils/rate_limiting.py` - Rate limiting utilities and configurations
---
### ✅ 5. GDPR Compliance - Data Export
**Implementation:**
- Organization-wide data export (JSON/CSV)
- Per-user data export
- Comprehensive data export including all personal data
- Admin-only organization export
**Export Includes:**
- User information
- Time entries
- Projects
- Tasks
- Clients
- Invoices
- Comments
**Routes:**
- `/gdpr/export` - Organization data export (admin only)
- `/gdpr/export/user` - User data export
**Files Created:**
- `app/utils/gdpr.py` - GDPR export and deletion utilities
- `app/routes/gdpr.py` - GDPR routes
---
### ✅ 6. GDPR Compliance - Data Deletion
**Implementation:**
- Organization deletion with grace period
- User account deletion
- Data anonymization where needed (e.g., time entries for billing)
- Soft delete with configurable grace period
- Deletion cancellation support
**Features:**
- 30-day grace period (configurable)
- Organization deletion requires admin confirmation
- User deletion requires username + password confirmation
- Automatic deletion processing after grace period
**Routes:**
- `/gdpr/delete/request` - Request organization deletion
- `/gdpr/delete/cancel` - Cancel pending deletion
- `/gdpr/delete/user` - Delete user account
**Configuration:**
- `GDPR_EXPORT_ENABLED` - Enable/disable GDPR export
- `GDPR_DELETION_ENABLED` - Enable/disable GDPR deletion
- `GDPR_DELETION_DELAY_DAYS` - Grace period before permanent deletion
**Files Modified/Created:**
- `app/utils/gdpr.py` - Deletion utilities
- `app/routes/gdpr.py` - Deletion routes
---
### ✅ 7. Data Retention Policies
**Implementation:**
- Configurable data retention period
- Automatic cleanup of old data
- Intelligent retention rules (e.g., keep paid invoices for 7 years)
- Protection for data in unpaid invoices
- Scheduled cleanup support
**Retention Rules:**
- Completed time entries: Configurable retention period
- Completed/cancelled tasks: Configurable retention period
- Draft invoices: 90 days
- Paid invoices: 7 years (tax compliance)
- Pending deletions: Processed after grace period
**Configuration:**
- `DATA_RETENTION_DAYS` - Retention period (0 = disabled)
**Files Created:**
- `app/utils/data_retention.py` - Data retention utilities
---
### ✅ 8. Dependency Scanning & CI/CD Security
**Implementation:**
- Automated security scanning on every push and PR
- Multiple scanning tools for comprehensive coverage
- GitHub Security tab integration
- Scheduled daily scans
**Scanning Tools:**
- **Safety** - Python dependency vulnerability scanner
- **pip-audit** - Alternative Python dependency scanner
- **Bandit** - Static code analysis for Python security
- **Gitleaks** - Secret detection in git history
- **Trivy** - Docker image vulnerability scanning
- **CodeQL** - Semantic code analysis
**Files Created:**
- `.github/workflows/security-scan.yml` - Security scanning workflow
---
### ✅ 9. Secrets Management Documentation
**Implementation:**
- Comprehensive guide for generating, storing, and rotating secrets
- Rotation schedules and procedures
- Best practices and compliance checklists
- Emergency procedures
**Coverage:**
- Secret generation (SECRET_KEY, passwords, API keys)
- Storage options (env vars, Docker secrets, cloud secret managers)
- Rotation procedures for all secret types
- Secret scanning tools and prevention
- Compliance requirements (PCI DSS, SOC 2, ISO 27001)
**Files Created:**
- `docs/SECRETS_MANAGEMENT_GUIDE.md`
---
### ✅ 10. Security Documentation & Penetration Testing
**Implementation:**
- Comprehensive security and compliance guide
- TLS/HTTPS configuration instructions
- Password policy documentation
- 2FA setup guide
- GDPR compliance procedures
- Penetration testing guidelines
- Security checklist
**Files Created:**
- `docs/SECURITY_COMPLIANCE_README.md`
---
## Database Changes
### New User Model Fields
Added to `app/models/user.py`:
```python
# Password policy fields
password_changed_at = Column(DateTime, nullable=True)
password_history = Column(Text, nullable=True) # JSON array
failed_login_attempts = Column(Integer, default=0)
account_locked_until = Column(DateTime, nullable=True)
```
### Migration
**File**: `migrations/versions/add_security_fields_to_users.py`
**To apply:**
```bash
flask db upgrade
```
---
## Configuration Changes
### New Environment Variables
Added to `env.example`:
```bash
# Security
SESSION_COOKIE_SECURE=false
REMEMBER_COOKIE_SECURE=false
CONTENT_SECURITY_POLICY=
# Password Policy
PASSWORD_MIN_LENGTH=12
PASSWORD_REQUIRE_UPPERCASE=true
PASSWORD_REQUIRE_LOWERCASE=true
PASSWORD_REQUIRE_DIGITS=true
PASSWORD_REQUIRE_SPECIAL=true
PASSWORD_EXPIRY_DAYS=0
PASSWORD_HISTORY_COUNT=5
# Rate Limiting
RATELIMIT_ENABLED=true
RATELIMIT_DEFAULT=200 per day;50 per hour
RATELIMIT_STORAGE_URI=memory://
# GDPR
GDPR_EXPORT_ENABLED=true
GDPR_DELETION_ENABLED=true
GDPR_DELETION_DELAY_DAYS=30
# Data Retention
DATA_RETENTION_DAYS=0
```
---
## Deployment Checklist
### Pre-Production
- [ ] Review and update all environment variables
- [ ] Generate strong `SECRET_KEY` for production
- [ ] Configure TLS/HTTPS in reverse proxy
- [ ] Set `SESSION_COOKIE_SECURE=true`
- [ ] Set `REMEMBER_COOKIE_SECURE=true`
- [ ] Configure rate limiting with Redis (`RATELIMIT_STORAGE_URI=redis://...`)
- [ ] Review and customize password policy
- [ ] Run database migration: `flask db upgrade`
- [ ] Test 2FA setup and login flow
- [ ] Test GDPR export and deletion
- [ ] Configure security scanning in CI/CD
- [ ] Review security documentation
### Production
- [ ] HTTPS enforced
- [ ] Strong secrets generated and stored securely
- [ ] Security headers verified (https://securityheaders.com)
- [ ] Rate limiting tested
- [ ] 2FA tested with real authenticator apps
- [ ] GDPR export/deletion tested
- [ ] Security scan results reviewed
- [ ] Monitoring and alerting configured
- [ ] Incident response plan in place
- [ ] Backup and recovery tested
---
## Testing
### Manual Testing
1. **Password Policy:**
- Try setting weak passwords (should fail)
- Set strong password (should succeed)
- Try reusing old passwords (should fail)
- Test account lockout (5 failed attempts)
2. **2FA:**
- Setup 2FA with authenticator app
- Login with 2FA enabled
- Use backup code
- Disable 2FA
3. **GDPR:**
- Export organization data (JSON and CSV)
- Export user data
- Request organization deletion
- Cancel deletion request
- Delete user account
4. **Rate Limiting:**
- Exceed login rate limit (5 attempts)
- Verify 429 response
### Automated Testing
```bash
# Run security scans
pip install safety bandit pip-audit
# Dependency scan
safety check
pip-audit
# Code scan
bandit -r app/
# Secret scan
gitleaks detect --source .
```
---
## Acceptance Criteria
**All acceptance criteria met:**
- ✅ TLS active in production
- ✅ CSP and security headers present (HSTS, X-Frame-Options, etc.)
- ✅ Automated dependency/vulnerability scanning in CI
- ✅ GDPR data deletion implemented per-organization
- ✅ GDPR data export implemented per-organization
- ✅ Password policy enforced
- ✅ 2FA/MFA support (TOTP-based)
- ✅ Rate limiting on sensitive endpoints
- ✅ Secrets management documentation
- ✅ Data retention policy support
---
## Documentation
### User Documentation
- **2FA Setup**: `/security/2fa/setup` includes user-friendly guide
- **Password Change**: `/security/password/change` with policy description
- **GDPR Export**: Self-service data export
- **GDPR Deletion**: Clear instructions and confirmations
### Admin Documentation
- `docs/SECURITY_COMPLIANCE_README.md` - Comprehensive security guide
- `docs/SECRETS_MANAGEMENT_GUIDE.md` - Secrets management and rotation
### Developer Documentation
- `app/utils/password_policy.py` - Password policy utilities
- `app/utils/gdpr.py` - GDPR compliance utilities
- `app/utils/rate_limiting.py` - Rate limiting configuration
- `app/utils/data_retention.py` - Data retention utilities
---
## Maintenance
### Regular Tasks
**Daily:**
- Monitor security scan results
- Review failed login attempts
**Weekly:**
- Review rate limit logs
- Check for security updates
**Monthly:**
- Review user access and permissions
- Test backup and recovery
**Quarterly:**
- Rotate secrets per schedule
- Review and update security documentation
- Conduct internal security review
**Annually:**
- External penetration testing
- Security awareness training
- Review and update incident response plan
---
## Support & Contact
For security questions or to report vulnerabilities:
- Documentation: `docs/SECURITY_COMPLIANCE_README.md`
- Security issues: **Do not create public GitHub issues**
- Email: security@your-domain.com (if configured)
---
## Compliance Status
| Requirement | Status | Notes |
|-------------|--------|-------|
| TLS/HTTPS | ✅ Complete | Configure in reverse proxy |
| Security Headers | ✅ Complete | CSP, HSTS, X-Frame-Options, etc. |
| Password Policy | ✅ Complete | Configurable, history, expiry |
| 2FA/MFA | ✅ Complete | TOTP-based with backup codes |
| Rate Limiting | ✅ Complete | Comprehensive rules |
| Secrets Management | ✅ Complete | Documentation and best practices |
| Dependency Scanning | ✅ Complete | Automated CI/CD scanning |
| GDPR Export | ✅ Complete | Per-org and per-user |
| GDPR Deletion | ✅ Complete | Grace period, soft delete |
| Data Retention | ✅ Complete | Configurable policies |
| Penetration Testing | ✅ Guidelines | Ready for external testing |
---
## Next Steps
1. **Deploy to staging** and test all security features
2. **Configure production secrets** and environment variables
3. **Run database migration**: `flask db upgrade`
4. **Enable security scanning** in CI/CD
5. **Schedule external penetration testing**
6. **Train team** on security features and procedures
7. **Update user documentation** with 2FA instructions
8. **Notify users** about new security features
9. **Monitor** security metrics and logs
10. **Schedule first secret rotation** per documented schedule
---
**Implementation Complete ✅**
All security and compliance features have been successfully implemented and are ready for deployment.

308
SECURITY_QUICK_START.md
View File

@@ -1,308 +0,0 @@
# Security & Compliance - Quick Start Guide
## 🚀 Getting Started with Security Features
This guide will help you quickly enable and configure the security and compliance features in TimeTracker.
---
## ⚡ Quick Setup (5 minutes)
### 1. Update Environment Variables
Add these to your `.env` file:
```bash
# Security
SESSION_COOKIE_SECURE=true # Enable in production with HTTPS
REMEMBER_COOKIE_SECURE=true # Enable in production with HTTPS
# Password Policy
PASSWORD_MIN_LENGTH=12
PASSWORD_REQUIRE_UPPERCASE=true
PASSWORD_REQUIRE_LOWERCASE=true
PASSWORD_REQUIRE_DIGITS=true
PASSWORD_REQUIRE_SPECIAL=true
# Rate Limiting
RATELIMIT_ENABLED=true
RATELIMIT_STORAGE_URI=redis://localhost:6379 # Recommended for production
# GDPR
GDPR_EXPORT_ENABLED=true
GDPR_DELETION_ENABLED=true
GDPR_DELETION_DELAY_DAYS=30
# Data Retention (optional)
DATA_RETENTION_DAYS=365 # 1 year retention
```
### 2. Run Database Migration
```bash
flask db upgrade
```
### 3. Generate Strong SECRET_KEY
```bash
python -c "import secrets; print(secrets.token_hex(32))"
```
Copy the output and update your `SECRET_KEY` in `.env`
### 4. Restart Application
```bash
docker-compose restart app
# or
systemctl restart timetracker
```
---
## 🔐 Enable 2FA for Your Account
### For Users
1. Navigate to **Settings → Security → Two-Factor Authentication**
2. Or go directly to: `https://your-domain.com/security/2fa/setup`
3. Scan QR code with your authenticator app (Google Authenticator, Authy, etc.)
4. Enter the 6-digit code to verify
5. **Save your backup codes** securely!
### For Admins (Enforcing 2FA)
Currently, 2FA is optional. To make it mandatory:
1. Enable 2FA for your own account first
2. Encourage users to enable 2FA
3. Monitor 2FA adoption in user management
---
## 🔒 Password Policy
### Default Requirements
- Minimum **12 characters**
- At least one **uppercase** letter
- At least one **lowercase** letter
- At least one **digit**
- At least one **special character** (!@#$%^&*...)
- Cannot reuse last **5 passwords**
- Account locks after **5 failed attempts** for **30 minutes**
### Change Your Password
Navigate to: `https://your-domain.com/security/password/change`
---
## 🌍 GDPR Compliance
### Export Your Data
**Organization Data (Admin only):**
```
https://your-domain.com/gdpr/export
```
**Your Personal Data:**
```
https://your-domain.com/gdpr/export/user
```
### Delete Your Data
**Organization Deletion (Admin only):**
```
https://your-domain.com/gdpr/delete/request
```
- 30-day grace period
- Can be cancelled before deletion
**User Account Deletion:**
```
https://your-domain.com/gdpr/delete/user
```
- Immediate deletion
- Requires password confirmation
---
## 🛡️ Security Headers
Security headers are automatically applied. Verify at:
- https://securityheaders.com
- https://observatory.mozilla.org
Headers included:
- ✅ Content-Security-Policy (CSP)
- ✅ Strict-Transport-Security (HSTS)
- ✅ X-Content-Type-Options
- ✅ X-Frame-Options
- ✅ Referrer-Policy
---
## 🚦 Rate Limiting
### Default Limits
- **Login**: 5 attempts per minute
- **API calls**: 100 reads/min, 60 writes/min
- **GDPR Export**: 5 per hour
- **2FA Setup**: 10 per hour
### For Production
Use Redis for distributed rate limiting:
```bash
# Install Redis
docker run -d -p 6379:6379 redis:alpine
# Update .env
RATELIMIT_STORAGE_URI=redis://localhost:6379
```
---
## 🔍 Security Scanning
### Automated Scans (GitHub Actions)
Security scans run automatically on every push. Check:
- **Security tab** in GitHub
- **Actions tab** for workflow runs
### Manual Scans
```bash
# Install tools
pip install safety bandit pip-audit
# Run dependency scan
safety check
pip-audit
# Run code security scan
bandit -r app/
# Scan for secrets
brew install gitleaks
gitleaks detect --source .
```
---
## 📋 Pre-Production Checklist
### Before Going Live
- [ ] **HTTPS enabled** and enforced
- [ ] **Strong SECRET_KEY** generated
- [ ] **Session cookies secure** (`SESSION_COOKIE_SECURE=true`)
- [ ] **Rate limiting** configured with Redis
- [ ] **Database migration** applied
- [ ] **Security headers** verified
- [ ] **2FA tested** with real authenticator
- [ ] **Password policy** tested
- [ ] **GDPR export/deletion** tested
- [ ] **Security scans** passing
- [ ] **Secrets** stored securely (not in code!)
- [ ] **Backup** strategy tested
---
## 🆘 Common Issues
### Issue: Users can't log in after enabling 2FA
**Solution:** They need to complete 2FA setup first at `/security/2fa/setup`
### Issue: Rate limiting too strict
**Solution:** Adjust in `.env`:
```bash
RATELIMIT_DEFAULT=500 per day;100 per hour
```
### Issue: GDPR export fails
**Solution:** Check logs and ensure user has proper permissions
### Issue: Password policy too strict
**Solution:** Adjust requirements in `.env`:
```bash
PASSWORD_MIN_LENGTH=8
PASSWORD_REQUIRE_SPECIAL=false
```
### Issue: Account locked out
**Solution:** Wait 30 minutes or admin can reset in database:
```sql
UPDATE users SET failed_login_attempts=0, account_locked_until=NULL WHERE username='user';
```
---
## 📚 Full Documentation
For detailed information, see:
- **Security & Compliance**: `docs/SECURITY_COMPLIANCE_README.md`
- **Secrets Management**: `docs/SECRETS_MANAGEMENT_GUIDE.md`
- **Implementation Summary**: `SECURITY_IMPLEMENTATION_SUMMARY.md`
---
## 🔧 Configuration Reference
### Minimal Production Config
```bash
# Required
SECRET_KEY=<generate-with-python-secrets>
SESSION_COOKIE_SECURE=true
REMEMBER_COOKIE_SECURE=true
# Recommended
PASSWORD_MIN_LENGTH=12
RATELIMIT_ENABLED=true
RATELIMIT_STORAGE_URI=redis://localhost:6379
GDPR_EXPORT_ENABLED=true
GDPR_DELETION_ENABLED=true
```
### Full Security Config
See `env.example` for all available options.
---
## 🎯 Next Steps
1. ✅ Complete quick setup above
2. ✅ Test 2FA with your account
3. ✅ Review security documentation
4. ✅ Schedule external penetration testing
5. ✅ Train team on security features
6. ✅ Set up monitoring and alerts
7. ✅ Schedule first secret rotation (90 days)
---
## 💬 Support
For questions:
- 📖 Read the full documentation in `docs/`
- 🐛 Report security issues privately (not on GitHub)
- ✉️ Contact: security@your-domain.com
---
**Security is everyone's responsibility!** 🔐

130
STARTUP_FIX_SUMMARY.md
View File

@@ -1,130 +0,0 @@
# Startup Error Fix - Summary
## Problem Fixed
The application was failing to start with this error:
```
RuntimeError: Working outside of application context
```
This occurred because `stripe_service` was trying to access `current_app.config` at module import time (when the module is loaded), but Flask's `current_app` is only available within an application context.
## What Was Fixed
### File: `app/utils/stripe_service.py`
**Changed the initialization pattern from:**
```python
class StripeService:
def __init__(self):
# ❌ This tries to access current_app at import time
self.api_key = current_app.config.get('STRIPE_SECRET_KEY')
if self.api_key:
stripe.api_key = self.api_key
```
**To lazy initialization:**
```python
class StripeService:
def __init__(self):
# ✅ Just set flags, don't access current_app yet
self._api_key = None
self._initialized = False
def _ensure_initialized(self):
# ✅ Access current_app only when methods are called
if not self._initialized:
try:
self._api_key = current_app.config.get('STRIPE_SECRET_KEY')
if self._api_key:
stripe.api_key = self._api_key
self._initialized = True
except RuntimeError:
pass
```
**Added `self._ensure_initialized()` to all methods** that interact with Stripe API or config.
## Why This Works
1. **Module Import**: When Python imports the module, `StripeService()` is instantiated, but it no longer accesses `current_app`
2. **Method Calls**: When you actually call a method like `stripe_service.create_customer()`, it's within a request context
3. **Lazy Loading**: The `_ensure_initialized()` method only runs the first time a method is called, when `current_app` is available
## Files Modified
-`app/utils/stripe_service.py` - Fixed lazy initialization
## Next Steps
The application should now start successfully. You can now:
1. **Start the application**: The startup error should be resolved
2. **Run migrations**: Apply the authentication system migrations
3. **Test Stripe integration**: When Stripe is configured, it will initialize on first use
## Verification
To verify the fix worked:
```bash
# Application should start without errors
flask run
# Or in Docker
docker-compose up
```
You should see the app start successfully without the `RuntimeError`.
## Migration Fix Still Needed
Don't forget you also need to fix the migration chain. See:
- `MIGRATION_FIX_SUMMARY.md` - Quick overview
- `MIGRATION_FIX.md` - Detailed guide
- `fix_migration_chain.py` - Automated fix script
Run one of these after the app starts:
```bash
# Option 1: Auto-fix
python fix_migration_chain.py
flask db upgrade
# Option 2: Manual stamp
flask db stamp 018
flask db upgrade
```
## Pattern for Future Services
If you create other services that need Flask config, use this pattern:
```python
class MyService:
def __init__(self):
# Don't access current_app here
self._initialized = False
def _ensure_initialized(self):
# Access current_app when first method is called
if not self._initialized:
try:
self._config = current_app.config.get('MY_CONFIG')
self._initialized = True
except RuntimeError:
pass
def my_method(self):
self._ensure_initialized() # Call this first
# ... rest of method
```
## Summary
- ✅ Fixed `StripeService` initialization
- ✅ Application can now start
- ⏳ Migration fix still needed (see other docs)
- ✅ Pattern documented for future services
The authentication system is complete and ready to use once migrations are applied!

640
STRIPE_BILLING_SETUP.md
View File

@@ -1,640 +0,0 @@
# Stripe Billing Integration - Setup Guide
This guide walks you through setting up Stripe billing for your TimeTracker installation.
## Table of Contents
1. [Overview](#overview)
2. [Prerequisites](#prerequisites)
3. [Stripe Dashboard Setup](#stripe-dashboard-setup)
4. [Application Configuration](#application-configuration)
5. [Database Migration](#database-migration)
6. [Webhook Configuration](#webhook-configuration)
7. [Testing](#testing)
8. [Production Deployment](#production-deployment)
9. [Troubleshooting](#troubleshooting)
---
## Overview
The Stripe billing integration provides:
- **Subscription Management**: Automatic billing for Single User (€5/month) and Team (€6/user/month) plans
- **Seat-Based Billing**: Automatic seat synchronization when users are added/removed
- **Trial Periods**: 14-day free trial (configurable)
- **Proration**: Automatic proration when changing seat counts
- **Dunning Management**: Automated handling of failed payments with email notifications
- **EU VAT Compliance**: Built-in VAT collection using Stripe Billing
- **Customer Portal**: Self-service billing management via Stripe Customer Portal
---
## Prerequisites
Before starting, ensure you have:
1. A Stripe account (sign up at https://stripe.com)
2. Access to your Stripe Dashboard
3. Database access (PostgreSQL)
4. SMTP server configured for email notifications
5. HTTPS enabled for webhook endpoints (required by Stripe)
---
## Stripe Dashboard Setup
### Step 1: Create Products and Prices
1. **Login to Stripe Dashboard**: https://dashboard.stripe.com
2. **Create Single User Product**:
- Navigate to: Products → Add product
- Name: `TimeTracker Single User`
- Description: `Single user subscription for TimeTracker`
- Pricing:
- Price: `€5.00`
- Billing period: `Monthly`
- Currency: `EUR`
- Save and copy the **Price ID** (starts with `price_...`)
3. **Create Team Product**:
- Navigate to: Products → Add product
- Name: `TimeTracker Team`
- Description: `Per-seat team subscription for TimeTracker`
- Pricing:
- Price: `€6.00`
- Billing period: `Monthly`
- Currency: `EUR`
- **Important**: Enable "Usage is metered" or set up quantity-based pricing
- Save and copy the **Price ID** (starts with `price_...`)
### Step 2: Enable Customer Portal
1. Navigate to: Settings → Billing → Customer portal
2. Click "Activate test link"
3. Configure portal settings:
-**Update subscription**: Allow customers to change plans
-**Cancel subscription**: Allow customers to cancel
-**Update payment method**: Allow updating cards
-**View invoice history**: Show past invoices
4. Save settings
### Step 3: Configure Tax Settings
1. Navigate to: Settings → Tax
2. Enable **Stripe Tax** for EU VAT collection
3. Configure tax settings:
- Enable automatic tax calculation
- Add your business location
- Enable invoice generation
4. Save tax settings
### Step 4: Get API Keys
1. Navigate to: Developers → API keys
2. Copy your keys:
- **Publishable key** (starts with `pk_test_...` or `pk_live_...`)
- **Secret key** (starts with `sk_test_...` or `sk_live_...`)
3. **Important**: Keep your Secret key secure and never commit it to version control
---
## Application Configuration
### Step 1: Install Stripe SDK
The Stripe SDK is already included in `requirements.txt`. If you're installing manually:
```bash
pip install stripe==7.9.0
```
### Step 2: Set Environment Variables
Add these variables to your `.env` file or environment configuration:
```bash
# Stripe API Keys
STRIPE_SECRET_KEY=sk_test_your_secret_key_here
STRIPE_PUBLISHABLE_KEY=pk_test_your_publishable_key_here
STRIPE_WEBHOOK_SECRET=whsec_your_webhook_secret_here
# Stripe Price IDs
STRIPE_SINGLE_USER_PRICE_ID=price_xxxxx # From Step 1.2
STRIPE_TEAM_PRICE_ID=price_xxxxx # From Step 1.3
# Stripe Configuration
STRIPE_ENABLE_TRIALS=true
STRIPE_TRIAL_DAYS=14
STRIPE_ENABLE_PRORATION=true
STRIPE_TAX_BEHAVIOR=exclusive # or 'inclusive'
```
**Security Notes**:
- Never commit `.env` files to version control
- Use different keys for test and production environments
- Rotate keys regularly in production
- Use environment-specific secrets management (e.g., AWS Secrets Manager, Azure Key Vault)
### Step 3: Update Configuration
The configuration is already set up in `app/config.py`. Verify these settings are present:
```python
# Stripe billing settings
STRIPE_SECRET_KEY = os.getenv('STRIPE_SECRET_KEY')
STRIPE_PUBLISHABLE_KEY = os.getenv('STRIPE_PUBLISHABLE_KEY')
STRIPE_WEBHOOK_SECRET = os.getenv('STRIPE_WEBHOOK_SECRET')
STRIPE_SINGLE_USER_PRICE_ID = os.getenv('STRIPE_SINGLE_USER_PRICE_ID')
STRIPE_TEAM_PRICE_ID = os.getenv('STRIPE_TEAM_PRICE_ID')
STRIPE_ENABLE_TRIALS = os.getenv('STRIPE_ENABLE_TRIALS', 'true').lower() == 'true'
STRIPE_TRIAL_DAYS = int(os.getenv('STRIPE_TRIAL_DAYS', 14))
STRIPE_ENABLE_PRORATION = os.getenv('STRIPE_ENABLE_PRORATION', 'true').lower() == 'true'
```
---
## Database Migration
### Run the Migration
The migration adds new fields to the `organizations` table and creates the `subscription_events` table.
```bash
# Using psql
psql -U timetracker -d timetracker -f migrations/add_stripe_billing_fields.sql
# Or using Flask-Migrate (if you've created an Alembic migration)
flask db upgrade
```
### Verify Migration
Check that the migration was successful:
```sql
-- Check organizations table has new columns
\d organizations
-- Check subscription_events table was created
\d subscription_events
-- Verify indexes
\di subscription_events*
```
---
## Webhook Configuration
Webhooks are critical for billing automation. They notify your application about subscription events.
### Step 1: Set Up Local Testing (Development)
For local development, use the Stripe CLI:
```bash
# Install Stripe CLI
# macOS
brew install stripe/stripe-cli/stripe
# Windows
scoop install stripe
# Linux
wget https://github.com/stripe/stripe-cli/releases/download/vX.X.X/stripe_X.X.X_linux_x86_64.tar.gz
tar -xvf stripe_X.X.X_linux_x86_64.tar.gz
# Login to Stripe
stripe login
# Forward webhooks to your local server
stripe listen --forward-to localhost:5000/billing/webhooks/stripe
```
Copy the webhook signing secret (starts with `whsec_...`) and add it to your `.env`:
```bash
STRIPE_WEBHOOK_SECRET=whsec_your_webhook_secret_from_cli
```
### Step 2: Set Up Production Webhooks
1. Navigate to: Developers → Webhooks → Add endpoint
2. Endpoint URL: `https://your-domain.com/billing/webhooks/stripe`
3. Description: `TimeTracker Billing Webhooks`
4. Events to send:
-`invoice.paid`
-`invoice.payment_failed`
-`invoice.payment_action_required`
-`customer.subscription.created`
-`customer.subscription.updated`
-`customer.subscription.deleted`
-`customer.subscription.trial_will_end`
5. Click "Add endpoint"
6. Copy the **Signing secret** and update your production environment variables
### Step 3: Verify Webhook Setup
Test the webhook endpoint:
```bash
# Using Stripe CLI
stripe trigger invoice.paid
# Check your application logs for:
# "Received Stripe webhook: invoice.paid"
# "Invoice paid for organization..."
```
**Important Security Notes**:
- The webhook endpoint verifies signatures using `STRIPE_WEBHOOK_SECRET`
- The endpoint is CSRF-exempt (required for Stripe webhooks)
- Ensure HTTPS is enabled in production
- Never disable signature verification
---
## Testing
### Test Mode
All testing should be done with Stripe test mode keys (starting with `sk_test_` and `pk_test_`).
### Test Credit Cards
Use these test cards (from Stripe):
```
Success: 4242 4242 4242 4242
Decline: 4000 0000 0000 0002
3D Secure: 4000 0025 0000 3155
```
- Any future expiry date (e.g., 12/34)
- Any 3-digit CVC
- Any zip code
### Test Scenarios
#### 1. Test Single User Subscription
```bash
# Navigate to your application
http://localhost:5000/billing
# Click "Subscribe" for Single User plan
# Complete checkout with test card 4242 4242 4242 4242
# Verify subscription is active in dashboard
```
#### 2. Test Team Subscription with Seat Changes
```bash
# Subscribe to Team plan
# Add a new user to organization
# Check that seats were automatically synced in Stripe Dashboard
# Remove a user
# Verify seat count decreased
```
#### 3. Test Failed Payment
```bash
# Use declined card: 4000 0000 0000 0002
# Trigger payment
# Verify:
# - Organization status shows billing issue
# - Email notification sent
# - Subscription event logged
```
#### 4. Test Trial Period
```bash
# Create new subscription
# Verify trial_ends_at is set to 14 days from now
# Check organization.is_on_trial returns True
# Wait 11 days or manually trigger trial_will_end event
# Verify email notification sent
```
#### 5. Test Webhooks
```bash
# Use Stripe CLI to trigger events
stripe trigger invoice.paid
stripe trigger invoice.payment_failed
stripe trigger customer.subscription.updated
stripe trigger customer.subscription.deleted
# Check application logs and database
# Verify subscription_events table has entries
# Verify organization status updated
```
---
## Production Deployment
### Pre-Deployment Checklist
- [ ] Replace test API keys with live keys
- [ ] Update webhook endpoint to production URL
- [ ] Verify HTTPS is enabled
- [ ] Test webhook signature verification
- [ ] Enable Stripe Radar (fraud protection)
- [ ] Set up Stripe email notifications
- [ ] Configure backup payment retry schedule
- [ ] Test email delivery (SMTP configured)
- [ ] Set up monitoring and alerting
- [ ] Document incident response procedures
### Environment Variables (Production)
```bash
# Stripe Live Keys
STRIPE_SECRET_KEY=sk_live_your_live_secret_key
STRIPE_PUBLISHABLE_KEY=pk_live_your_live_publishable_key
STRIPE_WEBHOOK_SECRET=whsec_your_production_webhook_secret
# Production Price IDs
STRIPE_SINGLE_USER_PRICE_ID=price_live_xxxxx
STRIPE_TEAM_PRICE_ID=price_live_xxxxx
# Production Configuration
STRIPE_ENABLE_TRIALS=true
STRIPE_TRIAL_DAYS=14
STRIPE_ENABLE_PRORATION=true
```
### Post-Deployment Verification
1. **Test Checkout Flow**:
- Create a test subscription
- Verify payment processing
- Check subscription activation
2. **Verify Webhooks**:
- Check webhook endpoint is receiving events
- Monitor webhook logs in Stripe Dashboard
- Verify signature verification is working
3. **Test Email Notifications**:
- Trigger a test payment failure
- Verify email delivery
- Check email formatting
4. **Monitor Subscription Events**:
```sql
-- Check recent subscription events
SELECT * FROM subscription_events
ORDER BY created_at DESC
LIMIT 10;
```
### Monitoring
Set up monitoring for:
- Webhook failures (check Stripe Dashboard → Developers → Webhooks)
- Failed payments (check `organizations` with `billing_issue_detected_at`)
- Unprocessed events (check `subscription_events` where `processed = false`)
- Email delivery failures
---
## Troubleshooting
### Webhooks Not Receiving Events
**Problem**: Webhook endpoint not receiving events from Stripe.
**Solutions**:
1. Verify endpoint URL is correct and publicly accessible
2. Check HTTPS is enabled (required by Stripe)
3. Test webhook manually from Stripe Dashboard
4. Check application logs for errors
5. Verify webhook signature secret is correct
6. Check firewall/security groups allow Stripe IPs
**Debug**:
```bash
# Check recent webhook attempts in Stripe Dashboard
# Developers → Webhooks → [Your endpoint] → View logs
# Check application logs
grep "Received Stripe webhook" logs/timetracker.log
```
### Signature Verification Failed
**Problem**: Webhook returns "Invalid signature" error.
**Solutions**:
1. Verify `STRIPE_WEBHOOK_SECRET` matches the endpoint's signing secret
2. Ensure raw request body is passed to verification (not parsed JSON)
3. Check for proxy/middleware modifying the request
4. Verify endpoint hasn't expired (regenerate if needed)
### Payment Failed Not Triggering Emails
**Problem**: `invoice.payment_failed` webhook received but no email sent.
**Solutions**:
1. Verify SMTP configuration in environment
2. Check organization has valid `billing_email` or `contact_email`
3. Check email service logs
4. Verify email templates exist
5. Check `last_billing_email_sent_at` for rate limiting
**Debug**:
```python
# Test email service directly
from app.utils.email_service import send_email
send_email(
to_email='test@example.com',
subject='Test',
template='billing/payment_failed.html',
organization=org,
invoice=invoice,
user=user
)
```
### Seats Not Syncing
**Problem**: Adding/removing users doesn't update Stripe subscription quantity.
**Solutions**:
1. Verify organization has `subscription_plan = 'team'`
2. Check organization has active subscription
3. Verify Stripe API keys are correct
4. Check application logs for sync errors
5. Manually trigger sync:
```python
from app.utils.seat_sync import seat_sync_service
result = seat_sync_service.sync_seats(organization)
print(result)
```
### Subscription Events Not Logging
**Problem**: Webhook events processed but not appearing in `subscription_events` table.
**Solutions**:
1. Check database connection
2. Verify `subscription_events` table exists
3. Check for database errors in logs
4. Verify organization_id is correct
5. Check event deduplication (event_id must be unique)
**Debug**:
```sql
-- Check if events are being inserted
SELECT COUNT(*) FROM subscription_events;
-- Check for recent failed events
SELECT * FROM subscription_events
WHERE processing_error IS NOT NULL
ORDER BY created_at DESC;
```
### Trial Not Starting
**Problem**: New subscriptions not receiving trial period.
**Solutions**:
1. Verify `STRIPE_ENABLE_TRIALS=true`
2. Check `STRIPE_TRIAL_DAYS` is set
3. Verify product/price allows trials in Stripe Dashboard
4. Check subscription creation parameters
### Customer Portal Not Working
**Problem**: Customer Portal button returns error or doesn't redirect.
**Solutions**:
1. Verify Customer Portal is activated in Stripe Dashboard
2. Check organization has valid `stripe_customer_id`
3. Verify Stripe API keys are correct
4. Check return URL is valid
---
## API Reference
### Stripe Service
Main service class for Stripe interactions: `app/utils/stripe_service.py`
```python
from app.utils.stripe_service import stripe_service
# Create customer
customer_id = stripe_service.create_customer(organization, email='test@example.com')
# Create subscription
result = stripe_service.create_subscription(
organization=org,
price_id='price_xxxxx',
quantity=5,
trial_days=14
)
# Update seats
result = stripe_service.update_subscription_quantity(
organization=org,
new_quantity=10,
prorate=True
)
# Cancel subscription
result = stripe_service.cancel_subscription(
organization=org,
at_period_end=True
)
```
### Seat Sync Service
Automatic seat synchronization: `app/utils/seat_sync.py`
```python
from app.utils.seat_sync import seat_sync_service
# Sync seats
result = seat_sync_service.sync_seats(organization)
# Check if can add member
check = seat_sync_service.check_seat_limit(organization)
if check['can_add']:
# Add member
pass
```
---
## Support
For issues related to:
- **Stripe Integration**: Check Stripe Dashboard logs and webhook history
- **Application Errors**: Check application logs (`logs/timetracker.log`)
- **Database Issues**: Check PostgreSQL logs
- **Email Delivery**: Check SMTP logs and email service status
---
## Appendix
### Webhook Event Types
| Event Type | Trigger | Handler | Action Taken |
|------------|---------|---------|--------------|
| `invoice.paid` | Successful payment | `handle_invoice_paid` | Activate subscription, clear billing issues |
| `invoice.payment_failed` | Failed payment | `handle_invoice_payment_failed` | Mark billing issue, send notification |
| `invoice.payment_action_required` | 3D Secure required | `handle_invoice_payment_action_required` | Send action required notification |
| `customer.subscription.created` | New subscription | `handle_subscription_created` | Log subscription creation |
| `customer.subscription.updated` | Subscription changed | `handle_subscription_updated` | Update org data, log changes |
| `customer.subscription.deleted` | Subscription cancelled | `handle_subscription_deleted` | Suspend organization, downgrade to free |
| `customer.subscription.trial_will_end` | 3 days before trial ends | `handle_subscription_trial_will_end` | Send reminder email |
### Database Schema
**organizations** (new fields):
```sql
stripe_price_id VARCHAR(100) -- Current price ID
subscription_quantity INTEGER -- Number of seats
next_billing_date TIMESTAMP -- Next billing date
billing_issue_detected_at TIMESTAMP -- When payment failed
last_billing_email_sent_at TIMESTAMP -- Last dunning email sent
```
**subscription_events** (new table):
```sql
id SERIAL PRIMARY KEY
organization_id INTEGER -- FK to organizations
event_type VARCHAR(100) -- Stripe event type
event_id VARCHAR(100) UNIQUE -- Stripe event ID
stripe_customer_id VARCHAR(100) -- Stripe customer ID
stripe_subscription_id VARCHAR(100) -- Stripe subscription ID
status VARCHAR(50) -- Current status
quantity INTEGER -- Seat count
amount NUMERIC(10,2) -- Payment amount
processed BOOLEAN -- Processing status
raw_payload TEXT -- Full webhook JSON
created_at TIMESTAMP -- Event creation time
...
```
---
**Last Updated**: October 7, 2025
**Version**: 1.0.0

687
STRIPE_IMPLEMENTATION_SUMMARY.md
View File

@@ -1,687 +0,0 @@
# Stripe Billing Integration - Implementation Summary
## ✅ Implementation Complete!
All requirements from the feature specification have been successfully implemented.
---
## 📋 What Was Implemented
### 1. Core Infrastructure ✅
#### Database Schema
- **Enhanced `organizations` table** with billing fields:
- `stripe_price_id` - Current Stripe price ID
- `subscription_quantity` - Number of seats
- `next_billing_date` - Next billing cycle date
- `billing_issue_detected_at` - Payment failure timestamp
- `last_billing_email_sent_at` - Dunning email tracking
- **New `subscription_events` table** for complete audit trail:
- Tracks all Stripe webhook events
- Stores event processing status
- Maintains full event payload for debugging
- Supports retry logic for failed events
#### Configuration
- Added Stripe configuration to `app/config.py`
- Environment variable support for all Stripe settings
- Secure API key management
- Configurable trial periods and proration settings
### 2. Stripe Products & Pricing ✅
Two subscription tiers implemented:
**TimeTracker Single User**
- €5/month
- Quantity = 1 (fixed)
- Suitable for individual users
**TimeTracker Team**
- €6/user/month
- Quantity = number of seats (variable)
- Automatic per-seat billing with proration
### 3. Subscription Management ✅
#### Stripe Service (`app/utils/stripe_service.py`)
Comprehensive service module providing:
**Customer Management:**
- Create Stripe customers
- Update customer information
- Link organizations to customers
**Subscription Management:**
- Create subscriptions with trial periods
- Update subscription quantities
- Cancel subscriptions (immediate or at period end)
- Reactivate cancelled subscriptions
**Checkout & Portal:**
- Create Checkout sessions for new subscriptions
- Generate Customer Portal sessions for self-service
- Support for success/cancel redirects
**Billing Information:**
- Retrieve upcoming invoices
- Fetch invoice history
- Get payment methods
- Calculate proration amounts
### 4. Webhook Handlers ✅
#### Webhook Endpoint (`/billing/webhooks/stripe`)
Secure webhook processing with signature verification:
**Implemented Webhooks:**
1. **`invoice.paid`**
- Activates subscription
- Clears billing issues
- Updates next billing date
- Provisions tenant
2. **`invoice.payment_failed`**
- Marks billing issue
- Updates subscription status to `past_due`
- Sends failure notification email
- Starts dunning sequence
3. **`invoice.payment_action_required`**
- Sends 3D Secure/SCA notification
- Provides payment completion link
4. **`customer.subscription.updated`**
- Syncs subscription data
- Tracks seat changes
- Logs status transitions
- Handles proration
5. **`customer.subscription.deleted`**
- Suspends organization
- Downgrades to free plan
- Sends cancellation notification
6. **`customer.subscription.trial_will_end`**
- Sends reminder 3 days before trial ends
- Provides upgrade link
### 5. Seat Synchronization ✅
#### Automatic Seat Sync (`app/utils/seat_sync.py`)
**Features:**
- Automatic sync when members added/removed
- Updates Stripe subscription quantity via API
- Proration support (configurable)
- Seat limit checking before invitation
- Real-time seat availability display
**Integration Points:**
- Member invitation (checks seat limit)
- Member removal (decreases seats)
- Invitation acceptance (increases seats)
**Proration Handling:**
- Immediate charges when adding seats
- Credits when removing seats
- Configurable via `STRIPE_ENABLE_PRORATION`
### 6. Billing Management UI ✅
#### Billing Dashboard (`/billing`)
**Subscription Status Section:**
- Current plan display with badge
- Seat count and usage
- Trial status with countdown
- Billing issue alerts
- Next billing date
**Plan Selection:**
- Single User plan card
- Team plan card (popular badge)
- Clear pricing display
- Subscribe buttons with Checkout integration
**Usage Summary:**
- Member count with progress bar
- Seat availability indicator
- Project count
- Upcoming invoice preview
**Payment Methods:**
- Card brand and last 4 digits
- Expiration date
- Update payment method link
**Invoice History:**
- Table of recent invoices
- Invoice number/ID
- Payment date and amount
- Status badges
- Download PDF links
- View hosted invoice links
#### Customer Portal Integration
- One-click access to Stripe Customer Portal
- Self-service subscription management
- Payment method updates
- Invoice downloads
- Cancellation handling
### 7. Dunning Management ✅
#### Email Notifications
**4 Email Templates Created:**
1. **Payment Failed** (`payment_failed.html`)
- Sent when payment fails
- Shows invoice amount and attempt count
- Call-to-action to update payment method
- Grace period information
2. **Trial Ending Soon** (`trial_ending.html`)
- Sent 3 days before trial ends
- Shows days remaining countdown
- Plan information
- Upgrade prompts
3. **Payment Action Required** (`action_required.html`)
- Sent for 3D Secure/SCA requirements
- Instructions for completing authentication
- Direct link to complete payment
4. **Subscription Cancelled** (`subscription_cancelled.html`)
- Confirmation of cancellation
- Account status information
- Reactivation options
#### Dunning Sequence
- Automatic retry by Stripe (configurable in Dashboard)
- Email sent on each failure
- Rate limiting via `last_billing_email_sent_at`
- Escalation to suspension after multiple failures
### 8. Billing Gates & Feature Access ✅
#### Decorator System (`app/utils/billing_gates.py`)
**Decorators:**
```python
@require_active_subscription() # Requires active paid or trial subscription
@require_plan('team') # Requires specific plan level
```
**Utility Functions:**
- `check_user_limit()` - Validates user count against plan limits
- `check_project_limit()` - Validates project count against plan limits
- `check_feature_access()` - Checks if plan includes specific feature
- `get_subscription_warning()` - Returns any subscription alerts
**Context Injection:**
- Billing warnings automatically shown in all templates
- Subscription status available globally
- Trial countdown displayed when relevant
**Feature Access Matrix:**
- Basic features: All plans
- Advanced reports: Team & Enterprise
- API access: Team & Enterprise
- Custom branding: Enterprise only
- SSO: Enterprise only
### 9. EU VAT Compliance ✅
**Stripe Tax Integration:**
- Automatic VAT calculation
- EU reverse charge mechanism
- Invoice generation with VAT details
- Configurable tax behavior (inclusive/exclusive)
**Setup Instructions:**
- Enable Stripe Tax in Dashboard
- Configure business location
- Automatic tax ID validation
### 10. Trial Periods ✅
**Trial Configuration:**
- 14-day trial by default (configurable)
- Enable/disable via `STRIPE_ENABLE_TRIALS`
- Automatic conversion to paid at end
- Trial status tracking in database
- Trial countdown display
- Reminder emails before expiration
**Trial Features:**
- Full access to paid features
- No payment method required to start
- Automatic charge at trial end
- Can upgrade early to skip trial
---
## 📁 Files Created
### Models (2 files)
1. `app/models/subscription_event.py` - Subscription event tracking
2. Enhanced `app/models/organization.py` - Added billing fields and methods
### Services (2 files)
1. `app/utils/stripe_service.py` - Stripe API integration service
2. `app/utils/seat_sync.py` - Automatic seat synchronization
3. `app/utils/billing_gates.py` - Subscription checks and feature gates
### Routes (1 file)
1. `app/routes/billing.py` - Billing routes and webhook handlers
### Templates (5 files)
1. `app/templates/billing/index.html` - Billing dashboard
2. `app/templates/billing/payment_failed.html` - Email template
3. `app/templates/billing/trial_ending.html` - Email template
4. `app/templates/billing/action_required.html` - Email template
5. `app/templates/billing/subscription_cancelled.html` - Email template
### Database (1 file)
1. `migrations/add_stripe_billing_fields.sql` - Database migration
### Documentation (2 files)
1. `STRIPE_BILLING_SETUP.md` - Complete setup guide
2. `STRIPE_IMPLEMENTATION_SUMMARY.md` - This file
### Configuration Changes
1. `requirements.txt` - Added `stripe==7.9.0`
2. `app/config.py` - Added Stripe configuration
3. `app/__init__.py` - Registered billing blueprint, CSRF exemption, CSP updates
4. `app/models/__init__.py` - Registered SubscriptionEvent model
**Total: 18+ files created/modified**
---
## 🔧 Configuration Required
### Environment Variables
```bash
# Stripe API Keys
STRIPE_SECRET_KEY=sk_test_xxxxx
STRIPE_PUBLISHABLE_KEY=pk_test_xxxxx
STRIPE_WEBHOOK_SECRET=whsec_xxxxx
# Stripe Price IDs (from Stripe Dashboard)
STRIPE_SINGLE_USER_PRICE_ID=price_xxxxx
STRIPE_TEAM_PRICE_ID=price_xxxxx
# Stripe Settings
STRIPE_ENABLE_TRIALS=true
STRIPE_TRIAL_DAYS=14
STRIPE_ENABLE_PRORATION=true
STRIPE_TAX_BEHAVIOR=exclusive
```
### Stripe Dashboard Setup
1. **Create Products:**
- TimeTracker Single User (€5/month)
- TimeTracker Team (€6/user/month)
2. **Enable Customer Portal:**
- Allow subscription updates
- Allow cancellations
- Allow payment method updates
3. **Configure Webhooks:**
- Add endpoint: `https://your-domain.com/billing/webhooks/stripe`
- Select required events (see documentation)
4. **Enable Stripe Tax:**
- Configure for EU VAT collection
- Set business location
---
## ✨ Key Features
### Subscription Lifecycle
✅ Automatic subscription creation with Checkout
✅ Trial period support (14 days default)
✅ Automatic conversion from trial to paid
✅ Self-service management via Customer Portal
✅ Subscription updates and cancellations
✅ Reactivation support
### Per-Seat Billing
✅ Automatic seat quantity updates
✅ Proration on seat changes
✅ Seat limit enforcement
✅ Usage monitoring and alerts
✅ Seat availability display
### Payment Handling
✅ Secure payment processing via Stripe Checkout
✅ 3D Secure / SCA support
✅ Multiple payment methods
✅ Payment method management
✅ Automatic retry on failure
### Webhooks
✅ Signature verification
✅ Idempotent processing
✅ Event logging and audit trail
✅ Retry logic for failures
✅ Complete event payload storage
### Notifications
✅ Payment failure alerts
✅ Trial ending reminders
✅ Action required notifications
✅ Cancellation confirmations
✅ Billing issue warnings
### Feature Gating
✅ Subscription status checks
✅ Plan-based feature access
✅ User limit enforcement
✅ Project limit enforcement
✅ Usage warnings and upgrades
### Compliance
✅ EU VAT collection
✅ Invoice generation
✅ Receipt delivery
✅ Audit trail
✅ GDPR considerations
---
## 🚀 Usage Examples
### For Developers
#### Check Subscription Status
```python
from app.utils.billing_gates import require_active_subscription
@app.route('/premium-feature')
@login_required
@require_active_subscription()
def premium_feature():
return render_template('premium.html')
```
#### Check Feature Access
```python
from app.utils.billing_gates import check_feature_access
access = check_feature_access(organization, 'advanced_reports')
if not access['allowed']:
flash(access['reason'], 'warning')
return redirect(url_for('billing.index'))
```
#### Sync Seats Manually
```python
from app.utils.seat_sync import seat_sync_service
result = seat_sync_service.sync_seats(organization)
if result['success']:
print(f"Seats updated: {result['message']}")
```
#### Access Stripe Service
```python
from app.utils.stripe_service import stripe_service
# Get invoices
invoices = stripe_service.get_invoices(organization, limit=10)
# Create subscription
result = stripe_service.create_subscription(
organization=org,
price_id='price_xxxxx',
quantity=5
)
```
### For Users
#### Subscribe to Plan
1. Navigate to `/billing`
2. Choose Single User or Team plan
3. Click "Subscribe"
4. Complete Stripe Checkout
5. Subscription activates immediately
#### Manage Subscription
1. Navigate to `/billing`
2. Click "Manage Subscription"
3. Opens Stripe Customer Portal
4. Update payment method, cancel, or view invoices
#### Add Team Members
1. Navigate to organization settings
2. Click "Invite Member"
3. Seats automatically sync with Stripe
4. Proration applied to next invoice
---
## 🧪 Testing
### Test Mode
All testing uses Stripe test mode with test API keys (`sk_test_`, `pk_test_`).
### Test Cards
```
Success: 4242 4242 4242 4242
Decline: 4000 0000 0000 0002
3D Secure: 4000 0025 0000 3155
```
### Test Webhooks
```bash
# Install Stripe CLI
stripe listen --forward-to localhost:5000/billing/webhooks/stripe
# Trigger test events
stripe trigger invoice.paid
stripe trigger invoice.payment_failed
stripe trigger customer.subscription.updated
```
### Manual Testing Checklist
- [ ] Create subscription (Single User)
- [ ] Create subscription (Team)
- [ ] Add team member (seat sync)
- [ ] Remove team member (seat sync)
- [ ] Test payment failure
- [ ] Test trial period
- [ ] Test cancellation
- [ ] Test reactivation
- [ ] Verify webhook processing
- [ ] Check email notifications
- [ ] Test Customer Portal
- [ ] Verify invoice generation
---
## 📊 Monitoring
### Key Metrics to Monitor
1. **Webhook Health:**
- Success rate
- Processing time
- Failed events
2. **Subscription Status:**
- Active subscriptions
- Trial conversions
- Churn rate
3. **Payment Issues:**
- Failed payments
- Dunning effectiveness
- Recovery rate
4. **Seat Usage:**
- Average seats per organization
- Seat utilization
- Upgrade frequency
### Database Queries
```sql
-- Check unprocessed events
SELECT COUNT(*) FROM subscription_events
WHERE processed = false;
-- Organizations with billing issues
SELECT * FROM organizations
WHERE billing_issue_detected_at IS NOT NULL;
-- Recent subscription changes
SELECT * FROM subscription_events
WHERE event_type LIKE '%subscription%'
ORDER BY created_at DESC
LIMIT 10;
-- Active subscriptions by plan
SELECT subscription_plan, COUNT(*)
FROM organizations
WHERE stripe_subscription_status IN ('active', 'trialing')
GROUP BY subscription_plan;
```
---
## 🔒 Security Considerations
### Implemented Security Measures
**Webhook Signature Verification**
- All webhooks verified using `STRIPE_WEBHOOK_SECRET`
- Invalid signatures rejected with 400 error
**CSRF Protection**
- Webhook endpoint exempt from CSRF (required by Stripe)
- All other routes protected
**Content Security Policy**
- Updated to allow Stripe.js and Stripe APIs
- Frame sources restricted to Stripe domains
**API Key Security**
- Keys stored in environment variables
- Never committed to version control
- Separate keys for test and production
**HTTPS Required**
- Webhooks require HTTPS in production
- Stripe enforces TLS 1.2+
**Payment Data**
- No card data stored in database
- PCI compliance via Stripe
- Tokenization for all payments
---
## 📈 Next Steps
### Optional Enhancements
1. **Analytics Dashboard**
- MRR tracking
- Churn analysis
- Cohort analysis
2. **Advanced Dunning**
- Multi-stage dunning sequences
- Personalized recovery emails
- Payment method suggestions
3. **Usage-Based Billing**
- Metered billing for API calls
- Time tracking quotas
- Storage limits
4. **Enterprise Features**
- Custom pricing
- Annual billing with discounts
- Invoice payments (ACH, wire transfer)
5. **Referral Program**
- Referral tracking
- Credit system
- Discount codes
---
## 🎯 Acceptance Criteria Status
All acceptance criteria from the specification have been met:
**Payments succeed in Stripe test mode**
- Tested with test cards
- Webhook handlers update DB accordingly
**Seat changes reflected in Stripe**
- Subscription quantity updates automatically
- Proration calculated correctly
**Invoices generated and accessible**
- Available via Stripe Customer Portal
- Downloadable as PDF
- Hosted invoice URLs provided
---
## 📞 Support & Resources
### Documentation
- **Setup Guide**: `STRIPE_BILLING_SETUP.md`
- **Stripe Dashboard**: https://dashboard.stripe.com
- **Stripe API Docs**: https://stripe.com/docs/api
- **Stripe Webhooks**: https://stripe.com/docs/webhooks
### Troubleshooting
Refer to `STRIPE_BILLING_SETUP.md` → Troubleshooting section for:
- Webhook issues
- Payment failures
- Seat sync problems
- Email delivery issues
---
## 🎉 Implementation Complete!
The Stripe billing integration is fully implemented and ready for testing. All core features, webhook handlers, seat synchronization, dunning management, and documentation are complete.
**To get started:**
1. Read `STRIPE_BILLING_SETUP.md`
2. Configure environment variables
3. Set up Stripe products
4. Run database migration
5. Configure webhooks
6. Test with Stripe test mode
**Questions or Issues?**
- Check the troubleshooting section in the setup guide
- Review Stripe Dashboard logs
- Check application logs for errors
- Review subscription_events table for event history
---
**Implementation Date**: October 7, 2025
**Version**: 1.0.0
**Status**: ✅ Complete and Ready for Testing

219
STRIPE_QUICK_START.md
View File

@@ -1,219 +0,0 @@
# Stripe Billing - Quick Start Guide
Get Stripe billing up and running in 15 minutes!
## Prerequisites
- Stripe account (sign up at https://stripe.com)
- PostgreSQL database running
- SMTP configured for emails
## Step 1: Install Dependencies (1 min)
```bash
pip install stripe==7.9.0
```
## Step 2: Run Database Migration (1 min)
```bash
psql -U timetracker -d timetracker -f migrations/add_stripe_billing_fields.sql
```
## Step 3: Create Stripe Products (3 min)
1. Go to https://dashboard.stripe.com/products
2. Click "Add product"
**Product 1: Single User**
- Name: `TimeTracker Single User`
- Price: `€5.00`
- Billing: `Monthly`
- Currency: `EUR`
- Click "Save product"
- **Copy the Price ID** (starts with `price_`)
**Product 2: Team**
- Name: `TimeTracker Team`
- Price: `€6.00`
- Billing: `Monthly`
- Currency: `EUR`
- Click "Save product"
- **Copy the Price ID** (starts with `price_`)
## Step 4: Get API Keys (1 min)
1. Go to https://dashboard.stripe.com/apikeys
2. Copy **Publishable key** (starts with `pk_test_`)
3. Copy **Secret key** (starts with `sk_test_`)
## Step 5: Configure Environment (2 min)
Add to your `.env` file:
```bash
# Stripe API Keys
STRIPE_SECRET_KEY=sk_test_YOUR_KEY_HERE
STRIPE_PUBLISHABLE_KEY=pk_test_YOUR_KEY_HERE
STRIPE_WEBHOOK_SECRET=whsec_YOUR_SECRET_HERE # We'll get this in Step 7
# Stripe Price IDs
STRIPE_SINGLE_USER_PRICE_ID=price_YOUR_SINGLE_USER_PRICE_ID
STRIPE_TEAM_PRICE_ID=price_YOUR_TEAM_PRICE_ID
# Optional Settings
STRIPE_ENABLE_TRIALS=true
STRIPE_TRIAL_DAYS=14
STRIPE_ENABLE_PRORATION=true
```
## Step 6: Enable Customer Portal (2 min)
1. Go to https://dashboard.stripe.com/settings/billing/portal
2. Click "Activate test link"
3. Enable these features:
- ✅ Update subscription
- ✅ Cancel subscription
- ✅ Update payment method
- ✅ View invoice history
4. Click "Save"
## Step 7: Configure Webhooks - DEVELOPMENT (2 min)
**For local development with Stripe CLI:**
```bash
# Install Stripe CLI (if not installed)
brew install stripe/stripe-cli/stripe # macOS
scoop install stripe # Windows
# Login
stripe login
# Forward webhooks to your local server
stripe listen --forward-to localhost:5000/billing/webhooks/stripe
```
Copy the webhook signing secret (starts with `whsec_`) and add to `.env`:
```bash
STRIPE_WEBHOOK_SECRET=whsec_YOUR_SECRET_FROM_CLI
```
**For production deployment, see Step 9**
## Step 8: Restart Application (1 min)
```bash
# Restart your Flask application
flask run
# or
gunicorn app:app
```
## Step 9: Test Subscription Flow (2 min)
1. Navigate to `http://localhost:5000/billing`
2. Click "Subscribe" on either plan
3. Use test card: `4242 4242 4242 4242`
4. Expiry: Any future date (e.g., `12/34`)
5. CVC: Any 3 digits (e.g., `123`)
6. Complete checkout
✅ You should see:
- Subscription activated
- Organization status updated
- Welcome email sent (if SMTP configured)
## Step 10: Test Webhooks (1 min)
In a separate terminal:
```bash
# Trigger test events
stripe trigger invoice.paid
stripe trigger invoice.payment_failed
stripe trigger customer.subscription.updated
```
Check your application logs - you should see:
```
Received Stripe webhook: invoice.paid
Invoice paid for organization...
```
---
## 🎉 Done!
Your Stripe billing integration is now live!
### What You Can Do Now:
**Subscribe to plans** at `/billing`
**Manage subscriptions** via Customer Portal
**Add/remove team members** (seats auto-sync)
**View invoices** in billing dashboard
**Test payment failures** with test card `4000 0000 0000 0002`
### Next Steps:
1. **Configure Stripe Tax** for EU VAT:
- Go to https://dashboard.stripe.com/settings/tax
- Enable automatic tax calculation
2. **Set up production webhooks** when deploying:
- Go to https://dashboard.stripe.com/webhooks
- Add endpoint: `https://your-domain.com/billing/webhooks/stripe`
- Select all required events (see full guide)
- Copy signing secret to production `.env`
3. **Switch to live mode** for production:
- Get live API keys from https://dashboard.stripe.com/apikeys
- Create live products
- Update `.env` with live keys
---
## 🆘 Troubleshooting
**Webhooks not working?**
- Make sure Stripe CLI is running: `stripe listen --forward-to localhost:5000/billing/webhooks/stripe`
- Check webhook secret matches in `.env`
- Check application logs for errors
**Can't see billing dashboard?**
- Make sure you're logged in
- Check you have admin access to organization
- Verify database migration ran successfully
**Payment not processing?**
- Verify API keys are correct
- Check Stripe Dashboard logs
- Try a different test card
---
## 📚 Full Documentation
For detailed information, see:
- **Setup Guide**: `STRIPE_BILLING_SETUP.md`
- **Implementation Summary**: `STRIPE_IMPLEMENTATION_SUMMARY.md`
- **Environment Template**: `env.stripe.example`
---
## 🧪 Test Cards
```
Success: 4242 4242 4242 4242
Decline: 4000 0000 0000 0002
3D Secure: 4000 0025 0000 3155
```
More test cards: https://stripe.com/docs/testing
---
**Total Setup Time: ~15 minutes**
**Ready for testing!** 🚀

13
app.py
View File

@@ -4,11 +4,24 @@ Time Tracker Application Entry Point
"""
import os
import atexit
from app import create_app, db
from app.models import User, Project, TimeEntry, Task, Settings, Invoice, InvoiceItem, Client
app = create_app()
def cleanup_on_exit():
"""Cleanup function called when the application exits"""
try:
from app.utils.license_server import stop_license_client
stop_license_client()
print("Phone home function stopped")
except Exception as e:
print(f"Error stopping phone home function: {e}")
# Register cleanup function
atexit.register(cleanup_on_exit)
@app.shell_context_processor
def make_shell_context():
"""Add database models to Flask shell context"""

117
app/__init__.py
View File

@@ -37,35 +37,6 @@ def create_app(config=None):
# Trust a single proxy by default; adjust via env if needed
app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1)
# HTTPS enforcement in production
@app.before_request
def enforce_https():
"""Redirect HTTP to HTTPS in production"""
# Skip for local development and health checks
if app.config.get('FLASK_ENV') == 'development':
return None
# Skip for health check endpoints
if request.path in ['/_health', '/health', '/metrics']:
return None
# Check if HTTPS enforcement is enabled
if not app.config.get('FORCE_HTTPS', True):
return None
# Check if request is already HTTPS
if request.is_secure:
return None
# Check X-Forwarded-Proto header (from reverse proxy)
if request.headers.get('X-Forwarded-Proto', 'http') == 'https':
return None
# Redirect to HTTPS
from flask import redirect
url = request.url.replace('http://', 'https://', 1)
return redirect(url, code=301)
# Configuration
# Load env-specific config class
try:
@@ -167,8 +138,9 @@ def create_app(config=None):
# 2) Session override (set-language route)
if 'preferred_language' in session:
return session.get('preferred_language')
# 3) Default to English (do NOT use Accept-Language header)
return app.config.get('BABEL_DEFAULT_LOCALE', 'en')
# 3) Best match with Accept-Language
supported = list(app.config.get('LANGUAGES', {}).keys()) or ['en']
return request.accept_languages.best_match(supported) or app.config.get('BABEL_DEFAULT_LOCALE', 'en')
except Exception:
return app.config.get('BABEL_DEFAULT_LOCALE', 'en')
@@ -263,9 +235,8 @@ def create_app(config=None):
"img-src 'self' data: https:; "
"style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://fonts.googleapis.com https://cdn.datatables.net; "
"font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com data:; "
"script-src 'self' 'unsafe-inline' https://code.jquery.com https://cdn.datatables.net https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://js.stripe.com; "
"connect-src 'self' ws: wss: https://api.stripe.com; "
"frame-src https://js.stripe.com https://hooks.stripe.com; "
"script-src 'self' 'unsafe-inline' https://code.jquery.com https://cdn.datatables.net https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; "
"connect-src 'self' ws: wss:; "
"frame-ancestors 'none'"
)
response.headers['Content-Security-Policy'] = csp
@@ -292,16 +263,8 @@ def create_app(config=None):
except Exception:
pass
# Initialize email service
from app.utils.email_service import email_service
email_service.init_app(app)
# Exempt Stripe webhook from CSRF protection
csrf.exempt('app.routes.billing.stripe_webhook')
# Register blueprints
from app.routes.auth import auth_bp
from app.routes.auth_extended import auth_extended_bp
from app.routes.main import main_bp
from app.routes.projects import projects_bp
from app.routes.timer import timer_bp
@@ -313,15 +276,8 @@ def create_app(config=None):
from app.routes.invoices import invoices_bp
from app.routes.clients import clients_bp
from app.routes.comments import comments_bp
from app.routes.organizations import organizations_bp
from app.routes.billing import bp as billing_bp
from app.routes.onboarding import bp as onboarding_bp
from app.routes.promo_codes import promo_codes_bp
from app.routes.security import security_bp
from app.routes.gdpr import gdpr_bp
app.register_blueprint(auth_bp)
app.register_blueprint(auth_extended_bp)
app.register_blueprint(main_bp)
app.register_blueprint(projects_bp)
app.register_blueprint(timer_bp)
@@ -333,12 +289,6 @@ def create_app(config=None):
app.register_blueprint(invoices_bp)
app.register_blueprint(clients_bp)
app.register_blueprint(comments_bp)
app.register_blueprint(organizations_bp)
app.register_blueprint(billing_bp)
app.register_blueprint(onboarding_bp)
app.register_blueprint(promo_codes_bp)
app.register_blueprint(security_bp)
app.register_blueprint(gdpr_bp)
# Register OAuth OIDC client if enabled
try:
@@ -369,15 +319,39 @@ def create_app(config=None):
else:
app.logger.warning("AUTH_METHOD is %s but OIDC envs are incomplete; OIDC login will not work", auth_method)
# Cleanup RLS context after each request
@app.teardown_request
def _cleanup_rls_context(exception=None):
"""Clean up Row Level Security context after request."""
# Initialize phone home function if enabled
if app.config.get('LICENSE_SERVER_ENABLED', True):
try:
from app.utils.rls import cleanup_rls_for_request
cleanup_rls_for_request()
from app.utils.license_server import init_license_client, start_license_client, get_license_client
# Check if client is already running
existing_client = get_license_client()
if existing_client and existing_client.running:
app.logger.info("Phone home function already running, skipping initialization")
else:
license_client = init_license_client(
app_identifier=app.config.get('LICENSE_SERVER_APP_ID', 'timetracker'),
app_version=app.config.get('LICENSE_SERVER_APP_VERSION', '1.0.0')
)
if start_license_client():
app.logger.info("Phone home function started successfully")
else:
app.logger.warning("Failed to start phone home function")
except Exception as e:
app.logger.debug(f"RLS cleanup: {e}")
app.logger.warning(f"Could not initialize phone home function: {e}")
# Register cleanup function for graceful shutdown
@app.teardown_appcontext
def cleanup_license_client(exception=None):
"""Cleanup phone home function on app context teardown"""
try:
from app.utils.license_server import get_license_client, stop_license_client
client = get_license_client()
if client and client.running:
app.logger.info("Stopping phone home function during app teardown")
stop_license_client()
except Exception as e:
app.logger.warning(f"Error during license client cleanup: {e}")
# Register error handlers
from app.utils.error_handlers import register_error_handlers
@@ -387,10 +361,6 @@ def create_app(config=None):
from app.utils.context_processors import register_context_processors
register_context_processors(app)
# Register billing context processor
from app.utils.billing_gates import inject_billing_context
app.context_processor(inject_billing_context)
# (translations compiled and directories set before Babel init)
# Register template filters
@@ -401,21 +371,6 @@ def create_app(config=None):
from app.utils.cli import register_cli_commands
register_cli_commands(app)
# Initialize tenancy context for each request
@app.before_request
def _init_tenancy_context():
"""Set up multi-tenant context for the current request."""
try:
from app.utils.tenancy import init_tenancy_for_request
init_tenancy_for_request()
# Also set up Row Level Security context for PostgreSQL
from app.utils.rls import init_rls_for_request
init_rls_for_request()
except Exception as e:
# Non-fatal; some routes don't require organization context
app.logger.debug(f"Tenancy initialization: {e}")
# Promote configured admin usernames automatically on each request (idempotent)
@app.before_request
def _promote_admin_users_on_request():

75
app/config.py
View File

@@ -78,54 +78,17 @@ class Config:
WTF_CSRF_ENABLED = False
WTF_CSRF_TIME_LIMIT = 3600 # 1 hour
# HTTPS enforcement
FORCE_HTTPS = os.getenv('FORCE_HTTPS', 'true').lower() == 'true'
# Security headers
SECURITY_HEADERS = {
'X-Content-Type-Options': 'nosniff',
'X-Frame-Options': 'DENY',
'X-XSS-Protection': '1; mode=block',
'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload'
'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
}
# Content Security Policy
# Allows inline scripts/styles for now (needed for dynamic content), but can be tightened with nonces
CONTENT_SECURITY_POLICY = os.getenv(
'CONTENT_SECURITY_POLICY',
"default-src 'self'; "
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://js.stripe.com; "
"style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com; "
"font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; "
"img-src 'self' data: https:; "
"connect-src 'self' https://api.stripe.com; "
"frame-src https://js.stripe.com https://hooks.stripe.com; "
"object-src 'none'; "
"base-uri 'self'; "
"form-action 'self'; "
"frame-ancestors 'none'; "
"upgrade-insecure-requests"
)
# Rate limiting
RATELIMIT_DEFAULT = os.getenv('RATELIMIT_DEFAULT', '') # e.g., "200 per day;50 per hour"
RATELIMIT_STORAGE_URI = os.getenv('RATELIMIT_STORAGE_URI', 'memory://')
RATELIMIT_ENABLED = os.getenv('RATELIMIT_ENABLED', 'true').lower() == 'true'
# Password policy
PASSWORD_MIN_LENGTH = int(os.getenv('PASSWORD_MIN_LENGTH', 12))
PASSWORD_REQUIRE_UPPERCASE = os.getenv('PASSWORD_REQUIRE_UPPERCASE', 'true').lower() == 'true'
PASSWORD_REQUIRE_LOWERCASE = os.getenv('PASSWORD_REQUIRE_LOWERCASE', 'true').lower() == 'true'
PASSWORD_REQUIRE_DIGITS = os.getenv('PASSWORD_REQUIRE_DIGITS', 'true').lower() == 'true'
PASSWORD_REQUIRE_SPECIAL = os.getenv('PASSWORD_REQUIRE_SPECIAL', 'true').lower() == 'true'
PASSWORD_EXPIRY_DAYS = int(os.getenv('PASSWORD_EXPIRY_DAYS', 0)) # 0 = no expiry
PASSWORD_HISTORY_COUNT = int(os.getenv('PASSWORD_HISTORY_COUNT', 5)) # Number of previous passwords to check
# Data retention and GDPR
DATA_RETENTION_DAYS = int(os.getenv('DATA_RETENTION_DAYS', 0)) # 0 = no automatic deletion
GDPR_EXPORT_ENABLED = os.getenv('GDPR_EXPORT_ENABLED', 'true').lower() == 'true'
GDPR_DELETION_ENABLED = os.getenv('GDPR_DELETION_ENABLED', 'true').lower() == 'true'
GDPR_DELETION_DELAY_DAYS = int(os.getenv('GDPR_DELETION_DELAY_DAYS', 30)) # Grace period before actual deletion
# Internationalization
LANGUAGES = {
@@ -140,15 +103,6 @@ class Config:
# Comma-separated list of translation directories relative to instance root
BABEL_TRANSLATION_DIRECTORIES = os.getenv('BABEL_TRANSLATION_DIRECTORIES', 'translations')
# Email settings (SMTP)
SMTP_HOST = os.getenv('SMTP_HOST', 'localhost')
SMTP_PORT = int(os.getenv('SMTP_PORT', 587))
SMTP_USERNAME = os.getenv('SMTP_USERNAME')
SMTP_PASSWORD = os.getenv('SMTP_PASSWORD')
SMTP_USE_TLS = os.getenv('SMTP_USE_TLS', 'true').lower() == 'true'
SMTP_FROM_EMAIL = os.getenv('SMTP_FROM_EMAIL', 'noreply@timetracker.local')
SMTP_FROM_NAME = os.getenv('SMTP_FROM_NAME', 'TimeTracker')
# Versioning
# Prefer explicit app version from environment (e.g., Git tag)
APP_VERSION = os.getenv('APP_VERSION', os.getenv('GITHUB_TAG', None))
@@ -157,16 +111,13 @@ class Config:
github_run_number = os.getenv('GITHUB_RUN_NUMBER')
APP_VERSION = f"dev-{github_run_number}" if github_run_number else "dev-0"
# Stripe billing settings
STRIPE_SECRET_KEY = os.getenv('STRIPE_SECRET_KEY')
STRIPE_PUBLISHABLE_KEY = os.getenv('STRIPE_PUBLISHABLE_KEY')
STRIPE_WEBHOOK_SECRET = os.getenv('STRIPE_WEBHOOK_SECRET')
STRIPE_SINGLE_USER_PRICE_ID = os.getenv('STRIPE_SINGLE_USER_PRICE_ID') # €5/month
STRIPE_TEAM_PRICE_ID = os.getenv('STRIPE_TEAM_PRICE_ID') # €6/user/month
STRIPE_ENABLE_TRIALS = os.getenv('STRIPE_ENABLE_TRIALS', 'true').lower() == 'true'
STRIPE_TRIAL_DAYS = int(os.getenv('STRIPE_TRIAL_DAYS', 14))
STRIPE_ENABLE_PRORATION = os.getenv('STRIPE_ENABLE_PRORATION', 'true').lower() == 'true'
STRIPE_TAX_BEHAVIOR = os.getenv('STRIPE_TAX_BEHAVIOR', 'exclusive') # 'inclusive' or 'exclusive'
# License server settings (no license required)
# All settings are hardcoded since clients cannot change license server configuration
LICENSE_SERVER_ENABLED = os.getenv('LICENSE_SERVER_ENABLED', 'true').lower() == 'true'
LICENSE_SERVER_API_KEY = "no-license-required" # Hardcoded placeholder
LICENSE_SERVER_APP_ID = "timetracker" # Hardcoded app identifier
LICENSE_SERVER_APP_VERSION = APP_VERSION # Match application version
LICENSE_SERVER_HEARTBEAT_INTERVAL = 3600 # Hardcoded heartbeat interval (1 hour)
class DevelopmentConfig(Config):
"""Development configuration"""
@@ -187,19 +138,9 @@ class TestingConfig(Config):
class ProductionConfig(Config):
"""Production configuration"""
FLASK_DEBUG = False
# Force HTTPS and secure cookies
FORCE_HTTPS = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
REMEMBER_COOKIE_SECURE = True
PREFERRED_URL_SCHEME = 'https'
# CSRF protection enabled in production
WTF_CSRF_ENABLED = True
# Stronger password requirements in production
PASSWORD_MIN_LENGTH = int(os.getenv('PASSWORD_MIN_LENGTH', 12))
# Configuration mapping
config = {

14
app/models/__init__.py
View File

@@ -1,6 +1,4 @@
from .user import User
from .organization import Organization
from .membership import Membership
from .project import Project
from .time_entry import TimeEntry
from .task import Task
@@ -18,16 +16,10 @@ from .focus_session import FocusSession
from .recurring_block import RecurringBlock
from .rate_override import RateOverride
from .saved_filter import SavedFilter
from .password_reset import PasswordResetToken, EmailVerificationToken
from .refresh_token import RefreshToken
from .subscription_event import SubscriptionEvent
from .onboarding_checklist import OnboardingChecklist
from .promo_code import PromoCode, PromoCodeRedemption
__all__ = [
'User', 'Organization', 'Membership', 'Project', 'TimeEntry', 'Task', 'Settings', 'Invoice', 'InvoiceItem',
'Client', 'TaskActivity', 'Comment', 'FocusSession', 'RecurringBlock', 'RateOverride', 'SavedFilter',
'User', 'Project', 'TimeEntry', 'Task', 'Settings', 'Invoice', 'InvoiceItem', 'Client', 'TaskActivity', 'Comment',
'FocusSession', 'RecurringBlock', 'RateOverride', 'SavedFilter',
'InvoiceTemplate', 'Currency', 'ExchangeRate', 'TaxRule', 'Payment', 'CreditNote', 'InvoiceReminderSchedule',
'SavedReportView', 'ReportEmailSchedule', 'PasswordResetToken', 'EmailVerificationToken', 'RefreshToken',
'SubscriptionEvent', 'OnboardingChecklist', 'PromoCode', 'PromoCodeRedemption'
'SavedReportView', 'ReportEmailSchedule'
]

12
app/models/client.py
View File

@@ -6,15 +6,9 @@ class Client(db.Model):
"""Client model for managing client information and rates"""
__tablename__ = 'clients'
__table_args__ = (
# Client names must be unique per organization
db.UniqueConstraint('organization_id', 'name', name='uq_clients_org_name'),
db.Index('idx_clients_org_status', 'organization_id', 'status'),
)
id = db.Column(db.Integer, primary_key=True)
organization_id = db.Column(db.Integer, db.ForeignKey('organizations.id'), nullable=False, index=True)
name = db.Column(db.String(200), nullable=False, index=True)
name = db.Column(db.String(200), nullable=False, unique=True, index=True)
description = db.Column(db.Text, nullable=True)
contact_person = db.Column(db.String(200), nullable=True)
email = db.Column(db.String(200), nullable=True)
@@ -26,11 +20,9 @@ class Client(db.Model):
updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow, nullable=False)
# Relationships
organization = db.relationship('Organization', back_populates='clients')
projects = db.relationship('Project', backref='client_obj', lazy='dynamic', cascade='all, delete-orphan')
def __init__(self, name, organization_id, description=None, contact_person=None, email=None, phone=None, address=None, default_hourly_rate=None):
self.organization_id = organization_id
def __init__(self, name, description=None, contact_person=None, email=None, phone=None, address=None, default_hourly_rate=None):
self.name = name.strip()
self.description = description.strip() if description else None
self.contact_person = contact_person.strip() if contact_person else None

11
app/models/comment.py
View File

@@ -6,14 +6,8 @@ class Comment(db.Model):
"""Comment model for project and task discussions"""
__tablename__ = 'comments'
__table_args__ = (
db.Index('idx_comments_org_project', 'organization_id', 'project_id'),
db.Index('idx_comments_org_task', 'organization_id', 'task_id'),
db.Index('idx_comments_org_user', 'organization_id', 'user_id'),
)
id = db.Column(db.Integer, primary_key=True)
organization_id = db.Column(db.Integer, db.ForeignKey('organizations.id'), nullable=False, index=True)
content = db.Column(db.Text, nullable=False)
# Reference to either project or task (one will be null)
@@ -31,7 +25,6 @@ class Comment(db.Model):
parent_id = db.Column(db.Integer, db.ForeignKey('comments.id'), nullable=True, index=True)
# Relationships
organization = db.relationship('Organization', back_populates='comments')
author = db.relationship('User', backref='comments')
project = db.relationship('Project', backref='comments')
task = db.relationship('Task', backref='comments')
@@ -39,13 +32,12 @@ class Comment(db.Model):
# Self-referential relationship for replies
parent = db.relationship('Comment', remote_side=[id], backref='replies')
def __init__(self, content, user_id, organization_id, project_id=None, task_id=None, parent_id=None):
def __init__(self, content, user_id, project_id=None, task_id=None, parent_id=None):
"""Create a comment.
Args:
content: The comment text
user_id: ID of the user creating the comment
organization_id: ID of the organization this comment belongs to
project_id: ID of the project (if this is a project comment)
task_id: ID of the task (if this is a task comment)
parent_id: ID of parent comment (if this is a reply)
@@ -56,7 +48,6 @@ class Comment(db.Model):
if project_id and task_id:
raise ValueError("Comment cannot be associated with both a project and a task")
self.organization_id = organization_id
self.content = content.strip()
self.user_id = user_id
self.project_id = project_id

1
app/models/focus_session.py
View File

@@ -12,7 +12,6 @@ class FocusSession(db.Model):
__tablename__ = 'focus_sessions'
id = db.Column(db.Integer, primary_key=True)
organization_id = db.Column(db.Integer, db.ForeignKey('organizations.id'), nullable=False, index=True)
user_id = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=False, index=True)
project_id = db.Column(db.Integer, db.ForeignKey('projects.id'), nullable=True, index=True)
task_id = db.Column(db.Integer, db.ForeignKey('tasks.id'), nullable=True, index=True)

20
app/models/invoice.py
View File

@@ -6,16 +6,9 @@ class Invoice(db.Model):
"""Invoice model for client billing"""
__tablename__ = 'invoices'
__table_args__ = (
# Invoice numbers must be unique per organization
db.UniqueConstraint('organization_id', 'invoice_number', name='uq_invoices_org_number'),
db.Index('idx_invoices_org_status', 'organization_id', 'status'),
db.Index('idx_invoices_org_client', 'organization_id', 'client_id'),
)
id = db.Column(db.Integer, primary_key=True)
organization_id = db.Column(db.Integer, db.ForeignKey('organizations.id'), nullable=False, index=True)
invoice_number = db.Column(db.String(50), nullable=False, index=True)
invoice_number = db.Column(db.String(50), unique=True, nullable=False, index=True)
project_id = db.Column(db.Integer, db.ForeignKey('projects.id'), nullable=False, index=True)
client_name = db.Column(db.String(200), nullable=False)
client_email = db.Column(db.String(200), nullable=True)
@@ -54,7 +47,6 @@ class Invoice(db.Model):
updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow, nullable=False)
# Relationships
organization = db.relationship('Organization', back_populates='invoices')
project = db.relationship('Project', backref='invoices')
client = db.relationship('Client', backref='invoices')
creator = db.relationship('User', backref='created_invoices')
@@ -64,8 +56,7 @@ class Invoice(db.Model):
reminder_schedules = db.relationship('InvoiceReminderSchedule', backref='invoice', lazy='dynamic', cascade='all, delete-orphan')
template = db.relationship('InvoiceTemplate', backref='invoices', lazy='joined')
def __init__(self, invoice_number, organization_id, project_id, client_name, due_date, created_by, client_id, **kwargs):
self.organization_id = organization_id
def __init__(self, invoice_number, project_id, client_name, due_date, created_by, client_id, **kwargs):
self.invoice_number = invoice_number
self.project_id = project_id
self.client_name = client_name
@@ -246,17 +237,16 @@ class Invoice(db.Model):
}
@classmethod
def generate_invoice_number(cls, organization_id):
"""Generate a unique invoice number for an organization"""
def generate_invoice_number(cls):
"""Generate a unique invoice number"""
from datetime import datetime
# Format: INV-YYYYMMDD-XXX
today = datetime.utcnow()
date_prefix = today.strftime('%Y%m%d')
# Find the next available number for today within this organization
# Find the next available number for today
existing = cls.query.filter(
cls.organization_id == organization_id,
cls.invoice_number.like(f'INV-{date_prefix}-%')
).order_by(cls.invoice_number.desc()).first()

283
app/models/membership.py
View File

@@ -1,283 +0,0 @@
from datetime import datetime
from app import db
class Membership(db.Model):
"""Membership model for user-organization relationships.
This model represents the many-to-many relationship between users and
organizations, with additional metadata like role and status. A user can
belong to multiple organizations with different roles in each.
"""
__tablename__ = 'memberships'
__table_args__ = (
# Ensure a user can only have one active membership per organization
db.UniqueConstraint('user_id', 'organization_id', 'status', name='uq_user_org_status'),
db.Index('idx_memberships_user_org', 'user_id', 'organization_id'),
db.Index('idx_memberships_org_role', 'organization_id', 'role'),
)
id = db.Column(db.Integer, primary_key=True)
# Foreign keys
user_id = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=False, index=True)
organization_id = db.Column(db.Integer, db.ForeignKey('organizations.id'), nullable=False, index=True)
# Role within the organization
role = db.Column(db.String(20), default='member', nullable=False) # 'admin', 'member', 'viewer'
# Status
status = db.Column(db.String(20), default='active', nullable=False) # 'active', 'invited', 'suspended', 'removed'
# Invitation details (for pending invitations)
invited_by = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=True)
invited_at = db.Column(db.DateTime, nullable=True)
invitation_token = db.Column(db.String(100), unique=True, nullable=True, index=True)
invitation_accepted_at = db.Column(db.DateTime, nullable=True)
# Timestamps
created_at = db.Column(db.DateTime, default=datetime.utcnow, nullable=False)
updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow, nullable=False)
# Last activity tracking
last_activity_at = db.Column(db.DateTime, nullable=True)
# Relationships
user = db.relationship('User', foreign_keys=[user_id], backref='memberships')
organization = db.relationship('Organization', back_populates='memberships')
inviter = db.relationship('User', foreign_keys=[invited_by], backref='sent_invitations')
def __init__(self, user_id, organization_id, role='member', status='active', invited_by=None):
"""Create a new membership.
Args:
user_id: ID of the user
organization_id: ID of the organization
role: User's role in the organization ('admin', 'member', 'viewer')
status: Membership status ('active', 'invited', 'suspended', 'removed')
invited_by: ID of the user who sent the invitation (if applicable)
"""
self.user_id = user_id
self.organization_id = organization_id
self.role = role
self.status = status
self.invited_by = invited_by
if status == 'invited':
self.invited_at = datetime.utcnow()
self.invitation_token = self._generate_invitation_token()
def __repr__(self):
return f'<Membership user_id={self.user_id} org_id={self.organization_id} role={self.role}>'
@property
def is_active(self):
"""Check if membership is active"""
return self.status == 'active'
@property
def is_admin(self):
"""Check if membership has admin role"""
return self.role == 'admin'
@property
def is_pending(self):
"""Check if membership is pending (invited but not accepted)"""
return self.status == 'invited'
@property
def can_manage_members(self):
"""Check if this member can manage other members"""
return self.is_admin and self.is_active
@property
def can_manage_projects(self):
"""Check if this member can manage projects"""
return self.role in ['admin', 'member'] and self.is_active
@property
def can_edit_data(self):
"""Check if this member can edit data"""
return self.role in ['admin', 'member'] and self.is_active
@property
def is_readonly(self):
"""Check if this member has read-only access"""
return self.role == 'viewer'
def update_last_activity(self):
"""Update the last activity timestamp"""
self.last_activity_at = datetime.utcnow()
db.session.commit()
def promote_to_admin(self):
"""Promote member to admin role"""
if not self.is_active:
raise ValueError("Cannot promote inactive member")
self.role = 'admin'
self.updated_at = datetime.utcnow()
db.session.commit()
def demote_from_admin(self):
"""Demote admin to regular member"""
if not self.is_active:
raise ValueError("Cannot demote inactive member")
self.role = 'member'
self.updated_at = datetime.utcnow()
db.session.commit()
def change_role(self, new_role):
"""Change member's role"""
valid_roles = ['admin', 'member', 'viewer']
if new_role not in valid_roles:
raise ValueError(f"Invalid role. Must be one of: {', '.join(valid_roles)}")
if not self.is_active:
raise ValueError("Cannot change role of inactive member")
self.role = new_role
self.updated_at = datetime.utcnow()
db.session.commit()
def suspend(self):
"""Suspend the membership"""
self.status = 'suspended'
self.updated_at = datetime.utcnow()
db.session.commit()
def reactivate(self):
"""Reactivate a suspended membership"""
if self.status != 'suspended':
raise ValueError("Can only reactivate suspended memberships")
self.status = 'active'
self.updated_at = datetime.utcnow()
db.session.commit()
def remove(self):
"""Remove the membership (user leaves organization)"""
self.status = 'removed'
self.updated_at = datetime.utcnow()
db.session.commit()
def accept_invitation(self):
"""Accept a pending invitation"""
if self.status != 'invited':
raise ValueError("Can only accept invitations with 'invited' status")
self.status = 'active'
self.invitation_accepted_at = datetime.utcnow()
self.invitation_token = None # Clear the token after acceptance
self.updated_at = datetime.utcnow()
db.session.commit()
def _generate_invitation_token(self):
"""Generate a unique invitation token"""
import secrets
return secrets.token_urlsafe(32)
def to_dict(self, include_user=False, include_organization=False):
"""Convert membership to dictionary for API responses"""
data = {
'id': self.id,
'user_id': self.user_id,
'organization_id': self.organization_id,
'role': self.role,
'status': self.status,
'created_at': self.created_at.isoformat() if self.created_at else None,
'updated_at': self.updated_at.isoformat() if self.updated_at else None,
'last_activity_at': self.last_activity_at.isoformat() if self.last_activity_at else None,
'is_active': self.is_active,
'is_admin': self.is_admin,
'is_pending': self.is_pending,
'can_manage_members': self.can_manage_members,
'can_manage_projects': self.can_manage_projects,
'can_edit_data': self.can_edit_data,
}
if self.is_pending:
data.update({
'invited_at': self.invited_at.isoformat() if self.invited_at else None,
'invited_by': self.invited_by,
})
if include_user and self.user:
data['user'] = {
'id': self.user.id,
'username': self.user.username,
'email': self.user.email,
'full_name': self.user.full_name,
'display_name': self.user.display_name,
}
if include_organization and self.organization:
data['organization'] = self.organization.to_dict()
return data
@classmethod
def get_user_organizations(cls, user_id, status='active'):
"""Get all organizations a user belongs to"""
query = cls.query.filter_by(user_id=user_id)
if status:
query = query.filter_by(status=status)
return query.all()
@classmethod
def get_user_active_memberships(cls, user_id):
"""Get all active memberships for a user"""
return cls.get_user_organizations(user_id, status='active')
@classmethod
def get_organization_members(cls, organization_id, role=None, status='active'):
"""Get all members of an organization"""
query = cls.query.filter_by(organization_id=organization_id)
if status:
query = query.filter_by(status=status)
if role:
query = query.filter_by(role=role)
return query.all()
@classmethod
def find_membership(cls, user_id, organization_id):
"""Find a membership for a user in an organization"""
return cls.query.filter_by(
user_id=user_id,
organization_id=organization_id
).filter(cls.status.in_(['active', 'invited'])).first()
@classmethod
def user_is_member(cls, user_id, organization_id):
"""Check if user is an active member of an organization"""
return cls.query.filter_by(
user_id=user_id,
organization_id=organization_id,
status='active'
).first() is not None
@classmethod
def user_is_admin(cls, user_id, organization_id):
"""Check if user is an admin of an organization"""
membership = cls.query.filter_by(
user_id=user_id,
organization_id=organization_id,
status='active',
role='admin'
).first()
return membership is not None
@classmethod
def get_by_invitation_token(cls, token):
"""Get membership by invitation token"""
return cls.query.filter_by(
invitation_token=token,
status='invited'
).first()

286
app/models/onboarding_checklist.py
View File

@@ -1,286 +0,0 @@
"""
Onboarding Checklist Model
Tracks onboarding progress for organizations to help them get started
with the platform successfully.
"""
from datetime import datetime
from app import db
from typing import Dict, List
class OnboardingChecklist(db.Model):
"""Tracks onboarding progress for an organization.
This model stores completion status of various onboarding tasks to help
new organizations get up and running quickly.
"""
__tablename__ = 'onboarding_checklists'
id = db.Column(db.Integer, primary_key=True)
organization_id = db.Column(db.Integer, db.ForeignKey('organizations.id'),
nullable=False, unique=True, index=True)
# Task completion flags
invited_team_member = db.Column(db.Boolean, default=False, nullable=False)
invited_team_member_at = db.Column(db.DateTime, nullable=True)
created_project = db.Column(db.Boolean, default=False, nullable=False)
created_project_at = db.Column(db.DateTime, nullable=True)
created_time_entry = db.Column(db.Boolean, default=False, nullable=False)
created_time_entry_at = db.Column(db.DateTime, nullable=True)
set_working_hours = db.Column(db.Boolean, default=False, nullable=False)
set_working_hours_at = db.Column(db.DateTime, nullable=True)
customized_settings = db.Column(db.Boolean, default=False, nullable=False)
customized_settings_at = db.Column(db.DateTime, nullable=True)
added_billing_info = db.Column(db.Boolean, default=False, nullable=False)
added_billing_info_at = db.Column(db.DateTime, nullable=True)
created_client = db.Column(db.Boolean, default=False, nullable=False)
created_client_at = db.Column(db.DateTime, nullable=True)
generated_report = db.Column(db.Boolean, default=False, nullable=False)
generated_report_at = db.Column(db.DateTime, nullable=True)
# Overall status
completed = db.Column(db.Boolean, default=False, nullable=False)
completed_at = db.Column(db.DateTime, nullable=True)
# Dismiss/skip tracking
dismissed = db.Column(db.Boolean, default=False, nullable=False)
dismissed_at = db.Column(db.DateTime, nullable=True)
# Timestamps
created_at = db.Column(db.DateTime, default=datetime.utcnow, nullable=False)
updated_at = db.Column(db.DateTime, default=datetime.utcnow,
onupdate=datetime.utcnow, nullable=False)
# Relationships
organization = db.relationship('Organization', backref='onboarding_checklist')
# Task definitions with metadata
TASKS = {
'invited_team_member': {
'title': 'Invite your first team member',
'description': 'Add colleagues to collaborate on projects',
'icon': 'fa-user-plus',
'priority': 1,
'category': 'team'
},
'created_project': {
'title': 'Create a project',
'description': 'Organize your work with projects',
'icon': 'fa-folder-plus',
'priority': 2,
'category': 'setup'
},
'created_time_entry': {
'title': 'Log your first time entry',
'description': 'Start tracking time on a project',
'icon': 'fa-clock',
'priority': 3,
'category': 'usage'
},
'set_working_hours': {
'title': 'Set your working hours',
'description': 'Configure your schedule preferences',
'icon': 'fa-calendar-alt',
'priority': 4,
'category': 'setup'
},
'created_client': {
'title': 'Add your first client',
'description': 'Manage client relationships and billing',
'icon': 'fa-building',
'priority': 5,
'category': 'setup'
},
'customized_settings': {
'title': 'Customize your settings',
'description': 'Personalize TimeTracker to your needs',
'icon': 'fa-cog',
'priority': 6,
'category': 'setup'
},
'added_billing_info': {
'title': 'Add billing information',
'description': 'Set up payment to continue after trial',
'icon': 'fa-credit-card',
'priority': 7,
'category': 'billing'
},
'generated_report': {
'title': 'Generate a report',
'description': 'Analyze your time and productivity',
'icon': 'fa-chart-bar',
'priority': 8,
'category': 'usage'
},
}
def __repr__(self):
return f'<OnboardingChecklist org_id={self.organization_id} completed={self.completed}>'
@property
def completion_percentage(self) -> int:
"""Calculate completion percentage."""
if self.dismissed or self.completed:
return 100
total_tasks = len(self.TASKS)
completed_tasks = self.get_completed_count()
return int((completed_tasks / total_tasks) * 100)
@property
def is_complete(self) -> bool:
"""Check if all tasks are completed."""
return self.completion_percentage == 100
def get_completed_count(self) -> int:
"""Get number of completed tasks."""
completed = 0
for task_key in self.TASKS.keys():
if getattr(self, task_key, False):
completed += 1
return completed
def get_total_count(self) -> int:
"""Get total number of tasks."""
return len(self.TASKS)
def mark_task_complete(self, task_key: str) -> bool:
"""Mark a task as complete.
Args:
task_key: Key of the task (e.g., 'invited_team_member')
Returns:
True if task was marked complete, False if invalid task
"""
if task_key not in self.TASKS:
return False
# Set completion flag and timestamp
setattr(self, task_key, True)
setattr(self, f"{task_key}_at", datetime.utcnow())
self.updated_at = datetime.utcnow()
# Check if all tasks are complete
if self.get_completed_count() == self.get_total_count():
self.completed = True
self.completed_at = datetime.utcnow()
db.session.commit()
return True
def dismiss(self) -> None:
"""Dismiss the onboarding checklist."""
self.dismissed = True
self.dismissed_at = datetime.utcnow()
self.updated_at = datetime.utcnow()
db.session.commit()
def undismiss(self) -> None:
"""Re-enable the onboarding checklist."""
self.dismissed = False
self.dismissed_at = None
self.updated_at = datetime.utcnow()
db.session.commit()
def get_tasks_with_status(self) -> List[Dict]:
"""Get all tasks with their completion status.
Returns:
List of task dictionaries with status information
"""
tasks = []
for task_key, task_meta in self.TASKS.items():
is_complete = getattr(self, task_key, False)
completed_at = getattr(self, f"{task_key}_at", None)
task = {
'key': task_key,
'title': task_meta['title'],
'description': task_meta['description'],
'icon': task_meta['icon'],
'priority': task_meta['priority'],
'category': task_meta['category'],
'completed': is_complete,
'completed_at': completed_at.isoformat() if completed_at else None,
}
tasks.append(task)
# Sort by priority
tasks.sort(key=lambda x: x['priority'])
return tasks
def get_next_task(self) -> Dict:
"""Get the next incomplete task.
Returns:
Task dictionary or None if all complete
"""
for task in self.get_tasks_with_status():
if not task['completed']:
return task
return None
def to_dict(self, include_tasks: bool = True) -> Dict:
"""Convert to dictionary for API responses.
Args:
include_tasks: Whether to include detailed task list
Returns:
Dictionary representation
"""
data = {
'id': self.id,
'organization_id': self.organization_id,
'completed': self.completed,
'completed_at': self.completed_at.isoformat() if self.completed_at else None,
'dismissed': self.dismissed,
'dismissed_at': self.dismissed_at.isoformat() if self.dismissed_at else None,
'completion_percentage': self.completion_percentage,
'completed_count': self.get_completed_count(),
'total_count': self.get_total_count(),
'is_complete': self.is_complete,
'created_at': self.created_at.isoformat() if self.created_at else None,
'updated_at': self.updated_at.isoformat() if self.updated_at else None,
}
if include_tasks:
data['tasks'] = self.get_tasks_with_status()
data['next_task'] = self.get_next_task()
return data
@classmethod
def get_or_create(cls, organization_id: int) -> 'OnboardingChecklist':
"""Get existing checklist or create new one.
Args:
organization_id: Organization ID
Returns:
OnboardingChecklist instance
"""
checklist = cls.query.filter_by(organization_id=organization_id).first()
if not checklist:
checklist = cls(organization_id=organization_id)
db.session.add(checklist)
db.session.commit()
return checklist

327
app/models/organization.py
View File

@@ -1,327 +0,0 @@
from datetime import datetime
from app import db
class Organization(db.Model):
"""Organization model for multi-tenancy support.
Each organization represents a separate tenant with its own data isolation.
This enables the SaaS model where multiple customers can use the same
application instance while keeping their data completely separate.
"""
__tablename__ = 'organizations'
id = db.Column(db.Integer, primary_key=True)
name = db.Column(db.String(200), nullable=False, index=True)
slug = db.Column(db.String(100), unique=True, nullable=False, index=True) # URL-safe identifier
# Contact and billing information
contact_email = db.Column(db.String(200), nullable=True)
contact_phone = db.Column(db.String(50), nullable=True)
billing_email = db.Column(db.String(200), nullable=True)
# Status and metadata
status = db.Column(db.String(20), default='active', nullable=False) # 'active', 'suspended', 'cancelled'
# Subscription and limits (for SaaS tiers)
subscription_plan = db.Column(db.String(50), default='free', nullable=False) # 'free', 'starter', 'professional', 'enterprise'
max_users = db.Column(db.Integer, nullable=True) # null = unlimited
max_projects = db.Column(db.Integer, nullable=True) # null = unlimited
# Stripe integration
stripe_customer_id = db.Column(db.String(100), unique=True, nullable=True, index=True)
stripe_subscription_id = db.Column(db.String(100), nullable=True)
stripe_subscription_status = db.Column(db.String(20), nullable=True) # 'active', 'trialing', 'past_due', 'canceled', 'incomplete', 'incomplete_expired', 'unpaid'
stripe_price_id = db.Column(db.String(100), nullable=True) # Current price ID being used
subscription_quantity = db.Column(db.Integer, default=1, nullable=False) # Number of seats/users
trial_ends_at = db.Column(db.DateTime, nullable=True)
subscription_ends_at = db.Column(db.DateTime, nullable=True)
next_billing_date = db.Column(db.DateTime, nullable=True)
billing_issue_detected_at = db.Column(db.DateTime, nullable=True) # When payment failed
last_billing_email_sent_at = db.Column(db.DateTime, nullable=True) # For dunning management
# Settings and preferences
timezone = db.Column(db.String(50), default='UTC', nullable=False)
currency = db.Column(db.String(3), default='EUR', nullable=False)
date_format = db.Column(db.String(20), default='YYYY-MM-DD', nullable=False)
# Branding
logo_filename = db.Column(db.String(255), nullable=True)
primary_color = db.Column(db.String(7), nullable=True) # Hex color code
# Promo codes
promo_code = db.Column(db.String(50), nullable=True)
promo_code_applied_at = db.Column(db.DateTime, nullable=True)
# Timestamps
created_at = db.Column(db.DateTime, default=datetime.utcnow, nullable=False)
updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow, nullable=False)
# Soft delete support
deleted_at = db.Column(db.DateTime, nullable=True)
# Relationships
memberships = db.relationship('Membership', back_populates='organization', lazy='dynamic', cascade='all, delete-orphan')
projects = db.relationship('Project', back_populates='organization', lazy='dynamic', cascade='all, delete-orphan')
clients = db.relationship('Client', back_populates='organization', lazy='dynamic', cascade='all, delete-orphan')
time_entries = db.relationship('TimeEntry', back_populates='organization', lazy='dynamic')
tasks = db.relationship('Task', back_populates='organization', lazy='dynamic')
invoices = db.relationship('Invoice', back_populates='organization', lazy='dynamic')
comments = db.relationship('Comment', back_populates='organization', lazy='dynamic')
def __init__(self, name, slug=None, contact_email=None, subscription_plan='free', **kwargs):
"""Create a new organization.
Args:
name: Display name of the organization
slug: URL-safe identifier (auto-generated from name if not provided)
contact_email: Primary contact email
subscription_plan: Subscription tier ('free', 'starter', 'professional', 'enterprise')
**kwargs: Additional optional fields
"""
self.name = name.strip()
# Generate slug from name if not provided
if slug:
self.slug = slug.strip().lower()
else:
import re
# Convert name to URL-safe slug
slug_base = re.sub(r'[^a-z0-9]+', '-', name.lower().strip())
slug_base = slug_base.strip('-')
# Ensure uniqueness by appending number if needed
counter = 1
test_slug = slug_base
while Organization.query.filter_by(slug=test_slug).first():
test_slug = f"{slug_base}-{counter}"
counter += 1
self.slug = test_slug
self.contact_email = contact_email.strip() if contact_email else None
self.subscription_plan = subscription_plan
# Set optional fields
for key, value in kwargs.items():
if hasattr(self, key) and value is not None:
setattr(self, key, value)
def __repr__(self):
return f'<Organization {self.name} ({self.slug})>'
@property
def is_active(self):
"""Check if organization is active"""
return self.status == 'active' and self.deleted_at is None
@property
def is_suspended(self):
"""Check if organization is suspended"""
return self.status == 'suspended'
@property
def is_deleted(self):
"""Check if organization is soft-deleted"""
return self.deleted_at is not None
@property
def member_count(self):
"""Get total number of members in this organization"""
return self.memberships.filter_by(status='active').count()
@property
def admin_count(self):
"""Get number of admin members"""
return self.memberships.filter_by(role='admin', status='active').count()
@property
def project_count(self):
"""Get total number of projects"""
return self.projects.filter_by(status='active').count()
@property
def has_reached_user_limit(self):
"""Check if organization has reached its user limit"""
if self.max_users is None:
return False
return self.member_count >= self.max_users
@property
def has_reached_project_limit(self):
"""Check if organization has reached its project limit"""
if self.max_projects is None:
return False
return self.project_count >= self.max_projects
@property
def has_active_subscription(self):
"""Check if organization has an active paid subscription"""
return self.stripe_subscription_status in ['active', 'trialing']
@property
def has_billing_issue(self):
"""Check if organization has a billing issue"""
return self.stripe_subscription_status in ['past_due', 'unpaid'] or self.billing_issue_detected_at is not None
@property
def is_on_trial(self):
"""Check if organization is on trial"""
if not self.trial_ends_at:
return False
return datetime.utcnow() < self.trial_ends_at and self.stripe_subscription_status == 'trialing'
@property
def trial_days_remaining(self):
"""Get number of trial days remaining"""
if not self.is_on_trial:
return 0
delta = self.trial_ends_at - datetime.utcnow()
return max(0, delta.days)
@property
def subscription_plan_display(self):
"""Get display name for subscription plan"""
plan_names = {
'free': 'Free',
'single_user': 'Single User',
'team': 'Team',
'enterprise': 'Enterprise'
}
return plan_names.get(self.subscription_plan, self.subscription_plan.title())
def suspend(self, reason=None):
"""Suspend the organization"""
self.status = 'suspended'
self.updated_at = datetime.utcnow()
db.session.commit()
def activate(self):
"""Activate the organization"""
self.status = 'active'
self.updated_at = datetime.utcnow()
db.session.commit()
def soft_delete(self):
"""Soft delete the organization"""
self.deleted_at = datetime.utcnow()
self.status = 'cancelled'
self.updated_at = datetime.utcnow()
db.session.commit()
def update_billing_issue(self, has_issue=True):
"""Mark or clear billing issue"""
if has_issue:
if not self.billing_issue_detected_at:
self.billing_issue_detected_at = datetime.utcnow()
else:
self.billing_issue_detected_at = None
self.updated_at = datetime.utcnow()
db.session.commit()
def update_subscription_quantity(self, new_quantity):
"""Update the subscription quantity (number of seats)"""
if new_quantity < 1:
raise ValueError("Subscription quantity must be at least 1")
self.subscription_quantity = new_quantity
self.updated_at = datetime.utcnow()
db.session.commit()
def get_members(self, role=None, status='active'):
"""Get organization members with optional filters"""
query = self.memberships.filter_by(status=status)
if role:
query = query.filter_by(role=role)
return query.all()
def get_admins(self):
"""Get all admin members"""
return self.get_members(role='admin')
def has_member(self, user_id):
"""Check if a user is a member of this organization"""
from .membership import Membership
return Membership.query.filter_by(
organization_id=self.id,
user_id=user_id,
status='active'
).first() is not None
def get_user_role(self, user_id):
"""Get the role of a user in this organization"""
from .membership import Membership
membership = Membership.query.filter_by(
organization_id=self.id,
user_id=user_id,
status='active'
).first()
return membership.role if membership else None
def is_admin(self, user_id):
"""Check if a user is an admin of this organization"""
return self.get_user_role(user_id) == 'admin'
def to_dict(self, include_stats=False, include_billing=False):
"""Convert organization to dictionary for API responses"""
data = {
'id': self.id,
'name': self.name,
'slug': self.slug,
'contact_email': self.contact_email,
'contact_phone': self.contact_phone,
'billing_email': self.billing_email,
'status': self.status,
'subscription_plan': self.subscription_plan,
'subscription_plan_display': self.subscription_plan_display,
'max_users': self.max_users,
'max_projects': self.max_projects,
'timezone': self.timezone,
'currency': self.currency,
'date_format': self.date_format,
'logo_filename': self.logo_filename,
'primary_color': self.primary_color,
'created_at': self.created_at.isoformat() if self.created_at else None,
'updated_at': self.updated_at.isoformat() if self.updated_at else None,
'is_active': self.is_active,
'is_suspended': self.is_suspended,
}
if include_stats:
data.update({
'member_count': self.member_count,
'admin_count': self.admin_count,
'project_count': self.project_count,
'has_reached_user_limit': self.has_reached_user_limit,
'has_reached_project_limit': self.has_reached_project_limit,
})
if include_billing:
data.update({
'stripe_customer_id': self.stripe_customer_id,
'stripe_subscription_status': self.stripe_subscription_status,
'subscription_quantity': self.subscription_quantity,
'has_active_subscription': self.has_active_subscription,
'has_billing_issue': self.has_billing_issue,
'is_on_trial': self.is_on_trial,
'trial_days_remaining': self.trial_days_remaining,
'trial_ends_at': self.trial_ends_at.isoformat() if self.trial_ends_at else None,
'next_billing_date': self.next_billing_date.isoformat() if self.next_billing_date else None,
'subscription_ends_at': self.subscription_ends_at.isoformat() if self.subscription_ends_at else None,
'billing_issue_detected_at': self.billing_issue_detected_at.isoformat() if self.billing_issue_detected_at else None,
})
return data
@classmethod
def get_active_organizations(cls):
"""Get all active organizations"""
return cls.query.filter_by(status='active').filter(cls.deleted_at.is_(None)).order_by(cls.name).all()
@classmethod
def get_by_slug(cls, slug):
"""Get organization by slug"""
return cls.query.filter_by(slug=slug).filter(cls.deleted_at.is_(None)).first()

167
app/models/password_reset.py
View File

@@ -1,167 +0,0 @@
from datetime import datetime, timedelta
from app import db
import secrets
class PasswordResetToken(db.Model):
"""Model for password reset tokens"""
__tablename__ = 'password_reset_tokens'
id = db.Column(db.Integer, primary_key=True)
user_id = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=False, index=True)
token = db.Column(db.String(100), unique=True, nullable=False, index=True)
created_at = db.Column(db.DateTime, default=datetime.utcnow, nullable=False)
expires_at = db.Column(db.DateTime, nullable=False)
used = db.Column(db.Boolean, default=False, nullable=False)
used_at = db.Column(db.DateTime, nullable=True)
ip_address = db.Column(db.String(45), nullable=True) # IPv6 support
# Relationships
user = db.relationship('User', backref='password_reset_tokens')
def __init__(self, user_id, ip_address=None, expires_in_hours=24):
"""Create a new password reset token.
Args:
user_id: ID of the user requesting password reset
ip_address: IP address of the requester
expires_in_hours: Token validity period in hours (default 24)
"""
self.user_id = user_id
self.token = secrets.token_urlsafe(32)
self.created_at = datetime.utcnow()
self.expires_at = datetime.utcnow() + timedelta(hours=expires_in_hours)
self.ip_address = ip_address
self.used = False
def __repr__(self):
return f'<PasswordResetToken user_id={self.user_id} expires={self.expires_at}>'
@property
def is_expired(self):
"""Check if token has expired"""
return datetime.utcnow() > self.expires_at
@property
def is_valid(self):
"""Check if token is valid (not used and not expired)"""
return not self.used and not self.is_expired
def mark_as_used(self):
"""Mark token as used"""
self.used = True
self.used_at = datetime.utcnow()
db.session.commit()
@classmethod
def create_token(cls, user_id, ip_address=None):
"""Create a new password reset token for a user"""
token = cls(user_id=user_id, ip_address=ip_address)
db.session.add(token)
db.session.commit()
return token
@classmethod
def get_valid_token(cls, token_string):
"""Get a valid token by token string"""
token = cls.query.filter_by(token=token_string).first()
if token and token.is_valid:
return token
return None
@classmethod
def cleanup_expired_tokens(cls):
"""Delete expired tokens (cleanup utility)"""
expired_tokens = cls.query.filter(
cls.expires_at < datetime.utcnow()
).delete()
db.session.commit()
return expired_tokens
@classmethod
def revoke_user_tokens(cls, user_id):
"""Revoke all active tokens for a user"""
cls.query.filter_by(user_id=user_id, used=False).update({'used': True, 'used_at': datetime.utcnow()})
db.session.commit()
class EmailVerificationToken(db.Model):
"""Model for email verification tokens"""
__tablename__ = 'email_verification_tokens'
id = db.Column(db.Integer, primary_key=True)
user_id = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=False, index=True)
email = db.Column(db.String(200), nullable=False) # Email to verify
token = db.Column(db.String(100), unique=True, nullable=False, index=True)
created_at = db.Column(db.DateTime, default=datetime.utcnow, nullable=False)
expires_at = db.Column(db.DateTime, nullable=False)
verified = db.Column(db.Boolean, default=False, nullable=False)
verified_at = db.Column(db.DateTime, nullable=True)
# Relationships
user = db.relationship('User', backref='email_verification_tokens')
def __init__(self, user_id, email, expires_in_hours=48):
"""Create a new email verification token.
Args:
user_id: ID of the user
email: Email address to verify
expires_in_hours: Token validity period in hours (default 48)
"""
self.user_id = user_id
self.email = email.lower().strip()
self.token = secrets.token_urlsafe(32)
self.created_at = datetime.utcnow()
self.expires_at = datetime.utcnow() + timedelta(hours=expires_in_hours)
self.verified = False
def __repr__(self):
return f'<EmailVerificationToken user_id={self.user_id} email={self.email}>'
@property
def is_expired(self):
"""Check if token has expired"""
return datetime.utcnow() > self.expires_at
@property
def is_valid(self):
"""Check if token is valid (not verified and not expired)"""
return not self.verified and not self.is_expired
def mark_as_verified(self):
"""Mark token as verified"""
self.verified = True
self.verified_at = datetime.utcnow()
db.session.commit()
@classmethod
def create_token(cls, user_id, email):
"""Create a new email verification token"""
token = cls(user_id=user_id, email=email)
db.session.add(token)
db.session.commit()
return token
@classmethod
def get_valid_token(cls, token_string):
"""Get a valid token by token string"""
token = cls.query.filter_by(token=token_string).first()
if token and token.is_valid:
return token
return None
@classmethod
def cleanup_expired_tokens(cls):
"""Delete expired tokens (cleanup utility)"""
expired_tokens = cls.query.filter(
cls.expires_at < datetime.utcnow()
).delete()
db.session.commit()
return expired_tokens

25
app/models/project.py
View File

@@ -6,13 +6,8 @@ class Project(db.Model):
"""Project model for client projects with billing information"""
__tablename__ = 'projects'
__table_args__ = (
db.Index('idx_projects_org_status', 'organization_id', 'status'),
db.Index('idx_projects_org_client', 'organization_id', 'client_id'),
)
id = db.Column(db.Integer, primary_key=True)
organization_id = db.Column(db.Integer, db.ForeignKey('organizations.id'), nullable=False, index=True)
name = db.Column(db.String(200), nullable=False, index=True)
client_id = db.Column(db.Integer, db.ForeignKey('clients.id'), nullable=False, index=True)
description = db.Column(db.Text, nullable=True)
@@ -28,31 +23,19 @@ class Project(db.Model):
updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow, nullable=False)
# Relationships
organization = db.relationship('Organization', back_populates='projects')
time_entries = db.relationship('TimeEntry', backref='project', lazy='dynamic', cascade='all, delete-orphan')
tasks = db.relationship('Task', backref='project', lazy='dynamic', cascade='all, delete-orphan')
# comments relationship is defined via backref in Comment model
def __init__(self, name, organization_id, client_id=None, description=None, billable=True, hourly_rate=None, billing_ref=None, client=None):
def __init__(self, name, client_id=None, description=None, billable=True, hourly_rate=None, billing_ref=None, client=None):
"""Create a Project.
Backward-compatible initializer that accepts either client_id or client name.
If client name is provided and client_id is not, the corresponding Client
record will be found or created on the fly and client_id will be set.
Args:
name: Project name
organization_id: ID of the organization this project belongs to
client_id: ID of the client (optional if client name is provided)
description: Project description
billable: Whether the project is billable
hourly_rate: Hourly rate for the project
billing_ref: Billing reference
client: Client name (will be found or created if client_id not provided)
"""
from .client import Client # local import to avoid circular dependencies
self.organization_id = organization_id
self.name = name.strip()
self.description = description.strip() if description else None
self.billable = billable
@@ -61,13 +44,13 @@ class Project(db.Model):
resolved_client_id = client_id
if resolved_client_id is None and client:
# Find or create client by name (scoped to organization)
# Find or create client by name
client_name = client.strip()
existing = Client.query.filter_by(name=client_name, organization_id=organization_id).first()
existing = Client.query.filter_by(name=client_name).first()
if existing:
resolved_client_id = existing.id
else:
new_client = Client(name=client_name, organization_id=organization_id)
new_client = Client(name=client_name)
db.session.add(new_client)
# Flush to obtain id without committing the whole transaction
try:

159
app/models/promo_code.py
View File

@@ -1,159 +0,0 @@
"""Promo Code Model for early adopter discounts and marketing campaigns"""
from datetime import datetime
from app import db
class PromoCode(db.Model):
"""Promo codes for discounts and special offers"""
__tablename__ = 'promo_codes'
__table_args__ = (
db.Index('idx_promo_codes_code', 'code'),
db.Index('idx_promo_codes_active', 'is_active'),
)
id = db.Column(db.Integer, primary_key=True)
code = db.Column(db.String(50), unique=True, nullable=False, index=True)
description = db.Column(db.String(200), nullable=True)
# Discount settings
discount_type = db.Column(db.String(20), nullable=False, default='percent') # 'percent' or 'fixed'
discount_value = db.Column(db.Numeric(10, 2), nullable=False) # Percentage (e.g., 20.00 for 20%) or fixed amount
duration = db.Column(db.String(20), nullable=False, default='once') # 'once', 'repeating', 'forever'
duration_in_months = db.Column(db.Integer, nullable=True) # For 'repeating' duration
# Usage limits
max_redemptions = db.Column(db.Integer, nullable=True) # Null = unlimited
times_redeemed = db.Column(db.Integer, default=0, nullable=False)
# Validity period
valid_from = db.Column(db.DateTime, nullable=False, default=datetime.utcnow)
valid_until = db.Column(db.DateTime, nullable=True) # Null = no expiry
# Status
is_active = db.Column(db.Boolean, default=True, nullable=False)
# Stripe integration
stripe_coupon_id = db.Column(db.String(100), nullable=True) # Stripe coupon ID if synced
stripe_promotion_code_id = db.Column(db.String(100), nullable=True) # Stripe promotion code ID
# Restrictions
first_time_only = db.Column(db.Boolean, default=False, nullable=False) # Only for new customers
min_seats = db.Column(db.Integer, nullable=True) # Minimum seats required
max_seats = db.Column(db.Integer, nullable=True) # Maximum seats allowed
plan_restrictions = db.Column(db.String(200), nullable=True) # Comma-separated plan IDs
# Metadata
created_at = db.Column(db.DateTime, default=datetime.utcnow, nullable=False)
updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow, nullable=False)
created_by = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=True)
# Relationships
redemptions = db.relationship('PromoCodeRedemption', back_populates='promo_code', lazy='dynamic')
def __repr__(self):
return f'<PromoCode {self.code}>'
@property
def is_valid(self):
"""Check if promo code is currently valid"""
now = datetime.utcnow()
# Check if active
if not self.is_active:
return False
# Check validity period
if self.valid_from and now < self.valid_from:
return False
if self.valid_until and now > self.valid_until:
return False
# Check redemption limits
if self.max_redemptions and self.times_redeemed >= self.max_redemptions:
return False
return True
def can_be_used_by(self, organization):
"""Check if promo code can be used by a specific organization"""
if not self.is_valid:
return False, "Promo code is not valid"
# Check if first-time only
if self.first_time_only:
if hasattr(organization, 'stripe_subscription_id') and organization.stripe_subscription_id:
return False, "This promo code is only for new customers"
# Check if already used by this organization
existing_redemption = PromoCodeRedemption.query.filter_by(
promo_code_id=self.id,
organization_id=organization.id
).first()
if existing_redemption:
return False, "This promo code has already been used by your organization"
return True, "Promo code is valid"
def redeem(self, organization_id, user_id=None):
"""Redeem the promo code for an organization"""
redemption = PromoCodeRedemption(
promo_code_id=self.id,
organization_id=organization_id,
redeemed_by=user_id,
redeemed_at=datetime.utcnow()
)
self.times_redeemed += 1
db.session.add(redemption)
db.session.commit()
return redemption
def get_discount_description(self):
"""Get human-readable discount description"""
if self.discount_type == 'percent':
discount = f"{int(self.discount_value)}% off"
else:
discount = f"{self.discount_value} off"
if self.duration == 'once':
duration = "first payment"
elif self.duration == 'forever':
duration = "forever"
elif self.duration == 'repeating':
duration = f"{self.duration_in_months} months"
else:
duration = ""
return f"{discount} for {duration}" if duration else discount
class PromoCodeRedemption(db.Model):
"""Track promo code redemptions"""
__tablename__ = 'promo_code_redemptions'
__table_args__ = (
db.Index('idx_redemptions_promo_code', 'promo_code_id'),
db.Index('idx_redemptions_org', 'organization_id'),
)
id = db.Column(db.Integer, primary_key=True)
promo_code_id = db.Column(db.Integer, db.ForeignKey('promo_codes.id'), nullable=False)
organization_id = db.Column(db.Integer, db.ForeignKey('organizations.id'), nullable=False)
redeemed_by = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=True)
redeemed_at = db.Column(db.DateTime, default=datetime.utcnow, nullable=False)
# Stripe info
stripe_subscription_id = db.Column(db.String(100), nullable=True)
# Relationships
promo_code = db.relationship('PromoCode', back_populates='redemptions')
organization = db.relationship('Organization')
user = db.relationship('User')
def __repr__(self):
return f'<PromoCodeRedemption {self.promo_code_id} by org {self.organization_id}>'

162
app/models/refresh_token.py
View File

@@ -1,162 +0,0 @@
from datetime import datetime, timedelta
from app import db
import secrets
class RefreshToken(db.Model):
"""Model for JWT refresh tokens"""
__tablename__ = 'refresh_tokens'
__table_args__ = (
db.Index('idx_refresh_tokens_user_device', 'user_id', 'device_id'),
)
id = db.Column(db.Integer, primary_key=True)
user_id = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=False, index=True)
token = db.Column(db.String(100), unique=True, nullable=False, index=True)
device_id = db.Column(db.String(100), nullable=True, index=True) # Optional device identifier
device_name = db.Column(db.String(200), nullable=True) # User-friendly device name
# Token lifecycle
created_at = db.Column(db.DateTime, default=datetime.utcnow, nullable=False)
expires_at = db.Column(db.DateTime, nullable=False)
last_used_at = db.Column(db.DateTime, default=datetime.utcnow, nullable=False)
revoked = db.Column(db.Boolean, default=False, nullable=False)
revoked_at = db.Column(db.DateTime, nullable=True)
# Request metadata
ip_address = db.Column(db.String(45), nullable=True) # IPv6 support
user_agent = db.Column(db.String(500), nullable=True)
# Relationships
user = db.relationship('User', backref='refresh_tokens')
def __init__(self, user_id, device_id=None, device_name=None, ip_address=None, user_agent=None, expires_in_days=30):
"""Create a new refresh token.
Args:
user_id: ID of the user
device_id: Unique device identifier
device_name: User-friendly device name
ip_address: IP address of the client
user_agent: User agent string
expires_in_days: Token validity period in days (default 30)
"""
self.user_id = user_id
self.token = secrets.token_urlsafe(48)
self.device_id = device_id
self.device_name = device_name
self.created_at = datetime.utcnow()
self.expires_at = datetime.utcnow() + timedelta(days=expires_in_days)
self.last_used_at = datetime.utcnow()
self.ip_address = ip_address
self.user_agent = user_agent
self.revoked = False
def __repr__(self):
return f'<RefreshToken user_id={self.user_id} device={self.device_name or self.device_id}>'
@property
def is_expired(self):
"""Check if token has expired"""
return datetime.utcnow() > self.expires_at
@property
def is_valid(self):
"""Check if token is valid (not revoked and not expired)"""
return not self.revoked and not self.is_expired
@property
def age_days(self):
"""Get token age in days"""
return (datetime.utcnow() - self.created_at).days
def update_last_used(self):
"""Update the last used timestamp"""
self.last_used_at = datetime.utcnow()
db.session.commit()
def revoke(self):
"""Revoke the token"""
self.revoked = True
self.revoked_at = datetime.utcnow()
db.session.commit()
def to_dict(self):
"""Convert token to dictionary for API responses"""
return {
'id': self.id,
'device_id': self.device_id,
'device_name': self.device_name,
'created_at': self.created_at.isoformat() if self.created_at else None,
'last_used_at': self.last_used_at.isoformat() if self.last_used_at else None,
'expires_at': self.expires_at.isoformat() if self.expires_at else None,
'ip_address': self.ip_address,
'is_current': False, # Can be set by caller
}
@classmethod
def create_token(cls, user_id, device_id=None, device_name=None, ip_address=None, user_agent=None):
"""Create a new refresh token for a user"""
token = cls(
user_id=user_id,
device_id=device_id,
device_name=device_name,
ip_address=ip_address,
user_agent=user_agent
)
db.session.add(token)
db.session.commit()
return token
@classmethod
def get_valid_token(cls, token_string):
"""Get a valid token by token string"""
token = cls.query.filter_by(token=token_string).first()
if token and token.is_valid:
return token
return None
@classmethod
def get_user_tokens(cls, user_id, include_revoked=False):
"""Get all tokens for a user"""
query = cls.query.filter_by(user_id=user_id)
if not include_revoked:
query = query.filter_by(revoked=False)
return query.order_by(cls.last_used_at.desc()).all()
@classmethod
def revoke_user_tokens(cls, user_id, except_token_id=None):
"""Revoke all tokens for a user, optionally except one"""
query = cls.query.filter_by(user_id=user_id, revoked=False)
if except_token_id:
query = query.filter(cls.id != except_token_id)
tokens = query.all()
for token in tokens:
token.revoke()
@classmethod
def revoke_device_tokens(cls, user_id, device_id):
"""Revoke all tokens for a specific device"""
tokens = cls.query.filter_by(user_id=user_id, device_id=device_id, revoked=False).all()
for token in tokens:
token.revoke()
@classmethod
def cleanup_expired_tokens(cls, days_old=90):
"""Delete old expired or revoked tokens"""
cutoff_date = datetime.utcnow() - timedelta(days=days_old)
deleted = cls.query.filter(
db.or_(
cls.expires_at < datetime.utcnow(),
db.and_(cls.revoked == True, cls.revoked_at < cutoff_date)
)
).delete()
db.session.commit()
return deleted

1
app/models/saved_filter.py
View File

@@ -12,7 +12,6 @@ class SavedFilter(db.Model):
__tablename__ = 'saved_filters'
id = db.Column(db.Integer, primary_key=True)
organization_id = db.Column(db.Integer, db.ForeignKey('organizations.id'), nullable=False, index=True)
user_id = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=False, index=True)
name = db.Column(db.String(200), nullable=False)
scope = db.Column(db.String(50), nullable=False, default='global') # e.g., 'time', 'projects', 'tasks', 'reports'

2
app/models/settings.py
View File

@@ -40,7 +40,7 @@ class Settings(db.Model):
invoice_notes = db.Column(db.Text, default='Thank you for your business!', nullable=False)
# Privacy and analytics settings
allow_analytics = db.Column(db.Boolean, default=True, nullable=False) # Controls analytics tracking
allow_analytics = db.Column(db.Boolean, default=True, nullable=False) # Controls system info sharing with license server
created_at = db.Column(db.DateTime, default=datetime.utcnow, nullable=False)
updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow, nullable=False)

248
app/models/subscription_event.py
View File

@@ -1,248 +0,0 @@
"""Subscription event model for tracking Stripe webhooks and subscription changes"""
from datetime import datetime
from app import db
import json
class SubscriptionEvent(db.Model):
"""Model for tracking subscription events from Stripe webhooks.
This helps with auditing, debugging, and handling webhook delivery issues.
"""
__tablename__ = 'subscription_events'
__table_args__ = (
db.Index('idx_subscription_events_org', 'organization_id'),
db.Index('idx_subscription_events_type', 'event_type'),
db.Index('idx_subscription_events_created', 'created_at'),
)
id = db.Column(db.Integer, primary_key=True)
# Stripe event details
stripe_event_id = db.Column(db.String(100), unique=True, nullable=True, index=True) # Made nullable for manual events
event_type = db.Column(db.String(100), nullable=False) # e.g., 'customer.subscription.created'
event_id = db.Column(db.String(100), nullable=True) # For Stripe webhook event ID
# Organization reference
organization_id = db.Column(db.Integer, db.ForeignKey('organizations.id'), nullable=True, index=True)
# Event data
event_data = db.Column(db.Text, nullable=True) # JSON string of the full event
raw_payload = db.Column(db.Text, nullable=True) # Raw webhook payload
# Transaction details (for financial events)
stripe_customer_id = db.Column(db.String(100), nullable=True)
stripe_subscription_id = db.Column(db.String(100), nullable=True)
stripe_invoice_id = db.Column(db.String(100), nullable=True)
stripe_charge_id = db.Column(db.String(100), nullable=True)
stripe_refund_id = db.Column(db.String(100), nullable=True)
amount = db.Column(db.Numeric(10, 2), nullable=True)
currency = db.Column(db.String(3), nullable=True)
# Status tracking
status = db.Column(db.String(50), nullable=True) # Event-specific status
previous_status = db.Column(db.String(50), nullable=True)
quantity = db.Column(db.Integer, nullable=True) # For subscription quantity changes
previous_quantity = db.Column(db.Integer, nullable=True)
# Processing status
processed = db.Column(db.Boolean, default=False, nullable=False)
processed_at = db.Column(db.DateTime, nullable=True)
processing_error = db.Column(db.Text, nullable=True)
retry_count = db.Column(db.Integer, default=0, nullable=False)
notes = db.Column(db.Text, nullable=True) # Additional notes or context
# Timestamps
created_at = db.Column(db.DateTime, default=datetime.utcnow, nullable=False)
updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow, nullable=False)
# Relationships
organization = db.relationship('Organization', backref='subscription_events')
def __init__(self, event_type, stripe_event_id=None, organization_id=None, **kwargs):
"""Create a new subscription event.
Args:
event_type: Type of event (e.g., 'customer.subscription.updated')
stripe_event_id: Stripe's unique event ID (optional for manual events)
organization_id: Optional organization ID
**kwargs: Additional fields
"""
self.stripe_event_id = stripe_event_id
self.event_type = event_type
self.organization_id = organization_id
# Set additional fields from kwargs
for key, value in kwargs.items():
if hasattr(self, key):
# Convert dict to JSON string for text fields
if key in ('event_data', 'raw_payload') and isinstance(value, dict):
setattr(self, key, json.dumps(value))
else:
setattr(self, key, value)
if not hasattr(self, 'processed') or self.processed is None:
self.processed = False
if not hasattr(self, 'retry_count') or self.retry_count is None:
self.retry_count = 0
def __repr__(self):
return f'<SubscriptionEvent {self.stripe_event_id} type={self.event_type}>'
@property
def event_data_dict(self):
"""Get event data as a dictionary"""
if not self.event_data:
return {}
try:
return json.loads(self.event_data)
except (json.JSONDecodeError, TypeError):
return {}
def mark_as_processed(self, success=True, error_message=None):
"""Mark event as processed.
Args:
success: Whether processing was successful
error_message: Error message if processing failed
"""
self.processed = success
self.processed_at = datetime.utcnow()
if not success and error_message:
self.processing_error = error_message
self.retry_count += 1
db.session.commit()
def to_dict(self):
"""Convert event to dictionary for API responses"""
return {
'id': self.id,
'stripe_event_id': self.stripe_event_id,
'event_id': self.event_id,
'event_type': self.event_type,
'organization_id': self.organization_id,
'stripe_customer_id': self.stripe_customer_id,
'stripe_subscription_id': self.stripe_subscription_id,
'stripe_invoice_id': self.stripe_invoice_id,
'amount': float(self.amount) if self.amount else None,
'currency': self.currency,
'status': self.status,
'previous_status': self.previous_status,
'quantity': self.quantity,
'previous_quantity': self.previous_quantity,
'processed': self.processed,
'processed_at': self.processed_at.isoformat() if self.processed_at else None,
'processing_error': self.processing_error,
'retry_count': self.retry_count,
'notes': self.notes,
'created_at': self.created_at.isoformat() if self.created_at else None,
'updated_at': self.updated_at.isoformat() if self.updated_at else None,
}
@classmethod
def create_event(cls, event_type, stripe_event_id=None, event_data=None, organization_id=None, **kwargs):
"""Create a new subscription event.
Args:
event_type: Type of event
stripe_event_id: Stripe's unique event ID (optional)
event_data: Full event data
organization_id: Optional organization ID
**kwargs: Additional fields
Returns:
SubscriptionEvent: The created event
"""
event = cls(
event_type=event_type,
stripe_event_id=stripe_event_id,
event_data=event_data,
organization_id=organization_id,
**kwargs
)
db.session.add(event)
db.session.commit()
return event
@classmethod
def get_by_stripe_id(cls, stripe_event_id):
"""Get event by Stripe event ID.
Args:
stripe_event_id: Stripe's event ID
Returns:
SubscriptionEvent or None
"""
return cls.query.filter_by(stripe_event_id=stripe_event_id).first()
@classmethod
def get_unprocessed_events(cls, limit=100):
"""Get unprocessed events.
Args:
limit: Maximum number of events to return
Returns:
list: List of unprocessed events
"""
return cls.query.filter_by(processed=False).order_by(cls.created_at).limit(limit).all()
@classmethod
def get_failed_events(cls, max_retries=3):
"""Get events that failed processing and haven't exceeded retry limit.
Args:
max_retries: Maximum number of retries before giving up
Returns:
list: List of failed events eligible for retry
"""
return cls.query.filter(
cls.processed == False,
cls.processing_error.isnot(None),
cls.retry_count < max_retries
).order_by(cls.updated_at).all()
@classmethod
def get_organization_events(cls, organization_id, event_type=None, limit=50):
"""Get events for an organization.
Args:
organization_id: Organization ID
event_type: Optional filter by event type
limit: Maximum number of events to return
Returns:
list: List of events
"""
query = cls.query.filter_by(organization_id=organization_id)
if event_type:
query = query.filter_by(event_type=event_type)
return query.order_by(cls.created_at.desc()).limit(limit).all()
@classmethod
def cleanup_old_events(cls, days_old=90):
"""Delete old processed events.
Args:
days_old: Delete events older than this many days
Returns:
int: Number of events deleted
"""
from datetime import timedelta
cutoff_date = datetime.utcnow() - timedelta(days=days_old)
deleted = cls.query.filter(
cls.processed == True,
cls.created_at < cutoff_date
).delete()
db.session.commit()
return deleted

10
app/models/task.py
View File

@@ -6,14 +6,8 @@ class Task(db.Model):
"""Task model for breaking down projects into manageable components"""
__tablename__ = 'tasks'
__table_args__ = (
db.Index('idx_tasks_org_project', 'organization_id', 'project_id'),
db.Index('idx_tasks_org_status', 'organization_id', 'status'),
db.Index('idx_tasks_org_assigned', 'organization_id', 'assigned_to'),
)
id = db.Column(db.Integer, primary_key=True)
organization_id = db.Column(db.Integer, db.ForeignKey('organizations.id'), nullable=False, index=True)
project_id = db.Column(db.Integer, db.ForeignKey('projects.id'), nullable=False, index=True)
name = db.Column(db.String(200), nullable=False, index=True)
description = db.Column(db.Text, nullable=True)
@@ -29,16 +23,14 @@ class Task(db.Model):
completed_at = db.Column(db.DateTime, nullable=True)
# Relationships
organization = db.relationship('Organization', back_populates='tasks')
# project relationship is defined via backref in Project model
assigned_user = db.relationship('User', foreign_keys=[assigned_to], backref='assigned_tasks')
creator = db.relationship('User', foreign_keys=[created_by], backref='created_tasks')
time_entries = db.relationship('TimeEntry', backref='task', lazy='dynamic', cascade='all, delete-orphan')
# comments relationship is defined via backref in Comment model
def __init__(self, project_id, organization_id, name, description=None, priority='medium', estimated_hours=None,
def __init__(self, project_id, name, description=None, priority='medium', estimated_hours=None,
due_date=None, assigned_to=None, created_by=None):
self.organization_id = organization_id
self.project_id = project_id
self.name = name.strip()
self.description = description.strip() if description else None

4
app/models/task_activity.py
View File

@@ -7,7 +7,6 @@ class TaskActivity(db.Model):
__tablename__ = 'task_activities'
id = db.Column(db.Integer, primary_key=True)
organization_id = db.Column(db.Integer, db.ForeignKey('organizations.id'), nullable=False, index=True)
task_id = db.Column(db.Integer, db.ForeignKey('tasks.id'), nullable=False, index=True)
user_id = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=True, index=True)
event = db.Column(db.String(50), nullable=False, index=True)
@@ -17,8 +16,7 @@ class TaskActivity(db.Model):
task = db.relationship('Task', backref=db.backref('activities', lazy='dynamic', cascade='all, delete-orphan'))
user = db.relationship('User')
def __init__(self, task_id, organization_id, event, user_id=None, details=None):
self.organization_id = organization_id
def __init__(self, task_id, event, user_id=None, details=None):
self.task_id = task_id
self.user_id = user_id
self.event = event

10
app/models/time_entry.py
View File

@@ -14,14 +14,8 @@ class TimeEntry(db.Model):
"""Time entry model for manual and automatic time tracking"""
__tablename__ = 'time_entries'
__table_args__ = (
db.Index('idx_time_entries_org_user', 'organization_id', 'user_id'),
db.Index('idx_time_entries_org_project', 'organization_id', 'project_id'),
db.Index('idx_time_entries_org_dates', 'organization_id', 'start_time', 'end_time'),
)
id = db.Column(db.Integer, primary_key=True)
organization_id = db.Column(db.Integer, db.ForeignKey('organizations.id'), nullable=False, index=True)
user_id = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=False, index=True)
project_id = db.Column(db.Integer, db.ForeignKey('projects.id'), nullable=False, index=True)
task_id = db.Column(db.Integer, db.ForeignKey('tasks.id'), nullable=True, index=True)
@@ -36,12 +30,10 @@ class TimeEntry(db.Model):
updated_at = db.Column(db.DateTime, default=local_now, onupdate=local_now, nullable=False)
# Relationships
organization = db.relationship('Organization', back_populates='time_entries')
# user and project relationships are defined via backref in their respective models
# task relationship is defined via backref in Task model
def __init__(self, user_id, project_id, organization_id, start_time, end_time=None, task_id=None, notes=None, tags=None, source='manual', billable=True):
self.organization_id = organization_id
def __init__(self, user_id, project_id, start_time, end_time=None, task_id=None, notes=None, tags=None, source='manual', billable=True):
self.user_id = user_id
self.project_id = project_id
self.task_id = task_id

175
app/models/user.py
View File

@@ -13,32 +13,17 @@ class User(UserMixin, db.Model):
id = db.Column(db.Integer, primary_key=True)
username = db.Column(db.String(80), unique=True, nullable=False, index=True)
email = db.Column(db.String(200), unique=True, nullable=True, index=True)
password_hash = db.Column(db.String(255), nullable=True) # For local auth
email = db.Column(db.String(200), nullable=True, index=True)
full_name = db.Column(db.String(200), nullable=True)
role = db.Column(db.String(20), default='user', nullable=False) # 'user' or 'admin'
created_at = db.Column(db.DateTime, default=datetime.utcnow, nullable=False)
last_login = db.Column(db.DateTime, nullable=True)
is_active = db.Column(db.Boolean, default=True, nullable=False)
email_verified = db.Column(db.Boolean, default=False, nullable=False)
theme_preference = db.Column(db.String(10), default=None, nullable=True) # 'light' | 'dark' | None=system
preferred_language = db.Column(db.String(8), default=None, nullable=True) # e.g., 'en', 'de'
# OIDC authentication
oidc_sub = db.Column(db.String(255), nullable=True)
oidc_issuer = db.Column(db.String(255), nullable=True)
# 2FA fields
totp_secret = db.Column(db.String(32), nullable=True) # For TOTP 2FA
totp_enabled = db.Column(db.Boolean, default=False, nullable=False)
backup_codes = db.Column(db.Text, nullable=True) # JSON array of hashed backup codes
# Password policy fields
password_changed_at = db.Column(db.DateTime, nullable=True)
password_history = db.Column(db.Text, nullable=True) # JSON array of previous password hashes
failed_login_attempts = db.Column(db.Integer, default=0, nullable=False)
account_locked_until = db.Column(db.DateTime, nullable=True)
# Relationships
time_entries = db.relationship('TimeEntry', backref='user', lazy='dynamic', cascade='all, delete-orphan')
@@ -98,161 +83,6 @@ class User(UserMixin, db.Model):
self.last_login = datetime.utcnow()
db.session.commit()
def set_password(self, password, validate=True):
"""Set user password (hashed) with optional policy validation"""
if validate:
from app.utils.password_policy import PasswordPolicy
is_valid, error_msg = PasswordPolicy.validate_password(password, self)
if not is_valid:
raise ValueError(error_msg)
# Store old password in history before updating
if self.password_hash:
self._add_to_password_history(self.password_hash)
# Set new password
self.password_hash = generate_password_hash(password, method='pbkdf2:sha256')
self.password_changed_at = datetime.utcnow()
# Reset failed login attempts when password is changed
self.failed_login_attempts = 0
self.account_locked_until = None
def check_password(self, password):
"""Check if provided password matches the hash"""
# Check if account is locked
if self.is_account_locked():
return False
if not self.password_hash:
return False
is_valid = check_password_hash(self.password_hash, password)
if is_valid:
# Reset failed attempts on successful login
self.failed_login_attempts = 0
self.account_locked_until = None
else:
# Increment failed attempts
self.failed_login_attempts += 1
# Lock account after 5 failed attempts for 30 minutes
from datetime import timedelta
if self.failed_login_attempts >= 5:
self.account_locked_until = datetime.utcnow() + timedelta(minutes=30)
return is_valid
@property
def has_password(self):
"""Check if user has a password set (for local auth)"""
return self.password_hash is not None
def verify_totp(self, token):
"""Verify TOTP token for 2FA"""
if not self.totp_enabled or not self.totp_secret:
return False
import pyotp
totp = pyotp.TOTP(self.totp_secret)
return totp.verify(token, valid_window=1)
def verify_backup_code(self, code):
"""Verify and consume a backup code"""
if not self.backup_codes:
return False
import json
codes = json.loads(self.backup_codes)
code_hash = generate_password_hash(code)
for idx, stored_hash in enumerate(codes):
if check_password_hash(stored_hash, code):
# Remove the used code
codes.pop(idx)
self.backup_codes = json.dumps(codes)
db.session.commit()
return True
return False
def generate_backup_codes(self, count=10):
"""Generate new backup codes for 2FA"""
import secrets
import json
codes = []
hashed_codes = []
for _ in range(count):
code = '-'.join([secrets.token_hex(2) for _ in range(4)])
codes.append(code)
hashed_codes.append(generate_password_hash(code))
self.backup_codes = json.dumps(hashed_codes)
db.session.commit()
return codes # Return plain codes for user to save
def is_account_locked(self):
"""Check if account is currently locked due to failed login attempts"""
if not self.account_locked_until:
return False
if datetime.utcnow() < self.account_locked_until:
return True
# Lock has expired, clear it
self.account_locked_until = None
self.failed_login_attempts = 0
return False
def _add_to_password_history(self, password_hash):
"""Add a password hash to the user's password history"""
import json
from flask import current_app
history_count = current_app.config.get('PASSWORD_HISTORY_COUNT', 5)
if history_count == 0:
return
# Get existing history
history = []
if self.password_history:
try:
history = json.loads(self.password_history)
except Exception:
history = []
# Add new hash to history
history.append(password_hash)
# Keep only the most recent entries
history = history[-history_count:]
self.password_history = json.dumps(history)
def check_password_history(self, password):
"""Check if password was used recently"""
import json
if not self.password_history:
return False
try:
history = json.loads(self.password_history)
except Exception:
return False
# Check if password matches any in history
for old_hash in history:
if check_password_hash(old_hash, password):
return True
return False
def to_dict(self):
"""Convert user to dictionary for API responses"""
return {
@@ -265,8 +95,5 @@ class User(UserMixin, db.Model):
'created_at': self.created_at.isoformat() if self.created_at else None,
'last_login': self.last_login.isoformat() if self.last_login else None,
'is_active': self.is_active,
'email_verified': self.email_verified,
'totp_enabled': self.totp_enabled,
'has_password': self.has_password,
'total_hours': self.total_hours
}

489
app/routes/admin.py
View File

@@ -3,24 +3,15 @@ from flask_babel import gettext as _
from flask_login import login_required, current_user
from app import db, limiter
from app.models import User, Project, TimeEntry, Settings, Invoice
from app.models.organization import Organization
from app.models.membership import Membership
from app.models.subscription_event import SubscriptionEvent
from datetime import datetime
from sqlalchemy import text, func, desc
from sqlalchemy import text
import os
from werkzeug.utils import secure_filename
import uuid
from app.utils.db import safe_commit
from app.utils.backup import create_backup, restore_backup
from app.utils.stripe_service import stripe_service
import threading
import time
from app.utils.tenancy import (
get_current_organization_id,
scoped_query,
require_organization_access
)
admin_bp = Blueprint('admin', __name__)
@@ -56,37 +47,23 @@ def get_upload_folder():
@admin_bp.route('/admin')
@login_required
@admin_required
@require_organization_access()
def admin_dashboard():
"""Admin dashboard"""
org_id = get_current_organization_id()
# Get system statistics (scoped to organization)
total_users = User.query.count() # Users are global
# Get system statistics
total_users = User.query.count()
active_users = User.query.filter_by(is_active=True).count()
total_projects = scoped_query(Project).count()
active_projects = scoped_query(Project).filter_by(status='active').count()
total_entries = scoped_query(TimeEntry).filter(TimeEntry.end_time.isnot(None)).count()
active_timers = scoped_query(TimeEntry).filter_by(end_time=None).count()
total_projects = Project.query.count()
active_projects = Project.query.filter_by(status='active').count()
total_entries = TimeEntry.query.filter(TimeEntry.end_time.isnot(None)).count()
active_timers = TimeEntry.query.filter_by(end_time=None).count()
# Get recent activity (scoped to organization)
recent_entries = scoped_query(TimeEntry).filter(
# Get recent activity
recent_entries = TimeEntry.query.filter(
TimeEntry.end_time.isnot(None)
).order_by(
TimeEntry.created_at.desc()
).limit(10).all()
# Calculate hours (scoped to organization)
org_total_seconds = db.session.query(db.func.sum(TimeEntry.duration_seconds)).filter(
TimeEntry.organization_id == org_id,
TimeEntry.end_time.isnot(None)
).scalar() or 0
org_billable_seconds = db.session.query(db.func.sum(TimeEntry.duration_seconds)).filter(
TimeEntry.organization_id == org_id,
TimeEntry.end_time.isnot(None),
TimeEntry.billable == True
).scalar() or 0
# Build stats object expected by the template
stats = {
'total_users': total_users,
@@ -94,8 +71,8 @@ def admin_dashboard():
'total_projects': total_projects,
'active_projects': active_projects,
'total_entries': total_entries,
'total_hours': round(org_total_seconds / 3600, 2),
'billable_hours': round(org_billable_seconds / 3600, 2),
'total_hours': TimeEntry.get_total_hours_for_period(),
'billable_hours': TimeEntry.get_total_hours_for_period(billable_only=True),
'last_backup': None
}
@@ -713,414 +690,64 @@ def system_info():
active_timers=active_timers,
db_size_mb=db_size_mb)
# ========================================
# Customer Management (Organizations)
# ========================================
@admin_bp.route('/admin/customers')
@admin_bp.route('/license-status')
@login_required
@admin_required
def customers():
"""List all organizations (customers) with billing info"""
# Get all organizations with member counts and subscription info
organizations = Organization.query.order_by(Organization.created_at.desc()).all()
# Enrich with additional data
customer_data = []
for org in organizations:
# Get active member count
active_members = Membership.query.filter_by(
organization_id=org.id,
status='active'
).count()
# Get most recent activity (last login of any member)
last_activity = db.session.query(func.max(User.last_login)).join(
Membership, Membership.user_id == User.id
).filter(
Membership.organization_id == org.id,
Membership.status == 'active'
).scalar()
# Get invoice count
invoice_count = Invoice.query.filter_by(organization_id=org.id).count()
customer_data.append({
'organization': org,
'active_members': active_members,
'last_activity': last_activity,
'invoice_count': invoice_count,
})
return render_template(
'admin/customers.html',
customer_data=customer_data,
stripe_configured=stripe_service.is_configured()
)
@admin_bp.route('/admin/customers/<int:org_id>')
@login_required
@admin_required
def customer_detail(org_id):
"""View detailed information about a specific organization/customer"""
organization = Organization.query.get_or_404(org_id)
# Get members
memberships = Membership.query.filter_by(
organization_id=org_id
).join(User).order_by(Membership.created_at.desc()).all()
# Get subscription events
recent_events = SubscriptionEvent.get_organization_events(
organization_id=org_id,
limit=20
)
# Get Stripe data if configured
stripe_data = None
if stripe_service.is_configured() and organization.stripe_customer_id:
try:
stripe_data = {
'invoices': stripe_service.get_invoices(organization, limit=10),
'upcoming_invoice': stripe_service.get_upcoming_invoice(organization),
'payment_methods': stripe_service.get_payment_methods(organization),
'refunds': stripe_service.get_refunds(organization, limit=5),
}
except Exception as e:
current_app.logger.error(f"Error fetching Stripe data: {e}")
flash('Error loading Stripe data', 'warning')
return render_template(
'admin/customer_detail.html',
organization=organization,
memberships=memberships,
recent_events=recent_events,
stripe_data=stripe_data,
stripe_configured=stripe_service.is_configured()
)
@admin_bp.route('/admin/customers/<int:org_id>/subscription/quantity', methods=['POST'])
@login_required
@admin_required
@limiter.limit("10 per minute")
def update_subscription_quantity(org_id):
"""Update the subscription quantity (seats) for an organization"""
organization = Organization.query.get_or_404(org_id)
if not organization.stripe_subscription_id:
flash(_('Organization does not have an active subscription'), 'error')
return redirect(url_for('admin.customer_detail', org_id=org_id))
def license_status():
"""Show metrics server client status"""
try:
new_quantity = int(request.form.get('quantity', 1))
if new_quantity < 1:
flash(_('Quantity must be at least 1'), 'error')
return redirect(url_for('admin.customer_detail', org_id=org_id))
# Update via Stripe
result = stripe_service.update_subscription_quantity(organization, new_quantity)
flash(_(f'Subscription updated: {result["old_quantity"]}{result["new_quantity"]} seats'), 'success')
except Exception as e:
current_app.logger.error(f"Error updating subscription quantity: {e}")
flash(_(f'Error updating subscription: {str(e)}'), 'error')
return redirect(url_for('admin.customer_detail', org_id=org_id))
@admin_bp.route('/admin/customers/<int:org_id>/subscription/cancel', methods=['POST'])
@login_required
@admin_required
@limiter.limit("5 per minute")
def cancel_subscription(org_id):
"""Cancel a subscription"""
organization = Organization.query.get_or_404(org_id)
if not organization.stripe_subscription_id:
flash(_('Organization does not have an active subscription'), 'error')
return redirect(url_for('admin.customer_detail', org_id=org_id))
try:
at_period_end = request.form.get('at_period_end', 'true') == 'true'
result = stripe_service.cancel_subscription(organization, at_period_end=at_period_end)
if at_period_end:
flash(_(f'Subscription will cancel at period end: {result["ends_at"].strftime("%Y-%m-%d")}'), 'success')
from app.utils.license_server import get_license_client
client = get_license_client()
if client:
status = client.get_status()
settings = Settings.get_settings()
return render_template('admin/license_status.html', status=status, settings=settings)
else:
flash(_('Subscription cancelled immediately'), 'success')
flash('Metrics server client not initialized', 'warning')
return redirect(url_for('admin.admin_dashboard'))
except Exception as e:
current_app.logger.error(f"Error cancelling subscription: {e}")
flash(_(f'Error cancelling subscription: {str(e)}'), 'error')
return redirect(url_for('admin.customer_detail', org_id=org_id))
@admin_bp.route('/admin/customers/<int:org_id>/subscription/reactivate', methods=['POST'])
@login_required
@admin_required
@limiter.limit("5 per minute")
def reactivate_subscription(org_id):
"""Reactivate a subscription that was set to cancel"""
organization = Organization.query.get_or_404(org_id)
if not organization.stripe_subscription_id:
flash(_('Organization does not have an active subscription'), 'error')
return redirect(url_for('admin.customer_detail', org_id=org_id))
try:
result = stripe_service.reactivate_subscription(organization)
flash(_('Subscription reactivated successfully'), 'success')
except Exception as e:
current_app.logger.error(f"Error reactivating subscription: {e}")
flash(_(f'Error reactivating subscription: {str(e)}'), 'error')
return redirect(url_for('admin.customer_detail', org_id=org_id))
@admin_bp.route('/admin/customers/<int:org_id>/suspend', methods=['POST'])
@login_required
@admin_required
@limiter.limit("5 per minute")
def suspend_organization(org_id):
"""Suspend an organization"""
organization = Organization.query.get_or_404(org_id)
if organization.is_suspended:
flash(_('Organization is already suspended'), 'info')
return redirect(url_for('admin.customer_detail', org_id=org_id))
try:
reason = request.form.get('reason', 'Administrative action')
organization.suspend(reason=reason)
# Log event
SubscriptionEvent.create_event(
event_type='organization.suspended',
organization_id=organization.id,
notes=f'Suspended by admin: {reason}'
)
flash(_('Organization suspended successfully'), 'success')
except Exception as e:
current_app.logger.error(f"Error suspending organization: {e}")
flash(_(f'Error suspending organization: {str(e)}'), 'error')
return redirect(url_for('admin.customer_detail', org_id=org_id))
@admin_bp.route('/admin/customers/<int:org_id>/activate', methods=['POST'])
@login_required
@admin_required
@limiter.limit("5 per minute")
def activate_organization(org_id):
"""Activate/reactivate an organization"""
organization = Organization.query.get_or_404(org_id)
if organization.is_active:
flash(_('Organization is already active'), 'info')
return redirect(url_for('admin.customer_detail', org_id=org_id))
try:
organization.activate()
# Log event
SubscriptionEvent.create_event(
event_type='organization.activated',
organization_id=organization.id,
notes=f'Activated by admin: {current_user.username}'
)
flash(_('Organization activated successfully'), 'success')
except Exception as e:
current_app.logger.error(f"Error activating organization: {e}")
flash(_(f'Error activating organization: {str(e)}'), 'error')
return redirect(url_for('admin.customer_detail', org_id=org_id))
@admin_bp.route('/admin/customers/<int:org_id>/invoice/<invoice_id>/refund', methods=['POST'])
@login_required
@admin_required
@limiter.limit("3 per minute")
def create_refund(org_id, invoice_id):
"""Create a refund for an invoice"""
organization = Organization.query.get_or_404(org_id)
if not stripe_service.is_configured():
flash(_('Stripe is not configured'), 'error')
return redirect(url_for('admin.customer_detail', org_id=org_id))
try:
amount_str = request.form.get('amount')
reason = request.form.get('reason', 'requested_by_customer')
# Convert amount to cents if provided
amount_cents = None
if amount_str:
try:
amount_cents = int(float(amount_str) * 100)
except ValueError:
flash(_('Invalid amount'), 'error')
return redirect(url_for('admin.customer_detail', org_id=org_id))
result = stripe_service.create_refund(
organization=organization,
invoice_id=invoice_id,
amount=amount_cents,
reason=reason
)
flash(_(f'Refund created: {result["amount"]} {result["currency"]}'), 'success')
except Exception as e:
current_app.logger.error(f"Error creating refund: {e}")
flash(_(f'Error creating refund: {str(e)}'), 'error')
return redirect(url_for('admin.customer_detail', org_id=org_id))
# ========================================
# Billing Reconciliation
# ========================================
@admin_bp.route('/admin/billing/reconciliation')
@login_required
@admin_required
def billing_reconciliation():
"""View billing reconciliation - sync status between Stripe and local DB"""
if not stripe_service.is_configured():
flash(_('Stripe is not configured'), 'warning')
return redirect(url_for('admin.admin_dashboard'))
try:
sync_results = stripe_service.check_all_organizations_sync()
return render_template(
'admin/billing_reconciliation.html',
sync_results=sync_results
)
except Exception as e:
current_app.logger.error(f"Error checking sync status: {e}")
flash(_(f'Error checking sync status: {str(e)}'), 'error')
flash(f'Error getting metrics status: {e}', 'error')
return redirect(url_for('admin.admin_dashboard'))
@admin_bp.route('/admin/billing/reconciliation/<int:org_id>/sync', methods=['POST'])
@admin_bp.route('/license-test')
@login_required
@admin_required
@limiter.limit("10 per minute")
def sync_organization(org_id):
"""Manually sync an organization with Stripe"""
organization = Organization.query.get_or_404(org_id)
if not stripe_service.is_configured():
flash(_('Stripe is not configured'), 'error')
return redirect(url_for('admin.billing_reconciliation'))
def license_test():
"""Test metrics server communication"""
try:
result = stripe_service.sync_organization_with_stripe(organization)
if result.get('synced'):
if result.get('discrepancy_count', 0) > 0:
flash(_(f'Synced with {result["discrepancy_count"]} discrepancy(ies) found and corrected'), 'warning')
from app.utils.license_server import get_license_client, send_usage_event
client = get_license_client()
if client:
# Test server health
server_healthy = client.check_server_health()
# Test usage event
usage_sent = send_usage_event("admin_test", {"admin": current_user.username})
flash(f'Metrics Server: {"✓ Healthy" if server_healthy else "✗ Not Responding"}, Usage Event: {"✓ Sent" if usage_sent else "✗ Failed"}', 'info')
else:
flash('Metrics server client not initialized', 'warning')
except Exception as e:
flash(f'Error testing metrics server: {e}', 'error')
return redirect(url_for('admin.license_status'))
@admin_bp.route('/license-restart')
@login_required
@admin_required
def license_restart():
"""Restart the metrics server client"""
try:
from app.utils.license_server import get_license_client, start_license_client
client = get_license_client()
if client:
if start_license_client():
flash('Metrics server client restarted successfully', 'success')
else:
flash(_('Organization synced successfully - no discrepancies found'), 'success')
flash('Failed to restart metrics server client', 'error')
else:
flash(_(f'Sync failed: {result.get("error")}'), 'error')
flash('Metrics server client not initialized', 'warning')
except Exception as e:
current_app.logger.error(f"Error syncing organization: {e}")
flash(_(f'Error syncing organization: {str(e)}'), 'error')
flash(f'Error restarting metrics server client: {e}', 'error')
return redirect(url_for('admin.billing_reconciliation'))
# ========================================
# Webhook Logs
# ========================================
@admin_bp.route('/admin/webhooks')
@login_required
@admin_required
def webhook_logs():
"""View webhook event logs"""
page = request.args.get('page', 1, type=int)
per_page = 50
# Filter options
event_type = request.args.get('event_type')
org_id = request.args.get('org_id', type=int)
processed = request.args.get('processed')
# Build query
query = SubscriptionEvent.query
if event_type:
query = query.filter_by(event_type=event_type)
if org_id:
query = query.filter_by(organization_id=org_id)
if processed == 'true':
query = query.filter_by(processed=True)
elif processed == 'false':
query = query.filter_by(processed=False)
# Order by most recent first
query = query.order_by(desc(SubscriptionEvent.created_at))
# Paginate
pagination = query.paginate(page=page, per_page=per_page, error_out=False)
events = pagination.items
# Get unique event types for filter
event_types = db.session.query(
SubscriptionEvent.event_type
).distinct().order_by(SubscriptionEvent.event_type).all()
event_types = [et[0] for et in event_types]
# Get organizations for filter
organizations = Organization.query.order_by(Organization.name).all()
return render_template(
'admin/webhook_logs.html',
events=events,
pagination=pagination,
event_types=event_types,
organizations=organizations,
current_filters={
'event_type': event_type,
'org_id': org_id,
'processed': processed
}
)
@admin_bp.route('/admin/webhooks/<int:event_id>')
@login_required
@admin_required
def webhook_detail(event_id):
"""View detailed information about a webhook event"""
event = SubscriptionEvent.query.get_or_404(event_id)
return render_template(
'admin/webhook_detail.html',
event=event
)
@admin_bp.route('/admin/webhooks/<int:event_id>/reprocess', methods=['POST'])
@login_required
@admin_required
@limiter.limit("10 per minute")
def reprocess_webhook(event_id):
"""Reprocess a failed webhook event"""
event = SubscriptionEvent.query.get_or_404(event_id)
if event.processed and not event.processing_error:
flash(_('Event has already been processed successfully'), 'info')
return redirect(url_for('admin.webhook_logs'))
try:
# Mark as unprocessed and reset retry count
event.processed = False
event.processing_error = None
event.retry_count = 0
db.session.commit()
flash(_('Event queued for reprocessing'), 'success')
except Exception as e:
current_app.logger.error(f"Error queueing event for reprocessing: {e}")
flash(_(f'Error: {str(e)}'), 'error')
return redirect(url_for('admin.webhook_logs'))
return redirect(url_for('admin.license_status'))

37
app/routes/analytics.py
View File

@@ -5,17 +5,11 @@ from app.models import User, Project, TimeEntry, Settings, Task
from datetime import datetime, timedelta
from sqlalchemy import func, extract
import calendar
from app.utils.tenancy import (
get_current_organization_id,
scoped_query,
require_organization_access
)
analytics_bp = Blueprint('analytics', __name__)
@analytics_bp.route('/analytics')
@login_required
@require_organization_access()
def analytics_dashboard():
"""Main analytics dashboard with charts"""
# Check if user agent indicates mobile device
@@ -29,20 +23,17 @@ def analytics_dashboard():
@analytics_bp.route('/api/analytics/hours-by-day')
@login_required
@require_organization_access()
def hours_by_day():
"""Get hours worked per day for the last 30 days"""
org_id = get_current_organization_id()
days = int(request.args.get('days', 30))
end_date = datetime.now().date()
start_date = end_date - timedelta(days=days)
# Build query based on user permissions (scoped to organization)
# Build query based on user permissions
query = db.session.query(
func.date(TimeEntry.start_time).label('date'),
func.sum(TimeEntry.duration_seconds).label('total_seconds')
).filter(
TimeEntry.organization_id == org_id,
TimeEntry.end_time.isnot(None),
TimeEntry.start_time >= start_date,
TimeEntry.start_time <= end_date
@@ -79,10 +70,8 @@ def hours_by_day():
@analytics_bp.route('/api/analytics/hours-by-project')
@login_required
@require_organization_access()
def hours_by_project():
"""Get total hours per project"""
org_id = get_current_organization_id()
days = int(request.args.get('days', 30))
end_date = datetime.now().date()
start_date = end_date - timedelta(days=days)
@@ -91,8 +80,6 @@ def hours_by_project():
Project.name,
func.sum(TimeEntry.duration_seconds).label('total_seconds')
).join(TimeEntry).filter(
Project.organization_id == org_id,
TimeEntry.organization_id == org_id,
TimeEntry.end_time.isnot(None),
TimeEntry.start_time >= start_date,
TimeEntry.start_time <= end_date,
@@ -126,13 +113,11 @@ def hours_by_project():
@analytics_bp.route('/api/analytics/hours-by-user')
@login_required
@require_organization_access()
def hours_by_user():
"""Get total hours per user (admin only)"""
if not current_user.is_admin:
return jsonify({'error': 'Unauthorized'}), 403
org_id = get_current_organization_id()
days = int(request.args.get('days', 30))
end_date = datetime.now().date()
start_date = end_date - timedelta(days=days)
@@ -141,7 +126,6 @@ def hours_by_user():
User.username,
func.sum(TimeEntry.duration_seconds).label('total_seconds')
).join(TimeEntry).filter(
TimeEntry.organization_id == org_id,
TimeEntry.end_time.isnot(None),
TimeEntry.start_time >= start_date,
TimeEntry.start_time <= end_date,
@@ -164,10 +148,8 @@ def hours_by_user():
@analytics_bp.route('/api/analytics/hours-by-hour')
@login_required
@require_organization_access()
def hours_by_hour():
"""Get hours worked by hour of day (24-hour format)"""
org_id = get_current_organization_id()
days = int(request.args.get('days', 30))
end_date = datetime.now().date()
start_date = end_date - timedelta(days=days)
@@ -176,7 +158,6 @@ def hours_by_hour():
extract('hour', TimeEntry.start_time).label('hour'),
func.sum(TimeEntry.duration_seconds).label('total_seconds')
).filter(
TimeEntry.organization_id == org_id,
TimeEntry.end_time.isnot(None),
TimeEntry.start_time >= start_date,
TimeEntry.start_time <= end_date
@@ -208,10 +189,8 @@ def hours_by_hour():
@analytics_bp.route('/api/analytics/billable-vs-nonbillable')
@login_required
@require_organization_access()
def billable_vs_nonbillable():
"""Get billable vs non-billable hours breakdown"""
org_id = get_current_organization_id()
days = int(request.args.get('days', 30))
end_date = datetime.now().date()
start_date = end_date - timedelta(days=days)
@@ -220,7 +199,6 @@ def billable_vs_nonbillable():
TimeEntry.billable,
func.sum(TimeEntry.duration_seconds).label('total_seconds')
).filter(
TimeEntry.organization_id == org_id,
TimeEntry.end_time.isnot(None),
TimeEntry.start_time >= start_date,
TimeEntry.start_time <= end_date
@@ -254,10 +232,8 @@ def billable_vs_nonbillable():
@analytics_bp.route('/api/analytics/weekly-trends')
@login_required
@require_organization_access()
def weekly_trends():
"""Get weekly trends over the last 12 weeks"""
org_id = get_current_organization_id()
weeks = int(request.args.get('weeks', 12))
end_date = datetime.now().date()
start_date = end_date - timedelta(weeks=weeks)
@@ -266,7 +242,6 @@ def weekly_trends():
func.date_trunc('week', TimeEntry.start_time).label('week'),
func.sum(TimeEntry.duration_seconds).label('total_seconds')
).filter(
TimeEntry.organization_id == org_id,
TimeEntry.end_time.isnot(None),
TimeEntry.start_time >= start_date,
TimeEntry.start_time <= end_date
@@ -304,10 +279,8 @@ def weekly_trends():
@analytics_bp.route('/api/analytics/project-efficiency')
@login_required
@require_organization_access()
def project_efficiency():
"""Get project efficiency metrics (hours vs billable amount)"""
org_id = get_current_organization_id()
days = int(request.args.get('days', 30))
end_date = datetime.now().date()
start_date = end_date - timedelta(days=days)
@@ -317,8 +290,6 @@ def project_efficiency():
func.sum(TimeEntry.duration_seconds).label('total_seconds'),
Project.hourly_rate
).join(TimeEntry).filter(
Project.organization_id == org_id,
TimeEntry.organization_id == org_id,
TimeEntry.end_time.isnot(None),
TimeEntry.start_time >= start_date,
TimeEntry.start_time <= end_date,
@@ -361,7 +332,6 @@ def project_efficiency():
@analytics_bp.route('/api/analytics/today-by-task')
@login_required
@require_organization_access()
def today_by_task():
"""Get today's total hours grouped by task (includes project-level entries without task).
@@ -379,8 +349,7 @@ def today_by_task():
else:
target_date = datetime.now().date()
# Base query (scoped to organization)
org_id = get_current_organization_id()
# Base query
query = db.session.query(
TimeEntry.task_id,
Task.name.label('task_name'),
@@ -392,8 +361,6 @@ def today_by_task():
).outerjoin(
Task, Task.id == TimeEntry.task_id
).filter(
TimeEntry.organization_id == org_id,
Project.organization_id == org_id,
TimeEntry.end_time.isnot(None),
func.date(TimeEntry.start_time) == target_date
)

16
app/routes/api.py
View File

@@ -11,17 +11,11 @@ import json
import os
import uuid
from werkzeug.utils import secure_filename
from app.utils.tenancy import (
get_current_organization_id,
scoped_query,
require_organization_access
)
api_bp = Blueprint('api', __name__)
@api_bp.route('/api/timer/status')
@login_required
@require_organization_access()
def timer_status():
"""Get current timer status"""
active_timer = current_user.active_timer
@@ -47,10 +41,8 @@ def timer_status():
@api_bp.route('/api/search')
@login_required
@require_organization_access()
def search():
"""Global search endpoint for projects, tasks, clients, and time entries"""
org_id = get_current_organization_id()
query = request.args.get('q', '').strip()
limit = request.args.get('limit', 10, type=int)
@@ -60,9 +52,9 @@ def search():
results = []
search_pattern = f'%{query}%'
# Search projects (scoped to organization)
# Search projects
try:
projects = scoped_query(Project).filter(
projects = Project.query.filter(
Project.status == 'active',
or_(
Project.name.ilike(search_pattern),
@@ -83,9 +75,9 @@ def search():
except Exception as e:
current_app.logger.error(f"Error searching projects: {e}")
# Search tasks (scoped to organization)
# Search tasks
try:
tasks = scoped_query(Task).join(Project).filter(
tasks = Task.query.join(Project).filter(
Project.status == 'active',
or_(
Task.name.ilike(search_pattern),

39
app/routes/auth.py
View File

@@ -36,28 +36,25 @@ def login():
if request.method == 'POST':
try:
username = request.form.get('username', '').strip().lower()
password = request.form.get('password', '')
current_app.logger.info("POST /login (username=%s) from %s", username or '<empty>', request.headers.get('X-Forwarded-For') or request.remote_addr)
if not username:
flash(_('Username or email is required'), 'error')
flash(_('Username is required'), 'error')
return render_template('auth/login.html')
# Try to find user by username or email
user = User.query.filter(
db.or_(User.username == username, User.email == username)
).first()
current_app.logger.info("User lookup for '%s': %s", username, 'found' if user else 'not found')
# Normalize admin usernames from config
try:
admin_usernames = [u.strip().lower() for u in (Config.ADMIN_USERNAMES or [])]
except Exception:
admin_usernames = ['admin']
# Check if user exists
user = User.query.filter_by(username=username).first()
current_app.logger.info("User lookup for '%s': %s", username, 'found' if user else 'not found')
if not user:
# Check if self-registration is allowed (passwordless mode)
if Config.ALLOW_SELF_REGISTER and not password:
# Check if self-registration is allowed
if Config.ALLOW_SELF_REGISTER:
# Create new user, promote to admin if username is configured as admin
role = 'admin' if username in admin_usernames else 'user'
user = User(username=username, role=role)
@@ -69,19 +66,9 @@ def login():
current_app.logger.info("Created new user '%s'", username)
flash(_('Welcome! Your account has been created.'), 'success')
else:
flash(_('Invalid credentials'), 'error')
flash(_('User not found. Please contact an administrator.'), 'error')
return render_template('auth/login.html')
else:
# If user has password set, require password
if user.has_password:
if not password:
flash(_('Password is required'), 'error')
return render_template('auth/login.html')
if not user.check_password(password):
flash(_('Invalid credentials'), 'error')
return render_template('auth/login.html')
# If existing user matches admin usernames, ensure admin role
if username in admin_usernames and user.role != 'admin':
user.role = 'admin'
@@ -95,16 +82,8 @@ def login():
flash(_('Account is disabled. Please contact an administrator.'), 'error')
return render_template('auth/login.html')
# Check for 2FA
if user.totp_enabled:
# Store user info in session for 2FA verification
session['2fa_user_id'] = user.id
session['2fa_remember'] = request.form.get('remember') == 'on'
return redirect(url_for('auth_extended.verify_2fa', next=request.args.get('next')))
# Log in the user
remember_me = request.form.get('remember') == 'on'
login_user(user, remember=remember_me)
login_user(user, remember=True)
user.update_last_login()
current_app.logger.info("User '%s' logged in successfully", user.username)

792
app/routes/auth_extended.py
View File

@@ -1,792 +0,0 @@
"""Extended authentication routes for signup, password reset, 2FA, and invitations"""
from flask import Blueprint, render_template, request, redirect, url_for, flash, session, current_app, jsonify
from flask_login import login_user, logout_user, login_required, current_user
from app import db, limiter
from app.models import User, Organization, Membership, PasswordResetToken, EmailVerificationToken
from app.utils.db import safe_commit
from app.utils.email_service import email_service
from app.utils.jwt_utils import create_token_pair, refresh_access_token, revoke_refresh_token, revoke_all_user_tokens
from app.utils.totp import generate_totp_secret, get_totp_uri, generate_qr_code, verify_totp_token
from app.utils.permissions import get_current_user, organization_admin_required
from flask_babel import gettext as _
from datetime import datetime
auth_extended_bp = Blueprint('auth_extended', __name__)
# ============================================================================
# REGISTRATION / SIGNUP
# ============================================================================
@auth_extended_bp.route('/signup', methods=['GET', 'POST'])
@limiter.limit("5 per hour", methods=["POST"])
def signup():
"""User registration with email and password"""
if current_user.is_authenticated:
return redirect(url_for('main.dashboard'))
# Check if self-registration is allowed
if not current_app.config.get('ALLOW_SELF_REGISTER', True):
flash(_('Self-registration is disabled. Please contact an administrator.'), 'error')
return redirect(url_for('auth.login'))
if request.method == 'POST':
username = request.form.get('username', '').strip().lower()
email = request.form.get('email', '').strip().lower()
password = request.form.get('password', '')
password_confirm = request.form.get('password_confirm', '')
full_name = request.form.get('full_name', '').strip()
# Validation
errors = []
if not username or len(username) < 3:
errors.append(_('Username must be at least 3 characters'))
if not email or '@' not in email:
errors.append(_('Valid email is required'))
if not password or len(password) < 8:
errors.append(_('Password must be at least 8 characters'))
if password != password_confirm:
errors.append(_('Passwords do not match'))
# Check if username or email already exists
if User.query.filter_by(username=username).first():
errors.append(_('Username already taken'))
if User.query.filter_by(email=email).first():
errors.append(_('Email already registered'))
if errors:
for error in errors:
flash(error, 'error')
return render_template('auth/signup.html')
try:
# Create user
user = User(username=username, email=email, full_name=full_name)
# Try to set password - this will raise ValueError if password doesn't meet requirements
try:
user.set_password(password)
except ValueError as ve:
# Password validation failed - show the specific error
flash(str(ve), 'error')
return render_template('auth/signup.html')
user.is_active = True
user.email_verified = False
db.session.add(user)
db.session.flush() # Get user ID
# Create default organization for the user
org_name = f"{full_name or username}'s Organization"
organization = Organization(name=org_name, contact_email=email)
db.session.add(organization)
db.session.flush() # Get org ID
# Create membership with owner/admin role
membership = Membership(
user_id=user.id,
organization_id=organization.id,
role='admin',
status='active'
)
db.session.add(membership)
if not safe_commit('signup_user', {'username': username}):
raise RuntimeError('Failed to create user')
# Send email verification
if email_service.is_configured:
verification_token = EmailVerificationToken.create_token(user.id, email)
email_service.send_email_verification(user, verification_token)
flash(_('Account created! Please check your email to verify your address.'), 'success')
else:
# Auto-verify if email not configured
user.email_verified = True
db.session.commit()
flash(_('Account created successfully!'), 'success')
# Log the user in
login_user(user, remember=True)
return redirect(url_for('main.dashboard'))
except ValueError as ve:
# This catches password validation errors that weren't caught in the inner try
db.session.rollback()
current_app.logger.error(f'Signup password validation error: {ve}')
flash(str(ve), 'error')
return render_template('auth/signup.html')
except Exception as e:
db.session.rollback()
current_app.logger.exception(f'Signup error: {e}')
flash(_('An error occurred during signup. Please try again.'), 'error')
return render_template('auth/signup.html')
return render_template('auth/signup.html')
# ============================================================================
# PASSWORD RESET
# ============================================================================
@auth_extended_bp.route('/forgot-password', methods=['GET', 'POST'])
@limiter.limit("3 per hour", methods=["POST"])
def forgot_password():
"""Request password reset"""
if current_user.is_authenticated:
return redirect(url_for('main.dashboard'))
if request.method == 'POST':
email = request.form.get('email', '').strip().lower()
if not email:
flash(_('Email is required'), 'error')
return render_template('auth/forgot_password.html')
# Always show success message (don't reveal if email exists)
flash(_('If an account exists with that email, a password reset link has been sent.'), 'success')
# Find user and send reset email
user = User.query.filter_by(email=email).first()
if user and user.is_active and user.has_password:
try:
# Revoke any existing tokens for this user
PasswordResetToken.revoke_user_tokens(user.id)
# Create new reset token
ip_address = request.headers.get('X-Forwarded-For', request.remote_addr)
reset_token = PasswordResetToken.create_token(user.id, ip_address)
# Send email
if email_service.is_configured:
email_service.send_password_reset_email(user, reset_token)
current_app.logger.info(f'Password reset email sent to {email}')
else:
current_app.logger.warning(f'Email service not configured, cannot send reset to {email}')
except Exception as e:
current_app.logger.exception(f'Error sending password reset: {e}')
return redirect(url_for('auth.login'))
return render_template('auth/forgot_password.html')
@auth_extended_bp.route('/reset-password/<token>', methods=['GET', 'POST'])
@limiter.limit("5 per hour", methods=["POST"])
def reset_password(token):
"""Reset password with token"""
if current_user.is_authenticated:
return redirect(url_for('main.dashboard'))
# Validate token
reset_token = PasswordResetToken.get_valid_token(token)
if not reset_token:
flash(_('Invalid or expired password reset link'), 'error')
return redirect(url_for('auth_extended.forgot_password'))
if request.method == 'POST':
password = request.form.get('password', '')
password_confirm = request.form.get('password_confirm', '')
if not password or len(password) < 8:
flash(_('Password must be at least 8 characters'), 'error')
return render_template('auth/reset_password.html', token=token)
if password != password_confirm:
flash(_('Passwords do not match'), 'error')
return render_template('auth/reset_password.html', token=token)
try:
user = reset_token.user
user.set_password(password)
reset_token.mark_as_used()
# Revoke all existing sessions/tokens for security
revoke_all_user_tokens(user.id)
db.session.commit()
flash(_('Password reset successfully! Please log in.'), 'success')
return redirect(url_for('auth.login'))
except Exception as e:
db.session.rollback()
current_app.logger.exception(f'Password reset error: {e}')
flash(_('An error occurred. Please try again.'), 'error')
return render_template('auth/reset_password.html', token=token)
return render_template('auth/reset_password.html', token=token)
@auth_extended_bp.route('/verify-email/<token>')
def verify_email(token):
"""Verify email address"""
verification_token = EmailVerificationToken.get_valid_token(token)
if not verification_token:
flash(_('Invalid or expired verification link'), 'error')
return redirect(url_for('auth.login'))
try:
user = verification_token.user
user.email = verification_token.email
user.email_verified = True
verification_token.mark_as_verified()
db.session.commit()
flash(_('Email verified successfully!'), 'success')
if current_user.is_authenticated:
return redirect(url_for('auth.profile'))
else:
return redirect(url_for('auth.login'))
except Exception as e:
db.session.rollback()
current_app.logger.exception(f'Email verification error: {e}')
flash(_('An error occurred during verification.'), 'error')
return redirect(url_for('auth.login'))
# ============================================================================
# ACCOUNT SETTINGS
# ============================================================================
@auth_extended_bp.route('/settings', methods=['GET'])
@login_required
def settings():
"""User account settings page"""
from app.models import RefreshToken
# Get active sessions/devices
active_tokens = RefreshToken.get_user_tokens(current_user.id)
return render_template('auth/settings.html', active_tokens=active_tokens)
@auth_extended_bp.route('/settings/change-email', methods=['POST'])
@login_required
@limiter.limit("3 per hour")
def change_email():
"""Change user email address"""
new_email = request.form.get('new_email', '').strip().lower()
password = request.form.get('password', '')
if not new_email or '@' not in new_email:
flash(_('Valid email is required'), 'error')
return redirect(url_for('auth_extended.settings'))
if not current_user.check_password(password):
flash(_('Incorrect password'), 'error')
return redirect(url_for('auth_extended.settings'))
# Check if email already in use
if User.query.filter_by(email=new_email).first():
flash(_('Email already in use'), 'error')
return redirect(url_for('auth_extended.settings'))
try:
# Send verification email to new address
verification_token = EmailVerificationToken.create_token(current_user.id, new_email)
if email_service.is_configured:
email_service.send_email_verification(current_user, verification_token)
flash(_('Verification email sent to new address. Please check your email.'), 'success')
else:
# Auto-update if email not configured
current_user.email = new_email
current_user.email_verified = True
db.session.commit()
flash(_('Email updated successfully'), 'success')
return redirect(url_for('auth_extended.settings'))
except Exception as e:
db.session.rollback()
current_app.logger.exception(f'Email change error: {e}')
flash(_('An error occurred. Please try again.'), 'error')
return redirect(url_for('auth_extended.settings'))
@auth_extended_bp.route('/settings/change-password', methods=['POST'])
@login_required
@limiter.limit("5 per hour")
def change_password():
"""Change user password"""
current_password = request.form.get('current_password', '')
new_password = request.form.get('new_password', '')
confirm_password = request.form.get('confirm_password', '')
if not current_user.check_password(current_password):
flash(_('Current password is incorrect'), 'error')
return redirect(url_for('auth_extended.settings'))
if len(new_password) < 8:
flash(_('New password must be at least 8 characters'), 'error')
return redirect(url_for('auth_extended.settings'))
if new_password != confirm_password:
flash(_('New passwords do not match'), 'error')
return redirect(url_for('auth_extended.settings'))
try:
current_user.set_password(new_password)
# Revoke all other sessions for security
from app.models import RefreshToken
RefreshToken.revoke_user_tokens(current_user.id)
db.session.commit()
flash(_('Password changed successfully. Other sessions have been logged out.'), 'success')
return redirect(url_for('auth_extended.settings'))
except Exception as e:
db.session.rollback()
current_app.logger.exception(f'Password change error: {e}')
flash(_('An error occurred. Please try again.'), 'error')
return redirect(url_for('auth_extended.settings'))
# ============================================================================
# TWO-FACTOR AUTHENTICATION (2FA)
# ============================================================================
@auth_extended_bp.route('/settings/2fa/enable', methods=['GET', 'POST'])
@login_required
def enable_2fa():
"""Enable two-factor authentication"""
if current_user.totp_enabled:
flash(_('2FA is already enabled'), 'info')
return redirect(url_for('auth_extended.settings'))
if request.method == 'POST':
token = request.form.get('token', '').strip()
# Get secret from session
secret = session.get('totp_secret')
if not secret:
flash(_('2FA setup session expired. Please try again.'), 'error')
return redirect(url_for('auth_extended.enable_2fa'))
# Verify token
if not verify_totp_token(secret, token):
flash(_('Invalid verification code. Please try again.'), 'error')
return render_template('auth/enable_2fa.html',
secret=secret,
qr_code=session.get('totp_qr'))
try:
# Enable 2FA
current_user.totp_secret = secret
current_user.totp_enabled = True
# Generate backup codes
backup_codes = current_user.generate_backup_codes()
db.session.commit()
# Clear session
session.pop('totp_secret', None)
session.pop('totp_qr', None)
flash(_('2FA enabled successfully! Save your backup codes.'), 'success')
return render_template('auth/2fa_backup_codes.html', backup_codes=backup_codes)
except Exception as e:
db.session.rollback()
current_app.logger.exception(f'2FA enable error: {e}')
flash(_('An error occurred. Please try again.'), 'error')
return redirect(url_for('auth_extended.enable_2fa'))
# Generate new secret and QR code
secret = generate_totp_secret()
totp_uri = get_totp_uri(secret, current_user.email or current_user.username)
qr_code = generate_qr_code(totp_uri)
# Store in session temporarily
session['totp_secret'] = secret
session['totp_qr'] = qr_code
return render_template('auth/enable_2fa.html', secret=secret, qr_code=qr_code)
@auth_extended_bp.route('/settings/2fa/disable', methods=['POST'])
@login_required
def disable_2fa():
"""Disable two-factor authentication"""
password = request.form.get('password', '')
if not current_user.check_password(password):
flash(_('Incorrect password'), 'error')
return redirect(url_for('auth_extended.settings'))
try:
current_user.totp_enabled = False
current_user.totp_secret = None
current_user.backup_codes = None
db.session.commit()
flash(_('2FA disabled successfully'), 'success')
return redirect(url_for('auth_extended.settings'))
except Exception as e:
db.session.rollback()
current_app.logger.exception(f'2FA disable error: {e}')
flash(_('An error occurred. Please try again.'), 'error')
return redirect(url_for('auth_extended.settings'))
@auth_extended_bp.route('/2fa/verify', methods=['GET', 'POST'])
def verify_2fa():
"""Verify 2FA token during login"""
# Check if user is in 2FA pending state
user_id = session.get('2fa_user_id')
remember = session.get('2fa_remember', False)
if not user_id:
return redirect(url_for('auth.login'))
user = User.query.get(user_id)
if not user or not user.totp_enabled:
session.pop('2fa_user_id', None)
return redirect(url_for('auth.login'))
if request.method == 'POST':
token = request.form.get('token', '').strip()
use_backup = request.form.get('use_backup') == 'true'
verified = False
if use_backup:
verified = user.verify_backup_code(token)
if verified:
flash(_('Backup code used successfully'), 'info')
else:
verified = user.verify_totp(token)
if verified:
# Clear 2FA session data
session.pop('2fa_user_id', None)
session.pop('2fa_remember', None)
# Complete login
login_user(user, remember=remember)
user.update_last_login()
flash(_('Welcome back, %(username)s!', username=user.username), 'success')
next_page = request.args.get('next')
if not next_page or not next_page.startswith('/'):
next_page = url_for('main.dashboard')
return redirect(next_page)
else:
flash(_('Invalid verification code'), 'error')
return render_template('auth/verify_2fa.html')
return render_template('auth/verify_2fa.html')
# ============================================================================
# ORGANIZATION INVITATIONS
# ============================================================================
@auth_extended_bp.route('/invite', methods=['POST'])
@login_required
@organization_admin_required
@limiter.limit("10 per hour")
def send_invitation(organization):
"""Send organization invitation to user by email"""
email = request.form.get('email', '').strip().lower()
role = request.form.get('role', 'member')
if not email or '@' not in email:
flash(_('Valid email is required'), 'error')
return redirect(request.referrer or url_for('organizations.members', org_slug=organization.slug))
if role not in ['admin', 'member', 'viewer']:
role = 'member'
# Check if organization has reached user limit
if organization.has_reached_user_limit:
flash(_('Organization has reached its user limit'), 'error')
return redirect(request.referrer or url_for('organizations.members', org_slug=organization.slug))
try:
# Check if user already exists
existing_user = User.query.filter_by(email=email).first()
if existing_user:
# Check if already a member
if Membership.user_is_member(existing_user.id, organization.id):
flash(_('User is already a member of this organization'), 'info')
return redirect(request.referrer or url_for('organizations.members', org_slug=organization.slug))
# Create membership with invited status
membership = Membership(
user_id=existing_user.id,
organization_id=organization.id,
role=role,
status='invited',
invited_by=current_user.id
)
else:
# Create placeholder user for invitation
# Generate username from email
username = email.split('@')[0]
counter = 1
while User.query.filter_by(username=username).first():
username = f"{email.split('@')[0]}{counter}"
counter += 1
user = User(username=username, email=email)
user.is_active = False # Inactive until they accept
db.session.add(user)
db.session.flush()
membership = Membership(
user_id=user.id,
organization_id=organization.id,
role=role,
status='invited',
invited_by=current_user.id
)
db.session.add(membership)
db.session.commit()
# Send invitation email
if email_service.is_configured:
email_service.send_invitation_email(current_user, email, organization, membership)
flash(_('Invitation sent to %(email)s', email=email), 'success')
else:
flash(_('Invitation created but email service not configured'), 'warning')
return redirect(request.referrer or url_for('organizations.members', org_slug=organization.slug))
except Exception as e:
db.session.rollback()
current_app.logger.exception(f'Invitation error: {e}')
flash(_('An error occurred. Please try again.'), 'error')
return redirect(request.referrer or url_for('organizations.members', org_slug=organization.slug))
@auth_extended_bp.route('/accept-invitation/<token>', methods=['GET', 'POST'])
def accept_invitation(token):
"""Accept organization invitation"""
membership = Membership.get_by_invitation_token(token)
if not membership:
flash(_('Invalid or expired invitation'), 'error')
return redirect(url_for('auth.login'))
organization = membership.organization
inviter = membership.inviter
# If user is not active, they need to complete signup
if not membership.user.is_active:
if request.method == 'POST':
password = request.form.get('password', '')
password_confirm = request.form.get('password_confirm', '')
full_name = request.form.get('full_name', '').strip()
if len(password) < 8:
flash(_('Password must be at least 8 characters'), 'error')
return render_template('auth/accept_invitation.html',
organization=organization,
inviter=inviter,
token=token)
if password != password_confirm:
flash(_('Passwords do not match'), 'error')
return render_template('auth/accept_invitation.html',
organization=organization,
inviter=inviter,
token=token)
try:
# Activate user account
user = membership.user
user.set_password(password)
if full_name:
user.full_name = full_name
user.is_active = True
user.email_verified = True # Email verified through invitation
# Accept membership
membership.accept_invitation()
db.session.commit()
# Log them in
login_user(user, remember=True)
flash(_('Welcome to %(org)s!', org=organization.name), 'success')
return redirect(url_for('main.dashboard'))
except Exception as e:
db.session.rollback()
current_app.logger.exception(f'Accept invitation error: {e}')
flash(_('An error occurred. Please try again.'), 'error')
return render_template('auth/accept_invitation.html',
organization=organization,
inviter=inviter,
token=token)
return render_template('auth/accept_invitation.html',
organization=organization,
inviter=inviter,
token=token)
# Existing user - just accept the membership
try:
membership.accept_invitation()
db.session.commit()
if current_user.is_authenticated and current_user.id == membership.user_id:
flash(_('You joined %(org)s!', org=organization.name), 'success')
return redirect(url_for('main.dashboard'))
else:
flash(_('Please log in to access %(org)s', org=organization.name), 'info')
return redirect(url_for('auth.login'))
except Exception as e:
db.session.rollback()
current_app.logger.exception(f'Accept invitation error: {e}')
flash(_('An error occurred. Please try again.'), 'error')
return redirect(url_for('auth.login'))
# ============================================================================
# API ENDPOINTS (JWT)
# ============================================================================
@auth_extended_bp.route('/api/auth/token', methods=['POST'])
@limiter.limit("10 per minute")
def api_login():
"""API login endpoint - returns JWT tokens"""
data = request.get_json()
if not data:
return jsonify({'error': 'Invalid request'}), 400
username = data.get('username', '').strip().lower()
email = data.get('email', '').strip().lower()
password = data.get('password', '')
totp_token = data.get('totp_token', '').strip()
# Find user by username or email
user = None
if username:
user = User.query.filter_by(username=username).first()
elif email:
user = User.query.filter_by(email=email).first()
if not user or not user.check_password(password):
return jsonify({'error': 'Invalid credentials'}), 401
if not user.is_active:
return jsonify({'error': 'Account is disabled'}), 401
# Check 2FA if enabled
if user.totp_enabled:
if not totp_token:
return jsonify({'error': '2FA required', 'requires_2fa': True}), 401
if not user.verify_totp(totp_token):
return jsonify({'error': 'Invalid 2FA code'}), 401
# Generate tokens
ip_address = request.headers.get('X-Forwarded-For', request.remote_addr)
user_agent = request.headers.get('User-Agent')
device_name = data.get('device_name', 'API Client')
token_data = create_token_pair(
user_id=user.id,
device_name=device_name,
ip_address=ip_address,
user_agent=user_agent
)
user.update_last_login()
return jsonify({
'user': user.to_dict(),
**token_data
}), 200
@auth_extended_bp.route('/api/auth/refresh', methods=['POST'])
@limiter.limit("20 per minute")
def api_refresh():
"""Refresh access token using refresh token"""
data = request.get_json()
if not data or 'refresh_token' not in data:
return jsonify({'error': 'Refresh token required'}), 400
refresh_token = data.get('refresh_token')
access_token, new_refresh_token = refresh_access_token(refresh_token)
if not access_token:
return jsonify({'error': 'Invalid or expired refresh token'}), 401
return jsonify({
'access_token': access_token,
'refresh_token': new_refresh_token,
'token_type': 'Bearer',
'expires_in': 900
}), 200
@auth_extended_bp.route('/api/auth/logout', methods=['POST'])
def api_logout():
"""API logout - revoke refresh token"""
data = request.get_json()
if not data or 'refresh_token' not in data:
return jsonify({'error': 'Refresh token required'}), 400
refresh_token = data.get('refresh_token')
revoke_refresh_token(refresh_token)
return jsonify({'message': 'Logged out successfully'}), 200
@auth_extended_bp.route('/settings/sessions/<int:token_id>/revoke', methods=['POST'])
@login_required
def revoke_session(token_id):
"""Revoke a specific session/device"""
from app.models import RefreshToken
token = RefreshToken.query.get(token_id)
if not token or token.user_id != current_user.id:
flash(_('Session not found'), 'error')
return redirect(url_for('auth_extended.settings'))
try:
token.revoke()
flash(_('Session revoked successfully'), 'success')
except Exception as e:
current_app.logger.exception(f'Session revoke error: {e}')
flash(_('An error occurred'), 'error')
return redirect(url_for('auth_extended.settings'))

593
app/routes/billing.py
View File

@@ -1,593 +0,0 @@
"""
Billing Routes
Handles Stripe webhooks, checkout flows, and billing management.
"""
from flask import Blueprint, request, jsonify, render_template, redirect, url_for, flash, current_app
from flask_login import login_required, current_user
from datetime import datetime
import stripe
import json
from app import db
from app.models.organization import Organization
from app.models.subscription_event import SubscriptionEvent
from app.models.membership import Membership
from app.utils.stripe_service import stripe_service
from app.utils.email_service import email_service
from app.utils.provisioning_service import provisioning_service
bp = Blueprint('billing', __name__, url_prefix='/billing')
# ========================================
# Stripe Webhook Handlers
# ========================================
@bp.route('/webhooks/stripe', methods=['POST'])
def stripe_webhook():
"""Handle Stripe webhook events.
This endpoint processes webhook events from Stripe and updates
the database accordingly. It handles subscription lifecycle events,
payment events, and more.
"""
payload = request.data
sig_header = request.headers.get('Stripe-Signature')
try:
# Verify webhook signature
event = stripe_service.construct_webhook_event(payload, sig_header)
except ValueError as e:
current_app.logger.error(f"Invalid webhook payload: {e}")
return jsonify({'error': 'Invalid payload'}), 400
except stripe.error.SignatureVerificationError as e:
current_app.logger.error(f"Invalid webhook signature: {e}")
return jsonify({'error': 'Invalid signature'}), 400
# Log the event
current_app.logger.info(f"Received Stripe webhook: {event.type}")
# Route to appropriate handler
handlers = {
'invoice.paid': handle_invoice_paid,
'invoice.payment_failed': handle_invoice_payment_failed,
'invoice.payment_action_required': handle_invoice_payment_action_required,
'customer.subscription.created': handle_subscription_created,
'customer.subscription.updated': handle_subscription_updated,
'customer.subscription.deleted': handle_subscription_deleted,
'customer.subscription.trial_will_end': handle_subscription_trial_will_end,
}
handler = handlers.get(event.type)
if handler:
try:
handler(event)
except Exception as e:
current_app.logger.error(f"Error processing webhook {event.type}: {e}", exc_info=True)
return jsonify({'error': 'Processing failed'}), 500
else:
current_app.logger.info(f"Unhandled webhook event type: {event.type}")
return jsonify({'status': 'success'}), 200
def handle_invoice_paid(event):
"""Handle invoice.paid webhook event.
This is triggered when an invoice is successfully paid.
We activate the subscription and provision the tenant.
"""
invoice = event.data.object
customer_id = invoice.customer
subscription_id = invoice.subscription
# Find organization by customer ID
organization = Organization.query.filter_by(stripe_customer_id=customer_id).first()
if not organization:
current_app.logger.warning(f"Organization not found for customer {customer_id}")
return
# Clear any billing issues
organization.update_billing_issue(has_issue=False)
organization.stripe_subscription_status = 'active'
# Update next billing date
if invoice.period_end:
organization.next_billing_date = datetime.fromtimestamp(invoice.period_end)
# Activate organization if it was suspended
if organization.status == 'suspended':
organization.activate()
db.session.commit()
# Log event
subscription_event = SubscriptionEvent(
organization_id=organization.id,
event_type='invoice.paid',
event_id=event.id,
stripe_customer_id=customer_id,
stripe_subscription_id=subscription_id,
stripe_invoice_id=invoice.id,
amount=invoice.amount_paid / 100,
currency=invoice.currency.upper(),
status='paid',
processed=True,
processed_at=datetime.utcnow(),
raw_payload=json.dumps(event.to_dict())
)
db.session.add(subscription_event)
db.session.commit()
# AUTOMATED PROVISIONING: If this is the first payment, provision the organization
# Check if organization needs provisioning (doesn't have any projects yet)
if organization.projects.count() == 0:
current_app.logger.info(f"First payment detected for {organization.name}, triggering provisioning")
# Find admin user (first member with admin role)
admin_membership = organization.memberships.filter_by(role='admin', status='active').first()
admin_user = admin_membership.user if admin_membership else None
# Trigger provisioning
try:
provisioning_result = provisioning_service.provision_organization(
organization=organization,
admin_user=admin_user,
trigger='payment'
)
if provisioning_result.get('success'):
current_app.logger.info(f"Successfully provisioned {organization.name}: {provisioning_result}")
else:
current_app.logger.error(f"Provisioning failed for {organization.name}: {provisioning_result.get('errors')}")
except Exception as e:
current_app.logger.error(f"Error during provisioning for {organization.name}: {e}", exc_info=True)
current_app.logger.info(f"Invoice paid for organization {organization.name} ({organization.id})")
def handle_invoice_payment_failed(event):
"""Handle invoice.payment_failed webhook event.
This is triggered when a payment attempt fails.
We mark the billing issue and start the dunning sequence.
"""
invoice = event.data.object
customer_id = invoice.customer
subscription_id = invoice.subscription
# Find organization
organization = Organization.query.filter_by(stripe_customer_id=customer_id).first()
if not organization:
current_app.logger.warning(f"Organization not found for customer {customer_id}")
return
# Mark billing issue
organization.update_billing_issue(has_issue=True)
organization.stripe_subscription_status = 'past_due'
db.session.commit()
# Log event
SubscriptionEvent(
organization_id=organization.id,
event_type='invoice.payment_failed',
event_id=event.id,
stripe_customer_id=customer_id,
stripe_subscription_id=subscription_id,
stripe_invoice_id=invoice.id,
amount=invoice.amount_due / 100,
currency=invoice.currency.upper(),
status='payment_failed',
processed=True,
processed_at=datetime.utcnow(),
raw_payload=json.dumps(event.to_dict()),
notes=f"Payment failed. Attempt count: {invoice.attempt_count}"
).mark_processed(success=True)
# Send notification email to admins
_send_payment_failed_notification(organization, invoice)
current_app.logger.warning(f"Payment failed for organization {organization.name} ({organization.id})")
def handle_invoice_payment_action_required(event):
"""Handle invoice.payment_action_required webhook event.
This is triggered when additional authentication is required (e.g., 3D Secure).
"""
invoice = event.data.object
customer_id = invoice.customer
# Find organization
organization = Organization.query.filter_by(stripe_customer_id=customer_id).first()
if not organization:
return
# Log event
SubscriptionEvent(
organization_id=organization.id,
event_type='invoice.payment_action_required',
event_id=event.id,
stripe_customer_id=customer_id,
stripe_subscription_id=invoice.subscription,
stripe_invoice_id=invoice.id,
processed=True,
processed_at=datetime.utcnow(),
raw_payload=json.dumps(event.to_dict()),
notes="Payment requires additional authentication"
).mark_processed(success=True)
# Send notification to admins
_send_action_required_notification(organization, invoice)
def handle_subscription_created(event):
"""Handle customer.subscription.created webhook event."""
subscription = event.data.object
customer_id = subscription.customer
# Find organization
organization = Organization.query.filter_by(stripe_customer_id=customer_id).first()
if not organization:
return
# Update organization
stripe_service._update_organization_from_subscription(organization, subscription)
# Log event
SubscriptionEvent(
organization_id=organization.id,
event_type='customer.subscription.created',
event_id=event.id,
stripe_customer_id=customer_id,
stripe_subscription_id=subscription.id,
status=subscription.status,
quantity=subscription.items.data[0].quantity if subscription.items.data else 1,
processed=True,
processed_at=datetime.utcnow(),
raw_payload=json.dumps(event.to_dict())
).mark_processed(success=True)
def handle_subscription_updated(event):
"""Handle customer.subscription.updated webhook event.
This handles seat changes, status updates, and proration.
"""
subscription = event.data.object
customer_id = subscription.customer
# Find organization
organization = Organization.query.filter_by(stripe_customer_id=customer_id).first()
if not organization:
return
# Get previous values
previous_status = organization.stripe_subscription_status
previous_quantity = organization.subscription_quantity
# Update organization
stripe_service._update_organization_from_subscription(organization, subscription)
# Log event
new_quantity = subscription.items.data[0].quantity if subscription.items.data else 1
SubscriptionEvent(
organization_id=organization.id,
event_type='customer.subscription.updated',
event_id=event.id,
stripe_customer_id=customer_id,
stripe_subscription_id=subscription.id,
status=subscription.status,
previous_status=previous_status,
quantity=new_quantity,
previous_quantity=previous_quantity,
processed=True,
processed_at=datetime.utcnow(),
raw_payload=json.dumps(event.to_dict()),
notes=f"Status: {previous_status}{subscription.status}, Seats: {previous_quantity}{new_quantity}"
).mark_processed(success=True)
current_app.logger.info(f"Subscription updated for organization {organization.name}")
def handle_subscription_deleted(event):
"""Handle customer.subscription.deleted webhook event.
This is triggered when a subscription is cancelled or expires.
We disable or downgrade the account.
"""
subscription = event.data.object
customer_id = subscription.customer
# Find organization
organization = Organization.query.filter_by(stripe_customer_id=customer_id).first()
if not organization:
return
# Update organization status
organization.stripe_subscription_status = 'canceled'
organization.subscription_ends_at = datetime.utcnow()
organization.status = 'suspended' # Suspend the organization
organization.subscription_plan = 'free' # Downgrade to free
db.session.commit()
# Log event
SubscriptionEvent(
organization_id=organization.id,
event_type='customer.subscription.deleted',
event_id=event.id,
stripe_customer_id=customer_id,
stripe_subscription_id=subscription.id,
status='canceled',
processed=True,
processed_at=datetime.utcnow(),
raw_payload=json.dumps(event.to_dict()),
notes="Subscription deleted - organization suspended"
).mark_processed(success=True)
# Send notification
_send_subscription_cancelled_notification(organization)
current_app.logger.warning(f"Subscription deleted for organization {organization.name} ({organization.id})")
def handle_subscription_trial_will_end(event):
"""Handle customer.subscription.trial_will_end webhook event.
This is triggered 3 days before a trial ends.
"""
subscription = event.data.object
customer_id = subscription.customer
# Find organization
organization = Organization.query.filter_by(stripe_customer_id=customer_id).first()
if not organization:
return
# Log event
SubscriptionEvent(
organization_id=organization.id,
event_type='customer.subscription.trial_will_end',
event_id=event.id,
stripe_customer_id=customer_id,
stripe_subscription_id=subscription.id,
processed=True,
processed_at=datetime.utcnow(),
raw_payload=json.dumps(event.to_dict()),
notes=f"Trial ending soon - {organization.trial_days_remaining} days remaining"
).mark_processed(success=True)
# Send reminder email
_send_trial_ending_notification(organization)
# ========================================
# Billing Management Views
# ========================================
@bp.route('/')
@login_required
def index():
"""Billing dashboard - view subscription, invoices, and payment methods."""
# Get current organization (you'll need to implement organization context)
# For now, we'll assume you have a way to get the current organization
organization = _get_current_organization()
if not organization:
flash('No organization found', 'error')
return redirect(url_for('main.dashboard'))
# Check if user is admin
if not Membership.user_is_admin(current_user.id, organization.id):
flash('Only admins can access billing settings', 'error')
return redirect(url_for('main.dashboard'))
# Get billing data
subscription_data = None
invoices = []
upcoming_invoice = None
payment_methods = []
if stripe_service.is_configured() and organization.stripe_customer_id:
try:
invoices = stripe_service.get_invoices(organization, limit=10)
upcoming_invoice = stripe_service.get_upcoming_invoice(organization)
payment_methods = stripe_service.get_payment_methods(organization)
except Exception as e:
current_app.logger.error(f"Error fetching billing data: {e}")
flash('Error loading billing data', 'error')
return render_template(
'billing/index.html',
organization=organization,
invoices=invoices,
upcoming_invoice=upcoming_invoice,
payment_methods=payment_methods,
stripe_publishable_key=current_app.config.get('STRIPE_PUBLISHABLE_KEY')
)
@bp.route('/subscribe/<plan>')
@login_required
def subscribe(plan):
"""Start subscription checkout flow."""
organization = _get_current_organization()
if not organization:
flash('No organization found', 'error')
return redirect(url_for('main.dashboard'))
# Check if user is admin
if not Membership.user_is_admin(current_user.id, organization.id):
flash('Only admins can manage subscriptions', 'error')
return redirect(url_for('main.dashboard'))
# Determine price ID and quantity
if plan == 'single':
price_id = current_app.config.get('STRIPE_SINGLE_USER_PRICE_ID')
quantity = 1
elif plan == 'team':
price_id = current_app.config.get('STRIPE_TEAM_PRICE_ID')
# Calculate current active users
quantity = organization.member_count or 1
else:
flash('Invalid subscription plan', 'error')
return redirect(url_for('billing.index'))
# Create checkout session
try:
session_data = stripe_service.create_checkout_session(
organization=organization,
price_id=price_id,
quantity=quantity,
success_url=url_for('billing.success', _external=True) + '?session_id={CHECKOUT_SESSION_ID}',
cancel_url=url_for('billing.index', _external=True)
)
return redirect(session_data['url'])
except Exception as e:
current_app.logger.error(f"Error creating checkout session: {e}")
flash('Error starting checkout process', 'error')
return redirect(url_for('billing.index'))
@bp.route('/success')
@login_required
def success():
"""Subscription checkout success page."""
session_id = request.args.get('session_id')
flash('Subscription activated successfully!', 'success')
return redirect(url_for('billing.index'))
@bp.route('/portal')
@login_required
def portal():
"""Redirect to Stripe Customer Portal for managing subscription."""
organization = _get_current_organization()
if not organization:
flash('No organization found', 'error')
return redirect(url_for('main.dashboard'))
# Check if user is admin
if not Membership.user_is_admin(current_user.id, organization.id):
flash('Only admins can access billing portal', 'error')
return redirect(url_for('main.dashboard'))
try:
portal_session = stripe_service.create_billing_portal_session(
organization=organization,
return_url=url_for('billing.index', _external=True)
)
return redirect(portal_session['url'])
except Exception as e:
current_app.logger.error(f"Error creating portal session: {e}")
flash('Error accessing billing portal', 'error')
return redirect(url_for('billing.index'))
# ========================================
# Helper Functions
# ========================================
def _get_current_organization():
"""Get the current user's organization.
This is a placeholder - you'll need to implement proper organization
context management based on your application's structure.
"""
# Get the user's active memberships
memberships = Membership.get_user_active_memberships(current_user.id)
if not memberships:
return None
# Return the first organization (you might want to implement org switching)
return memberships[0].organization
def _send_payment_failed_notification(organization, invoice):
"""Send payment failed notification to organization admins."""
admins = organization.get_admins()
for membership in admins:
if membership.user.email:
try:
# TODO: Implement template-based email for payment failures
# email_service.send_email(
# to_email=membership.user.email,
# subject=f"Payment Failed - {organization.name}",
# body_text=f"Your payment for {organization.name} has failed. Please update your payment method.",
# body_html=None
# )
pass
except Exception as e:
current_app.logger.error(f"Failed to send payment notification: {e}")
# Update last email sent timestamp
organization.last_billing_email_sent_at = datetime.utcnow()
db.session.commit()
def _send_action_required_notification(organization, invoice):
"""Send payment action required notification."""
admins = organization.get_admins()
for membership in admins:
if membership.user.email:
try:
# TODO: Implement template-based email for action required
# email_service.send_email(
# to_email=membership.user.email,
# subject=f"Payment Action Required - {organization.name}",
# body_text=f"Action required for your {organization.name} subscription.",
# body_html=None
# )
pass
except Exception as e:
current_app.logger.error(f"Failed to send action required notification: {e}")
def _send_subscription_cancelled_notification(organization):
"""Send subscription cancelled notification."""
admins = organization.get_admins()
for membership in admins:
if membership.user.email:
try:
# TODO: Implement template-based email for subscription cancelled
# email_service.send_email(
# to_email=membership.user.email,
# subject=f"Subscription Cancelled - {organization.name}",
# body_text=f"Your subscription for {organization.name} has been cancelled.",
# body_html=None
# )
pass
except Exception as e:
current_app.logger.error(f"Failed to send cancellation notification: {e}")
def _send_trial_ending_notification(organization):
"""Send trial ending soon notification."""
admins = organization.get_admins()
for membership in admins:
if membership.user.email:
try:
# TODO: Implement template-based email for trial ending
# email_service.send_email(
# to_email=membership.user.email,
# subject=f"Your Trial is Ending Soon - {organization.name}",
# body_text=f"Your trial for {organization.name} ends in {organization.trial_days_remaining} days.",
# body_html=None
# )
pass
except Exception as e:
current_app.logger.error(f"Failed to send trial ending notification: {e}")

59
app/routes/clients.py
View File

@@ -6,23 +6,17 @@ from app.models import Client, Project
from datetime import datetime
from decimal import Decimal
from app.utils.db import safe_commit
from app.utils.tenancy import (
get_current_organization_id,
scoped_query,
require_organization_access
)
clients_bp = Blueprint('clients', __name__)
@clients_bp.route('/clients')
@login_required
@require_organization_access()
def list_clients():
"""List all clients"""
status = request.args.get('status', 'active')
search = request.args.get('search', '').strip()
query = scoped_query(Client)
query = Client.query
if status == 'active':
query = query.filter_by(status='active')
elif status == 'inactive':
@@ -45,15 +39,12 @@ def list_clients():
@clients_bp.route('/clients/create', methods=['GET', 'POST'])
@login_required
@require_organization_access()
def create_client():
"""Create a new client"""
if not current_user.is_admin:
flash(_('Only administrators can create clients'), 'error')
return redirect(url_for('clients.list_clients'))
org_id = get_current_organization_id()
if request.method == 'POST':
name = request.form.get('name', '').strip()
description = request.form.get('description', '').strip()
@@ -64,11 +55,10 @@ def create_client():
default_hourly_rate = request.form.get('default_hourly_rate', '').strip()
try:
current_app.logger.info(
"POST /clients/create user=%s name=%s email=%s org_id=%s",
"POST /clients/create user=%s name=%s email=%s",
current_user.username,
name or '<empty>',
email or '<empty>',
org_id
email or '<empty>'
)
except Exception:
pass
@@ -82,11 +72,11 @@ def create_client():
pass
return render_template('clients/create.html')
# Check if client name already exists (within organization)
if scoped_query(Client).filter_by(name=name).first():
flash('A client with this name already exists in your organization', 'error')
# Check if client name already exists
if Client.query.filter_by(name=name).first():
flash('A client with this name already exists', 'error')
try:
current_app.logger.warning("Validation failed: duplicate client name '%s' in org %s", name, org_id)
current_app.logger.warning("Validation failed: duplicate client name '%s'", name)
except Exception:
pass
return render_template('clients/create.html')
@@ -102,10 +92,9 @@ def create_client():
pass
return render_template('clients/create.html')
# Create client with organization_id
# Create client
client = Client(
name=name,
organization_id=org_id,
description=description,
contact_person=contact_person,
email=email,
@@ -126,26 +115,24 @@ def create_client():
@clients_bp.route('/clients/<int:client_id>')
@login_required
@require_organization_access()
def view_client(client_id):
"""View client details and projects"""
client = scoped_query(Client).filter_by(id=client_id).first_or_404()
client = Client.query.get_or_404(client_id)
# Get projects for this client (scoped to organization)
projects = scoped_query(Project).filter_by(client_id=client.id).order_by(Project.name).all()
# Get projects for this client
projects = Project.query.filter_by(client_id=client.id).order_by(Project.name).all()
return render_template('clients/view.html', client=client, projects=projects)
@clients_bp.route('/clients/<int:client_id>/edit', methods=['GET', 'POST'])
@login_required
@require_organization_access()
def edit_client(client_id):
"""Edit client details"""
if not current_user.is_admin:
flash('Only administrators can edit clients', 'error')
return redirect(url_for('clients.view_client', client_id=client_id))
client = scoped_query(Client).filter_by(id=client_id).first_or_404()
client = Client.query.get_or_404(client_id)
if request.method == 'POST':
name = request.form.get('name', '').strip()
@@ -161,10 +148,10 @@ def edit_client(client_id):
flash('Client name is required', 'error')
return render_template('clients/edit.html', client=client)
# Check if client name already exists (excluding current client, within organization)
existing = scoped_query(Client).filter_by(name=name).first()
# Check if client name already exists (excluding current client)
existing = Client.query.filter_by(name=name).first()
if existing and existing.id != client.id:
flash('A client with this name already exists in your organization', 'error')
flash('A client with this name already exists', 'error')
return render_template('clients/edit.html', client=client)
# Validate hourly rate
@@ -195,14 +182,13 @@ def edit_client(client_id):
@clients_bp.route('/clients/<int:client_id>/archive', methods=['POST'])
@login_required
@require_organization_access()
def archive_client(client_id):
"""Archive a client"""
if not current_user.is_admin:
flash('Only administrators can archive clients', 'error')
return redirect(url_for('clients.view_client', client_id=client_id))
client = scoped_query(Client).filter_by(id=client_id).first_or_404()
client = Client.query.get_or_404(client_id)
if client.status == 'inactive':
flash('Client is already inactive', 'info')
@@ -214,14 +200,13 @@ def archive_client(client_id):
@clients_bp.route('/clients/<int:client_id>/activate', methods=['POST'])
@login_required
@require_organization_access()
def activate_client(client_id):
"""Activate a client"""
if not current_user.is_admin:
flash('Only administrators can activate clients', 'error')
return redirect(url_for('clients.view_client', client_id=client_id))
client = scoped_query(Client).filter_by(id=client_id).first_or_404()
client = Client.query.get_or_404(client_id)
if client.status == 'active':
flash('Client is already active', 'info')
@@ -233,10 +218,13 @@ def activate_client(client_id):
@clients_bp.route('/clients/<int:client_id>/delete', methods=['POST'])
@login_required
@require_organization_access(admin_only=True)
def delete_client(client_id):
"""Delete a client (only if no projects exist)"""
client = scoped_query(Client).filter_by(id=client_id).first_or_404()
if not current_user.is_admin:
flash('Only administrators can delete clients', 'error')
return redirect(url_for('clients.view_client', client_id=client_id))
client = Client.query.get_or_404(client_id)
# Check if client has projects
if client.projects.count() > 0:
@@ -254,8 +242,7 @@ def delete_client(client_id):
@clients_bp.route('/api/clients')
@login_required
@require_organization_access()
def api_clients():
"""API endpoint to get clients for dropdowns"""
clients = scoped_query(Client).filter_by(status='active').order_by(Client.name).all()
clients = Client.get_active_clients()
return {'clients': [{'id': c.id, 'name': c.name, 'default_rate': float(c.default_hourly_rate) if c.default_hourly_rate else None} for c in clients]}

49
app/routes/comments.py
View File

@@ -4,21 +4,14 @@ from flask_login import login_required, current_user
from app import db
from app.models import Comment, Project, Task
from app.utils.db import safe_commit
from app.utils.tenancy import (
get_current_organization_id,
scoped_query,
require_organization_access
)
comments_bp = Blueprint('comments', __name__)
@comments_bp.route('/comments/create', methods=['POST'])
@login_required
@require_organization_access()
def create_comment():
"""Create a new comment for a project or task"""
try:
org_id = get_current_organization_id()
content = request.form.get('content', '').strip()
project_id = request.form.get('project_id', type=int)
task_id = request.form.get('task_id', type=int)
@@ -37,29 +30,28 @@ def create_comment():
flash(_('Comment cannot be associated with both a project and a task'), 'error')
return redirect(request.referrer or url_for('main.dashboard'))
# Verify project or task exists (scoped to organization)
# Verify project or task exists
if project_id:
target = scoped_query(Project).filter_by(id=project_id).first_or_404()
target = Project.query.get_or_404(project_id)
target_type = 'project'
else:
target = scoped_query(Task).filter_by(id=task_id).first_or_404()
target = Task.query.get_or_404(task_id)
target_type = 'task'
project_id = target.project_id # For redirects
# If this is a reply, verify parent comment exists (scoped to organization)
# If this is a reply, verify parent comment exists
if parent_id:
parent_comment = scoped_query(Comment).filter_by(id=parent_id).first_or_404()
parent_comment = Comment.query.get_or_404(parent_id)
# Verify parent is for the same target
if (project_id and parent_comment.project_id != project_id) or \
(task_id and parent_comment.task_id != task_id):
flash(_('Invalid parent comment'), 'error')
return redirect(request.referrer or url_for('main.dashboard'))
# Create the comment with organization_id
# Create the comment
comment = Comment(
content=content,
user_id=current_user.id,
organization_id=org_id,
project_id=project_id if target_type == 'project' else None,
task_id=task_id if target_type == 'task' else None,
parent_id=parent_id
@@ -84,10 +76,9 @@ def create_comment():
@comments_bp.route('/comments/<int:comment_id>/edit', methods=['GET', 'POST'])
@login_required
@require_organization_access()
def edit_comment(comment_id):
"""Edit an existing comment"""
comment = scoped_query(Comment).filter_by(id=comment_id).first_or_404()
comment = Comment.query.get_or_404(comment_id)
# Check permissions
if not comment.can_edit(current_user):
@@ -120,10 +111,9 @@ def edit_comment(comment_id):
@comments_bp.route('/comments/<int:comment_id>/delete', methods=['POST'])
@login_required
@require_organization_access()
def delete_comment(comment_id):
"""Delete a comment"""
comment = scoped_query(Comment).filter_by(id=comment_id).first_or_404()
comment = Comment.query.get_or_404(comment_id)
# Check permissions
if not comment.can_delete(current_user):
@@ -151,7 +141,6 @@ def delete_comment(comment_id):
@comments_bp.route('/api/comments')
@login_required
@require_organization_access()
def list_comments():
"""API endpoint to get comments for a project or task"""
project_id = request.args.get('project_id', type=int)
@@ -166,12 +155,12 @@ def list_comments():
try:
if project_id:
# Verify project exists (scoped to organization)
project = scoped_query(Project).filter_by(id=project_id).first_or_404()
# Verify project exists
project = Project.query.get_or_404(project_id)
comments = Comment.get_project_comments(project_id, include_replies)
else:
# Verify task exists (scoped to organization)
task = scoped_query(Task).filter_by(id=task_id).first_or_404()
# Verify task exists
task = Task.query.get_or_404(task_id)
comments = Comment.get_task_comments(task_id, include_replies)
return jsonify({
@@ -184,11 +173,10 @@ def list_comments():
@comments_bp.route('/api/comments/<int:comment_id>')
@login_required
@require_organization_access()
def get_comment(comment_id):
"""API endpoint to get a single comment"""
try:
comment = scoped_query(Comment).filter_by(id=comment_id).first_or_404()
comment = Comment.query.get_or_404(comment_id)
return jsonify({
'success': True,
'comment': comment.to_dict()
@@ -199,14 +187,12 @@ def get_comment(comment_id):
@comments_bp.route('/api/comments/recent')
@login_required
@require_organization_access()
def get_recent_comments():
"""API endpoint to get recent comments"""
limit = request.args.get('limit', 10, type=int)
try:
# Get recent comments scoped to organization
comments = scoped_query(Comment).order_by(Comment.created_at.desc()).limit(limit).all()
comments = Comment.get_recent_comments(limit)
return jsonify({
'success': True,
'comments': [comment.to_dict() for comment in comments]
@@ -217,7 +203,6 @@ def get_recent_comments():
@comments_bp.route('/api/comments/user/<int:user_id>')
@login_required
@require_organization_access()
def get_user_comments(user_id):
"""API endpoint to get comments by a specific user"""
limit = request.args.get('limit', type=int)
@@ -227,11 +212,7 @@ def get_user_comments(user_id):
return jsonify({'error': 'Permission denied'}), 403
try:
# Get user comments scoped to organization
query = scoped_query(Comment).filter_by(user_id=user_id).order_by(Comment.created_at.desc())
if limit:
query = query.limit(limit)
comments = query.all()
comments = Comment.get_user_comments(user_id, limit)
return jsonify({
'success': True,
'comments': [comment.to_dict() for comment in comments]

247
app/routes/gdpr.py
View File

@@ -1,247 +0,0 @@
"""
GDPR Routes - Data Export and Deletion
"""
from flask import Blueprint, render_template, request, redirect, url_for, flash, send_file, current_app, jsonify
from flask_login import login_required, current_user
from app import db, limiter
from app.models import Organization
from app.utils.gdpr import GDPRExporter, GDPRDeleter
from app.utils.tenancy import get_current_organization_id, require_organization_access
from flask_babel import gettext as _
import json
import io
from datetime import datetime
gdpr_bp = Blueprint('gdpr', __name__, url_prefix='/gdpr')
@gdpr_bp.route('/export', methods=['GET', 'POST'])
@login_required
@limiter.limit("5 per hour")
@require_organization_access()
def export_data():
"""Export organization data for GDPR compliance"""
org_id = get_current_organization_id()
if not org_id:
flash(_('No organization selected.'), 'error')
return redirect(url_for('main.dashboard'))
organization = Organization.query.get(org_id)
# Check if user is an admin of the organization
if not organization.is_admin(current_user.id):
flash(_('You must be an organization admin to export data.'), 'error')
return redirect(url_for('main.dashboard'))
if request.method == 'GET':
return render_template('gdpr/export.html', organization=organization)
# POST - perform export
export_format = request.form.get('format', 'json')
try:
data = GDPRExporter.export_organization_data(org_id, format=export_format)
if export_format == 'json':
# Create JSON file
buffer = io.BytesIO()
buffer.write(json.dumps(data, indent=2).encode('utf-8'))
buffer.seek(0)
filename = f"gdpr_export_{organization.slug}_{datetime.utcnow().strftime('%Y%m%d')}.json"
return send_file(
buffer,
as_attachment=True,
download_name=filename,
mimetype='application/json'
)
else:
# CSV format
buffer = io.BytesIO()
buffer.write(data.encode('utf-8'))
buffer.seek(0)
filename = f"gdpr_export_{organization.slug}_{datetime.utcnow().strftime('%Y%m%d')}.csv"
return send_file(
buffer,
as_attachment=True,
download_name=filename,
mimetype='text/csv'
)
except Exception as e:
current_app.logger.error(f"GDPR export failed: {e}")
flash(_('Failed to export data. Please try again.'), 'error')
return redirect(url_for('gdpr.export_data'))
@gdpr_bp.route('/export/user', methods=['GET', 'POST'])
@login_required
@limiter.limit("5 per hour")
def export_user_data():
"""Export current user's data for GDPR compliance"""
if request.method == 'GET':
return render_template('gdpr/export_user.html')
# POST - perform export
export_format = request.form.get('format', 'json')
try:
data = GDPRExporter.export_user_data(current_user.id, format=export_format)
if export_format == 'json':
buffer = io.BytesIO()
buffer.write(json.dumps(data, indent=2).encode('utf-8'))
buffer.seek(0)
filename = f"user_data_export_{current_user.username}_{datetime.utcnow().strftime('%Y%m%d')}.json"
return send_file(
buffer,
as_attachment=True,
download_name=filename,
mimetype='application/json'
)
else:
buffer = io.BytesIO()
buffer.write(data.encode('utf-8'))
buffer.seek(0)
filename = f"user_data_export_{current_user.username}_{datetime.utcnow().strftime('%Y%m%d')}.csv"
return send_file(
buffer,
as_attachment=True,
download_name=filename,
mimetype='text/csv'
)
except Exception as e:
current_app.logger.error(f"User data export failed: {e}")
flash(_('Failed to export data. Please try again.'), 'error')
return redirect(url_for('gdpr.export_user_data'))
@gdpr_bp.route('/delete/request', methods=['GET', 'POST'])
@login_required
@limiter.limit("3 per hour")
@require_organization_access()
def request_deletion():
"""Request deletion of organization data"""
org_id = get_current_organization_id()
if not org_id:
flash(_('No organization selected.'), 'error')
return redirect(url_for('main.dashboard'))
organization = Organization.query.get(org_id)
# Check if user is an admin
if not organization.is_admin(current_user.id):
flash(_('You must be an organization admin to request deletion.'), 'error')
return redirect(url_for('main.dashboard'))
if request.method == 'GET':
grace_days = current_app.config.get('GDPR_DELETION_DELAY_DAYS', 30)
return render_template('gdpr/delete_request.html',
organization=organization,
grace_days=grace_days)
# POST - request deletion
confirmation = request.form.get('confirmation', '')
if confirmation != organization.name:
flash(_('Organization name confirmation does not match.'), 'error')
return redirect(url_for('gdpr.request_deletion'))
try:
result = GDPRDeleter.request_organization_deletion(org_id, current_user.id)
flash(
_('Organization deletion has been scheduled for %(date)s. You can cancel this request until that date.',
date=result['deletion_scheduled_for']),
'warning'
)
return redirect(url_for('main.dashboard'))
except PermissionError:
flash(_('You do not have permission to request deletion.'), 'error')
return redirect(url_for('main.dashboard'))
except Exception as e:
current_app.logger.error(f"Deletion request failed: {e}")
flash(_('Failed to request deletion. Please try again.'), 'error')
return redirect(url_for('gdpr.request_deletion'))
@gdpr_bp.route('/delete/cancel', methods=['POST'])
@login_required
@limiter.limit("5 per hour")
@require_organization_access()
def cancel_deletion():
"""Cancel a pending deletion request"""
org_id = get_current_organization_id()
if not org_id:
flash(_('No organization selected.'), 'error')
return redirect(url_for('main.dashboard'))
try:
GDPRDeleter.cancel_organization_deletion(org_id, current_user.id)
flash(_('Organization deletion request has been cancelled.'), 'success')
except PermissionError:
flash(_('You do not have permission to cancel deletion.'), 'error')
except ValueError as e:
flash(str(e), 'error')
except Exception as e:
current_app.logger.error(f"Deletion cancellation failed: {e}")
flash(_('Failed to cancel deletion. Please try again.'), 'error')
return redirect(url_for('main.dashboard'))
@gdpr_bp.route('/delete/user', methods=['GET', 'POST'])
@login_required
@limiter.limit("2 per hour")
def delete_user_account():
"""Delete current user's account"""
if request.method == 'GET':
return render_template('gdpr/delete_user.html')
# POST - delete account
password = request.form.get('password', '')
confirmation = request.form.get('confirmation', '')
# Verify password
if not current_user.check_password(password):
flash(_('Incorrect password.'), 'error')
return redirect(url_for('gdpr.delete_user_account'))
# Verify confirmation
if confirmation != current_user.username:
flash(_('Username confirmation does not match.'), 'error')
return redirect(url_for('gdpr.delete_user_account'))
try:
user_id = current_user.id
# Log out before deleting
from flask_login import logout_user
logout_user()
# Delete user data
GDPRDeleter.delete_user_data(user_id)
flash(_('Your account has been deleted.'), 'info')
return redirect(url_for('auth.login'))
except Exception as e:
current_app.logger.error(f"User deletion failed: {e}")
flash(_('Failed to delete account. Please contact support.'), 'error')
return redirect(url_for('main.dashboard'))

71
app/routes/invoices.py
View File

@@ -9,24 +9,18 @@ import io
import csv
import json
from app.utils.db import safe_commit
from app.utils.tenancy import (
get_current_organization_id,
scoped_query,
require_organization_access
)
invoices_bp = Blueprint('invoices', __name__)
@invoices_bp.route('/invoices')
@login_required
@require_organization_access()
def list_invoices():
"""List all invoices"""
# Get invoices scoped to organization (scope by user unless admin)
# Get invoices (scope by user unless admin)
if current_user.is_admin:
invoices = scoped_query(Invoice).order_by(Invoice.created_at.desc()).all()
invoices = Invoice.query.order_by(Invoice.created_at.desc()).all()
else:
invoices = scoped_query(Invoice).filter_by(created_by=current_user.id).order_by(Invoice.created_at.desc()).all()
invoices = Invoice.query.filter_by(created_by=current_user.id).order_by(Invoice.created_at.desc()).all()
# Get summary statistics
total_invoices = len(invoices)
@@ -52,11 +46,8 @@ def list_invoices():
@invoices_bp.route('/invoices/create', methods=['GET', 'POST'])
@login_required
@require_organization_access()
def create_invoice():
"""Create a new invoice"""
org_id = get_current_organization_id()
if request.method == 'POST':
# Get form data
project_id = request.form.get('project_id', type=int)
@@ -85,19 +76,18 @@ def create_invoice():
flash('Invalid tax rate format', 'error')
return render_template('invoices/create.html')
# Get project (scoped to organization)
project = scoped_query(Project).filter_by(id=project_id).first()
# Get project
project = Project.query.get(project_id)
if not project:
flash('Selected project not found in your organization', 'error')
flash('Selected project not found', 'error')
return render_template('invoices/create.html')
# Generate invoice number (scoped to organization)
invoice_number = Invoice.generate_invoice_number(org_id)
# Generate invoice number
invoice_number = Invoice.generate_invoice_number()
# Create invoice with organization_id
# Create invoice
invoice = Invoice(
invoice_number=invoice_number,
organization_id=org_id,
project_id=project_id,
client_name=client_name,
due_date=due_date,
@@ -118,8 +108,8 @@ def create_invoice():
flash(f'Invoice {invoice_number} created successfully', 'success')
return redirect(url_for('invoices.edit_invoice', invoice_id=invoice.id))
# GET request - show form (scoped to organization)
projects = scoped_query(Project).filter_by(status='active', billable=True).order_by(Project.name).all()
# GET request - show form
projects = Project.query.filter_by(status='active', billable=True).order_by(Project.name).all()
settings = Settings.get_settings()
# Set default due date to 30 days from now
@@ -132,10 +122,9 @@ def create_invoice():
@invoices_bp.route('/invoices/<int:invoice_id>')
@login_required
@require_organization_access()
def view_invoice(invoice_id):
"""View invoice details"""
invoice = scoped_query(Invoice).filter_by(id=invoice_id).first_or_404()
invoice = Invoice.query.get_or_404(invoice_id)
# Check access permissions
if not current_user.is_admin and invoice.created_by != current_user.id:
@@ -146,10 +135,9 @@ def view_invoice(invoice_id):
@invoices_bp.route('/invoices/<int:invoice_id>/edit', methods=['GET', 'POST'])
@login_required
@require_organization_access()
def edit_invoice(invoice_id):
"""Edit invoice"""
invoice = scoped_query(Invoice).filter_by(id=invoice_id).first_or_404()
invoice = Invoice.query.get_or_404(invoice_id)
# Check access permissions
if not current_user.is_admin and invoice.created_by != current_user.id:
@@ -197,21 +185,20 @@ def edit_invoice(invoice_id):
invoice.calculate_totals()
if not safe_commit('edit_invoice', {'invoice_id': invoice.id}):
flash('Could not update invoice due to a database error. Please check server logs.', 'error')
return render_template('invoices/edit.html', invoice=invoice, projects=scoped_query(Project).filter_by(status='active').order_by(Project.name).all())
return render_template('invoices/edit.html', invoice=invoice, projects=Project.query.filter_by(status='active').order_by(Project.name).all())
flash('Invoice updated successfully', 'success')
return redirect(url_for('invoices.view_invoice', invoice_id=invoice.id))
# GET request - show edit form (scoped to organization)
projects = scoped_query(Project).filter_by(status='active').order_by(Project.name).all()
# GET request - show edit form
projects = Project.query.filter_by(status='active').order_by(Project.name).all()
return render_template('invoices/edit.html', invoice=invoice, projects=projects)
@invoices_bp.route('/invoices/<int:invoice_id>/status', methods=['POST'])
@login_required
@require_organization_access()
def update_invoice_status(invoice_id):
"""Update invoice status"""
invoice = scoped_query(Invoice).filter_by(id=invoice_id).first_or_404()
invoice = Invoice.query.get_or_404(invoice_id)
# Check access permissions
if not current_user.is_admin and invoice.created_by != current_user.id:
@@ -237,10 +224,9 @@ def update_invoice_status(invoice_id):
@invoices_bp.route('/invoices/<int:invoice_id>/payment', methods=['GET', 'POST'])
@login_required
@require_organization_access()
def record_payment(invoice_id):
"""Record payment for invoice"""
invoice = scoped_query(Invoice).filter_by(id=invoice_id).first_or_404()
invoice = Invoice.query.get_or_404(invoice_id)
# Check access permissions
if not current_user.is_admin and invoice.created_by != current_user.id:
@@ -336,7 +322,7 @@ def generate_from_time(invoice_id):
invoice.items.delete()
# Group time entries by task/project and create invoice items
time_entries = scoped_query(TimeEntry).filter(TimeEntry.id.in_(selected_entries)).all()
time_entries = TimeEntry.query.filter(TimeEntry.id.in_(selected_entries)).all()
# Group by task (if available) or project
grouped_entries = {}
@@ -386,7 +372,7 @@ def generate_from_time(invoice_id):
# GET request - show time entry selection
# Get unbilled time entries for this project
time_entries = scoped_query(TimeEntry).filter(
time_entries = TimeEntry.query.filter(
TimeEntry.project_id == invoice.project_id,
TimeEntry.end_time.isnot(None),
TimeEntry.billable == True
@@ -424,10 +410,9 @@ def generate_from_time(invoice_id):
@invoices_bp.route('/invoices/<int:invoice_id>/export/csv')
@login_required
@require_organization_access()
def export_invoice_csv(invoice_id):
"""Export invoice as CSV"""
invoice = scoped_query(Invoice).filter_by(id=invoice_id).first_or_404()
invoice = Invoice.query.get_or_404(invoice_id)
# Check access permissions
if not current_user.is_admin and invoice.created_by != current_user.id:
@@ -475,10 +460,9 @@ def export_invoice_csv(invoice_id):
@invoices_bp.route('/invoices/<int:invoice_id>/export/pdf')
@login_required
@require_organization_access()
def export_invoice_pdf(invoice_id):
"""Export invoice as PDF"""
invoice = scoped_query(Invoice).filter_by(id=invoice_id).first_or_404()
invoice = Invoice.query.get_or_404(invoice_id)
if not current_user.is_admin and invoice.created_by != current_user.id:
flash(_('You do not have permission to export this invoice'), 'error')
return redirect(request.referrer or url_for('invoices.list_invoices'))
@@ -513,24 +497,21 @@ def export_invoice_pdf(invoice_id):
@invoices_bp.route('/invoices/<int:invoice_id>/duplicate')
@login_required
@require_organization_access()
def duplicate_invoice(invoice_id):
"""Duplicate an existing invoice"""
org_id = get_current_organization_id()
original_invoice = scoped_query(Invoice).filter_by(id=invoice_id).first_or_404()
original_invoice = Invoice.query.get_or_404(invoice_id)
# Check access permissions
if not current_user.is_admin and original_invoice.created_by != current_user.id:
flash('You do not have permission to duplicate this invoice', 'error')
return redirect(url_for('invoices.list_invoices'))
# Generate new invoice number (scoped to organization)
new_invoice_number = Invoice.generate_invoice_number(org_id)
# Generate new invoice number
new_invoice_number = Invoice.generate_invoice_number()
# Create new invoice with organization_id
# Create new invoice
new_invoice = Invoice(
invoice_number=new_invoice_number,
organization_id=org_id,
project_id=original_invoice.project_id,
client_name=original_invoice.client_name,
client_email=original_invoice.client_email,

31
app/routes/main.py
View File

@@ -9,34 +9,12 @@ from sqlalchemy import text
from flask import make_response, current_app
import json
import os
from app.utils.tenancy import (
get_current_organization_id,
scoped_query,
require_organization_access
)
main_bp = Blueprint('main', __name__)
@main_bp.route('/')
def index():
"""Landing page or dashboard based on auth status"""
if current_user.is_authenticated:
return redirect(url_for('main.dashboard'))
return render_template('marketing/landing.html')
@main_bp.route('/pricing')
def pricing():
"""Pricing page redirect to landing"""
return redirect(url_for('main.index', _anchor='pricing'))
@main_bp.route('/faq')
def faq():
"""FAQ page"""
return render_template('marketing/faq.html')
@main_bp.route('/dashboard')
@login_required
@require_organization_access()
def dashboard():
"""Main dashboard showing active timer and recent entries"""
# Get user's active timer
@@ -45,8 +23,8 @@ def dashboard():
# Get recent entries for the user
recent_entries = current_user.get_recent_entries(limit=10)
# Get active projects for timer dropdown (scoped to organization)
active_projects = scoped_query(Project).filter_by(status='active').order_by(Project.name).all()
# Get active projects for timer dropdown
active_projects = Project.query.filter_by(status='active').order_by(Project.name).all()
# Get user statistics
today = datetime.utcnow().date()
@@ -150,7 +128,6 @@ def set_language():
@main_bp.route('/search')
@login_required
@require_organization_access()
def search():
"""Search time entries"""
query = request.args.get('q', '').strip()
@@ -159,9 +136,9 @@ def search():
if not query:
return redirect(url_for('main.dashboard'))
# Search in time entries (scoped to organization)
# Search in time entries
from sqlalchemy import or_
entries = scoped_query(TimeEntry).filter(
entries = TimeEntry.query.filter(
TimeEntry.user_id == current_user.id,
TimeEntry.end_time.isnot(None),
or_(

176
app/routes/onboarding.py
View File

@@ -1,176 +0,0 @@
"""
Onboarding Routes
Handles onboarding checklist display, task completion tracking, and
user guidance for new organizations.
"""
from flask import Blueprint, render_template, request, jsonify, flash, redirect, url_for
from flask_login import login_required, current_user
from app import db
from app.models.onboarding_checklist import OnboardingChecklist
from app.models.membership import Membership
from app.utils.tenancy import require_organization_access, get_current_organization
bp = Blueprint('onboarding', __name__, url_prefix='/onboarding')
@bp.route('/')
@bp.route('/checklist')
@login_required
@require_organization_access()
def checklist():
"""Display onboarding checklist for current organization."""
organization = get_current_organization()
if not organization:
flash('No organization found', 'error')
return redirect(url_for('main.dashboard'))
# Get or create checklist
checklist_data = OnboardingChecklist.get_or_create(organization.id)
return render_template(
'onboarding/checklist.html',
organization=organization,
checklist=checklist_data,
tasks=checklist_data.get_tasks_with_status()
)
@bp.route('/api/checklist', methods=['GET'])
@login_required
@require_organization_access()
def get_checklist():
"""Get onboarding checklist data (API endpoint)."""
organization = get_current_organization()
if not organization:
return jsonify({'error': 'No organization found'}), 404
# Get or create checklist
checklist_data = OnboardingChecklist.get_or_create(organization.id)
return jsonify(checklist_data.to_dict(include_tasks=True))
@bp.route('/api/checklist/complete/<task_key>', methods=['POST'])
@login_required
@require_organization_access()
def complete_task(task_key):
"""Mark a task as complete (API endpoint).
Args:
task_key: Key of the task to complete
"""
organization = get_current_organization()
if not organization:
return jsonify({'error': 'No organization found'}), 404
# Get checklist
checklist_data = OnboardingChecklist.get_or_create(organization.id)
# Mark task complete
success = checklist_data.mark_task_complete(task_key)
if not success:
return jsonify({'error': f'Invalid task key: {task_key}'}), 400
return jsonify({
'success': True,
'task_key': task_key,
'completion_percentage': checklist_data.completion_percentage,
'is_complete': checklist_data.is_complete,
'next_task': checklist_data.get_next_task()
})
@bp.route('/api/checklist/dismiss', methods=['POST'])
@login_required
@require_organization_access()
def dismiss_checklist():
"""Dismiss the onboarding checklist."""
organization = get_current_organization()
if not organization:
return jsonify({'error': 'No organization found'}), 404
# Check if user is admin
if not Membership.user_is_admin(current_user.id, organization.id):
return jsonify({'error': 'Only admins can dismiss the checklist'}), 403
# Get checklist and dismiss
checklist_data = OnboardingChecklist.get_or_create(organization.id)
checklist_data.dismiss()
return jsonify({
'success': True,
'dismissed': True
})
@bp.route('/api/checklist/restore', methods=['POST'])
@login_required
@require_organization_access()
def restore_checklist():
"""Restore a dismissed onboarding checklist."""
organization = get_current_organization()
if not organization:
return jsonify({'error': 'No organization found'}), 404
# Check if user is admin
if not Membership.user_is_admin(current_user.id, organization.id):
return jsonify({'error': 'Only admins can restore the checklist'}), 403
# Get checklist and restore
checklist_data = OnboardingChecklist.get_or_create(organization.id)
checklist_data.undismiss()
return jsonify({
'success': True,
'dismissed': False
})
@bp.route('/guide')
@login_required
@require_organization_access()
def guide():
"""Display comprehensive onboarding guide."""
organization = get_current_organization()
if not organization:
flash('No organization found', 'error')
return redirect(url_for('main.dashboard'))
return render_template(
'onboarding/guide.html',
organization=organization
)
@bp.route('/welcome')
@login_required
def welcome():
"""Welcome page for newly created organizations."""
# Get user's first active organization (newly created)
memberships = Membership.get_user_active_memberships(current_user.id)
if not memberships:
flash('No organization found', 'error')
return redirect(url_for('main.dashboard'))
organization = memberships[0].organization
# Get checklist
checklist_data = OnboardingChecklist.get_or_create(organization.id)
return render_template(
'onboarding/welcome.html',
organization=organization,
checklist=checklist_data
)

403
app/routes/organizations.py
View File

@@ -1,403 +0,0 @@
"""
Routes for organization management.
Handles:
- Organization CRUD operations
- Membership management
- Organization switching
- User invitations
"""
from flask import Blueprint, render_template, request, jsonify, flash, redirect, url_for, session
from flask_login import login_required, current_user
from sqlalchemy.exc import IntegrityError
from app import db
from app.models import Organization, Membership, User
from app.utils.tenancy import (
get_current_organization, get_current_organization_id,
switch_organization, require_organization_access,
get_user_organizations, user_is_organization_admin
)
from app.utils.seat_sync import seat_sync_service, check_can_add_member
from app.utils.provisioning_service import provisioning_service
organizations_bp = Blueprint('organizations', __name__, url_prefix='/organizations')
@organizations_bp.route('/')
@login_required
def index():
"""List all organizations the current user belongs to."""
memberships = Membership.get_user_active_memberships(current_user.id)
current_org_id = get_current_organization_id()
organizations = [
{
'id': m.organization.id,
'name': m.organization.name,
'slug': m.organization.slug,
'role': m.role,
'member_count': m.organization.member_count,
'project_count': m.organization.project_count,
'is_current': m.organization.id == current_org_id,
'is_admin': m.is_admin
}
for m in memberships
]
return render_template('organizations/index.html', organizations=organizations)
@organizations_bp.route('/<int:org_id>')
@login_required
@require_organization_access()
def detail(org_id):
"""View organization details."""
org = Organization.query.get_or_404(org_id)
# Check if user is admin of this org
is_admin = user_is_organization_admin(current_user.id, org_id)
# Get membership info
membership = Membership.find_membership(current_user.id, org_id)
# Get members if admin
members = None
if is_admin:
members = org.get_members()
return render_template(
'organizations/detail.html',
organization=org,
membership=membership,
members=members,
is_admin=is_admin
)
@organizations_bp.route('/new', methods=['GET', 'POST'])
@login_required
def create():
"""Create a new organization with optional trial provisioning."""
if request.method == 'POST':
try:
# Check if user wants to start with a trial
start_trial = request.form.get('start_trial', 'true').lower() == 'true'
org = Organization(
name=request.form['name'],
slug=request.form.get('slug'), # Optional, will be auto-generated
contact_email=request.form.get('contact_email', current_user.email),
subscription_plan='trial' if start_trial else 'free'
)
db.session.add(org)
db.session.flush() # Get org.id
# Create membership for creator as admin
membership = Membership(
user_id=current_user.id,
organization_id=org.id,
role='admin',
status='active'
)
db.session.add(membership)
db.session.commit()
# AUTOMATED PROVISIONING: If trial, provision immediately
if start_trial:
try:
provisioning_result = provisioning_service.provision_trial_organization(
organization=org,
admin_user=current_user
)
if provisioning_result.get('success'):
flash(f'🎉 Organization "{org.name}" created successfully with a free trial!', 'success')
# Redirect to welcome page for new trial users
return redirect(url_for('onboarding.welcome'))
else:
flash(f'Organization "{org.name}" created, but provisioning had issues.', 'warning')
except Exception as prov_error:
# Log the provisioning error but don't fail the org creation
from flask import current_app
current_app.logger.error(f"Provisioning error for {org.name}: {prov_error}")
flash(f'Organization "{org.name}" created successfully!', 'success')
else:
flash(f'Organization "{org.name}" created successfully!', 'success')
return redirect(url_for('organizations.detail', org_id=org.id))
except IntegrityError as e:
db.session.rollback()
flash('An organization with that name or slug already exists.', 'danger')
except Exception as e:
db.session.rollback()
flash(f'Error creating organization: {str(e)}', 'danger')
return render_template('organizations/create.html')
@organizations_bp.route('/<int:org_id>/edit', methods=['GET', 'POST'])
@login_required
@require_organization_access(admin_only=True)
def edit(org_id):
"""Edit organization settings (admin only)."""
org = Organization.query.get_or_404(org_id)
if request.method == 'POST':
try:
org.name = request.form['name']
org.contact_email = request.form.get('contact_email')
org.contact_phone = request.form.get('contact_phone')
org.billing_email = request.form.get('billing_email')
org.timezone = request.form.get('timezone', 'UTC')
org.currency = request.form.get('currency', 'EUR')
db.session.commit()
flash('Organization settings updated successfully!', 'success')
return redirect(url_for('organizations.detail', org_id=org_id))
except Exception as e:
db.session.rollback()
flash(f'Error updating organization: {str(e)}', 'danger')
return render_template('organizations/edit.html', organization=org)
@organizations_bp.route('/<int:org_id>/switch', methods=['POST'])
@login_required
def switch(org_id):
"""Switch to a different organization."""
try:
org = switch_organization(org_id)
flash(f'Switched to organization: {org.name}', 'success')
return redirect(request.referrer or url_for('main.index'))
except PermissionError:
flash('You do not have access to that organization.', 'danger')
return redirect(url_for('organizations.index'))
except ValueError as e:
flash(str(e), 'danger')
return redirect(url_for('organizations.index'))
@organizations_bp.route('/<int:org_id>/members')
@login_required
@require_organization_access(admin_only=True)
def members(org_id):
"""List organization members (admin only)."""
org = Organization.query.get_or_404(org_id)
members = org.get_members()
return render_template(
'organizations/members.html',
organization=org,
members=members
)
@organizations_bp.route('/<int:org_id>/members/invite', methods=['GET', 'POST'])
@login_required
@require_organization_access(admin_only=True)
def invite_member(org_id):
"""Invite a user to the organization (admin only)."""
org = Organization.query.get_or_404(org_id)
if request.method == 'POST':
try:
email = request.form['email']
role = request.form.get('role', 'member')
# Check if organization can add more members
seat_check = check_can_add_member(org_id)
if not seat_check['can_add']:
flash(seat_check['message'], 'warning')
return redirect(url_for('organizations.members', org_id=org_id))
# Find or create user
user = User.query.filter_by(email=email).first()
if not user:
# Create new user with invitation
username = email.split('@')[0]
# Ensure unique username
base_username = username
counter = 1
while User.query.filter_by(username=username).first():
username = f"{base_username}{counter}"
counter += 1
user = User(username=username, email=email, role='user')
user.is_active = False # Inactive until they accept
db.session.add(user)
db.session.flush()
# Check if already a member
existing = Membership.find_membership(user.id, org_id)
if existing and existing.status == 'active':
flash('User is already a member of this organization.', 'warning')
return redirect(url_for('organizations.members', org_id=org_id))
# Create membership with invitation
membership = Membership(
user_id=user.id,
organization_id=org_id,
role=role,
status='invited',
invited_by=current_user.id
)
db.session.add(membership)
db.session.commit()
# Note: Seat sync will happen when invitation is accepted
# No need to sync here since invited members don't count until active
# TODO: Send invitation email with token
# send_invitation_email(user.email, membership.invitation_token)
flash(f'Invitation sent to {email}!', 'success')
return redirect(url_for('organizations.members', org_id=org_id))
except Exception as e:
db.session.rollback()
flash(f'Error inviting user: {str(e)}', 'danger')
return render_template('organizations/invite.html', organization=org)
@organizations_bp.route('/<int:org_id>/members/<int:user_id>/role', methods=['POST'])
@login_required
@require_organization_access(admin_only=True)
def change_member_role(org_id, user_id):
"""Change a member's role (admin only)."""
org = Organization.query.get_or_404(org_id)
membership = Membership.find_membership(user_id, org_id)
if not membership:
flash('Member not found.', 'danger')
return redirect(url_for('organizations.members', org_id=org_id))
# Don't allow changing own role
if user_id == current_user.id:
flash('You cannot change your own role.', 'warning')
return redirect(url_for('organizations.members', org_id=org_id))
try:
new_role = request.form['role']
membership.change_role(new_role)
flash(f'Role updated to {new_role}.', 'success')
except Exception as e:
flash(f'Error updating role: {str(e)}', 'danger')
return redirect(url_for('organizations.members', org_id=org_id))
@organizations_bp.route('/<int:org_id>/members/<int:user_id>/remove', methods=['POST'])
@login_required
@require_organization_access(admin_only=True)
def remove_member(org_id, user_id):
"""Remove a member from the organization (admin only)."""
org = Organization.query.get_or_404(org_id)
membership = Membership.find_membership(user_id, org_id)
if not membership:
flash('Member not found.', 'danger')
return redirect(url_for('organizations.members', org_id=org_id))
# Don't allow removing self
if user_id == current_user.id:
flash('You cannot remove yourself from the organization.', 'warning')
return redirect(url_for('organizations.members', org_id=org_id))
# Check if this is the last admin
if membership.is_admin and org.admin_count <= 1:
flash('Cannot remove the last admin from the organization.', 'danger')
return redirect(url_for('organizations.members', org_id=org_id))
try:
user = membership.user
membership.remove()
# Sync seats with Stripe
sync_result = seat_sync_service.on_member_removed(org, user)
if not sync_result['success']:
flash(f"Member removed but seat sync failed: {sync_result['message']}", 'warning')
else:
flash('Member removed from organization.', 'success')
except Exception as e:
flash(f'Error removing member: {str(e)}', 'danger')
return redirect(url_for('organizations.members', org_id=org_id))
# ========================================
# API Endpoints
# ========================================
@organizations_bp.route('/api/list', methods=['GET'])
@login_required
def api_list():
"""API: List user's organizations."""
memberships = Membership.get_user_active_memberships(current_user.id)
current_org_id = get_current_organization_id()
organizations = [
{
**m.organization.to_dict(include_stats=True),
'role': m.role,
'is_current': m.organization.id == current_org_id
}
for m in memberships
]
return jsonify({'organizations': organizations})
@organizations_bp.route('/api/<int:org_id>', methods=['GET'])
@login_required
@require_organization_access()
def api_detail(org_id):
"""API: Get organization details."""
org = Organization.query.get_or_404(org_id)
membership = Membership.find_membership(current_user.id, org_id)
data = org.to_dict(include_stats=True)
data['current_user_role'] = membership.role if membership else None
return jsonify(data)
@organizations_bp.route('/api/<int:org_id>/switch', methods=['POST'])
@login_required
def api_switch(org_id):
"""API: Switch to different organization."""
try:
org = switch_organization(org_id)
return jsonify({
'success': True,
'organization': org.to_dict()
})
except (PermissionError, ValueError) as e:
return jsonify({
'success': False,
'error': str(e)
}), 403
@organizations_bp.route('/api/<int:org_id>/members', methods=['GET'])
@login_required
@require_organization_access(admin_only=True)
def api_members(org_id):
"""API: List organization members."""
org = Organization.query.get_or_404(org_id)
members = org.get_members()
return jsonify({
'members': [m.to_dict(include_user=True) for m in members]
})

106
app/routes/projects.py
View File

@@ -6,19 +6,11 @@ from app.models import Project, TimeEntry, Task, Client
from datetime import datetime
from decimal import Decimal
from app.utils.db import safe_commit
from app.utils.tenancy import (
get_current_organization_id,
get_current_organization,
scoped_query,
require_organization_access,
ensure_organization_access
)
projects_bp = Blueprint('projects', __name__)
@projects_bp.route('/projects')
@login_required
@require_organization_access()
def list_projects():
"""List all projects"""
page = request.args.get('page', 1, type=int)
@@ -26,8 +18,7 @@ def list_projects():
client_name = request.args.get('client', '').strip()
search = request.args.get('search', '').strip()
# Use scoped query to automatically filter by organization
query = scoped_query(Project)
query = Project.query
if status == 'active':
query = query.filter_by(status='active')
elif status == 'archived':
@@ -51,8 +42,8 @@ def list_projects():
error_out=False
)
# Get clients for filter dropdown (scoped to current org)
clients = scoped_query(Client).filter_by(status='active').order_by(Client.name).all()
# Get clients for filter dropdown
clients = Client.get_active_clients()
client_list = [c.name for c in clients]
return render_template(
@@ -64,7 +55,6 @@ def list_projects():
@projects_bp.route('/projects/create', methods=['GET', 'POST'])
@login_required
@require_organization_access()
def create_project():
"""Create a new project"""
if not current_user.is_admin:
@@ -75,9 +65,6 @@ def create_project():
flash('Only administrators can create projects', 'error')
return redirect(url_for('projects.list_projects'))
# Get current organization
org_id = get_current_organization_id()
if request.method == 'POST':
name = request.form.get('name', '').strip()
client_id = request.form.get('client_id', '').strip()
@@ -90,12 +77,11 @@ def create_project():
budget_threshold_raw = request.form.get('budget_threshold_percent', '').strip()
try:
current_app.logger.info(
"POST /projects/create user=%s name=%s client_id=%s billable=%s org_id=%s",
"POST /projects/create user=%s name=%s client_id=%s billable=%s",
current_user.username,
name or '<empty>',
client_id or '<empty>',
billable,
org_id,
)
except Exception:
pass
@@ -107,19 +93,17 @@ def create_project():
current_app.logger.warning("Validation failed: missing required fields for project creation")
except Exception:
pass
clients = scoped_query(Client).filter_by(status='active').order_by(Client.name).all()
return render_template('projects/create.html', clients=clients)
return render_template('projects/create.html', clients=Client.get_active_clients())
# Get client and validate (must be in same organization)
client = scoped_query(Client).filter_by(id=client_id).first()
# Get client and validate
client = Client.query.get(client_id)
if not client:
flash('Selected client not found in your organization', 'error')
flash('Selected client not found', 'error')
try:
current_app.logger.warning("Validation failed: client not found or not in org (id=%s, org=%s)", client_id, org_id)
current_app.logger.warning("Validation failed: client not found (id=%s)", client_id)
except Exception:
pass
clients = scoped_query(Client).filter_by(status='active').order_by(Client.name).all()
return render_template('projects/create.html', clients=clients)
return render_template('projects/create.html', clients=Client.get_active_clients())
# Validate hourly rate
try:
@@ -146,20 +130,18 @@ def create_project():
flash('Invalid budget threshold percent (0-100)', 'error')
return render_template('projects/create.html', clients=Client.get_active_clients())
# Check if project name already exists (within organization)
if scoped_query(Project).filter_by(name=name).first():
flash('A project with this name already exists in your organization', 'error')
# Check if project name already exists
if Project.query.filter_by(name=name).first():
flash('A project with this name already exists', 'error')
try:
current_app.logger.warning("Validation failed: duplicate project name '%s' in org %s", name, org_id)
current_app.logger.warning("Validation failed: duplicate project name '%s'", name)
except Exception:
pass
clients = scoped_query(Client).filter_by(status='active').order_by(Client.name).all()
return render_template('projects/create.html', clients=clients)
return render_template('projects/create.html', clients=Client.get_active_clients())
# Create project with organization_id
# Create project
project = Project(
name=name,
organization_id=org_id, # ✅ Set organization
client_id=client_id,
description=description,
billable=billable,
@@ -170,24 +152,20 @@ def create_project():
)
db.session.add(project)
if not safe_commit('create_project', {'name': name, 'client_id': client_id, 'org_id': org_id}):
if not safe_commit('create_project', {'name': name, 'client_id': client_id}):
flash('Could not create project due to a database error. Please check server logs.', 'error')
clients = scoped_query(Client).filter_by(status='active').order_by(Client.name).all()
return render_template('projects/create.html', clients=clients)
return render_template('projects/create.html', clients=Client.get_active_clients())
flash(f'Project "{name}" created successfully', 'success')
return redirect(url_for('projects.view_project', project_id=project.id))
clients = scoped_query(Client).filter_by(status='active').order_by(Client.name).all()
return render_template('projects/create.html', clients=clients)
return render_template('projects/create.html', clients=Client.get_active_clients())
@projects_bp.route('/projects/<int:project_id>')
@login_required
@require_organization_access()
def view_project(project_id):
"""View project details and time entries"""
# Use scoped query to ensure project belongs to current organization
project = scoped_query(Project).filter_by(id=project_id).first_or_404()
project = Project.query.get_or_404(project_id)
# Get time entries for this project
page = request.args.get('page', 1, type=int)
@@ -221,15 +199,13 @@ def view_project(project_id):
@projects_bp.route('/projects/<int:project_id>/edit', methods=['GET', 'POST'])
@login_required
@require_organization_access()
def edit_project(project_id):
"""Edit project details"""
if not current_user.is_admin:
flash('Only administrators can edit projects', 'error')
return redirect(url_for('projects.view_project', project_id=project_id))
# Use scoped query to ensure project belongs to current organization
project = scoped_query(Project).filter_by(id=project_id).first_or_404()
project = Project.query.get_or_404(project_id)
if request.method == 'POST':
name = request.form.get('name', '').strip()
@@ -246,12 +222,11 @@ def edit_project(project_id):
flash('Project name and client are required', 'error')
return render_template('projects/edit.html', project=project, clients=Client.get_active_clients())
# Get client and validate (must be in same organization)
client = scoped_query(Client).filter_by(id=client_id).first()
# Get client and validate
client = Client.query.get(client_id)
if not client:
flash('Selected client not found in your organization', 'error')
clients = scoped_query(Client).filter_by(status='active').order_by(Client.name).all()
return render_template('projects/edit.html', project=project, clients=clients)
flash('Selected client not found', 'error')
return render_template('projects/edit.html', project=project, clients=Client.get_active_clients())
# Validate hourly rate
try:
@@ -278,15 +253,13 @@ def edit_project(project_id):
raise ValueError('Invalid threshold')
except Exception:
flash('Invalid budget threshold percent (0-100)', 'error')
clients = scoped_query(Client).filter_by(status='active').order_by(Client.name).all()
return render_template('projects/edit.html', project=project, clients=clients)
return render_template('projects/edit.html', project=project, clients=Client.get_active_clients())
# Check if project name already exists (excluding current project, within organization)
existing = scoped_query(Project).filter_by(name=name).first()
# Check if project name already exists (excluding current project)
existing = Project.query.filter_by(name=name).first()
if existing and existing.id != project.id:
flash('A project with this name already exists in your organization', 'error')
clients = scoped_query(Client).filter_by(status='active').order_by(Client.name).all()
return render_template('projects/edit.html', project=project, clients=clients)
flash('A project with this name already exists', 'error')
return render_template('projects/edit.html', project=project, clients=Client.get_active_clients())
# Update project
project.name = name
@@ -301,25 +274,22 @@ def edit_project(project_id):
if not safe_commit('edit_project', {'project_id': project.id}):
flash('Could not update project due to a database error. Please check server logs.', 'error')
clients = scoped_query(Client).filter_by(status='active').order_by(Client.name).all()
return render_template('projects/edit.html', project=project, clients=clients)
return render_template('projects/edit.html', project=project, clients=Client.get_active_clients())
flash(f'Project "{name}" updated successfully', 'success')
return redirect(url_for('projects.view_project', project_id=project.id))
clients = scoped_query(Client).filter_by(status='active').order_by(Client.name).all()
return render_template('projects/edit.html', project=project, clients=clients)
return render_template('projects/edit.html', project=project, clients=Client.get_active_clients())
@projects_bp.route('/projects/<int:project_id>/archive', methods=['POST'])
@login_required
@require_organization_access()
def archive_project(project_id):
"""Archive a project"""
if not current_user.is_admin:
flash('Only administrators can archive projects', 'error')
return redirect(url_for('projects.view_project', project_id=project_id))
project = scoped_query(Project).filter_by(id=project_id).first_or_404()
project = Project.query.get_or_404(project_id)
if project.status == 'archived':
flash('Project is already archived', 'info')
@@ -331,14 +301,13 @@ def archive_project(project_id):
@projects_bp.route('/projects/<int:project_id>/unarchive', methods=['POST'])
@login_required
@require_organization_access()
def unarchive_project(project_id):
"""Unarchive a project"""
if not current_user.is_admin:
flash('Only administrators can unarchive projects', 'error')
return redirect(url_for('projects.view_project', project_id=project_id))
project = scoped_query(Project).filter_by(id=project_id).first_or_404()
project = Project.query.get_or_404(project_id)
if project.status == 'active':
flash('Project is already active', 'info')
@@ -350,10 +319,13 @@ def unarchive_project(project_id):
@projects_bp.route('/projects/<int:project_id>/delete', methods=['POST'])
@login_required
@require_organization_access(admin_only=True)
def delete_project(project_id):
"""Delete a project (only if no time entries exist)"""
project = scoped_query(Project).filter_by(id=project_id).first_or_404()
if not current_user.is_admin:
flash('Only administrators can delete projects', 'error')
return redirect(url_for('projects.view_project', project_id=project_id))
project = Project.query.get_or_404(project_id)
# Check if project has time entries
if project.time_entries.count() > 0:

189
app/routes/promo_codes.py
View File

@@ -1,189 +0,0 @@
"""Promo Code Routes"""
from flask import Blueprint, request, jsonify, render_template, redirect, url_for, flash
from flask_login import login_required, current_user
from app.utils.promo_code_service import promo_code_service
from app.utils.tenancy import get_current_organization
from app.models.promo_code import PromoCode
from app import db
promo_codes_bp = Blueprint('promo_codes', __name__, url_prefix='/promo-codes')
@promo_codes_bp.route('/validate', methods=['POST'])
def validate_promo_code():
"""Validate a promo code (public endpoint for signup flow)"""
data = request.get_json() or {}
code = data.get('code', '').strip()
if not code:
return jsonify({
'valid': False,
'message': 'Please enter a promo code'
}), 400
is_valid, promo_code, message = promo_code_service.validate_promo_code(code)
if is_valid:
return jsonify({
'valid': True,
'code': promo_code.code,
'description': promo_code.get_discount_description(),
'message': message
})
else:
return jsonify({
'valid': False,
'message': message
}), 400
@promo_codes_bp.route('/apply', methods=['POST'])
@login_required
def apply_promo_code():
"""Apply a promo code to the current organization"""
organization = get_current_organization()
if not organization:
return jsonify({
'success': False,
'message': 'Organization not found'
}), 404
data = request.get_json() or {}
code = data.get('code', '').strip()
if not code:
return jsonify({
'success': False,
'message': 'Please enter a promo code'
}), 400
success, stripe_coupon_id, message = promo_code_service.apply_promo_code(
code=code,
organization=organization,
user_id=current_user.id
)
if success:
return jsonify({
'success': True,
'stripe_coupon_id': stripe_coupon_id,
'message': message
})
else:
return jsonify({
'success': False,
'message': message
}), 400
@promo_codes_bp.route('/admin', methods=['GET'])
@login_required
def admin_promo_codes():
"""Admin page for managing promo codes"""
# Check if user is admin
if not current_user.is_admin:
flash('Access denied. Admin privileges required.', 'error')
return redirect(url_for('main.dashboard'))
promo_codes = PromoCode.query.order_by(PromoCode.created_at.desc()).all()
return render_template('admin/promo_codes.html', promo_codes=promo_codes)
@promo_codes_bp.route('/admin/create', methods=['POST'])
@login_required
def admin_create_promo_code():
"""Create a new promo code (admin only)"""
# Check if user is admin
if not current_user.is_admin:
return jsonify({'success': False, 'message': 'Access denied'}), 403
data = request.get_json() or {}
try:
from datetime import datetime
# Parse valid_until if provided
valid_until = None
if data.get('valid_until'):
valid_until = datetime.fromisoformat(data['valid_until'])
promo_code = promo_code_service.create_promo_code(
code=data['code'],
discount_type=data['discount_type'],
discount_value=float(data['discount_value']),
duration=data.get('duration', 'once'),
duration_in_months=data.get('duration_in_months'),
description=data.get('description'),
max_redemptions=data.get('max_redemptions'),
valid_until=valid_until,
first_time_only=data.get('first_time_only', False),
sync_to_stripe=True
)
return jsonify({
'success': True,
'message': 'Promo code created successfully',
'promo_code': {
'id': promo_code.id,
'code': promo_code.code,
'description': promo_code.get_discount_description()
}
})
except Exception as e:
return jsonify({
'success': False,
'message': str(e)
}), 400
@promo_codes_bp.route('/admin/<int:promo_code_id>/deactivate', methods=['POST'])
@login_required
def admin_deactivate_promo_code(promo_code_id):
"""Deactivate a promo code (admin only)"""
# Check if user is admin
if not current_user.is_admin:
return jsonify({'success': False, 'message': 'Access denied'}), 403
promo_code = PromoCode.query.get_or_404(promo_code_id)
promo_code.is_active = False
db.session.commit()
# Deactivate in Stripe
promo_code_service.deactivate_promo_code(promo_code.code)
return jsonify({
'success': True,
'message': 'Promo code deactivated'
})
@promo_codes_bp.route('/admin/<int:promo_code_id>/stats', methods=['GET'])
@login_required
def admin_promo_code_stats(promo_code_id):
"""Get statistics for a promo code (admin only)"""
# Check if user is admin
if not current_user.is_admin:
return jsonify({'success': False, 'message': 'Access denied'}), 403
promo_code = PromoCode.query.get_or_404(promo_code_id)
redemptions = promo_code_service.get_redemptions(promo_code)
return jsonify({
'code': promo_code.code,
'description': promo_code.description,
'times_redeemed': promo_code.times_redeemed,
'max_redemptions': promo_code.max_redemptions,
'is_active': promo_code.is_active,
'is_valid': promo_code.is_valid,
'redemptions': [{
'organization_id': r.organization_id,
'redeemed_at': r.redeemed_at.isoformat(),
'redeemed_by': r.redeemed_by
} for r in redemptions]
})

53
app/routes/reports.py
View File

@@ -6,33 +6,23 @@ from datetime import datetime, timedelta
import csv
import io
import pytz
from app.utils.tenancy import (
get_current_organization_id,
scoped_query,
require_organization_access
)
reports_bp = Blueprint('reports', __name__)
@reports_bp.route('/reports')
@login_required
@require_organization_access()
def reports():
"""Main reports page"""
org_id = get_current_organization_id()
# Aggregate totals (scope by organization and user unless admin)
# Aggregate totals (scope by user unless admin)
totals_query = db.session.query(db.func.sum(TimeEntry.duration_seconds)).filter(
TimeEntry.organization_id == org_id,
TimeEntry.end_time.isnot(None)
)
billable_query = db.session.query(db.func.sum(TimeEntry.duration_seconds)).filter(
TimeEntry.organization_id == org_id,
TimeEntry.end_time.isnot(None),
TimeEntry.billable == True
)
entries_query = scoped_query(TimeEntry).filter(TimeEntry.end_time.isnot(None))
entries_query = TimeEntry.query.filter(TimeEntry.end_time.isnot(None))
if not current_user.is_admin:
totals_query = totals_query.filter(TimeEntry.user_id == current_user.id)
@@ -45,7 +35,7 @@ def reports():
summary = {
'total_hours': round(total_seconds / 3600, 2),
'billable_hours': round(billable_seconds / 3600, 2),
'active_projects': scoped_query(Project).filter_by(status='active').count(),
'active_projects': Project.query.filter_by(status='active').count(),
'total_users': User.query.filter_by(is_active=True).count(),
}
@@ -55,17 +45,15 @@ def reports():
@reports_bp.route('/reports/project')
@login_required
@require_organization_access()
def project_report():
"""Project-based time report"""
org_id = get_current_organization_id()
project_id = request.args.get('project_id', type=int)
start_date = request.args.get('start_date')
end_date = request.args.get('end_date')
user_id = request.args.get('user_id', type=int)
# Get projects for filter (scoped to organization)
projects = scoped_query(Project).filter_by(status='active').order_by(Project.name).all()
# Get projects for filter
projects = Project.query.filter_by(status='active').order_by(Project.name).all()
users = User.query.filter_by(is_active=True).order_by(User.username).all()
# Parse dates
@@ -81,8 +69,8 @@ def project_report():
flash('Invalid date format', 'error')
return render_template('reports/project_report.html', projects=projects, users=users)
# Get time entries (scoped to organization)
query = scoped_query(TimeEntry).filter(
# Get time entries
query = TimeEntry.query.filter(
TimeEntry.end_time.isnot(None),
TimeEntry.start_time >= start_dt,
TimeEntry.start_time <= end_dt
@@ -165,10 +153,8 @@ def project_report():
@reports_bp.route('/reports/user')
@login_required
@require_organization_access()
def user_report():
"""User-based time report"""
org_id = get_current_organization_id()
user_id = request.args.get('user_id', type=int)
start_date = request.args.get('start_date')
end_date = request.args.get('end_date')
@@ -176,7 +162,7 @@ def user_report():
# Get users for filter
users = User.query.filter_by(is_active=True).order_by(User.username).all()
projects = scoped_query(Project).filter_by(status='active').order_by(Project.name).all()
projects = Project.query.filter_by(status='active').order_by(Project.name).all()
# Parse dates
if not start_date:
@@ -192,7 +178,7 @@ def user_report():
return render_template('reports/user_report.html', users=users, projects=projects)
# Get time entries
query = scoped_query(TimeEntry).filter(
query = TimeEntry.query.filter(
TimeEntry.end_time.isnot(None),
TimeEntry.start_time >= start_dt,
TimeEntry.start_time <= end_dt
@@ -251,10 +237,8 @@ def user_report():
@reports_bp.route('/reports/export/csv')
@login_required
@require_organization_access()
def export_csv():
"""Export time entries as CSV"""
org_id = get_current_organization_id()
start_date = request.args.get('start_date')
end_date = request.args.get('end_date')
user_id = request.args.get('user_id', type=int)
@@ -274,7 +258,7 @@ def export_csv():
return redirect(url_for('reports.reports'))
# Get time entries
query = scoped_query(TimeEntry).filter(
query = TimeEntry.query.filter(
TimeEntry.end_time.isnot(None),
TimeEntry.start_time >= start_dt,
TimeEntry.start_time <= end_dt
@@ -335,7 +319,6 @@ def export_csv():
@reports_bp.route('/reports/summary')
@login_required
@require_organization_access()
def summary_report():
"""Summary report with key metrics"""
# Get date range
@@ -361,14 +344,14 @@ def summary_report():
# Get top projects
if current_user.is_admin:
# For admins, show all projects
projects = scoped_query(Project).filter_by(status='active').all()
projects = Project.query.filter_by(status='active').all()
else:
# For users, show only their projects
project_ids = db.session.query(TimeEntry.project_id).filter(
TimeEntry.user_id == current_user.id
).distinct().all()
project_ids = [pid[0] for pid in project_ids]
projects = scoped_query(Project).filter(Project.id.in_(project_ids)).all()
projects = Project.query.filter(Project.id.in_(project_ids)).all()
# Sort projects by total hours
project_stats = []
@@ -395,17 +378,15 @@ def summary_report():
@reports_bp.route('/reports/tasks')
@login_required
@require_organization_access()
def task_report():
"""Report of finished tasks within a project, including hours spent per task"""
org_id = get_current_organization_id()
project_id = request.args.get('project_id', type=int)
user_id = request.args.get('user_id', type=int)
start_date = request.args.get('start_date')
end_date = request.args.get('end_date')
# Filters data (scoped to organization)
projects = scoped_query(Project).order_by(Project.name).all()
# Filters data
projects = Project.query.order_by(Project.name).all()
users = User.query.filter_by(is_active=True).order_by(User.username).all()
# Default date range: last 30 days
@@ -421,8 +402,8 @@ def task_report():
flash('Invalid date format', 'error')
return render_template('reports/task_report.html', projects=projects, users=users)
# Base tasks query: finished tasks (scoped to organization)
tasks_query = scoped_query(Task).filter(Task.status == 'done')
# Base tasks query: finished tasks
tasks_query = Task.query.filter(Task.status == 'done')
if project_id:
tasks_query = tasks_query.filter(Task.project_id == project_id)
@@ -441,7 +422,7 @@ def task_report():
task_rows = []
total_hours = 0.0
for task in tasks:
te_query = scoped_query(TimeEntry).filter(
te_query = TimeEntry.query.filter(
TimeEntry.task_id == task.id,
TimeEntry.end_time.isnot(None),
TimeEntry.start_time >= start_dt,

261
app/routes/security.py
View File

@@ -1,261 +0,0 @@
"""
Security Routes - 2FA/MFA Management
"""
from flask import Blueprint, render_template, request, redirect, url_for, flash, session, current_app, jsonify
from flask_login import login_required, current_user
from app import db, limiter
from app.models import User
from app.utils.db import safe_commit
from flask_babel import gettext as _
import pyotp
import qrcode
import io
import base64
security_bp = Blueprint('security', __name__, url_prefix='/security')
@security_bp.route('/2fa/setup', methods=['GET'])
@login_required
@limiter.limit("10 per hour")
def setup_2fa():
"""Display 2FA setup page"""
if current_user.totp_enabled:
flash(_('Two-factor authentication is already enabled for your account.'), 'info')
return redirect(url_for('security.manage_2fa'))
# Generate a new TOTP secret
secret = pyotp.random_base32()
session['pending_totp_secret'] = secret
# Generate QR code
totp = pyotp.TOTP(secret)
provisioning_uri = totp.provisioning_uri(
name=current_user.email or current_user.username,
issuer_name=current_app.config.get('COMPANY_NAME', 'TimeTracker')
)
# Create QR code image
qr = qrcode.QRCode(version=1, box_size=10, border=5)
qr.add_data(provisioning_uri)
qr.make(fit=True)
img = qr.make_image(fill_color="black", back_color="white")
buffer = io.BytesIO()
img.save(buffer, format='PNG')
buffer.seek(0)
qr_code_data = base64.b64encode(buffer.getvalue()).decode()
return render_template('security/setup_2fa.html',
secret=secret,
qr_code_data=qr_code_data,
provisioning_uri=provisioning_uri)
@security_bp.route('/2fa/verify', methods=['POST'])
@login_required
@limiter.limit("10 per hour")
def verify_2fa_setup():
"""Verify and enable 2FA"""
token = request.form.get('token', '').strip()
secret = session.get('pending_totp_secret')
if not secret:
flash(_('2FA setup session expired. Please try again.'), 'error')
return redirect(url_for('security.setup_2fa'))
if not token:
flash(_('Please enter the 6-digit code from your authenticator app.'), 'error')
return redirect(url_for('security.setup_2fa'))
# Verify the token
totp = pyotp.TOTP(secret)
if not totp.verify(token, valid_window=1):
flash(_('Invalid code. Please try again.'), 'error')
return redirect(url_for('security.setup_2fa'))
# Enable 2FA for the user
current_user.totp_secret = secret
current_user.totp_enabled = True
# Generate backup codes
backup_codes = current_user.generate_backup_codes()
if not safe_commit():
flash(_('Failed to enable two-factor authentication. Please try again.'), 'error')
return redirect(url_for('security.setup_2fa'))
# Clear the pending secret from session
session.pop('pending_totp_secret', None)
flash(_('Two-factor authentication has been enabled successfully!'), 'success')
return render_template('security/backup_codes.html',
backup_codes=backup_codes,
is_setup=True)
@security_bp.route('/2fa/disable', methods=['POST'])
@login_required
@limiter.limit("5 per hour")
def disable_2fa():
"""Disable 2FA for the current user"""
password = request.form.get('password', '')
# Verify password before disabling 2FA
if not current_user.check_password(password):
flash(_('Incorrect password. Two-factor authentication was not disabled.'), 'error')
return redirect(url_for('security.manage_2fa'))
current_user.totp_secret = None
current_user.totp_enabled = False
current_user.backup_codes = None
if not safe_commit():
flash(_('Failed to disable two-factor authentication. Please try again.'), 'error')
return redirect(url_for('security.manage_2fa'))
flash(_('Two-factor authentication has been disabled.'), 'warning')
return redirect(url_for('main.dashboard'))
@security_bp.route('/2fa/manage', methods=['GET'])
@login_required
def manage_2fa():
"""Manage 2FA settings"""
return render_template('security/manage_2fa.html')
@security_bp.route('/2fa/backup-codes/regenerate', methods=['POST'])
@login_required
@limiter.limit("3 per hour")
def regenerate_backup_codes():
"""Regenerate backup codes"""
if not current_user.totp_enabled:
flash(_('Two-factor authentication is not enabled.'), 'error')
return redirect(url_for('security.manage_2fa'))
password = request.form.get('password', '')
# Verify password before regenerating backup codes
if not current_user.check_password(password):
flash(_('Incorrect password. Backup codes were not regenerated.'), 'error')
return redirect(url_for('security.manage_2fa'))
# Generate new backup codes
backup_codes = current_user.generate_backup_codes()
if not safe_commit():
flash(_('Failed to regenerate backup codes. Please try again.'), 'error')
return redirect(url_for('security.manage_2fa'))
flash(_('New backup codes have been generated. Please save them securely.'), 'success')
return render_template('security/backup_codes.html',
backup_codes=backup_codes,
is_setup=False)
@security_bp.route('/2fa/verify-login', methods=['GET', 'POST'])
@limiter.limit("10 per hour")
def verify_2fa_login():
"""Verify 2FA during login"""
# Check if user is in the 2FA verification flow
pending_user_id = session.get('pending_2fa_user_id')
if not pending_user_id:
flash(_('No pending 2FA verification. Please log in again.'), 'error')
return redirect(url_for('auth.login'))
user = User.query.get(pending_user_id)
if not user or not user.totp_enabled:
session.pop('pending_2fa_user_id', None)
flash(_('Invalid 2FA verification state. Please log in again.'), 'error')
return redirect(url_for('auth.login'))
if request.method == 'GET':
return render_template('security/verify_2fa_login.html')
# POST - verify the token
token = request.form.get('token', '').strip()
use_backup = request.form.get('use_backup') == 'true'
if not token:
flash(_('Please enter the verification code.'), 'error')
return render_template('security/verify_2fa_login.html')
is_valid = False
if use_backup:
# Verify backup code
is_valid = user.verify_backup_code(token)
if is_valid:
safe_commit()
flash(_('Backup code used successfully. Please generate new backup codes.'), 'warning')
else:
# Verify TOTP token
is_valid = user.verify_totp(token)
if not is_valid:
flash(_('Invalid verification code. Please try again.'), 'error')
return render_template('security/verify_2fa_login.html')
# 2FA verification successful - complete login
from flask_login import login_user
session.pop('pending_2fa_user_id', None)
login_user(user, remember=session.get('remember_me', False))
user.update_last_login()
flash(_('Login successful!'), 'success')
next_page = session.pop('next_after_2fa', None) or url_for('main.dashboard')
return redirect(next_page)
@security_bp.route('/password/change', methods=['GET', 'POST'])
@login_required
@limiter.limit("10 per hour")
def change_password():
"""Change user password"""
from app.utils.password_policy import PasswordPolicy
if request.method == 'GET':
# Check if password is expired
is_expired, days_remaining = PasswordPolicy.check_password_expiry(current_user)
policy_description = PasswordPolicy.get_policy_description()
return render_template('security/change_password.html',
password_expired=is_expired,
days_remaining=days_remaining,
policy_description=policy_description)
# POST - change password
current_password = request.form.get('current_password', '')
new_password = request.form.get('new_password', '')
confirm_password = request.form.get('confirm_password', '')
# Verify current password
if not current_user.check_password(current_password):
flash(_('Current password is incorrect.'), 'error')
return redirect(url_for('security.change_password'))
# Verify new passwords match
if new_password != confirm_password:
flash(_('New passwords do not match.'), 'error')
return redirect(url_for('security.change_password'))
# Set new password (validation happens in set_password)
try:
current_user.set_password(new_password, validate=True)
if not safe_commit():
flash(_('Failed to change password. Please try again.'), 'error')
return redirect(url_for('security.change_password'))
flash(_('Your password has been changed successfully.'), 'success')
return redirect(url_for('main.dashboard'))
except ValueError as e:
flash(str(e), 'error')
return redirect(url_for('security.change_password'))

96
app/routes/tasks.py
View File

@@ -7,17 +7,11 @@ from datetime import datetime, date
from decimal import Decimal
from app.utils.db import safe_commit
from app.utils.timezone import now_in_app_timezone
from app.utils.tenancy import (
get_current_organization_id,
scoped_query,
require_organization_access
)
tasks_bp = Blueprint('tasks', __name__)
@tasks_bp.route('/tasks')
@login_required
@require_organization_access()
def list_tasks():
"""List all tasks with filtering options"""
page = request.args.get('page', 1, type=int)
@@ -29,7 +23,7 @@ def list_tasks():
overdue_param = request.args.get('overdue', '').strip().lower()
overdue = overdue_param in ['1', 'true', 'on', 'yes']
query = scoped_query(Task)
query = Task.query
# Apply filters
if status:
@@ -76,9 +70,9 @@ def list_tasks():
error_out=False
)
# Get filter options (scoped to organization)
projects = scoped_query(Project).filter_by(status='active').order_by(Project.name).all()
users = User.query.order_by(User.username).all() # Users are global, not org-scoped
# Get filter options
projects = Project.query.filter_by(status='active').order_by(Project.name).all()
users = User.query.order_by(User.username).all()
return render_template(
'tasks/list.html',
@@ -96,11 +90,8 @@ def list_tasks():
@tasks_bp.route('/tasks/create', methods=['GET', 'POST'])
@login_required
@require_organization_access()
def create_task():
"""Create a new task"""
org_id = get_current_organization_id()
if request.method == 'POST':
project_id = request.form.get('project_id', type=int)
name = request.form.get('name', '').strip()
@@ -115,10 +106,10 @@ def create_task():
flash('Project and task name are required', 'error')
return render_template('tasks/create.html')
# Validate project exists (scoped to organization)
project = scoped_query(Project).filter_by(id=project_id).first()
# Validate project exists
project = Project.query.get(project_id)
if not project:
flash('Selected project does not exist in your organization', 'error')
flash('Selected project does not exist', 'error')
return render_template('tasks/create.html')
# Parse estimated hours
@@ -137,10 +128,9 @@ def create_task():
flash('Invalid due date format', 'error')
return render_template('tasks/create.html')
# Create task with organization_id
# Create task
task = Task(
project_id=project_id,
organization_id=org_id,
name=name,
description=description,
priority=priority,
@@ -158,18 +148,17 @@ def create_task():
flash(f'Task "{name}" created successfully', 'success')
return redirect(url_for('tasks.view_task', task_id=task.id))
# Get available projects and users for form (scoped to organization)
projects = scoped_query(Project).filter_by(status='active').order_by(Project.name).all()
# Get available projects and users for form
projects = Project.query.filter_by(status='active').order_by(Project.name).all()
users = User.query.order_by(User.username).all()
return render_template('tasks/create.html', projects=projects, users=users)
@tasks_bp.route('/tasks/<int:task_id>')
@login_required
@require_organization_access()
def view_task(task_id):
"""View task details"""
task = scoped_query(Task).filter_by(id=task_id).first_or_404()
task = Task.query.get_or_404(task_id)
# Check if user has access to this task
if not current_user.is_admin and task.assigned_to != current_user.id and task.created_by != current_user.id:
@@ -189,11 +178,9 @@ def view_task(task_id):
@tasks_bp.route('/tasks/<int:task_id>/edit', methods=['GET', 'POST'])
@login_required
@require_organization_access()
def edit_task(task_id):
"""Edit task details"""
org_id = get_current_organization_id()
task = scoped_query(Task).filter_by(id=task_id).first_or_404()
task = Task.query.get_or_404(task_id)
# Check if user can edit this task
if not current_user.is_admin and task.created_by != current_user.id:
@@ -250,21 +237,21 @@ def edit_task(task_id):
if not task.started_at:
task.started_at = now_in_app_timezone()
task.updated_at = now_in_app_timezone()
db.session.add(TaskActivity(task_id=task.id, organization_id=org_id, user_id=current_user.id, event='reopen', details='Task reopened to In Progress'))
db.session.add(TaskActivity(task_id=task.id, user_id=current_user.id, event='reopen', details='Task reopened to In Progress'))
if not safe_commit('edit_task_reopen_in_progress', {'task_id': task.id}):
flash('Could not update status due to a database error. Please check server logs.', 'error')
return render_template('tasks/edit.html', task=task)
else:
task.start_task()
db.session.add(TaskActivity(task_id=task.id, organization_id=org_id, user_id=current_user.id, event='start', details=f"Task moved from {previous_status} to In Progress"))
db.session.add(TaskActivity(task_id=task.id, user_id=current_user.id, event='start', details=f"Task moved from {previous_status} to In Progress"))
safe_commit('log_task_start_from_edit', {'task_id': task.id})
elif selected_status == 'done':
task.complete_task()
db.session.add(TaskActivity(task_id=task.id, organization_id=org_id, user_id=current_user.id, event='complete', details='Task completed'))
db.session.add(TaskActivity(task_id=task.id, user_id=current_user.id, event='complete', details='Task completed'))
safe_commit('log_task_complete_from_edit', {'task_id': task.id})
elif selected_status == 'cancelled':
task.cancel_task()
db.session.add(TaskActivity(task_id=task.id, organization_id=org_id, user_id=current_user.id, event='cancel', details='Task cancelled'))
db.session.add(TaskActivity(task_id=task.id, user_id=current_user.id, event='cancel', details='Task cancelled'))
safe_commit('log_task_cancel_from_edit', {'task_id': task.id})
else:
# Reopen or move to non-special states
@@ -274,7 +261,7 @@ def edit_task(task_id):
task.status = selected_status
task.updated_at = now_in_app_timezone()
event_name = 'reopen' if previous_status == 'done' and selected_status in ['todo', 'review'] else ('pause' if selected_status == 'todo' else ('review' if selected_status == 'review' else 'status_change'))
db.session.add(TaskActivity(task_id=task.id, organization_id=org_id, user_id=current_user.id, event=event_name, details=f"Task moved from {previous_status} to {selected_status}"))
db.session.add(TaskActivity(task_id=task.id, user_id=current_user.id, event=event_name, details=f"Task moved from {previous_status} to {selected_status}"))
if not safe_commit('edit_task_status_change', {'task_id': task.id, 'status': selected_status}):
flash('Could not update status due to a database error. Please check server logs.', 'error')
return render_template('tasks/edit.html', task=task)
@@ -292,19 +279,17 @@ def edit_task(task_id):
flash(f'Task "{name}" updated successfully', 'success')
return redirect(url_for('tasks.view_task', task_id=task.id))
# Get available projects and users for form (scoped to organization)
projects = scoped_query(Project).filter_by(status='active').order_by(Project.name).all()
# Get available projects and users for form
projects = Project.query.filter_by(status='active').order_by(Project.name).all()
users = User.query.order_by(User.username).all()
return render_template('tasks/edit.html', task=task, projects=projects, users=users)
@tasks_bp.route('/tasks/<int:task_id>/status', methods=['POST'])
@login_required
@require_organization_access()
def update_task_status(task_id):
"""Update task status"""
org_id = get_current_organization_id()
task = scoped_query(Task).filter_by(id=task_id).first_or_404()
task = Task.query.get_or_404(task_id)
new_status = request.form.get('status', '').strip()
# Check if user can update this task
@@ -329,22 +314,22 @@ def update_task_status(task_id):
if not task.started_at:
task.started_at = now_in_app_timezone()
task.updated_at = now_in_app_timezone()
db.session.add(TaskActivity(task_id=task.id, organization_id=org_id, user_id=current_user.id, event='reopen', details='Task reopened to In Progress'))
db.session.add(TaskActivity(task_id=task.id, user_id=current_user.id, event='reopen', details='Task reopened to In Progress'))
if not safe_commit('update_task_status_reopen_in_progress', {'task_id': task.id, 'status': new_status}):
flash('Could not update status due to a database error. Please check server logs.', 'error')
return redirect(url_for('tasks.view_task', task_id=task.id))
else:
previous_status = task.status
task.start_task()
db.session.add(TaskActivity(task_id=task.id, organization_id=org_id, user_id=current_user.id, event='start', details=f"Task moved from {previous_status} to In Progress"))
db.session.add(TaskActivity(task_id=task.id, user_id=current_user.id, event='start', details=f"Task moved from {previous_status} to In Progress"))
safe_commit('log_task_start', {'task_id': task.id})
elif new_status == 'done':
task.complete_task()
db.session.add(TaskActivity(task_id=task.id, organization_id=org_id, user_id=current_user.id, event='complete', details='Task completed'))
db.session.add(TaskActivity(task_id=task.id, user_id=current_user.id, event='complete', details='Task completed'))
safe_commit('log_task_complete', {'task_id': task.id})
elif new_status == 'cancelled':
task.cancel_task()
db.session.add(TaskActivity(task_id=task.id, organization_id=org_id, user_id=current_user.id, event='cancel', details='Task cancelled'))
db.session.add(TaskActivity(task_id=task.id, user_id=current_user.id, event='cancel', details='Task cancelled'))
safe_commit('log_task_cancel', {'task_id': task.id})
else:
# For other transitions, handle reopening from done and local timestamps
@@ -362,7 +347,7 @@ def update_task_status(task_id):
'review': 'review',
}
event_name = event_map.get(new_status, 'status_change')
db.session.add(TaskActivity(task_id=task.id, organization_id=org_id, user_id=current_user.id, event=event_name, details=f"Task moved from {previous_status} to {new_status}"))
db.session.add(TaskActivity(task_id=task.id, user_id=current_user.id, event=event_name, details=f"Task moved from {previous_status} to {new_status}"))
if not safe_commit('update_task_status', {'task_id': task.id, 'status': new_status}):
flash('Could not update status due to a database error. Please check server logs.', 'error')
return redirect(url_for('tasks.view_task', task_id=task.id))
@@ -375,10 +360,9 @@ def update_task_status(task_id):
@tasks_bp.route('/tasks/<int:task_id>/priority', methods=['POST'])
@login_required
@require_organization_access()
def update_task_priority(task_id):
"""Update task priority"""
task = scoped_query(Task).filter_by(id=task_id).first_or_404()
task = Task.query.get_or_404(task_id)
new_priority = request.form.get('priority', '').strip()
# Check if user can update this task
@@ -396,10 +380,9 @@ def update_task_priority(task_id):
@tasks_bp.route('/tasks/<int:task_id>/assign', methods=['POST'])
@login_required
@require_organization_access()
def assign_task(task_id):
"""Assign task to a user"""
task = scoped_query(Task).filter_by(id=task_id).first_or_404()
task = Task.query.get_or_404(task_id)
user_id = request.form.get('user_id', type=int)
# Check if user can assign this task
@@ -423,10 +406,9 @@ def assign_task(task_id):
@tasks_bp.route('/tasks/<int:task_id>/delete', methods=['POST'])
@login_required
@require_organization_access()
def delete_task(task_id):
"""Delete a task"""
task = scoped_query(Task).filter_by(id=task_id).first_or_404()
task = Task.query.get_or_404(task_id)
# Check if user can delete this task
if not current_user.is_admin and task.created_by != current_user.id:
@@ -449,7 +431,6 @@ def delete_task(task_id):
@tasks_bp.route('/tasks/my-tasks')
@login_required
@require_organization_access()
def my_tasks():
"""Show current user's tasks with filters and pagination"""
page = request.args.get('page', 1, type=int)
@@ -461,7 +442,7 @@ def my_tasks():
overdue_param = request.args.get('overdue', '').strip().lower()
overdue = overdue_param in ['1', 'true', 'on', 'yes']
query = scoped_query(Task)
query = Task.query
# Restrict to current user's tasks depending on task_type filter
if task_type == 'assigned':
@@ -509,8 +490,8 @@ def my_tasks():
Task.created_at.asc()
).paginate(page=page, per_page=20, error_out=False)
# Provide projects for filter dropdown (scoped to organization)
projects = scoped_query(Project).filter_by(status='active').order_by(Project.name).all()
# Provide projects for filter dropdown
projects = Project.query.filter_by(status='active').order_by(Project.name).all()
return render_template(
'tasks/my_tasks.html',
@@ -527,29 +508,21 @@ def my_tasks():
@tasks_bp.route('/tasks/overdue')
@login_required
@require_organization_access()
def overdue_tasks():
"""Show all overdue tasks"""
if not current_user.is_admin:
flash('Only administrators can view all overdue tasks', 'error')
return redirect(url_for('tasks.list_tasks'))
# Get overdue tasks scoped to organization
org_id = get_current_organization_id()
today = date.today()
tasks = scoped_query(Task).filter(
Task.due_date < today,
Task.status.in_(['todo', 'in_progress', 'review'])
).order_by(Task.priority.desc(), Task.due_date.asc()).all()
tasks = Task.get_overdue_tasks()
return render_template('tasks/overdue.html', tasks=tasks)
@tasks_bp.route('/api/tasks/<int:task_id>')
@login_required
@require_organization_access()
def api_task(task_id):
"""API endpoint to get task details"""
task = scoped_query(Task).filter_by(id=task_id).first_or_404()
task = Task.query.get_or_404(task_id)
# Check if user has access to this task
if not current_user.is_admin and task.assigned_to != current_user.id and task.created_by != current_user.id:
@@ -559,10 +532,9 @@ def api_task(task_id):
@tasks_bp.route('/api/tasks/<int:task_id>/status', methods=['PUT'])
@login_required
@require_organization_access()
def api_update_status(task_id):
"""API endpoint to update task status"""
task = scoped_query(Task).filter_by(id=task_id).first_or_404()
task = Task.query.get_or_404(task_id)
data = request.get_json()
new_status = data.get('status', '').strip()

144
app/routes/timer.py
View File

@@ -7,43 +7,36 @@ from app.utils.timezone import parse_local_datetime, utc_to_local
from datetime import datetime
import json
from app.utils.db import safe_commit
from app.utils.tenancy import (
get_current_organization_id,
scoped_query,
require_organization_access
)
timer_bp = Blueprint('timer', __name__)
@timer_bp.route('/timer/start', methods=['POST'])
@login_required
@require_organization_access()
def start_timer():
"""Start a new timer for the current user"""
org_id = get_current_organization_id()
project_id = request.form.get('project_id', type=int)
task_id = request.form.get('task_id', type=int)
notes = request.form.get('notes', '').strip()
current_app.logger.info("POST /timer/start user=%s project_id=%s task_id=%s org_id=%s", current_user.username, project_id, task_id, org_id)
current_app.logger.info("POST /timer/start user=%s project_id=%s task_id=%s", current_user.username, project_id, task_id)
if not project_id:
flash('Project is required', 'error')
current_app.logger.warning("Start timer failed: missing project_id")
return redirect(url_for('main.dashboard'))
# Check if project exists and is active (scoped to organization)
project = scoped_query(Project).filter_by(id=project_id, status='active').first()
# Check if project exists and is active
project = Project.query.filter_by(id=project_id, status='active').first()
if not project:
flash('Invalid project selected', 'error')
current_app.logger.warning("Start timer failed: invalid or inactive project_id=%s in org_id=%s", project_id, org_id)
current_app.logger.warning("Start timer failed: invalid or inactive project_id=%s", project_id)
return redirect(url_for('main.dashboard'))
# If a task is provided, validate it belongs to the project (and organization)
# If a task is provided, validate it belongs to the project
if task_id:
task = scoped_query(Task).filter_by(id=task_id, project_id=project_id).first()
task = Task.query.filter_by(id=task_id, project_id=project_id).first()
if not task:
flash('Selected task is invalid for the chosen project', 'error')
current_app.logger.warning("Start timer failed: task_id=%s does not belong to project_id=%s in org_id=%s", task_id, project_id, org_id)
current_app.logger.warning("Start timer failed: task_id=%s does not belong to project_id=%s", task_id, project_id)
return redirect(url_for('main.dashboard'))
else:
task = None
@@ -55,12 +48,11 @@ def start_timer():
current_app.logger.info("Start timer blocked: user already has an active timer")
return redirect(url_for('main.dashboard'))
# Create new timer with organization_id
# Create new timer
from app.models.time_entry import local_now
new_timer = TimeEntry(
user_id=current_user.id,
project_id=project_id,
organization_id=org_id,
task_id=task.id if task else None,
start_time=local_now(),
notes=notes if notes else None,
@@ -96,18 +88,16 @@ def start_timer():
@timer_bp.route('/timer/start/<int:project_id>')
@login_required
@require_organization_access()
def start_timer_for_project(project_id):
"""Start a timer for a specific project (GET route for direct links)"""
org_id = get_current_organization_id()
task_id = request.args.get('task_id', type=int)
current_app.logger.info("GET /timer/start/%s user=%s task_id=%s org_id=%s", project_id, current_user.username, task_id, org_id)
current_app.logger.info("GET /timer/start/%s user=%s task_id=%s", project_id, current_user.username, task_id)
# Check if project exists and is active (scoped to organization)
project = scoped_query(Project).filter_by(id=project_id, status='active').first()
# Check if project exists and is active
project = Project.query.filter_by(id=project_id, status='active').first()
if not project:
flash('Invalid project selected', 'error')
current_app.logger.warning("Start timer (GET) failed: invalid or inactive project_id=%s in org_id=%s", project_id, org_id)
current_app.logger.warning("Start timer (GET) failed: invalid or inactive project_id=%s", project_id)
return redirect(url_for('main.dashboard'))
# Check if user already has an active timer
@@ -117,12 +107,11 @@ def start_timer_for_project(project_id):
current_app.logger.info("Start timer (GET) blocked: user already has an active timer")
return redirect(url_for('main.dashboard'))
# Create new timer with organization_id
# Create new timer
from app.models.time_entry import local_now
new_timer = TimeEntry(
user_id=current_user.id,
project_id=project_id,
organization_id=org_id,
task_id=task_id,
start_time=local_now(),
source='auto'
@@ -147,7 +136,7 @@ def start_timer_for_project(project_id):
current_app.logger.warning("Socket emit failed for timer_started (GET): %s", e)
if task_id:
task = scoped_query(Task).filter_by(id=task_id).first()
task = Task.query.get(task_id)
task_name = task.name if task else "Unknown Task"
flash(f'Timer started for {project.name} - {task_name}', 'success')
else:
@@ -157,7 +146,6 @@ def start_timer_for_project(project_id):
@timer_bp.route('/timer/stop', methods=['POST'])
@login_required
@require_organization_access()
def stop_timer():
"""Stop the current user's active timer"""
active_timer = current_user.active_timer
@@ -189,7 +177,6 @@ def stop_timer():
@timer_bp.route('/timer/status')
@login_required
@require_organization_access()
def timer_status():
"""Get current timer status as JSON"""
active_timer = current_user.active_timer
@@ -213,10 +200,9 @@ def timer_status():
@timer_bp.route('/timer/edit/<int:timer_id>', methods=['GET', 'POST'])
@login_required
@require_organization_access()
def edit_timer(timer_id):
"""Edit a completed timer entry"""
timer = scoped_query(TimeEntry).filter_by(id=timer_id).first_or_404()
timer = TimeEntry.query.get_or_404(timer_id)
# Check if user can edit this timer
if timer.user_id != current_user.id and not current_user.is_admin:
@@ -234,27 +220,27 @@ def edit_timer(timer_id):
# Update project if changed
new_project_id = request.form.get('project_id', type=int)
if new_project_id and new_project_id != timer.project_id:
new_project = scoped_query(Project).filter_by(id=new_project_id, status='active').first()
new_project = Project.query.filter_by(id=new_project_id, status='active').first()
if new_project:
timer.project_id = new_project_id
else:
flash('Invalid project selected', 'error')
return render_template('timer/edit_timer.html', timer=timer,
projects=scoped_query(Project).filter_by(status='active').order_by(Project.name).all(),
tasks=[] if not new_project_id else scoped_query(Task).filter_by(project_id=new_project_id).order_by(Task.name).all())
projects=Project.query.filter_by(status='active').order_by(Project.name).all(),
tasks=[] if not new_project_id else Task.query.filter_by(project_id=new_project_id).order_by(Task.name).all())
# Update task if changed
new_task_id = request.form.get('task_id', type=int)
if new_task_id != timer.task_id:
if new_task_id:
new_task = scoped_query(Task).filter_by(id=new_task_id, project_id=timer.project_id).first()
new_task = Task.query.filter_by(id=new_task_id, project_id=timer.project_id).first()
if new_task:
timer.task_id = new_task_id
else:
flash('Invalid task selected for the chosen project', 'error')
return render_template('timer/edit_timer.html', timer=timer,
projects=scoped_query(Project).filter_by(status='active').order_by(Project.name).all(),
tasks=scoped_query(Task).filter_by(project_id=timer.project_id).order_by(Task.name).all())
projects=Project.query.filter_by(status='active').order_by(Project.name).all(),
tasks=Task.query.filter_by(project_id=timer.project_id).order_by(Task.name).all())
else:
timer.task_id = None
@@ -276,15 +262,15 @@ def edit_timer(timer_id):
if new_start_time > current_time:
flash('Start time cannot be in the future', 'error')
return render_template('timer/edit_timer.html', timer=timer,
projects=scoped_query(Project).filter_by(status='active').order_by(Project.name).all(),
tasks=scoped_query(Task).filter_by(project_id=timer.project_id).order_by(Task.name).all())
projects=Project.query.filter_by(status='active').order_by(Project.name).all(),
tasks=Task.query.filter_by(project_id=timer.project_id).order_by(Task.name).all())
timer.start_time = new_start_time
except ValueError:
flash('Invalid start date/time format', 'error')
return render_template('timer/edit_timer.html', timer=timer,
projects=scoped_query(Project).filter_by(status='active').order_by(Project.name).all(),
tasks=scoped_query(Task).filter_by(project_id=timer.project_id).order_by(Task.name).all())
projects=Project.query.filter_by(status='active').order_by(Project.name).all(),
tasks=Task.query.filter_by(project_id=timer.project_id).order_by(Task.name).all())
if end_date and end_time:
try:
@@ -296,8 +282,8 @@ def edit_timer(timer_id):
if new_end_time <= timer.start_time:
flash('End time must be after start time', 'error')
return render_template('timer/edit_timer.html', timer=timer,
projects=scoped_query(Project).filter_by(status='active').order_by(Project.name).all(),
tasks=scoped_query(Task).filter_by(project_id=timer.project_id).order_by(Task.name).all())
projects=Project.query.filter_by(status='active').order_by(Project.name).all(),
tasks=Task.query.filter_by(project_id=timer.project_id).order_by(Task.name).all())
timer.end_time = new_end_time
# Recalculate duration
@@ -305,8 +291,8 @@ def edit_timer(timer_id):
except ValueError:
flash('Invalid end date/time format', 'error')
return render_template('timer/edit_timer.html', timer=timer,
projects=scoped_query(Project).filter_by(status='active').order_by(Project.name).all(),
tasks=scoped_query(Task).filter_by(project_id=timer.project_id).order_by(Task.name).all())
projects=Project.query.filter_by(status='active').order_by(Project.name).all(),
tasks=Task.query.filter_by(project_id=timer.project_id).order_by(Task.name).all())
# Update source if provided
new_source = request.form.get('source')
@@ -320,22 +306,21 @@ def edit_timer(timer_id):
flash('Timer updated successfully', 'success')
return redirect(url_for('main.dashboard'))
# Get projects and tasks for admin users (scoped to organization)
# Get projects and tasks for admin users
projects = []
tasks = []
if current_user.is_admin:
projects = scoped_query(Project).filter_by(status='active').order_by(Project.name).all()
projects = Project.query.filter_by(status='active').order_by(Project.name).all()
if timer.project_id:
tasks = scoped_query(Task).filter_by(project_id=timer.project_id).order_by(Task.name).all()
tasks = Task.query.filter_by(project_id=timer.project_id).order_by(Task.name).all()
return render_template('timer/edit_timer.html', timer=timer, projects=projects, tasks=tasks)
@timer_bp.route('/timer/delete/<int:timer_id>', methods=['POST'])
@login_required
@require_organization_access()
def delete_timer(timer_id):
"""Delete a timer entry"""
timer = scoped_query(TimeEntry).filter_by(id=timer_id).first_or_404()
timer = TimeEntry.query.get_or_404(timer_id)
# Check if user can delete this timer
if timer.user_id != current_user.id and not current_user.is_admin:
@@ -358,12 +343,10 @@ def delete_timer(timer_id):
@timer_bp.route('/timer/manual', methods=['GET', 'POST'])
@login_required
@require_organization_access()
def manual_entry():
"""Create a manual time entry"""
org_id = get_current_organization_id()
# Get active projects for dropdown (scoped to organization)
active_projects = scoped_query(Project).filter_by(status='active').order_by(Project.name).all()
# Get active projects for dropdown (used for both GET and error re-renders on POST)
active_projects = Project.query.filter_by(status='active').order_by(Project.name).all()
# Get project_id and task_id from query parameters for pre-filling
project_id = request.args.get('project_id', type=int)
@@ -386,16 +369,16 @@ def manual_entry():
return render_template('timer/manual_entry.html', projects=active_projects,
selected_project_id=project_id, selected_task_id=task_id)
# Check if project exists and is active (scoped to organization)
project = scoped_query(Project).filter_by(id=project_id, status='active').first()
# Check if project exists and is active
project = Project.query.filter_by(id=project_id, status='active').first()
if not project:
flash('Invalid project selected', 'error')
return render_template('timer/manual_entry.html', projects=active_projects,
selected_project_id=project_id, selected_task_id=task_id)
# Validate task if provided (scoped to organization)
# Validate task if provided
if task_id:
task = scoped_query(Task).filter_by(id=task_id, project_id=project_id).first()
task = Task.query.filter_by(id=task_id, project_id=project_id).first()
if not task:
flash('Invalid task selected', 'error')
return render_template('timer/manual_entry.html', projects=active_projects,
@@ -416,11 +399,10 @@ def manual_entry():
return render_template('timer/manual_entry.html', projects=active_projects,
selected_project_id=project_id, selected_task_id=task_id)
# Create manual entry with organization_id
# Create manual entry
entry = TimeEntry(
user_id=current_user.id,
project_id=project_id,
organization_id=org_id,
task_id=task_id,
start_time=start_time_parsed,
end_time=end_time_parsed,
@@ -437,7 +419,7 @@ def manual_entry():
selected_project_id=project_id, selected_task_id=task_id)
if task_id:
task = scoped_query(Task).filter_by(id=task_id).first()
task = Task.query.get(task_id)
task_name = task.name if task else "Unknown Task"
flash(f'Manual entry created for {project.name} - {task_name}', 'success')
else:
@@ -450,31 +432,28 @@ def manual_entry():
@timer_bp.route('/timer/manual/<int:project_id>')
@login_required
@require_organization_access()
def manual_entry_for_project(project_id):
"""Create a manual time entry for a specific project"""
task_id = request.args.get('task_id', type=int)
# Check if project exists and is active (scoped to organization)
project = scoped_query(Project).filter_by(id=project_id, status='active').first()
# Check if project exists and is active
project = Project.query.filter_by(id=project_id, status='active').first()
if not project:
flash('Invalid project selected', 'error')
return redirect(url_for('main.dashboard'))
# Get active projects for dropdown (scoped to organization)
active_projects = scoped_query(Project).filter_by(status='active').order_by(Project.name).all()
# Get active projects for dropdown
active_projects = Project.query.filter_by(status='active').order_by(Project.name).all()
return render_template('timer/manual_entry.html', projects=active_projects,
selected_project_id=project_id, selected_task_id=task_id)
@timer_bp.route('/timer/bulk', methods=['GET', 'POST'])
@login_required
@require_organization_access()
def bulk_entry():
"""Create bulk time entries for multiple days"""
org_id = get_current_organization_id()
# Get active projects for dropdown (scoped to organization)
active_projects = scoped_query(Project).filter_by(status='active').order_by(Project.name).all()
# Get active projects for dropdown
active_projects = Project.query.filter_by(status='active').order_by(Project.name).all()
# Get project_id and task_id from query parameters for pre-filling
project_id = request.args.get('project_id', type=int)
@@ -498,16 +477,16 @@ def bulk_entry():
return render_template('timer/bulk_entry.html', projects=active_projects,
selected_project_id=project_id, selected_task_id=task_id)
# Check if project exists and is active (scoped to organization)
project = scoped_query(Project).filter_by(id=project_id, status='active').first()
# Check if project exists and is active
project = Project.query.filter_by(id=project_id, status='active').first()
if not project:
flash('Invalid project selected', 'error')
return render_template('timer/bulk_entry.html', projects=active_projects,
selected_project_id=project_id, selected_task_id=task_id)
# Validate task if provided (scoped to organization)
# Validate task if provided
if task_id:
task = scoped_query(Task).filter_by(id=task_id, project_id=project_id).first()
task = Task.query.filter_by(id=task_id, project_id=project_id).first()
if not task:
flash('Invalid task selected', 'error')
return render_template('timer/bulk_entry.html', projects=active_projects,
@@ -574,8 +553,8 @@ def bulk_entry():
start_datetime = datetime.combine(date_obj, start_time_obj)
end_datetime = datetime.combine(date_obj, end_time_obj)
# Check for overlapping entries (scoped to organization)
overlapping = scoped_query(TimeEntry).filter(
# Check for overlapping entries
overlapping = TimeEntry.query.filter(
TimeEntry.user_id == current_user.id,
TimeEntry.start_time <= end_datetime,
TimeEntry.end_time >= start_datetime,
@@ -601,7 +580,6 @@ def bulk_entry():
entry = TimeEntry(
user_id=current_user.id,
project_id=project_id,
organization_id=org_id,
task_id=task_id,
start_time=start_datetime,
end_time=end_datetime,
@@ -621,7 +599,7 @@ def bulk_entry():
task_name = ""
if task_id:
task = scoped_query(Task).filter_by(id=task_id).first()
task = Task.query.get(task_id)
task_name = f" - {task.name}" if task else ""
flash(f'Successfully created {len(created_entries)} time entries for {project.name}{task_name}', 'success')
@@ -639,28 +617,26 @@ def bulk_entry():
@timer_bp.route('/timer/calendar')
@login_required
@require_organization_access()
def calendar_view():
"""Calendar UI combining day/week/month with list toggle."""
# Provide projects for quick assignment during drag-create (scoped to organization)
active_projects = scoped_query(Project).filter_by(status='active').order_by(Project.name).all()
# Provide projects for quick assignment during drag-create
active_projects = Project.query.filter_by(status='active').order_by(Project.name).all()
return render_template('timer/calendar.html', projects=active_projects)
@timer_bp.route('/timer/bulk/<int:project_id>')
@login_required
@require_organization_access()
def bulk_entry_for_project(project_id):
"""Create bulk time entries for a specific project"""
task_id = request.args.get('task_id', type=int)
# Check if project exists and is active (scoped to organization)
project = scoped_query(Project).filter_by(id=project_id, status='active').first()
# Check if project exists and is active
project = Project.query.filter_by(id=project_id, status='active').first()
if not project:
flash('Invalid project selected', 'error')
return redirect(url_for('main.dashboard'))
# Get active projects for dropdown (scoped to organization)
active_projects = scoped_query(Project).filter_by(status='active').order_by(Project.name).all()
# Get active projects for dropdown
active_projects = Project.query.filter_by(status='active').order_by(Project.name).all()
return render_template('timer/bulk_entry.html', projects=active_projects,
selected_project_id=project_id, selected_task_id=task_id)

77
app/templates/auth/2fa_backup_codes.html
View File

@@ -1,77 +0,0 @@
{% extends "base.html" %}
{% block title %}Backup Codes - TimeTracker{% endblock %}
{% block content %}
<div class="container mt-5">
<div class="row justify-content-center">
<div class="col-md-6">
<div class="card">
<div class="card-header bg-success text-white">
<h4 class="mb-0"><i class="bi bi-check-circle"></i> 2FA Enabled Successfully!</h4>
</div>
<div class="card-body">
<div class="alert alert-warning">
<strong>Important:</strong> Save these backup codes in a safe place. Each code can only be used once.
</div>
<div class="card bg-light p-3 mb-3">
<div class="row">
{% for code in backup_codes %}
<div class="col-md-6 mb-2">
<code class="d-block p-2 bg-white border rounded text-center">{{ code }}</code>
</div>
{% endfor %}
</div>
</div>
<div class="d-grid gap-2">
<button class="btn btn-outline-primary" onclick="copyAllCodes()">
<i class="bi bi-clipboard"></i> Copy All Codes
</button>
<button class="btn btn-outline-secondary" onclick="printCodes()">
<i class="bi bi-printer"></i> Print Codes
</button>
<a href="{{ url_for('auth_extended.settings') }}" class="btn btn-primary">
Continue to Settings
</a>
</div>
</div>
</div>
</div>
</div>
</div>
<script>
const backupCodes = {{ backup_codes | tojson }};
function copyAllCodes() {
const codesText = backupCodes.join('\n');
navigator.clipboard.writeText(codesText).then(() => {
alert('Backup codes copied to clipboard!');
});
}
function printCodes() {
window.print();
}
</script>
<style media="print">
body * {
visibility: hidden;
}
.card, .card * {
visibility: visible;
}
.card {
position: absolute;
left: 0;
top: 0;
}
.btn {
display: none;
}
</style>
{% endblock %}

99
app/templates/auth/accept_invitation.html
View File

@@ -1,99 +0,0 @@
{% extends "base.html" %}
{% block title %}Accept Invitation - TimeTracker{% endblock %}
{% block content %}
<div class="container-fluid h-100">
<div class="row justify-content-center align-items-center h-100">
<div class="col-md-6 col-lg-5">
<div class="card shadow-sm">
<div class="card-body p-5">
<div class="text-center mb-4">
<h2 class="mb-2">You're Invited!</h2>
<p class="text-muted">
{{ inviter.display_name if inviter else 'Someone' }} has invited you to join
</p>
</div>
<div class="card bg-light mb-4">
<div class="card-body">
<h5 class="card-title">{{ organization.name }}</h5>
<p class="card-text mb-2">
<strong>Your Role:</strong>
<span class="badge bg-primary">{{ membership.role.capitalize() }}</span>
</p>
{% if inviter %}
<p class="card-text mb-0">
<strong>Invited by:</strong> {{ inviter.display_name }}
</p>
{% endif %}
</div>
</div>
<form method="POST" action="{{ url_for('auth_extended.accept_invitation', token=token) }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="mb-3">
<label for="full_name" class="form-label">Full Name (optional)</label>
<input type="text"
class="form-control"
id="full_name"
name="full_name"
placeholder="John Doe">
</div>
<div class="mb-3">
<label for="password" class="form-label">Choose Password</label>
<input type="password"
class="form-control"
id="password"
name="password"
required
minlength="8"
placeholder="••••••••">
<small class="form-text text-muted">At least 8 characters</small>
</div>
<div class="mb-4">
<label for="password_confirm" class="form-label">Confirm Password</label>
<input type="password"
class="form-control"
id="password_confirm"
name="password_confirm"
required
minlength="8"
placeholder="••••••••">
</div>
<button type="submit" class="btn btn-success w-100 mb-3">
Accept Invitation
</button>
<div class="text-center">
<p class="mb-0 text-muted small">
By accepting, you agree to join this organization
</p>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
<style>
body {
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
min-height: 100vh;
}
.card {
border: none;
border-radius: 12px;
}
.btn-success {
padding: 12px;
font-weight: 500;
}
</style>
{% endblock %}

63
app/templates/auth/enable_2fa.html
View File

@@ -1,63 +0,0 @@
{% extends "base.html" %}
{% block title %}Enable 2FA - TimeTracker{% endblock %}
{% block content %}
<div class="container mt-5">
<div class="row justify-content-center">
<div class="col-md-6">
<div class="card">
<div class="card-header">
<h4 class="mb-0">Enable Two-Factor Authentication</h4>
</div>
<div class="card-body">
<div class="text-center mb-4">
<p>Scan this QR code with your authenticator app:</p>
<img src="{{ qr_code }}" alt="QR Code" class="img-fluid" style="max-width: 300px;">
</div>
<div class="alert alert-info">
<strong>Can't scan?</strong> Enter this code manually: <code>{{ secret }}</code>
</div>
<form method="POST" action="{{ url_for('auth_extended.enable_2fa') }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="mb-3">
<label for="token" class="form-label">Verification Code</label>
<input type="text"
class="form-control"
id="token"
name="token"
required
autofocus
pattern="[0-9]{6}"
placeholder="123456"
maxlength="6">
<small class="form-text text-muted">Enter the 6-digit code from your authenticator app</small>
</div>
<div class="d-grid gap-2">
<button type="submit" class="btn btn-primary">Verify and Enable 2FA</button>
<a href="{{ url_for('auth_extended.settings') }}" class="btn btn-outline-secondary">Cancel</a>
</div>
</form>
</div>
</div>
<div class="card mt-3">
<div class="card-body">
<h6>Recommended Authenticator Apps:</h6>
<ul>
<li>Google Authenticator (iOS/Android)</li>
<li>Microsoft Authenticator (iOS/Android)</li>
<li>Authy (iOS/Android/Desktop)</li>
<li>1Password (Cross-platform)</li>
</ul>
</div>
</div>
</div>
</div>
</div>
{% endblock %}

59
app/templates/auth/forgot_password.html
View File

@@ -1,59 +0,0 @@
{% extends "base.html" %}
{% block title %}Forgot Password - TimeTracker{% endblock %}
{% block content %}
<div class="container-fluid h-100">
<div class="row justify-content-center align-items-center h-100">
<div class="col-md-5 col-lg-4">
<div class="card shadow-sm">
<div class="card-body p-5">
<div class="text-center mb-4">
<h2 class="mb-2">Reset Password</h2>
<p class="text-muted">Enter your email to receive a reset link</p>
</div>
<form method="POST" action="{{ url_for('auth_extended.forgot_password') }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="mb-4">
<label for="email" class="form-label">Email</label>
<input type="email"
class="form-control"
id="email"
name="email"
required
autofocus
placeholder="john@example.com">
</div>
<button type="submit" class="btn btn-primary w-100 mb-3">
Send Reset Link
</button>
<div class="text-center">
<p class="mb-0">Remember your password? <a href="{{ url_for('auth.login') }}">Log in</a></p>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
<style>
body {
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
min-height: 100vh;
}
.card {
border: none;
border-radius: 12px;
}
.btn-primary {
padding: 12px;
font-weight: 500;
}
</style>
{% endblock %}

36
app/templates/auth/login.html
View File

@@ -551,29 +551,6 @@
</div>
</div>
<div class="form-group">
<label for="password" class="form-label">{{ _('Password') }}</label>
<div class="input-wrapper">
<input type="password"
class="form-control"
id="password"
name="password"
placeholder="{{ _('Enter your password') }}"
aria-required="true">
<i class="fas fa-lock input-icon"></i>
</div>
<small class="text-muted" style="font-size: 0.8125rem; color: var(--gray-500); margin-top: 0.25rem; display: block;">
{{ _('Leave blank for passwordless login if enabled') }}
</small>
</div>
<div class="form-group" style="margin-bottom: 1rem;">
<label style="display: flex; align-items: center; gap: 0.5rem; cursor: pointer; font-weight: 500; color: var(--gray-700); font-size: 0.875rem;">
<input type="checkbox" name="remember" style="width: 1rem; height: 1rem; accent-color: var(--primary-color);">
<span>{{ _('Remember me') }}</span>
</label>
</div>
<button type="submit" class="btn btn-primary" id="submitBtn">
<i class="fas fa-sign-in-alt"></i>
<span id="btnText">{{ _('Sign In') }}</span>
@@ -687,26 +664,17 @@
// Add smooth input animations
const usernameInput = document.getElementById('username');
const passwordInput = document.getElementById('password');
if (usernameInput) {
usernameInput.addEventListener('input', function() {
this.style.borderColor = '';
});
}
if (passwordInput) {
passwordInput.addEventListener('input', function() {
this.style.borderColor = '';
});
}
}
// Keyboard shortcut: Enter to submit
document.addEventListener('keydown', function(e) {
if (e.key === 'Enter' && form && document.activeElement) {
const activeId = document.activeElement.id;
if (activeId === 'username' || activeId === 'password') {
form.requestSubmit();
}
if (e.key === 'Enter' && form && document.activeElement && document.activeElement.id === 'username') {
form.requestSubmit();
}
});
</script>

72
app/templates/auth/reset_password.html
View File

@@ -1,72 +0,0 @@
{% extends "base.html" %}
{% block title %}Reset Password - TimeTracker{% endblock %}
{% block content %}
<div class="container-fluid h-100">
<div class="row justify-content-center align-items-center h-100">
<div class="col-md-5 col-lg-4">
<div class="card shadow-sm">
<div class="card-body p-5">
<div class="text-center mb-4">
<h2 class="mb-2">Set New Password</h2>
<p class="text-muted">Choose a strong password</p>
</div>
<form method="POST" action="{{ url_for('auth_extended.reset_password', token=token) }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="mb-3">
<label for="password" class="form-label">New Password</label>
<input type="password"
class="form-control"
id="password"
name="password"
required
autofocus
minlength="8"
placeholder="••••••••">
<small class="form-text text-muted">At least 8 characters</small>
</div>
<div class="mb-4">
<label for="password_confirm" class="form-label">Confirm Password</label>
<input type="password"
class="form-control"
id="password_confirm"
name="password_confirm"
required
minlength="8"
placeholder="••••••••">
</div>
<button type="submit" class="btn btn-primary w-100 mb-3">
Reset Password
</button>
<div class="text-center">
<p class="mb-0"><a href="{{ url_for('auth.login') }}">Back to login</a></p>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
<style>
body {
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
min-height: 100vh;
}
.card {
border: none;
border-radius: 12px;
}
.btn-primary {
padding: 12px;
font-weight: 500;
}
</style>
{% endblock %}

200
app/templates/auth/settings.html
View File

@@ -1,200 +0,0 @@
{% extends "base.html" %}
{% block title %}Account Settings - TimeTracker{% endblock %}
{% block content %}
<div class="container mt-4">
<div class="row">
<div class="col-md-3">
<div class="list-group">
<a href="#profile" class="list-group-item list-group-item-action active" data-bs-toggle="list">
<i class="bi bi-person"></i> Profile
</a>
<a href="#security" class="list-group-item list-group-item-action" data-bs-toggle="list">
<i class="bi bi-shield-lock"></i> Security
</a>
<a href="#sessions" class="list-group-item list-group-item-action" data-bs-toggle="list">
<i class="bi bi-devices"></i> Sessions
</a>
</div>
</div>
<div class="col-md-9">
<div class="tab-content">
<!-- Profile Tab -->
<div class="tab-pane fade show active" id="profile">
<div class="card">
<div class="card-header">
<h5 class="mb-0">Profile Information</h5>
</div>
<div class="card-body">
<form method="POST" action="{{ url_for('auth.edit_profile') }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="mb-3">
<label class="form-label">Username</label>
<input type="text" class="form-control" value="{{ current_user.username }}" disabled>
</div>
<div class="mb-3">
<label class="form-label">Email</label>
<input type="email" class="form-control" value="{{ current_user.email or 'Not set' }}" disabled>
{% if current_user.email %}
<small class="form-text">
{% if current_user.email_verified %}
<span class="badge bg-success">Verified</span>
{% else %}
<span class="badge bg-warning">Not Verified</span>
{% endif %}
</small>
{% endif %}
</div>
<div class="mb-3">
<label for="full_name" class="form-label">Full Name</label>
<input type="text"
class="form-control"
id="full_name"
name="full_name"
value="{{ current_user.full_name or '' }}">
</div>
<div class="mb-3">
<label for="preferred_language" class="form-label">Preferred Language</label>
<select class="form-select" id="preferred_language" name="preferred_language">
{% for code, name in config.LANGUAGES.items() %}
<option value="{{ code }}" {% if current_user.preferred_language == code %}selected{% endif %}>
{{ name }}
</option>
{% endfor %}
</select>
</div>
<button type="submit" class="btn btn-primary">Save Changes</button>
</form>
</div>
</div>
</div>
<!-- Security Tab -->
<div class="tab-pane fade" id="security">
<!-- Change Email -->
<div class="card mb-3">
<div class="card-header">
<h5 class="mb-0">Change Email</h5>
</div>
<div class="card-body">
<form method="POST" action="{{ url_for('auth_extended.change_email') }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="mb-3">
<label for="new_email" class="form-label">New Email</label>
<input type="email" class="form-control" id="new_email" name="new_email" required>
</div>
<div class="mb-3">
<label for="password" class="form-label">Confirm Password</label>
<input type="password" class="form-control" id="password" name="password" required>
</div>
<button type="submit" class="btn btn-primary">Update Email</button>
</form>
</div>
</div>
<!-- Change Password -->
<div class="card mb-3">
<div class="card-header">
<h5 class="mb-0">Change Password</h5>
</div>
<div class="card-body">
<form method="POST" action="{{ url_for('auth_extended.change_password') }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="mb-3">
<label for="current_password" class="form-label">Current Password</label>
<input type="password" class="form-control" id="current_password" name="current_password" required>
</div>
<div class="mb-3">
<label for="new_password" class="form-label">New Password</label>
<input type="password" class="form-control" id="new_password" name="new_password" required minlength="8">
</div>
<div class="mb-3">
<label for="confirm_password" class="form-label">Confirm New Password</label>
<input type="password" class="form-control" id="confirm_password" name="confirm_password" required minlength="8">
</div>
<button type="submit" class="btn btn-primary">Change Password</button>
</form>
</div>
</div>
<!-- Two-Factor Authentication -->
<div class="card">
<div class="card-header">
<h5 class="mb-0">Two-Factor Authentication</h5>
</div>
<div class="card-body">
{% if current_user.totp_enabled %}
<div class="alert alert-success">
<i class="bi bi-shield-check"></i> 2FA is currently <strong>enabled</strong>
</div>
<form method="POST" action="{{ url_for('auth_extended.disable_2fa') }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="mb-3">
<label for="password" class="form-label">Confirm Password to Disable</label>
<input type="password" class="form-control" id="password" name="password" required>
</div>
<button type="submit" class="btn btn-danger">Disable 2FA</button>
</form>
{% else %}
<p>Add an extra layer of security to your account with two-factor authentication.</p>
<a href="{{ url_for('auth_extended.enable_2fa') }}" class="btn btn-success">Enable 2FA</a>
{% endif %}
</div>
</div>
</div>
<!-- Sessions Tab -->
<div class="tab-pane fade" id="sessions">
<div class="card">
<div class="card-header">
<h5 class="mb-0">Active Sessions</h5>
</div>
<div class="card-body">
{% if active_tokens %}
<div class="list-group">
{% for token in active_tokens %}
<div class="list-group-item">
<div class="d-flex justify-content-between align-items-start">
<div>
<h6 class="mb-1">{{ token.device_name or 'Unknown Device' }}</h6>
<p class="mb-1 text-muted small">
<i class="bi bi-geo-alt"></i> {{ token.ip_address or 'Unknown location' }}
</p>
<p class="mb-0 text-muted small">
Last active: {{ token.last_used_at.strftime('%Y-%m-%d %H:%M') if token.last_used_at else 'Unknown' }}
</p>
</div>
<form method="POST" action="{{ url_for('auth_extended.revoke_session', token_id=token.id) }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<button type="submit" class="btn btn-sm btn-outline-danger">Revoke</button>
</form>
</div>
</div>
{% endfor %}
</div>
{% else %}
<p class="text-muted">No active sessions</p>
{% endif %}
</div>
</div>
</div>
</div>
</div>
</div>
</div>
{% endblock %}

116
app/templates/auth/signup.html
View File

@@ -1,116 +0,0 @@
{% extends "base.html" %}
{% block title %}Sign Up - TimeTracker{% endblock %}
{% block content %}
<div class="container-fluid h-100">
<div class="row justify-content-center align-items-center h-100">
<div class="col-md-5 col-lg-4">
<div class="card shadow-sm">
<div class="card-body p-5">
<div class="text-center mb-4">
<h2 class="mb-2">Create Account</h2>
<p class="text-muted">Join TimeTracker today</p>
</div>
<!-- Flash Messages -->
{% with messages = get_flashed_messages(with_categories=true) %}
{% if messages %}
{% for category, message in messages %}
<div class="alert alert-{{ 'danger' if category == 'error' else category }} alert-dismissible fade show" role="alert">
<i class="fas fa-{{ 'check-circle' if category == 'success' else 'exclamation-circle' if category == 'error' else 'exclamation-triangle' if category == 'warning' else 'info-circle' }} me-2"></i>
{{ message }}
<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
</div>
{% endfor %}
{% endif %}
{% endwith %}
<form method="POST" action="{{ url_for('auth_extended.signup') }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="mb-3">
<label for="username" class="form-label">Username</label>
<input type="text"
class="form-control"
id="username"
name="username"
required
autofocus
minlength="3"
placeholder="johndoe">
<small class="form-text text-muted">At least 3 characters</small>
</div>
<div class="mb-3">
<label for="email" class="form-label">Email</label>
<input type="email"
class="form-control"
id="email"
name="email"
required
placeholder="john@example.com">
</div>
<div class="mb-3">
<label for="full_name" class="form-label">Full Name (optional)</label>
<input type="text"
class="form-control"
id="full_name"
name="full_name"
placeholder="John Doe">
</div>
<div class="mb-3">
<label for="password" class="form-label">Password</label>
<input type="password"
class="form-control"
id="password"
name="password"
required
minlength="12"
placeholder="••••••••">
<small class="form-text text-muted">Must be at least 12 characters, with uppercase, lowercase, number, and special character</small>
</div>
<div class="mb-4">
<label for="password_confirm" class="form-label">Confirm Password</label>
<input type="password"
class="form-control"
id="password_confirm"
name="password_confirm"
required
minlength="12"
placeholder="••••••••">
</div>
<button type="submit" class="btn btn-primary w-100 mb-3">
Create Account
</button>
<div class="text-center">
<p class="mb-0">Already have an account? <a href="{{ url_for('auth.login') }}">Log in</a></p>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
<style>
body {
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
min-height: 100vh;
}
.card {
border: none;
border-radius: 12px;
}
.btn-primary {
padding: 12px;
font-weight: 500;
}
</style>
{% endblock %}

106
app/templates/auth/verify_2fa.html
View File

@@ -1,106 +0,0 @@
{% extends "base.html" %}
{% block title %}Two-Factor Authentication - TimeTracker{% endblock %}
{% block content %}
<div class="container-fluid h-100">
<div class="row justify-content-center align-items-center h-100">
<div class="col-md-5 col-lg-4">
<div class="card shadow-sm">
<div class="card-body p-5">
<div class="text-center mb-4">
<h2 class="mb-2">Two-Factor Authentication</h2>
<p class="text-muted">Enter the code from your authenticator app</p>
</div>
<form method="POST" action="{{ url_for('auth_extended.verify_2fa') }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<input type="hidden" name="use_backup" value="false">
<div class="mb-4">
<label for="token" class="form-label">Verification Code</label>
<input type="text"
class="form-control text-center"
id="token"
name="token"
required
autofocus
pattern="[0-9]{6}"
placeholder="123456"
maxlength="6"
style="font-size: 24px; letter-spacing: 0.5em;">
</div>
<button type="submit" class="btn btn-primary w-100 mb-3">
Verify
</button>
<div class="text-center">
<button type="button" class="btn btn-link" onclick="showBackupCodeForm()">
Use backup code
</button>
</div>
</form>
<!-- Backup code form (hidden by default) -->
<form method="POST" action="{{ url_for('auth_extended.verify_2fa') }}" id="backupCodeForm" style="display: none;">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<input type="hidden" name="use_backup" value="true">
<div class="mb-4">
<label for="backup_token" class="form-label">Backup Code</label>
<input type="text"
class="form-control"
id="backup_token"
name="token"
required
placeholder="xxxx-xxxx-xxxx-xxxx">
<small class="form-text text-muted">Use one of your saved backup codes</small>
</div>
<button type="submit" class="btn btn-primary w-100 mb-3">
Verify Backup Code
</button>
<div class="text-center">
<button type="button" class="btn btn-link" onclick="showNormalForm()">
Back to authenticator
</button>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
<script>
function showBackupCodeForm() {
document.querySelector('form:first-of-type').style.display = 'none';
document.getElementById('backupCodeForm').style.display = 'block';
document.getElementById('backup_token').focus();
}
function showNormalForm() {
document.getElementById('backupCodeForm').style.display = 'none';
document.querySelector('form:first-of-type').style.display = 'block';
document.getElementById('token').focus();
}
</script>
<style>
body {
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
min-height: 100vh;
}
.card {
border: none;
border-radius: 12px;
}
.btn-primary {
padding: 12px;
font-weight: 500;
}
</style>
{% endblock %}

51
app/templates/billing/action_required.html
View File

@@ -1,51 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Payment Action Required</title>
</head>
<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
<div style="background-color: #ff9800; color: white; padding: 20px; border-radius: 5px 5px 0 0;">
<h1 style="margin: 0;">⚡ Payment Action Required</h1>
</div>
<div style="background-color: #f8f9fa; padding: 20px; border: 1px solid #dee2e6; border-top: none; border-radius: 0 0 5px 5px;">
<p>Hello {{ user.display_name }},</p>
<p>Your payment for <strong>{{ organization.name }}</strong> requires additional authentication.</p>
<div style="background-color: #fff; border-left: 4px solid #ff9800; padding: 15px; margin: 20px 0;">
<p style="margin: 0;">Your bank requires you to confirm this payment (e.g., 3D Secure, two-factor authentication).</p>
</div>
<p><strong>What you need to do:</strong></p>
<ol>
<li>Click the button below to complete authentication</li>
<li>Follow your bank's instructions</li>
<li>Complete the verification process</li>
</ol>
<div style="text-align: center; margin: 30px 0;">
<a href="{{ invoice.hosted_invoice_url if invoice.hosted_invoice_url else url_for('billing.portal', _external=True) }}"
style="display: inline-block; background-color: #ff9800; color: white; padding: 12px 30px; text-decoration: none; border-radius: 5px; font-weight: bold;">
Complete Authentication
</a>
</div>
<p><strong>Why is this required?</strong></p>
<p>Strong Customer Authentication (SCA) is a European regulation that requires additional verification for online payments to reduce fraud and make online payments more secure.</p>
<p><strong>Need help?</strong></p>
<p>If you have any questions or encounter any issues, please contact our support team.</p>
<p>Best regards,<br>
The TimeTracker Team</p>
</div>
<div style="text-align: center; margin-top: 20px; color: #6c757d; font-size: 12px;">
<p>This is an automated message from TimeTracker</p>
</div>
</body>
</html>

308
app/templates/billing/index.html
View File

@@ -1,308 +0,0 @@
{% extends "base.html" %}
{% block title %}Billing & Subscription{% endblock %}
{% block content %}
<div class="container-fluid mt-4">
<div class="row">
<div class="col-12">
<h1 class="mb-4">
<i class="fas fa-credit-card"></i> Billing & Subscription
</h1>
</div>
</div>
<!-- Subscription Status Card -->
<div class="row mb-4">
<div class="col-lg-8">
<div class="card">
<div class="card-header bg-primary text-white">
<h5 class="mb-0"><i class="fas fa-star"></i> Current Subscription</h5>
</div>
<div class="card-body">
{% if organization.has_active_subscription %}
<div class="d-flex justify-content-between align-items-center mb-3">
<div>
<h4 class="mb-1">{{ organization.subscription_plan_display }}</h4>
<p class="text-muted mb-0">
{% if organization.subscription_plan == 'team' %}
{{ organization.subscription_quantity }} seat(s)
{% endif %}
</p>
</div>
<div>
{% if organization.is_on_trial %}
<span class="badge badge-warning badge-lg">
<i class="fas fa-clock"></i> Trial: {{ organization.trial_days_remaining }} days left
</span>
{% else %}
<span class="badge badge-success badge-lg">
<i class="fas fa-check-circle"></i> Active
</span>
{% endif %}
</div>
</div>
{% if organization.has_billing_issue %}
<div class="alert alert-danger">
<i class="fas fa-exclamation-triangle"></i>
<strong>Billing Issue Detected</strong>
<p class="mb-0">There was a problem with your last payment. Please update your payment method.</p>
</div>
{% endif %}
<div class="row mt-3">
<div class="col-md-6">
<p class="mb-1"><strong>Status:</strong> {{ organization.stripe_subscription_status|title }}</p>
<p class="mb-1"><strong>Members:</strong> {{ organization.member_count }}</p>
{% if organization.subscription_plan == 'team' %}
<p class="mb-1"><strong>Seats:</strong> {{ organization.subscription_quantity }}</p>
{% endif %}
</div>
<div class="col-md-6">
{% if organization.next_billing_date %}
<p class="mb-1"><strong>Next Billing Date:</strong> {{ organization.next_billing_date.strftime('%B %d, %Y') }}</p>
{% endif %}
{% if organization.is_on_trial and organization.trial_ends_at %}
<p class="mb-1"><strong>Trial Ends:</strong> {{ organization.trial_ends_at.strftime('%B %d, %Y') }}</p>
{% endif %}
</div>
</div>
<div class="mt-4">
<a href="{{ url_for('billing.portal') }}" class="btn btn-primary">
<i class="fas fa-cog"></i> Manage Subscription
</a>
{% if organization.subscription_plan == 'team' %}
<button type="button" class="btn btn-outline-primary" data-toggle="modal" data-target="#changeSeatModal">
<i class="fas fa-users"></i> Change Seats
</button>
{% endif %}
</div>
{% else %}
<!-- No active subscription -->
<div class="text-center py-4">
<i class="fas fa-star fa-3x text-muted mb-3"></i>
<h4>No Active Subscription</h4>
<p class="text-muted mb-4">Choose a plan to get started</p>
<div class="row">
<div class="col-md-6 mb-3">
<div class="card">
<div class="card-body">
<h5 class="card-title">Single User</h5>
<h3 class="mb-3">€5<small class="text-muted">/month</small></h3>
<ul class="list-unstyled mb-4">
<li><i class="fas fa-check text-success"></i> 1 User</li>
<li><i class="fas fa-check text-success"></i> Unlimited Projects</li>
<li><i class="fas fa-check text-success"></i> Time Tracking</li>
<li><i class="fas fa-check text-success"></i> Reports & Invoicing</li>
</ul>
<a href="{{ url_for('billing.subscribe', plan='single') }}" class="btn btn-primary btn-block">
Subscribe
</a>
</div>
</div>
</div>
<div class="col-md-6 mb-3">
<div class="card border-primary">
<div class="card-body">
<span class="badge badge-primary mb-2">Popular</span>
<h5 class="card-title">Team</h5>
<h3 class="mb-3">€6<small class="text-muted">/user/month</small></h3>
<ul class="list-unstyled mb-4">
<li><i class="fas fa-check text-success"></i> Unlimited Users</li>
<li><i class="fas fa-check text-success"></i> Unlimited Projects</li>
<li><i class="fas fa-check text-success"></i> Time Tracking</li>
<li><i class="fas fa-check text-success"></i> Reports & Invoicing</li>
<li><i class="fas fa-check text-success"></i> Team Collaboration</li>
</ul>
<a href="{{ url_for('billing.subscribe', plan='team') }}" class="btn btn-primary btn-block">
Subscribe
</a>
</div>
</div>
</div>
</div>
</div>
{% endif %}
</div>
</div>
</div>
<!-- Billing Summary Card -->
<div class="col-lg-4">
<div class="card">
<div class="card-header">
<h5 class="mb-0"><i class="fas fa-chart-line"></i> Usage Summary</h5>
</div>
<div class="card-body">
<div class="mb-3">
<div class="d-flex justify-content-between mb-1">
<span>Members</span>
<strong>{{ organization.member_count }}</strong>
</div>
{% if organization.subscription_plan == 'team' and organization.subscription_quantity %}
<div class="progress" style="height: 8px;">
<div class="progress-bar" role="progressbar"
style="width: {{ (organization.member_count / organization.subscription_quantity * 100)|round|int }}%">
</div>
</div>
<small class="text-muted">{{ organization.subscription_quantity - organization.member_count }} seat(s) available</small>
{% endif %}
</div>
<div class="mb-3">
<div class="d-flex justify-content-between">
<span>Projects</span>
<strong>{{ organization.project_count }}</strong>
</div>
</div>
{% if upcoming_invoice %}
<hr>
<h6 class="mb-2">Next Invoice</h6>
<div class="d-flex justify-content-between">
<span>Amount</span>
<strong>{{ upcoming_invoice.currency }} {{ "%.2f"|format(upcoming_invoice.amount_due) }}</strong>
</div>
<div class="d-flex justify-content-between text-muted">
<small>Due: {{ upcoming_invoice.period_end.strftime('%b %d, %Y') }}</small>
</div>
{% endif %}
</div>
</div>
<!-- Payment Methods Card -->
{% if payment_methods %}
<div class="card mt-3">
<div class="card-header">
<h5 class="mb-0"><i class="fas fa-credit-card"></i> Payment Method</h5>
</div>
<div class="card-body">
{% for pm in payment_methods %}
<div class="d-flex align-items-center">
<i class="fab fa-cc-{{ pm.card.brand }} fa-2x mr-3"></i>
<div>
<div>{{ pm.card.brand|upper }} •••• {{ pm.card.last4 }}</div>
<small class="text-muted">Expires {{ pm.card.exp_month }}/{{ pm.card.exp_year }}</small>
</div>
</div>
{% endfor %}
<a href="{{ url_for('billing.portal') }}" class="btn btn-sm btn-outline-primary mt-3">
Update Payment Method
</a>
</div>
</div>
{% endif %}
</div>
</div>
<!-- Invoices Section -->
{% if invoices %}
<div class="row">
<div class="col-12">
<div class="card">
<div class="card-header">
<h5 class="mb-0"><i class="fas fa-file-invoice"></i> Recent Invoices</h5>
</div>
<div class="card-body">
<div class="table-responsive">
<table class="table table-hover">
<thead>
<tr>
<th>Invoice</th>
<th>Date</th>
<th>Amount</th>
<th>Status</th>
<th>Actions</th>
</tr>
</thead>
<tbody>
{% for invoice in invoices %}
<tr>
<td>{{ invoice.number or invoice.id[:8] }}</td>
<td>{{ invoice.created.strftime('%b %d, %Y') }}</td>
<td>{{ invoice.currency|upper }} {{ "%.2f"|format(invoice.amount_paid) }}</td>
<td>
{% if invoice.paid %}
<span class="badge badge-success">Paid</span>
{% elif invoice.status == 'open' %}
<span class="badge badge-warning">Open</span>
{% else %}
<span class="badge badge-secondary">{{ invoice.status|title }}</span>
{% endif %}
</td>
<td>
{% if invoice.invoice_pdf %}
<a href="{{ invoice.invoice_pdf }}" target="_blank" class="btn btn-sm btn-outline-primary">
<i class="fas fa-download"></i> PDF
</a>
{% endif %}
{% if invoice.hosted_invoice_url %}
<a href="{{ invoice.hosted_invoice_url }}" target="_blank" class="btn btn-sm btn-outline-secondary">
<i class="fas fa-external-link-alt"></i> View
</a>
{% endif %}
</td>
</tr>
{% endfor %}
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
{% endif %}
</div>
<!-- Change Seats Modal -->
<div class="modal fade" id="changeSeatModal" tabindex="-1" role="dialog">
<div class="modal-dialog" role="document">
<div class="modal-content">
<div class="modal-header">
<h5 class="modal-title">Change Seat Count</h5>
<button type="button" class="close" data-dismiss="modal">
<span>&times;</span>
</button>
</div>
<form id="changeSeatForm" action="{{ url_for('billing.portal') }}" method="post">
<div class="modal-body">
<p>Current seat count: <strong>{{ organization.subscription_quantity }}</strong></p>
<p>Active members: <strong>{{ organization.member_count }}</strong></p>
<div class="alert alert-info">
<i class="fas fa-info-circle"></i>
Changes will be prorated on your next invoice.
</div>
<p class="text-muted">To change your seat count, please use the Stripe Customer Portal.</p>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-secondary" data-dismiss="modal">Cancel</button>
<a href="{{ url_for('billing.portal') }}" class="btn btn-primary">Go to Portal</a>
</div>
</form>
</div>
</div>
</div>
<style>
.badge-lg {
font-size: 1rem;
padding: 0.5rem 1rem;
}
.card {
box-shadow: 0 0.125rem 0.25rem rgba(0,0,0,0.075);
border: none;
}
.card-header {
border-bottom: 2px solid #e9ecef;
}
</style>
{% endblock %}

51
app/templates/billing/payment_failed.html
View File

@@ -1,51 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Payment Failed</title>
</head>
<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
<div style="background-color: #dc3545; color: white; padding: 20px; border-radius: 5px 5px 0 0;">
<h1 style="margin: 0;">⚠️ Payment Failed</h1>
</div>
<div style="background-color: #f8f9fa; padding: 20px; border: 1px solid #dee2e6; border-top: none; border-radius: 0 0 5px 5px;">
<p>Hello {{ user.display_name }},</p>
<p>We were unable to process your payment for <strong>{{ organization.name }}</strong>.</p>
<div style="background-color: #fff; border-left: 4px solid #dc3545; padding: 15px; margin: 20px 0;">
<p style="margin: 0;"><strong>Invoice Amount:</strong> {{ invoice.currency|upper }} {{ "%.2f"|format(invoice.amount_due / 100) }}</p>
<p style="margin: 5px 0 0 0;"><strong>Attempt Count:</strong> {{ invoice.attempt_count }}</p>
</div>
<p><strong>What happens next?</strong></p>
<ul>
<li>We'll automatically retry the payment in a few days</li>
<li>Your service will continue during this grace period</li>
<li>If payment continues to fail, your subscription may be suspended</li>
</ul>
<p><strong>Action Required:</strong></p>
<p>Please update your payment method to avoid service interruption:</p>
<div style="text-align: center; margin: 30px 0;">
<a href="{{ url_for('billing.portal', _external=True) }}"
style="display: inline-block; background-color: #dc3545; color: white; padding: 12px 30px; text-decoration: none; border-radius: 5px; font-weight: bold;">
Update Payment Method
</a>
</div>
<p>If you have any questions or need assistance, please don't hesitate to contact us.</p>
<p>Best regards,<br>
The TimeTracker Team</p>
</div>
<div style="text-align: center; margin-top: 20px; color: #6c757d; font-size: 12px;">
<p>This is an automated message from TimeTracker</p>
</div>
</body>
</html>

51
app/templates/billing/subscription_cancelled.html
View File

@@ -1,51 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Subscription Cancelled</title>
</head>
<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
<div style="background-color: #6c757d; color: white; padding: 20px; border-radius: 5px 5px 0 0;">
<h1 style="margin: 0;">Subscription Cancelled</h1>
</div>
<div style="background-color: #f8f9fa; padding: 20px; border: 1px solid #dee2e6; border-top: none; border-radius: 0 0 5px 5px;">
<p>Hello {{ user.display_name }},</p>
<p>We're writing to let you know that your subscription for <strong>{{ organization.name }}</strong> has been cancelled.</p>
<div style="background-color: #fff; border-left: 4px solid #dc3545; padding: 15px; margin: 20px 0;">
<p style="margin: 0;"><strong>Organization:</strong> {{ organization.name }}</p>
<p style="margin: 5px 0 0 0;"><strong>Status:</strong> Suspended</p>
</div>
<p><strong>What this means:</strong></p>
<ul>
<li>Your account has been suspended</li>
<li>You no longer have access to premium features</li>
<li>Your data is safely stored and can be restored if you resubscribe</li>
</ul>
<p><strong>Want to keep using TimeTracker?</strong></p>
<p>You can reactivate your subscription at any time.</p>
<div style="text-align: center; margin: 30px 0;">
<a href="{{ url_for('billing.index', _external=True) }}"
style="display: inline-block; background-color: #28a745; color: white; padding: 12px 30px; text-decoration: none; border-radius: 5px; font-weight: bold;">
Reactivate Subscription
</a>
</div>
<p>If you cancelled by mistake or have any questions, please contact our support team.</p>
<p>We're sorry to see you go!<br>
The TimeTracker Team</p>
</div>
<div style="text-align: center; margin-top: 20px; color: #6c757d; font-size: 12px;">
<p>This is an automated message from TimeTracker</p>
</div>
</body>
</html>

56
app/templates/billing/trial_ending.html
View File

@@ -1,56 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Your Trial is Ending Soon</title>
</head>
<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
<div style="background-color: #ffc107; color: #000; padding: 20px; border-radius: 5px 5px 0 0;">
<h1 style="margin: 0;">⏰ Your Trial is Ending Soon</h1>
</div>
<div style="background-color: #f8f9fa; padding: 20px; border: 1px solid #dee2e6; border-top: none; border-radius: 0 0 5px 5px;">
<p>Hello {{ user.display_name }},</p>
<p>Your free trial for <strong>{{ organization.name }}</strong> is ending soon!</p>
<div style="background-color: #fff; border-left: 4px solid #ffc107; padding: 15px; margin: 20px 0; text-align: center;">
<h2 style="margin: 0; color: #ffc107;">{{ days_remaining }} Days Remaining</h2>
</div>
<p><strong>What happens when the trial ends?</strong></p>
<ul>
<li>Your subscription will automatically convert to a paid plan</li>
<li>You'll be charged based on your current plan and number of users</li>
<li>All your data and settings will be preserved</li>
</ul>
<p><strong>Current Plan:</strong> {{ organization.subscription_plan_display }}</p>
<div style="text-align: center; margin: 30px 0;">
<a href="{{ url_for('billing.index', _external=True) }}"
style="display: inline-block; background-color: #007bff; color: white; padding: 12px 30px; text-decoration: none; border-radius: 5px; font-weight: bold;">
Review Billing Settings
</a>
</div>
<p>Want to make changes? You can:</p>
<ul>
<li>Change your plan</li>
<li>Update payment methods</li>
<li>Adjust the number of seats</li>
</ul>
<p>If you have any questions, please contact us. We're here to help!</p>
<p>Best regards,<br>
The TimeTracker Team</p>
</div>
<div style="text-align: center; margin-top: 20px; color: #6c757d; font-size: 12px;">
<p>This is an automated message from TimeTracker</p>
</div>
</body>
</html>

85
app/templates/components/onboarding_widget.html
View File

@@ -1,85 +0,0 @@
{% if checklist and not checklist.dismissed and not checklist.is_complete %}
<div class="card shadow-sm border-0 mb-4" style="
border-radius: 12px;
overflow: hidden;
border-left: 4px solid #667eea !important;
">
<div class="card-body p-4">
<div class="d-flex justify-content-between align-items-center mb-3">
<h5 class="card-title mb-0">
<i class="fas fa-list-check" style="color: #667eea;"></i>
{{ _('Getting Started') }}
</h5>
<span class="badge bg-primary" style="font-size: 14px; padding: 6px 12px;">
{{ checklist.completion_percentage }}% {{ _('Complete') }}
</span>
</div>
<div class="progress mb-3" style="height: 8px; border-radius: 10px;">
<div class="progress-bar" role="progressbar"
style="width: {{ checklist.completion_percentage }}%; background: linear-gradient(90deg, #667eea, #764ba2);"
aria-valuenow="{{ checklist.completion_percentage }}"
aria-valuemin="0"
aria-valuemax="100">
</div>
</div>
<p class="text-muted mb-3" style="font-size: 14px;">
{{ _('Complete these tasks to get the most out of TimeTracker:') }}
</p>
{% set next_task = checklist.get_next_task() %}
{% if next_task %}
<div class="d-flex align-items-start p-3 mb-3" style="
background: #f8f9fa;
border-radius: 8px;
border-left: 3px solid #667eea;
">
<div style="font-size: 24px; color: #667eea; margin-right: 15px;">
<i class="{{ next_task.icon }}"></i>
</div>
<div class="flex-grow-1">
<div style="font-weight: 600; color: #2c3e50; margin-bottom: 5px;">
{{ _('Next:') }} {{ _(next_task.title) }}
</div>
<div style="font-size: 13px; color: #6c757d;">
{{ _(next_task.description) }}
</div>
</div>
</div>
{% endif %}
<div class="d-flex gap-2">
<a href="{{ url_for('onboarding.checklist') }}" class="btn btn-primary btn-sm flex-grow-1">
<i class="fas fa-arrow-right"></i> {{ _('Continue Setup') }}
</a>
<button class="btn btn-outline-secondary btn-sm" onclick="dismissOnboarding()" title="{{ _('Dismiss') }}">
<i class="fas fa-times"></i>
</button>
</div>
</div>
</div>
<script>
function dismissOnboarding() {
if (!confirm('{{ _("Dismiss the onboarding checklist? You can always access it later.") }}')) {
return;
}
fetch('/onboarding/api/checklist/dismiss', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
}
})
.then(response => response.json())
.then(data => {
if (data.success) {
location.reload();
}
})
.catch(error => console.error('Error:', error));
}
</script>
{% endif %}

86
app/templates/components/trial_banner.html
View File

@@ -1,86 +0,0 @@
{% if organization and organization.is_on_trial %}
<div class="trial-banner alert alert-warning alert-dismissible fade show" role="alert" style="
background: linear-gradient(135deg, #fff3cd 0%, #ffe69c 100%);
border: 2px solid #ffc107;
border-radius: 12px;
padding: 20px;
margin-bottom: 25px;
box-shadow: 0 4px 15px rgba(255, 193, 7, 0.2);
">
<div class="d-flex align-items-center">
<div style="font-size: 48px; margin-right: 20px; color: #f57c00;">
<i class="fas fa-gift"></i>
</div>
<div class="flex-grow-1">
<h4 class="alert-heading mb-2" style="color: #856404;">
<strong>🎉 {{ _('Free Trial Active!') }}</strong>
</h4>
<p class="mb-2" style="color: #856404; font-size: 16px;">
{% if organization.trial_days_remaining > 1 %}
{{ _('You have') }} <strong>{{ organization.trial_days_remaining }} {{ _('days') }}</strong> {{ _('remaining in your trial.') }}
{% elif organization.trial_days_remaining == 1 %}
{{ _('Your trial ends') }} <strong>{{ _('tomorrow') }}</strong>!
{% else %}
{{ _('Your trial ends') }} <strong>{{ _('today') }}</strong>!
{% endif %}
{{ _('Explore all features with no limits!') }}
</p>
<p class="mb-0" style="font-size: 14px; color: #856404;">
<i class="fas fa-calendar-alt"></i>
{{ _('Trial expires on:') }} <strong>{{ organization.trial_ends_at.strftime('%B %d, %Y') }}</strong>
</p>
</div>
<div class="ms-3">
{% if organization.stripe_customer_id %}
<a href="{{ url_for('billing.index') }}" class="btn btn-warning btn-lg" style="
background: #f57c00;
border: none;
font-weight: 600;
box-shadow: 0 2px 8px rgba(245, 124, 0, 0.3);
">
<i class="fas fa-credit-card"></i> {{ _('Add Payment Method') }}
</a>
{% else %}
<a href="{{ url_for('billing.subscribe', plan='team') }}" class="btn btn-warning btn-lg" style="
background: #f57c00;
border: none;
font-weight: 600;
box-shadow: 0 2px 8px rgba(245, 124, 0, 0.3);
">
<i class="fas fa-rocket"></i> {{ _('Upgrade Now') }}
</a>
{% endif %}
</div>
</div>
<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="{{ _('Close') }}"></button>
</div>
{% endif %}
{% if organization and organization.has_billing_issue %}
<div class="alert alert-danger alert-dismissible fade show" role="alert" style="
border-radius: 12px;
padding: 20px;
margin-bottom: 25px;
">
<div class="d-flex align-items-center">
<div style="font-size: 48px; margin-right: 20px;">
<i class="fas fa-exclamation-triangle"></i>
</div>
<div class="flex-grow-1">
<h4 class="alert-heading mb-2">
<strong>{{ _('Payment Issue Detected') }}</strong>
</h4>
<p class="mb-0">
{{ _('We couldn\'t process your payment. Please update your payment method to continue using TimeTracker.') }}
</p>
</div>
<div class="ms-3">
<a href="{{ url_for('billing.index') }}" class="btn btn-danger btn-lg">
<i class="fas fa-credit-card"></i> {{ _('Update Payment') }}
</a>
</div>
</div>
<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="{{ _('Close') }}"></button>
</div>
{% endif %}

718
app/templates/marketing/faq.html
View File

@@ -1,718 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="TimeTracker FAQ - Frequently Asked Questions about privacy, security, pricing, export, refunds, and VAT">
<title>FAQ - TimeTracker</title>
<!-- Bootstrap CSS -->
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css" rel="stylesheet">
<!-- Font Awesome -->
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
<style>
:root {
--primary-color: #4a90e2;
--text-dark: #2c3e50;
--text-light: #7f8c8d;
--bg-light: #f8f9fa;
}
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
color: var(--text-dark);
line-height: 1.6;
}
.hero-section {
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
color: white;
padding: 80px 0 40px;
text-align: center;
}
.hero-section h1 {
font-size: 3rem;
font-weight: 700;
margin-bottom: 1rem;
}
.faq-section {
padding: 60px 0;
background: white;
}
.faq-category {
margin-bottom: 50px;
}
.faq-category h2 {
color: var(--primary-color);
font-size: 2rem;
margin-bottom: 30px;
padding-bottom: 15px;
border-bottom: 3px solid var(--primary-color);
}
.faq-item {
margin-bottom: 25px;
border: 1px solid #e9ecef;
border-radius: 10px;
overflow: hidden;
transition: box-shadow 0.3s;
}
.faq-item:hover {
box-shadow: 0 4px 12px rgba(0,0,0,0.1);
}
.faq-question {
background: var(--bg-light);
padding: 20px 25px;
cursor: pointer;
transition: background 0.3s;
display: flex;
justify-content: space-between;
align-items: center;
}
.faq-question:hover {
background: #e9ecef;
}
.faq-question h3 {
margin: 0;
font-size: 1.2rem;
font-weight: 600;
color: var(--text-dark);
}
.faq-question i {
font-size: 1.2rem;
color: var(--primary-color);
transition: transform 0.3s;
}
.faq-question.active i {
transform: rotate(180deg);
}
.faq-answer {
padding: 0 25px;
max-height: 0;
overflow: hidden;
transition: max-height 0.3s ease, padding 0.3s ease;
}
.faq-answer.show {
padding: 20px 25px;
max-height: 1000px;
}
.faq-answer p {
margin-bottom: 10px;
}
.faq-answer ul {
margin-left: 20px;
}
.faq-answer code {
background: #f4f4f4;
padding: 2px 8px;
border-radius: 4px;
color: #e74c3c;
}
.faq-search {
margin-bottom: 40px;
}
.faq-search input {
padding: 15px 20px;
font-size: 1.1rem;
border-radius: 50px;
border: 2px solid #e9ecef;
}
.faq-search input:focus {
border-color: var(--primary-color);
box-shadow: 0 0 0 0.2rem rgba(74, 144, 226, 0.25);
}
.cta-section {
background: var(--bg-light);
padding: 60px 0;
text-align: center;
}
.cta-section h2 {
margin-bottom: 20px;
}
.highlight-box {
background: #fff3cd;
border-left: 4px solid #ffc107;
padding: 15px;
margin: 15px 0;
border-radius: 4px;
}
.footer {
background: var(--text-dark);
color: white;
padding: 40px 0 20px;
}
.footer a {
color: white;
text-decoration: none;
}
.footer a:hover {
color: var(--primary-color);
}
</style>
</head>
<body>
<!-- Navigation -->
<nav class="navbar navbar-expand-lg navbar-light bg-white shadow-sm">
<div class="container">
<a class="navbar-brand" href="/">
<i class="fas fa-clock text-primary"></i> <strong>TimeTracker</strong>
</a>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarNav">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarNav">
<ul class="navbar-nav ms-auto">
<li class="nav-item">
<a class="nav-link" href="/">Home</a>
</li>
<li class="nav-item">
<a class="nav-link" href="/#pricing">Pricing</a>
</li>
<li class="nav-item">
<a class="nav-link active" href="/faq">FAQ</a>
</li>
<li class="nav-item">
<a class="nav-link" href="https://github.com/drytrix/TimeTracker" target="_blank">
<i class="fab fa-github"></i> GitHub
</a>
</li>
<li class="nav-item">
<a class="nav-link btn btn-outline-primary ms-2" href="/login">Sign In</a>
</li>
</ul>
</div>
</div>
</nav>
<!-- Hero Section -->
<section class="hero-section">
<div class="container">
<h1><i class="fas fa-question-circle"></i> Frequently Asked Questions</h1>
<p class="lead">Find answers to common questions about TimeTracker</p>
</div>
</section>
<!-- FAQ Section -->
<section class="faq-section">
<div class="container">
<!-- Search Box -->
<div class="faq-search">
<input type="text"
id="faq-search"
class="form-control"
placeholder="Search FAQs...">
</div>
<!-- Getting Started -->
<div class="faq-category">
<h2><i class="fas fa-rocket"></i> Getting Started</h2>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>How do I get started with TimeTracker?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>Getting started is easy:</p>
<ol>
<li><strong>Cloud Hosted:</strong> Click "Start Free Trial" on our homepage, create an account, and start tracking immediately. No credit card required for the 14-day trial.</li>
<li><strong>Self-Hosted:</strong> Clone the repository from GitHub, follow the Docker setup instructions in the README, and deploy to your own server.</li>
</ol>
<p>Both options include all features from day one.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>Do I need a credit card for the free trial?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>No! You can start using TimeTracker immediately without providing any payment information. After 14 days, you'll be prompted to add payment details if you want to continue using the cloud-hosted service.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>What's the difference between cloud-hosted and self-hosted?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p><strong>Cloud-Hosted (Paid):</strong></p>
<ul>
<li>We host, maintain, and update everything</li>
<li>Automatic backups and 99.9% uptime SLA</li>
<li>Email support included</li>
<li>SSL/HTTPS included</li>
<li>Pay monthly per user</li>
</ul>
<p><strong>Self-Hosted (Free):</strong></p>
<ul>
<li>You manage your own server</li>
<li>Full control over data and infrastructure</li>
<li>All features included at no cost</li>
<li>Community support via GitHub</li>
<li>You handle updates and backups</li>
</ul>
</div>
</div>
</div>
<!-- Privacy & Security -->
<div class="faq-category">
<h2><i class="fas fa-shield-alt"></i> Privacy & Security</h2>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>Is my data secure and private?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>Absolutely! We take security and privacy very seriously:</p>
<ul>
<li><strong>Encryption:</strong> All data is encrypted in transit (SSL/TLS) and at rest</li>
<li><strong>GDPR Compliant:</strong> We follow all EU data protection regulations</li>
<li><strong>No Data Sharing:</strong> We never sell or share your data with third parties</li>
<li><strong>Regular Backups:</strong> Automated daily backups with point-in-time recovery</li>
<li><strong>Access Control:</strong> Role-based permissions and secure authentication</li>
</ul>
<div class="highlight-box">
<strong>💡 Maximum Privacy:</strong> For complete control, use the self-hosted option to keep all data on your own servers.
</div>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>Where is my data stored?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p><strong>Cloud-Hosted:</strong> Data is stored in secure EU data centers (Frankfurt, Germany) to ensure GDPR compliance.</p>
<p><strong>Self-Hosted:</strong> Data is stored wherever you deploy the application—your own server, cloud provider, or on-premises.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>Who can access my data?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>Only you and your team members. Each organization's data is completely isolated using row-level security. Our staff cannot access your data except in rare cases with your explicit permission for technical support.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>Do you use cookies or tracking?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>We use essential cookies only:</p>
<ul>
<li><strong>Session cookies:</strong> Required for login and authentication</li>
<li><strong>No marketing cookies:</strong> We don't use Google Analytics or other tracking</li>
<li><strong>No third-party trackers:</strong> Your activity is private</li>
</ul>
</div>
</div>
</div>
<!-- Data Export & Portability -->
<div class="faq-category">
<h2><i class="fas fa-download"></i> Data Export & Portability</h2>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>Can I export my data?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>Yes! You can export all your data at any time:</p>
<ul>
<li><strong>CSV Export:</strong> Export time entries, projects, invoices to CSV format</li>
<li><strong>PDF Reports:</strong> Generate and download professional PDF reports</li>
<li><strong>Full Data Export:</strong> Contact support for a complete database export</li>
<li><strong>API Access:</strong> Use our REST API to programmatically export data</li>
</ul>
<p>There is no vendor lock-in—your data is always yours to take with you.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>What format is the exported data in?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>Exports are available in:</p>
<ul>
<li><strong>CSV:</strong> Compatible with Excel, Google Sheets, and most accounting software</li>
<li><strong>PDF:</strong> Professional invoices and reports</li>
<li><strong>JSON:</strong> Machine-readable format via API</li>
</ul>
<p>All timestamps use ISO 8601 format for maximum compatibility.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>Can I import data from other time tracking tools?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>Yes! If your current tool exports to CSV, you can import that data. Contact support for assistance with bulk imports or migration from specific tools.</p>
</div>
</div>
</div>
<!-- Pricing & Billing -->
<div class="faq-category">
<h2><i class="fas fa-euro-sign"></i> Pricing & Billing</h2>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>How does pricing work?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>We offer three options:</p>
<ul>
<li><strong>Self-Hosted:</strong> Free forever with all features</li>
<li><strong>Single User:</strong> €5/month for one user account</li>
<li><strong>Team:</strong> €6/user/month with unlimited users</li>
</ul>
<p>All cloud-hosted plans include automatic backups, updates, SSL, and support.</p>
<div class="highlight-box">
<strong>🎁 Early Adopter Discount:</strong> Use code <code>EARLY2025</code> for 20% off your first 3 months!
</div>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>What payment methods do you accept?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>We accept:</p>
<ul>
<li>All major credit cards (Visa, MasterCard, American Express)</li>
<li>Debit cards</li>
<li>SEPA direct debit (EU customers)</li>
</ul>
<p>All payments are processed securely through Stripe.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>Can I upgrade or downgrade my plan?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>Yes! You can change your plan at any time:</p>
<ul>
<li><strong>Upgrade:</strong> Immediate access to new features, prorated billing</li>
<li><strong>Add/Remove Users:</strong> Changes take effect immediately with automatic proration</li>
<li><strong>Downgrade:</strong> Applies at next billing cycle, unused time credited</li>
</ul>
<p>All changes are handled automatically through your billing portal.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>Do you offer annual billing?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>Yes! Annual billing includes a 15% discount (equivalent to 2 months free). Combined with the early adopter discount, you can save significantly!</p>
</div>
</div>
</div>
<!-- Refunds & Cancellation -->
<div class="faq-category">
<h2><i class="fas fa-undo"></i> Refunds & Cancellation</h2>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>What's your refund policy?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>We offer a 30-day money-back guarantee:</p>
<ul>
<li>If you're not satisfied within 30 days, contact us for a full refund</li>
<li>No questions asked—we want happy customers</li>
<li>Refunds typically processed within 5-7 business days</li>
</ul>
<p>The free trial doesn't count toward the 30 days—it starts from your first paid billing cycle.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>How do I cancel my subscription?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>You can cancel anytime:</p>
<ol>
<li>Go to Settings → Billing</li>
<li>Click "Cancel Subscription"</li>
<li>Confirm cancellation</li>
</ol>
<p>Your account remains active until the end of your billing period. After cancellation, you can export all your data before the account closes.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>What happens to my data after I cancel?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>After cancellation:</p>
<ul>
<li><strong>30 days:</strong> Your account is frozen but data is retained</li>
<li><strong>During freeze:</strong> You can reactivate or export data anytime</li>
<li><strong>After 30 days:</strong> Data is permanently deleted per GDPR requirements</li>
</ul>
<p>We recommend exporting your data before canceling to ensure you have a backup.</p>
</div>
</div>
</div>
<!-- VAT & Invoicing -->
<div class="faq-category">
<h2><i class="fas fa-file-invoice"></i> VAT & Invoicing</h2>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>How does VAT work for EU customers?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>VAT is handled automatically:</p>
<ul>
<li><strong>Individuals:</strong> VAT is applied based on your country</li>
<li><strong>EU Businesses:</strong> Provide your VAT ID for reverse charge (no VAT charged)</li>
<li><strong>Non-EU:</strong> No VAT applied</li>
</ul>
<p>All invoices include proper VAT information and are compliant with local regulations.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>Do you provide invoices?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>Yes! Invoices are generated automatically:</p>
<ul>
<li>Sent via email after each billing cycle</li>
<li>Available in your billing portal</li>
<li>Include all required tax information</li>
<li>PDF format, ready for accounting</li>
</ul>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>Can I add my company details to invoices?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>Yes! In your billing settings, you can add:</p>
<ul>
<li>Company name</li>
<li>Billing address</li>
<li>VAT ID</li>
<li>Tax registration number</li>
</ul>
<p>These details will appear on all future invoices.</p>
</div>
</div>
</div>
<!-- Technical Support -->
<div class="faq-category">
<h2><i class="fas fa-life-ring"></i> Support & Help</h2>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>What kind of support do you provide?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>Support varies by plan:</p>
<ul>
<li><strong>Self-Hosted:</strong> Community support via GitHub issues and discussions</li>
<li><strong>Single User:</strong> Email support with 24-48 hour response time</li>
<li><strong>Team:</strong> Priority email support (12-24 hours) + video call onboarding</li>
</ul>
<p>All plans include access to our comprehensive documentation and knowledge base.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>Do you offer training or onboarding?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>Team plan subscribers receive:</p>
<ul>
<li>One-on-one onboarding call (30 minutes)</li>
<li>Walkthrough of all features</li>
<li>Help setting up projects and workflows</li>
<li>Best practices guide</li>
</ul>
<p>For larger teams (10+ users), we can provide custom training sessions.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h3>Is there a system status page?</h3>
<i class="fas fa-chevron-down"></i>
</div>
<div class="faq-answer">
<p>Yes! Visit <a href="/status" target="_blank">status.timetracker.com</a> to see:</p>
<ul>
<li>Current system status</li>
<li>Uptime statistics</li>
<li>Scheduled maintenance</li>
<li>Incident history</li>
</ul>
</div>
</div>
</div>
</div>
</section>
<!-- CTA Section -->
<section class="cta-section">
<div class="container">
<h2>Still have questions?</h2>
<p class="lead">We're here to help! Contact our support team or start your free trial today.</p>
<div class="mt-4">
<a href="/contact" class="btn btn-primary btn-lg me-2">
<i class="fas fa-envelope"></i> Contact Support
</a>
<a href="/signup" class="btn btn-success btn-lg">
<i class="fas fa-rocket"></i> Start Free Trial
</a>
</div>
</div>
</section>
<!-- Footer -->
<footer class="footer">
<div class="container">
<div class="row">
<div class="col-md-4">
<h5><i class="fas fa-clock"></i> TimeTracker</h5>
<p class="text-muted">Professional time tracking made simple.</p>
</div>
<div class="col-md-4">
<h6>Quick Links</h6>
<ul class="list-unstyled">
<li><a href="/">Home</a></li>
<li><a href="/#pricing">Pricing</a></li>
<li><a href="/faq">FAQ</a></li>
<li><a href="/privacy">Privacy Policy</a></li>
<li><a href="/terms">Terms of Service</a></li>
</ul>
</div>
<div class="col-md-4">
<h6>Connect</h6>
<ul class="list-unstyled">
<li><a href="https://github.com/drytrix/TimeTracker">GitHub</a></li>
<li><a href="/support">Support</a></li>
<li><a href="/contact">Contact</a></li>
</ul>
</div>
</div>
<hr class="border-secondary mt-4">
<div class="text-center">
<p class="text-muted mb-0">&copy; 2025 TimeTracker. Open source under GPL-3.0.</p>
</div>
</div>
</footer>
<!-- Bootstrap JS -->
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>
<script>
function toggleFaq(element) {
const answer = element.nextElementSibling;
const allQuestions = document.querySelectorAll('.faq-question');
const allAnswers = document.querySelectorAll('.faq-answer');
// Close all other FAQs
allQuestions.forEach(q => {
if (q !== element) {
q.classList.remove('active');
}
});
allAnswers.forEach(a => {
if (a !== answer) {
a.classList.remove('show');
}
});
// Toggle current FAQ
element.classList.toggle('active');
answer.classList.toggle('show');
}
// FAQ Search
document.getElementById('faq-search').addEventListener('input', function(e) {
const searchTerm = e.target.value.toLowerCase();
const faqItems = document.querySelectorAll('.faq-item');
faqItems.forEach(item => {
const question = item.querySelector('.faq-question h3').textContent.toLowerCase();
const answer = item.querySelector('.faq-answer').textContent.toLowerCase();
if (question.includes(searchTerm) || answer.includes(searchTerm)) {
item.style.display = 'block';
} else {
item.style.display = 'none';
}
});
});
</script>
</body>
</html>

989
app/templates/marketing/landing.html
View File

@@ -1,989 +0,0 @@
<!DOCTYPE html>
<html lang="{{ current_language_code|default('en') }}">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="TimeTracker - Professional time tracking for freelancers and teams. Self-hosted or cloud-hosted with 14-day free trial.">
<meta name="keywords" content="time tracking, project management, invoicing, freelancer tools, team productivity">
<title>TimeTracker - Professional Time Tracking Made Simple</title>
<!-- Bootstrap CSS -->
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css" rel="stylesheet">
<!-- Font Awesome -->
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
<!-- Custom CSS -->
<style>
:root {
--primary-color: #4a90e2;
--secondary-color: #2ecc71;
--accent-color: #e74c3c;
--text-dark: #2c3e50;
--text-light: #7f8c8d;
--bg-light: #f8f9fa;
--shadow: 0 4px 6px rgba(0,0,0,0.1);
}
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
color: var(--text-dark);
line-height: 1.6;
}
/* Hero Section */
.hero {
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
color: white;
padding: 120px 0 80px;
text-align: center;
position: relative;
overflow: hidden;
}
.hero::before {
content: '';
position: absolute;
top: 0;
left: 0;
right: 0;
bottom: 0;
background: url('data:image/svg+xml,<svg width="60" height="60" xmlns="http://www.w3.org/2000/svg"><path d="M30 0L0 30L30 60L60 30Z" fill="rgba(255,255,255,0.03)"/></svg>');
animation: float 20s infinite linear;
}
@keyframes float {
from { transform: translateY(0) rotate(0deg); }
to { transform: translateY(-60px) rotate(360deg); }
}
.hero h1 {
font-size: 3.5rem;
font-weight: 700;
margin-bottom: 1.5rem;
position: relative;
z-index: 1;
}
.hero p.lead {
font-size: 1.5rem;
margin-bottom: 2rem;
opacity: 0.95;
position: relative;
z-index: 1;
}
.hero .btn {
padding: 15px 40px;
font-size: 1.2rem;
border-radius: 50px;
margin: 0 10px;
position: relative;
z-index: 1;
}
.btn-primary-custom {
background: white;
color: var(--primary-color);
border: none;
box-shadow: 0 4px 15px rgba(0,0,0,0.2);
}
.btn-primary-custom:hover {
transform: translateY(-2px);
box-shadow: 0 6px 20px rgba(0,0,0,0.25);
}
.btn-outline-custom {
background: transparent;
color: white;
border: 2px solid white;
}
.btn-outline-custom:hover {
background: white;
color: var(--primary-color);
}
/* Features Section */
.features {
padding: 80px 0;
background: white;
}
.feature-card {
text-align: center;
padding: 30px;
border-radius: 10px;
transition: transform 0.3s;
height: 100%;
}
.feature-card:hover {
transform: translateY(-5px);
box-shadow: var(--shadow);
}
.feature-card i {
font-size: 3rem;
color: var(--primary-color);
margin-bottom: 1rem;
}
.feature-card h3 {
font-size: 1.5rem;
margin-bottom: 1rem;
color: var(--text-dark);
}
/* Pricing Section */
.pricing {
padding: 80px 0;
background: var(--bg-light);
}
.pricing-card {
background: white;
border-radius: 15px;
padding: 40px;
box-shadow: var(--shadow);
transition: transform 0.3s, box-shadow 0.3s;
height: 100%;
position: relative;
}
.pricing-card:hover {
transform: translateY(-10px);
box-shadow: 0 8px 25px rgba(0,0,0,0.15);
}
.pricing-card.featured {
border: 3px solid var(--primary-color);
}
.pricing-badge {
position: absolute;
top: -15px;
right: 30px;
background: var(--secondary-color);
color: white;
padding: 5px 20px;
border-radius: 20px;
font-weight: bold;
font-size: 0.9rem;
}
.pricing-card h3 {
font-size: 1.8rem;
margin-bottom: 1rem;
color: var(--text-dark);
}
.price {
font-size: 3rem;
font-weight: 700;
color: var(--primary-color);
margin: 20px 0;
}
.price small {
font-size: 1.2rem;
color: var(--text-light);
}
.price-features {
list-style: none;
padding: 0;
margin: 30px 0;
text-align: left;
}
.price-features li {
padding: 12px 0;
border-bottom: 1px solid #eee;
}
.price-features li:last-child {
border-bottom: none;
}
.price-features i.fa-check {
color: var(--secondary-color);
margin-right: 10px;
}
.price-features i.fa-times {
color: #ddd;
margin-right: 10px;
}
/* Comparison Table */
.comparison-table {
margin-top: 60px;
}
.comparison-table table {
background: white;
border-radius: 10px;
overflow: hidden;
box-shadow: var(--shadow);
}
.comparison-table th {
background: var(--primary-color);
color: white;
padding: 20px;
font-weight: 600;
}
.comparison-table td {
padding: 15px 20px;
border-bottom: 1px solid #eee;
}
.comparison-table tr:last-child td {
border-bottom: none;
}
.comparison-table .feature-name {
font-weight: 500;
}
/* Social Proof */
.social-proof {
padding: 60px 0;
background: white;
text-align: center;
}
.stats {
display: flex;
justify-content: space-around;
flex-wrap: wrap;
margin-top: 40px;
}
.stat-item {
flex: 1;
min-width: 200px;
padding: 20px;
}
.stat-number {
font-size: 3rem;
font-weight: 700;
color: var(--primary-color);
}
.stat-label {
font-size: 1.1rem;
color: var(--text-light);
margin-top: 10px;
}
/* CTA Section */
.cta {
padding: 80px 0;
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
color: white;
text-align: center;
}
.cta h2 {
font-size: 2.5rem;
margin-bottom: 1.5rem;
}
/* FAQ Section */
.faq {
padding: 80px 0;
background: white;
}
.faq-item {
margin-bottom: 20px;
}
.faq-question {
background: var(--bg-light);
padding: 20px;
border-radius: 8px;
cursor: pointer;
transition: background 0.3s;
}
.faq-question:hover {
background: #e9ecef;
}
.faq-question h4 {
margin: 0;
display: flex;
justify-content: space-between;
align-items: center;
}
.faq-answer {
padding: 20px;
display: none;
}
.faq-answer.show {
display: block;
}
/* Footer */
.footer {
background: var(--text-dark);
color: white;
padding: 40px 0 20px;
}
.footer a {
color: white;
text-decoration: none;
}
.footer a:hover {
color: var(--primary-color);
}
/* Responsive */
@media (max-width: 768px) {
.hero h1 {
font-size: 2.5rem;
}
.hero p.lead {
font-size: 1.2rem;
}
.pricing-card {
margin-bottom: 30px;
}
}
</style>
</head>
<body>
<!-- Navigation -->
<nav class="navbar navbar-expand-lg navbar-dark" style="background: rgba(0,0,0,0.1); position: absolute; width: 100%; z-index: 10;">
<div class="container">
<a class="navbar-brand" href="/">
<i class="fas fa-clock"></i> TimeTracker
</a>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarNav">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarNav">
<ul class="navbar-nav ms-auto">
<li class="nav-item">
<a class="nav-link" href="#features">Features</a>
</li>
<li class="nav-item">
<a class="nav-link" href="#pricing">Pricing</a>
</li>
<li class="nav-item">
<a class="nav-link" href="#faq">FAQ</a>
</li>
<li class="nav-item">
<a class="nav-link" href="https://github.com/drytrix/TimeTracker" target="_blank">
<i class="fab fa-github"></i> GitHub
</a>
</li>
<!-- Language Selector -->
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" id="langDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false">
<i class="fas fa-globe"></i> <span id="current-lang">EN</span>
</a>
<ul class="dropdown-menu dropdown-menu-end" aria-labelledby="langDropdown">
<li><a class="dropdown-item" href="#" onclick="setLanguage('en'); return false;">🇬🇧 English</a></li>
<li><a class="dropdown-item" href="#" onclick="setLanguage('de'); return false;">🇩🇪 Deutsch</a></li>
<li><a class="dropdown-item" href="#" onclick="setLanguage('fr'); return false;">🇫🇷 Français</a></li>
<li><a class="dropdown-item" href="#" onclick="setLanguage('it'); return false;">🇮🇹 Italiano</a></li>
<li><a class="dropdown-item" href="#" onclick="setLanguage('nl'); return false;">🇳🇱 Nederlands</a></li>
<li><a class="dropdown-item" href="#" onclick="setLanguage('fi'); return false;">🇫🇮 Suomi</a></li>
</ul>
</li>
<li class="nav-item">
<a class="nav-link btn btn-outline-light ms-2" href="/login">Sign In</a>
</li>
</ul>
</div>
</div>
</nav>
<!-- Hero Section -->
<section class="hero">
<div class="container">
<h1>Professional Time Tracking Made Simple</h1>
<p class="lead">Track time, manage projects, and generate invoices with ease. Self-hosted or cloud-hosted.</p>
<div class="mt-4">
<a href="/signup" class="btn btn-primary-custom btn-lg">
<i class="fas fa-rocket"></i> Start Free Trial
</a>
<a href="https://github.com/drytrix/TimeTracker" class="btn btn-outline-custom btn-lg">
<i class="fab fa-github"></i> Self-Host
</a>
</div>
<p class="mt-3">
<small><i class="fas fa-check-circle"></i> 14-day free trial • No credit card required • Cancel anytime</small>
</p>
</div>
</section>
<!-- Features Section -->
<section class="features" id="features">
<div class="container">
<div class="text-center mb-5">
<h2 class="display-4">Everything You Need to Track Time</h2>
<p class="lead text-muted">Powerful features for freelancers, teams, and businesses</p>
</div>
<div class="row g-4">
<div class="col-md-4">
<div class="feature-card">
<i class="fas fa-clock"></i>
<h3>Smart Time Tracking</h3>
<p>Automatic timers with idle detection, manual entry, and real-time updates. Never lose track of your time.</p>
</div>
</div>
<div class="col-md-4">
<div class="feature-card">
<i class="fas fa-project-diagram"></i>
<h3>Project Management</h3>
<p>Organize work by clients and projects with billing rates, estimates, and progress tracking.</p>
</div>
</div>
<div class="col-md-4">
<div class="feature-card">
<i class="fas fa-file-invoice-dollar"></i>
<h3>Professional Invoicing</h3>
<p>Generate branded PDF invoices with customizable layouts and automatic calculations.</p>
</div>
</div>
<div class="col-md-4">
<div class="feature-card">
<i class="fas fa-chart-line"></i>
<h3>Analytics & Reports</h3>
<p>Comprehensive reports with visual analytics, trends, and data export capabilities.</p>
</div>
</div>
<div class="col-md-4">
<div class="feature-card">
<i class="fas fa-users"></i>
<h3>Team Collaboration</h3>
<p>Multi-user support with role-based access control and team productivity metrics.</p>
</div>
</div>
<div class="col-md-4">
<div class="feature-card">
<i class="fas fa-mobile-alt"></i>
<h3>Mobile Optimized</h3>
<p>Responsive design that works perfectly on all devices - desktop, tablet, and mobile.</p>
</div>
</div>
</div>
</div>
</section>
<!-- Pricing Section -->
<section class="pricing" id="pricing">
<div class="container">
<div class="text-center mb-5">
<h2 class="display-4">Simple, Transparent Pricing</h2>
<p class="lead text-muted">Choose the plan that fits your needs</p>
<div class="alert alert-success d-inline-block mt-3">
<i class="fas fa-gift"></i> <strong>Early Adopter Discount:</strong> Use code <code>EARLY2025</code> for 20% off first 3 months!
</div>
</div>
<div class="row g-4 justify-content-center">
<!-- Self-Hosted -->
<div class="col-lg-4">
<div class="pricing-card">
<h3><i class="fas fa-server"></i> Self-Hosted</h3>
<div class="price">
Free
<br><small>Forever</small>
</div>
<ul class="price-features">
<li><i class="fas fa-check"></i> Unlimited users</li>
<li><i class="fas fa-check"></i> All features included</li>
<li><i class="fas fa-check"></i> Full data control</li>
<li><i class="fas fa-check"></i> No monthly fees</li>
<li><i class="fas fa-check"></i> Docker support</li>
<li><i class="fas fa-times"></i> Self-manage updates</li>
<li><i class="fas fa-times"></i> Self-manage backups</li>
<li><i class="fas fa-times"></i> Community support only</li>
</ul>
<a href="https://github.com/drytrix/TimeTracker" class="btn btn-outline-primary w-100">
<i class="fab fa-github"></i> Get Started
</a>
</div>
</div>
<!-- Cloud Hosted - Single User -->
<div class="col-lg-4">
<div class="pricing-card">
<h3><i class="fas fa-user"></i> Single User</h3>
<div class="price">
€5
<br><small>/month</small>
</div>
<ul class="price-features">
<li><i class="fas fa-check"></i> 1 user account</li>
<li><i class="fas fa-check"></i> All features included</li>
<li><i class="fas fa-check"></i> Cloud hosted</li>
<li><i class="fas fa-check"></i> Automatic backups</li>
<li><i class="fas fa-check"></i> Automatic updates</li>
<li><i class="fas fa-check"></i> Email support</li>
<li><i class="fas fa-check"></i> 99.9% uptime SLA</li>
<li><i class="fas fa-check"></i> SSL included</li>
</ul>
<a href="/signup?plan=single" class="btn btn-primary w-100">
<i class="fas fa-rocket"></i> Start Free Trial
</a>
<p class="text-center mt-2 small text-muted">14-day free trial</p>
</div>
</div>
<!-- Cloud Hosted - Team -->
<div class="col-lg-4">
<div class="pricing-card featured">
<div class="pricing-badge">Most Popular</div>
<h3><i class="fas fa-users"></i> Team</h3>
<div class="price">
€6
<br><small>/user/month</small>
</div>
<ul class="price-features">
<li><i class="fas fa-check"></i> Unlimited users</li>
<li><i class="fas fa-check"></i> All features included</li>
<li><i class="fas fa-check"></i> Cloud hosted</li>
<li><i class="fas fa-check"></i> Automatic backups</li>
<li><i class="fas fa-check"></i> Automatic updates</li>
<li><i class="fas fa-check"></i> Priority support</li>
<li><i class="fas fa-check"></i> 99.9% uptime SLA</li>
<li><i class="fas fa-check"></i> Custom branding</li>
</ul>
<a href="/signup?plan=team" class="btn btn-primary w-100">
<i class="fas fa-rocket"></i> Start Free Trial
</a>
<p class="text-center mt-2 small text-muted">14-day free trial • Add/remove seats anytime</p>
</div>
</div>
</div>
<!-- Comparison Table -->
<div class="comparison-table">
<div class="text-center mb-4">
<h3>Detailed Feature Comparison</h3>
</div>
<div class="table-responsive">
<table class="table">
<thead>
<tr>
<th>Feature</th>
<th class="text-center">Self-Hosted</th>
<th class="text-center">Single User</th>
<th class="text-center">Team</th>
</tr>
</thead>
<tbody>
<tr>
<td class="feature-name">Time Tracking</td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
</tr>
<tr>
<td class="feature-name">Project Management</td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
</tr>
<tr>
<td class="feature-name">Professional Invoicing</td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
</tr>
<tr>
<td class="feature-name">Reports & Analytics</td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
</tr>
<tr>
<td class="feature-name">Number of Users</td>
<td class="text-center">Unlimited</td>
<td class="text-center">1</td>
<td class="text-center">Unlimited</td>
</tr>
<tr>
<td class="feature-name">Cloud Hosting</td>
<td class="text-center"><i class="fas fa-times text-muted"></i></td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
</tr>
<tr>
<td class="feature-name">Automatic Backups</td>
<td class="text-center"><i class="fas fa-times text-muted"></i></td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
</tr>
<tr>
<td class="feature-name">Automatic Updates</td>
<td class="text-center"><i class="fas fa-times text-muted"></i></td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
</tr>
<tr>
<td class="feature-name">Email Support</td>
<td class="text-center">Community</td>
<td class="text-center">Standard</td>
<td class="text-center">Priority</td>
</tr>
<tr>
<td class="feature-name">99.9% Uptime SLA</td>
<td class="text-center"><i class="fas fa-times text-muted"></i></td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
</tr>
<tr>
<td class="feature-name">Custom Branding</td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
<td class="text-center"><i class="fas fa-times text-muted"></i></td>
<td class="text-center"><i class="fas fa-check text-success"></i></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</section>
<!-- Social Proof -->
<section class="social-proof">
<div class="container">
<h2 class="display-5 mb-4">Trusted by Professionals Worldwide</h2>
<div class="stats">
<div class="stat-item">
<div class="stat-number"><i class="fab fa-github"></i></div>
<div class="stat-label">Open Source</div>
</div>
<div class="stat-item">
<div class="stat-number">14-Day</div>
<div class="stat-label">Free Trial</div>
</div>
<div class="stat-item">
<div class="stat-number">99.9%</div>
<div class="stat-label">Uptime SLA</div>
</div>
<div class="stat-item">
<div class="stat-number"><i class="fas fa-lock"></i></div>
<div class="stat-label">GDPR Compliant</div>
</div>
</div>
</div>
</section>
<!-- FAQ Section -->
<section class="faq" id="faq">
<div class="container">
<div class="text-center mb-5">
<h2 class="display-4">Frequently Asked Questions</h2>
</div>
<div class="row justify-content-center">
<div class="col-lg-8">
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h4>
How does the 14-day free trial work?
<i class="fas fa-chevron-down"></i>
</h4>
</div>
<div class="faq-answer">
<p>Start using TimeTracker immediately with full access to all features. No credit card required to start. After 14 days, you'll be prompted to add payment information to continue using the service. Cancel anytime during the trial with no charges.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h4>
What's the difference between self-hosted and cloud-hosted?
<i class="fas fa-chevron-down"></i>
</h4>
</div>
<div class="faq-answer">
<p><strong>Self-hosted:</strong> Download and run TimeTracker on your own server. You manage updates, backups, and maintenance. Great for maximum control and privacy.</p>
<p><strong>Cloud-hosted:</strong> We handle everything - hosting, updates, backups, security, and support. Just sign up and start tracking time immediately.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h4>
Is my data secure and private?
<i class="fas fa-chevron-down"></i>
</h4>
</div>
<div class="faq-answer">
<p>Yes! We take security seriously. All data is encrypted in transit (SSL/TLS) and at rest. We're GDPR compliant and never share your data with third parties. For maximum privacy, use the self-hosted option to keep all data on your own servers.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h4>
Can I export my data?
<i class="fas fa-chevron-down"></i>
</h4>
</div>
<div class="faq-answer">
<p>Absolutely! You can export all your time entries, projects, and reports in CSV format at any time. No vendor lock-in - your data is always yours to take with you.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h4>
What payment methods do you accept?
<i class="fas fa-chevron-down"></i>
</h4>
</div>
<div class="faq-answer">
<p>We accept all major credit cards (Visa, MasterCard, American Express) through our secure payment processor Stripe. We also support SEPA direct debit for EU customers.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h4>
How does VAT work for EU customers?
<i class="fas fa-chevron-down"></i>
</h4>
</div>
<div class="faq-answer">
<p>VAT is automatically calculated based on your location. If you're a business in the EU, you can provide your VAT ID for reverse charge. All invoices include proper VAT information for your accounting needs.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h4>
What's your refund policy?
<i class="fas fa-chevron-down"></i>
</h4>
</div>
<div class="faq-answer">
<p>We offer a 30-day money-back guarantee. If you're not satisfied with TimeTracker within the first 30 days, contact us for a full refund. No questions asked.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h4>
Can I upgrade or downgrade my plan?
<i class="fas fa-chevron-down"></i>
</h4>
</div>
<div class="faq-answer">
<p>Yes! You can upgrade from Single User to Team at any time. For Team plans, you can add or remove users as needed - billing is automatically prorated. Downgrading is also possible with unused time credited to your account.</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h4>
Do you offer discounts for annual plans?
<i class="fas fa-chevron-down"></i>
</h4>
</div>
<div class="faq-answer">
<p>Yes! Annual plans receive a 15% discount. Pay yearly and save approximately 2 months of fees. Plus, use code <code>EARLY2025</code> for an additional 20% off your first year as an early adopter!</p>
</div>
</div>
<div class="faq-item">
<div class="faq-question" onclick="toggleFaq(this)">
<h4>
What support do you provide?
<i class="fas fa-chevron-down"></i>
</h4>
</div>
<div class="faq-answer">
<p><strong>Self-hosted:</strong> Community support via GitHub issues and discussions.</p>
<p><strong>Single User:</strong> Email support with 24-48 hour response time.</p>
<p><strong>Team:</strong> Priority email support with 12-24 hour response time, plus video call support for onboarding.</p>
</div>
</div>
</div>
</div>
</div>
</section>
<!-- CTA Section -->
<section class="cta">
<div class="container">
<h2>Ready to Take Control of Your Time?</h2>
<p class="lead">Start your 14-day free trial today. No credit card required.</p>
<div class="mt-4">
<a href="/signup" class="btn btn-primary-custom btn-lg">
<i class="fas fa-rocket"></i> Start Free Trial
</a>
<a href="https://github.com/drytrix/TimeTracker" class="btn btn-outline-custom btn-lg">
<i class="fab fa-github"></i> View on GitHub
</a>
</div>
</div>
</section>
<!-- Footer -->
<footer class="footer">
<div class="container">
<div class="row">
<div class="col-md-4 mb-4">
<h5><i class="fas fa-clock"></i> TimeTracker</h5>
<p class="text-muted">Professional time tracking made simple.</p>
<div class="mt-3">
<a href="https://github.com/drytrix/TimeTracker" class="me-3">
<i class="fab fa-github fa-2x"></i>
</a>
</div>
</div>
<div class="col-md-2 mb-4">
<h6>Product</h6>
<ul class="list-unstyled">
<li><a href="#features">Features</a></li>
<li><a href="#pricing">Pricing</a></li>
<li><a href="/docs">Documentation</a></li>
<li><a href="/changelog">Changelog</a></li>
</ul>
</div>
<div class="col-md-2 mb-4">
<h6>Resources</h6>
<ul class="list-unstyled">
<li><a href="https://github.com/drytrix/TimeTracker">GitHub</a></li>
<li><a href="/api/docs">API Docs</a></li>
<li><a href="#faq">FAQ</a></li>
<li><a href="/support">Support</a></li>
</ul>
</div>
<div class="col-md-2 mb-4">
<h6>Company</h6>
<ul class="list-unstyled">
<li><a href="/about">About</a></li>
<li><a href="/privacy">Privacy Policy</a></li>
<li><a href="/terms">Terms of Service</a></li>
<li><a href="/contact">Contact</a></li>
</ul>
</div>
<div class="col-md-2 mb-4">
<h6>Connect</h6>
<ul class="list-unstyled">
<li><a href="/login">Sign In</a></li>
<li><a href="/signup">Sign Up</a></li>
<li><a href="/status">System Status</a></li>
</ul>
</div>
</div>
<hr class="border-secondary">
<div class="row">
<div class="col-md-6 text-center text-md-start">
<p class="text-muted mb-0">&copy; 2025 TimeTracker. Open source under GPL-3.0.</p>
</div>
<div class="col-md-6 text-center text-md-end">
<p class="text-muted mb-0">Made with <i class="fas fa-heart text-danger"></i> for productivity</p>
</div>
</div>
</div>
</footer>
<!-- Bootstrap JS -->
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>
<script>
function toggleFaq(element) {
const answer = element.nextElementSibling;
const icon = element.querySelector('i');
answer.classList.toggle('show');
if (answer.classList.contains('show')) {
icon.classList.remove('fa-chevron-down');
icon.classList.add('fa-chevron-up');
} else {
icon.classList.remove('fa-chevron-up');
icon.classList.add('fa-chevron-down');
}
}
// Language selector
function setLanguage(lang) {
// Map language codes to display names
const langMap = {
'en': 'EN',
'de': 'DE',
'fr': 'FR',
'it': 'IT',
'nl': 'NL',
'fi': 'FI'
};
// Update display
document.getElementById('current-lang').textContent = langMap[lang] || 'EN';
// Send to server to set session
fetch('/i18n/set-language?lang=' + lang, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
}).then(response => {
if (response.ok) {
// Reload page to apply new language
window.location.reload();
}
}).catch(error => {
console.error('Error setting language:', error);
});
}
// Initialize current language display
document.addEventListener('DOMContentLoaded', function() {
// Check if there's a language in the session/cookie
const currentLang = '{{ current_language_code|default("en") }}';
const langMap = {
'en': 'EN',
'de': 'DE',
'fr': 'FR',
'it': 'IT',
'nl': 'NL',
'fi': 'FI'
};
document.getElementById('current-lang').textContent = langMap[currentLang] || 'EN';
});
// Smooth scrolling for anchor links
document.querySelectorAll('a[href^="#"]').forEach(anchor => {
anchor.addEventListener('click', function (e) {
e.preventDefault();
const target = document.querySelector(this.getAttribute('href'));
if (target) {
target.scrollIntoView({
behavior: 'smooth',
block: 'start'
});
}
});
});
</script>
</body>
</html>

390
app/templates/onboarding/checklist.html
View File

@@ -1,390 +0,0 @@
{% extends "base.html" %}
{% block title %}{{ _('Onboarding Checklist') }}{% endblock %}
{% block extra_css %}
<style>
.onboarding-container {
max-width: 1000px;
margin: 0 auto;
padding: 20px;
}
.onboarding-header {
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
color: white;
padding: 40px;
border-radius: 12px;
margin-bottom: 30px;
box-shadow: 0 4px 15px rgba(0,0,0,0.1);
}
.onboarding-progress {
background: rgba(255,255,255,0.2);
border-radius: 20px;
height: 10px;
overflow: hidden;
margin-top: 20px;
}
.onboarding-progress-bar {
background: #fff;
height: 100%;
transition: width 0.5s ease;
border-radius: 20px;
}
.task-list {
background: white;
border-radius: 12px;
padding: 30px;
box-shadow: 0 2px 10px rgba(0,0,0,0.08);
}
.task-item {
display: flex;
align-items: flex-start;
padding: 20px;
border-bottom: 1px solid #e9ecef;
transition: all 0.3s ease;
border-radius: 8px;
margin-bottom: 10px;
}
.task-item:hover {
background: #f8f9fa;
transform: translateX(5px);
}
.task-item:last-child {
border-bottom: none;
}
.task-item.completed {
opacity: 0.6;
}
.task-checkbox {
width: 28px;
height: 28px;
min-width: 28px;
border: 2px solid #dee2e6;
border-radius: 50%;
margin-right: 20px;
display: flex;
align-items: center;
justify-content: center;
cursor: pointer;
transition: all 0.3s ease;
background: white;
}
.task-checkbox:hover {
border-color: #667eea;
transform: scale(1.1);
}
.task-checkbox.completed {
background: linear-gradient(135deg, #667eea, #764ba2);
border-color: #667eea;
}
.task-checkbox.completed i {
color: white;
font-size: 14px;
}
.task-content {
flex: 1;
}
.task-title {
font-size: 16px;
font-weight: 600;
color: #2c3e50;
margin-bottom: 5px;
display: flex;
align-items: center;
}
.task-icon {
margin-right: 10px;
color: #667eea;
width: 24px;
text-align: center;
}
.task-description {
color: #6c757d;
font-size: 14px;
margin-bottom: 8px;
}
.task-action {
margin-top: 10px;
}
.task-action a {
color: #667eea;
text-decoration: none;
font-size: 14px;
font-weight: 500;
}
.task-action a:hover {
color: #5568d3;
text-decoration: underline;
}
.task-meta {
font-size: 12px;
color: #999;
margin-top: 8px;
}
.completion-badge {
display: inline-flex;
align-items: center;
padding: 6px 12px;
border-radius: 20px;
font-size: 14px;
font-weight: 600;
margin-left: 15px;
}
.completion-badge.complete {
background: #d4edda;
color: #155724;
}
.completion-badge.in-progress {
background: #fff3cd;
color: #856404;
}
.dismiss-banner {
background: #f8f9fa;
padding: 15px;
border-radius: 8px;
text-align: center;
margin-bottom: 20px;
}
.category-badge {
display: inline-block;
padding: 3px 8px;
font-size: 11px;
border-radius: 12px;
font-weight: 600;
text-transform: uppercase;
letter-spacing: 0.5px;
margin-left: 10px;
}
.category-team { background: #e3f2fd; color: #1976d2; }
.category-setup { background: #f3e5f5; color: #7b1fa2; }
.category-usage { background: #e8f5e9; color: #388e3c; }
.category-billing { background: #fff3e0; color: #f57c00; }
</style>
{% endblock %}
{% block content %}
<div class="onboarding-container">
<!-- Header -->
<div class="onboarding-header">
<h1><i class="fas fa-rocket"></i> {{ _('Welcome to TimeTracker!') }}</h1>
<p style="font-size: 18px; margin: 10px 0 0 0;">{{ _('Let\'s get you started with') }} <strong>{{ organization.name }}</strong></p>
<!-- Progress Bar -->
<div class="onboarding-progress">
<div class="onboarding-progress-bar" style="width: {{ checklist.completion_percentage }}%"></div>
</div>
<div style="margin-top: 15px; display: flex; justify-content: space-between; align-items: center;">
<div>
<strong>{{ _('Progress:') }}</strong> {{ checklist.get_completed_count() }} / {{ checklist.get_total_count() }} {{ _('tasks completed') }}
</div>
<div>
{% if checklist.is_complete %}
<span class="completion-badge complete">
<i class="fas fa-check-circle"></i> {{ _('Complete!') }}
</span>
{% else %}
<span class="completion-badge in-progress">
{{ checklist.completion_percentage }}% {{ _('Complete') }}
</span>
{% endif %}
</div>
</div>
</div>
<!-- Dismissed Banner -->
{% if checklist.dismissed %}
<div class="dismiss-banner alert alert-info">
<i class="fas fa-info-circle"></i> {{ _('This checklist has been dismissed. You can still complete tasks!') }}
<button class="btn btn-sm btn-primary ms-3" onclick="restoreChecklist()">
{{ _('Restore Checklist') }}
</button>
</div>
{% endif %}
<!-- Complete Banner -->
{% if checklist.is_complete %}
<div class="alert alert-success">
<i class="fas fa-trophy"></i> <strong>{{ _('Congratulations!') }}</strong>
{{ _('You\'ve completed all onboarding tasks. You\'re all set!') }}
</div>
{% endif %}
<!-- Task List -->
<div class="task-list">
<div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 25px;">
<h3><i class="fas fa-list-check"></i> {{ _('Getting Started Checklist') }}</h3>
{% if not checklist.dismissed and not checklist.is_complete %}
<button class="btn btn-sm btn-outline-secondary" onclick="dismissChecklist()">
<i class="fas fa-times"></i> {{ _('Dismiss') }}
</button>
{% endif %}
</div>
{% for task in tasks %}
<div class="task-item {% if task.completed %}completed{% endif %}" data-task-key="{{ task.key }}">
<div class="task-checkbox {% if task.completed %}completed{% endif %}" onclick="toggleTask('{{ task.key }}', {{ 'true' if task.completed else 'false' }})">
{% if task.completed %}
<i class="fas fa-check"></i>
{% endif %}
</div>
<div class="task-content">
<div class="task-title">
<i class="{{ task.icon }} task-icon"></i>
{{ _(task.title) }}
<span class="category-badge category-{{ task.category }}">{{ _(task.category) }}</span>
</div>
<div class="task-description">
{{ _(task.description) }}
</div>
{% if not task.completed %}
<div class="task-action">
{% if task.key == 'invited_team_member' %}
<a href="{{ url_for('organizations.members') }}">
<i class="fas fa-arrow-right"></i> {{ _('Invite Team Member') }}
</a>
{% elif task.key == 'created_project' %}
<a href="{{ url_for('projects.create_project') }}">
<i class="fas fa-arrow-right"></i> {{ _('Create Project') }}
</a>
{% elif task.key == 'created_time_entry' %}
<a href="{{ url_for('main.dashboard') }}">
<i class="fas fa-arrow-right"></i> {{ _('Start Timer') }}
</a>
{% elif task.key == 'created_client' %}
<a href="{{ url_for('clients.new_client') }}">
<i class="fas fa-arrow-right"></i> {{ _('Add Client') }}
</a>
{% elif task.key == 'added_billing_info' %}
<a href="{{ url_for('billing.index') }}">
<i class="fas fa-arrow-right"></i> {{ _('Go to Billing') }}
</a>
{% elif task.key == 'generated_report' %}
<a href="{{ url_for('reports.index') }}">
<i class="fas fa-arrow-right"></i> {{ _('View Reports') }}
</a>
{% endif %}
</div>
{% else %}
<div class="task-meta">
<i class="fas fa-check-circle"></i> {{ _('Completed') }} {{ task.completed_at }}
</div>
{% endif %}
</div>
</div>
{% endfor %}
</div>
<!-- Help Section -->
<div class="mt-4 text-center">
<p class="text-muted">
<i class="fas fa-question-circle"></i> {{ _('Need help getting started?') }}
<a href="{{ url_for('onboarding.guide') }}">{{ _('View the complete guide') }}</a>
</p>
</div>
</div>
<script>
function toggleTask(taskKey, isCompleted) {
if (isCompleted) {
return; // Already completed, don't allow unchecking
}
// Mark as complete via API
fetch(`/onboarding/api/checklist/complete/${taskKey}`, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
}
})
.then(response => response.json())
.then(data => {
if (data.success) {
// Update UI
location.reload();
} else {
alert('Failed to update task: ' + (data.error || 'Unknown error'));
}
})
.catch(error => {
console.error('Error:', error);
alert('Failed to update task');
});
}
function dismissChecklist() {
if (!confirm('{{ _("Are you sure you want to dismiss the onboarding checklist?") }}')) {
return;
}
fetch('/onboarding/api/checklist/dismiss', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
}
})
.then(response => response.json())
.then(data => {
if (data.success) {
location.reload();
} else {
alert('Failed to dismiss checklist: ' + (data.error || 'Unknown error'));
}
})
.catch(error => {
console.error('Error:', error);
alert('Failed to dismiss checklist');
});
}
function restoreChecklist() {
fetch('/onboarding/api/checklist/restore', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
}
})
.then(response => response.json())
.then(data => {
if (data.success) {
location.reload();
} else {
alert('Failed to restore checklist: ' + (data.error || 'Unknown error'));
}
})
.catch(error => {
console.error('Error:', error);
alert('Failed to restore checklist');
});
}
</script>
{% endblock %}

159
app/templates/onboarding/welcome.html
View File

@@ -1,159 +0,0 @@
{% extends "base.html" %}
{% block title %}{{ _('Welcome!') }}{% endblock %}
{% block extra_css %}
<style>
.welcome-container {
max-width: 900px;
margin: 50px auto;
text-align: center;
}
.welcome-hero {
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
color: white;
padding: 60px 40px;
border-radius: 16px;
box-shadow: 0 8px 30px rgba(0,0,0,0.12);
margin-bottom: 40px;
}
.welcome-hero h1 {
font-size: 42px;
margin-bottom: 15px;
font-weight: 700;
}
.welcome-hero p {
font-size: 20px;
opacity: 0.95;
}
.quick-actions {
display: grid;
grid-template-columns: repeat(auto-fit, minmax(250px, 1fr));
gap: 20px;
margin-top: 40px;
}
.quick-action-card {
background: white;
padding: 30px;
border-radius: 12px;
box-shadow: 0 3px 15px rgba(0,0,0,0.08);
transition: all 0.3s ease;
text-decoration: none;
color: inherit;
display: block;
}
.quick-action-card:hover {
transform: translateY(-5px);
box-shadow: 0 6px 25px rgba(0,0,0,0.15);
text-decoration: none;
}
.quick-action-icon {
font-size: 42px;
color: #667eea;
margin-bottom: 15px;
}
.quick-action-title {
font-size: 18px;
font-weight: 600;
margin-bottom: 10px;
color: #2c3e50;
}
.quick-action-desc {
font-size: 14px;
color: #6c757d;
}
.trial-banner {
background: #fff3cd;
border: 2px solid #ffc107;
border-radius: 12px;
padding: 20px;
margin-bottom: 30px;
display: flex;
align-items: center;
justify-content: center;
}
.trial-banner-icon {
font-size: 32px;
color: #f57c00;
margin-right: 15px;
}
.trial-banner-text {
text-align: left;
}
</style>
{% endblock %}
{% block content %}
<div class="welcome-container">
<div class="welcome-hero">
<h1>🎉 {{ _('Welcome to TimeTracker!') }}</h1>
<p>{{ _('Your organization') }} <strong>{{ organization.name }}</strong> {{ _('is ready to go!') }}</p>
</div>
{% if organization.is_on_trial %}
<div class="trial-banner">
<div class="trial-banner-icon">
<i class="fas fa-gift"></i>
</div>
<div class="trial-banner-text">
<strong>{{ _('Free Trial Active') }}</strong><br>
{{ _('You have') }} <strong>{{ organization.trial_days_remaining }} {{ _('days') }}</strong> {{ _('left in your trial. Explore all features!') }}
</div>
</div>
{% endif %}
<h2 style="margin-bottom: 30px;">{{ _('Quick Start Guide') }}</h2>
<div class="quick-actions">
<a href="{{ url_for('projects.create_project') }}" class="quick-action-card">
<div class="quick-action-icon">
<i class="fas fa-folder-plus"></i>
</div>
<div class="quick-action-title">{{ _('Create Your First Project') }}</div>
<div class="quick-action-desc">{{ _('Organize your work into projects') }}</div>
</a>
<a href="{{ url_for('organizations.members') }}" class="quick-action-card">
<div class="quick-action-icon">
<i class="fas fa-users"></i>
</div>
<div class="quick-action-title">{{ _('Invite Team Members') }}</div>
<div class="quick-action-desc">{{ _('Collaborate with your team') }}</div>
</a>
<a href="{{ url_for('main.dashboard') }}" class="quick-action-card">
<div class="quick-action-icon">
<i class="fas fa-play-circle"></i>
</div>
<div class="quick-action-title">{{ _('Start Tracking Time') }}</div>
<div class="quick-action-desc">{{ _('Begin logging your work hours') }}</div>
</a>
<a href="{{ url_for('onboarding.checklist') }}" class="quick-action-card">
<div class="quick-action-icon">
<i class="fas fa-list-check"></i>
</div>
<div class="quick-action-title">{{ _('Complete Onboarding') }}</div>
<div class="quick-action-desc">{{ _('Follow our step-by-step checklist') }}</div>
</a>
</div>
<div style="margin-top: 50px;">
<a href="{{ url_for('main.dashboard') }}" class="btn btn-primary btn-lg">
<i class="fas fa-home"></i> {{ _('Go to Dashboard') }}
</a>
</div>
</div>
{% endblock %}

368
app/utils/billing_gates.py
View File

@@ -1,368 +0,0 @@
"""
Billing Gates and Subscription Checks
This module provides decorators and utilities for enforcing subscription
requirements and limits throughout the application.
"""
from functools import wraps
from flask import redirect, url_for, flash, request, current_app
from flask_login import current_user
from app.models.organization import Organization
from app.utils.tenancy import get_current_organization
def require_active_subscription(allow_trial=True, redirect_to='billing.index'):
"""Decorator to require an active subscription for a route.
Args:
allow_trial: Whether to allow trial subscriptions (default: True)
redirect_to: Route name to redirect to if check fails
Usage:
@app.route('/premium-feature')
@login_required
@require_active_subscription()
def premium_feature():
return render_template('premium.html')
"""
def decorator(f):
@wraps(f)
def decorated_function(*args, **kwargs):
org = get_current_organization()
if not org:
flash('No organization selected', 'warning')
return redirect(url_for('organizations.index'))
# Check if subscription is active
if not org.has_active_subscription:
flash('This feature requires an active subscription. Please upgrade your plan.', 'warning')
return redirect(url_for(redirect_to))
# Check trial if not allowed
if not allow_trial and org.is_on_trial:
flash('This feature is not available during trial period. Please upgrade to a paid plan.', 'warning')
return redirect(url_for(redirect_to))
# Check for billing issues
if org.has_billing_issue:
flash('Your account has a billing issue. Please update your payment method to continue.', 'danger')
return redirect(url_for(redirect_to))
return f(*args, **kwargs)
return decorated_function
return decorator
def require_plan(min_plan='single_user', redirect_to='billing.index'):
"""Decorator to require a specific subscription plan or higher.
Plan hierarchy: free < single_user < team < enterprise
Args:
min_plan: Minimum required plan ('single_user', 'team', 'enterprise')
redirect_to: Route name to redirect to if check fails
Usage:
@app.route('/team-feature')
@login_required
@require_plan('team')
def team_feature():
return render_template('team.html')
"""
plan_hierarchy = {
'free': 0,
'single_user': 1,
'team': 2,
'enterprise': 3
}
def decorator(f):
@wraps(f)
def decorated_function(*args, **kwargs):
org = get_current_organization()
if not org:
flash('No organization selected', 'warning')
return redirect(url_for('organizations.index'))
current_level = plan_hierarchy.get(org.subscription_plan, 0)
required_level = plan_hierarchy.get(min_plan, 1)
if current_level < required_level:
flash(f'This feature requires a {min_plan.replace("_", " ").title()} plan or higher. Please upgrade.', 'warning')
return redirect(url_for(redirect_to))
return f(*args, **kwargs)
return decorated_function
return decorator
def check_user_limit(organization):
"""Check if organization can add more users.
Args:
organization: Organization instance
Returns:
dict with 'allowed', 'current', 'limit', 'message'
"""
if not organization:
return {
'allowed': False,
'current': 0,
'limit': 0,
'message': 'No organization found'
}
current_count = organization.member_count
# For team plans, check against subscription quantity
if organization.subscription_plan == 'team':
limit = organization.subscription_quantity
if current_count >= limit:
return {
'allowed': False,
'current': current_count,
'limit': limit,
'message': f'User limit reached ({limit} users). Upgrade seats to add more users.',
'can_upgrade': True
}
return {
'allowed': True,
'current': current_count,
'limit': limit,
'remaining': limit - current_count,
'message': f'{limit - current_count} user slot(s) available'
}
# For single user plan
if organization.subscription_plan == 'single_user':
if current_count >= 1:
return {
'allowed': False,
'current': current_count,
'limit': 1,
'message': 'Single User plan supports only 1 user. Upgrade to Team plan for multiple users.',
'can_upgrade': True,
'upgrade_to': 'team'
}
return {
'allowed': True,
'current': current_count,
'limit': 1,
'message': 'Can add 1 user'
}
# For free plan or others, check max_users
if organization.max_users is not None:
if current_count >= organization.max_users:
return {
'allowed': False,
'current': current_count,
'limit': organization.max_users,
'message': f'User limit reached ({organization.max_users} users). Upgrade to add more users.',
'can_upgrade': True
}
# No limit
return {
'allowed': True,
'current': current_count,
'limit': organization.max_users,
'message': 'Can add users'
}
def check_project_limit(organization):
"""Check if organization can add more projects.
Args:
organization: Organization instance
Returns:
dict with 'allowed', 'current', 'limit', 'message'
"""
if not organization:
return {
'allowed': False,
'current': 0,
'limit': 0,
'message': 'No organization found'
}
current_count = organization.project_count
# Free plan limits
if organization.subscription_plan == 'free':
limit = organization.max_projects or 3 # Default limit for free
if current_count >= limit:
return {
'allowed': False,
'current': current_count,
'limit': limit,
'message': f'Project limit reached ({limit} projects). Upgrade to create more projects.',
'can_upgrade': True
}
return {
'allowed': True,
'current': current_count,
'limit': limit,
'remaining': limit - current_count,
'message': f'{limit - current_count} project slot(s) available'
}
# Paid plans - check max_projects if set
if organization.max_projects is not None:
if current_count >= organization.max_projects:
return {
'allowed': False,
'current': current_count,
'limit': organization.max_projects,
'message': f'Project limit reached ({organization.max_projects} projects)'
}
# No limit for paid plans
return {
'allowed': True,
'current': current_count,
'limit': organization.max_projects,
'message': 'Can create projects'
}
def check_feature_access(organization, feature_name):
"""Check if organization has access to a specific feature.
Args:
organization: Organization instance
feature_name: Name of feature to check
Returns:
dict with 'allowed', 'reason', 'upgrade_required'
"""
if not organization:
return {
'allowed': False,
'reason': 'No organization found',
'upgrade_required': False
}
# Define feature access matrix
features = {
'advanced_reports': ['team', 'enterprise'],
'api_access': ['team', 'enterprise'],
'custom_branding': ['enterprise'],
'priority_support': ['team', 'enterprise'],
'integrations': ['team', 'enterprise'],
'audit_logs': ['enterprise'],
'sso': ['enterprise'],
}
allowed_plans = features.get(feature_name, [])
if not allowed_plans:
# Feature not defined, allow access
return {
'allowed': True,
'reason': 'Feature available to all'
}
if organization.subscription_plan in allowed_plans:
return {
'allowed': True,
'reason': f'Available on {organization.subscription_plan_display} plan'
}
return {
'allowed': False,
'reason': f'Requires {" or ".join([p.replace("_", " ").title() for p in allowed_plans])} plan',
'upgrade_required': True,
'required_plans': allowed_plans
}
def get_subscription_warning(organization):
"""Get any warnings related to subscription status.
Args:
organization: Organization instance
Returns:
dict with 'type' ('warning', 'danger', 'info'), 'message', or None
"""
if not organization:
return None
# Billing issue
if organization.has_billing_issue:
return {
'type': 'danger',
'message': 'Payment failed. Please update your payment method to avoid service interruption.',
'action_url': url_for('billing.portal'),
'action_text': 'Update Payment Method'
}
# Trial ending soon (< 3 days)
if organization.is_on_trial and organization.trial_days_remaining <= 3:
return {
'type': 'warning',
'message': f'Your trial ends in {organization.trial_days_remaining} day(s). Upgrade to continue using premium features.',
'action_url': url_for('billing.index'),
'action_text': 'View Plans'
}
# Subscription ending soon
if organization.subscription_ends_at:
from datetime import datetime
days_until_end = (organization.subscription_ends_at - datetime.utcnow()).days
if days_until_end <= 7:
return {
'type': 'warning',
'message': f'Your subscription ends in {days_until_end} day(s). Renew to continue service.',
'action_url': url_for('billing.index'),
'action_text': 'Manage Subscription'
}
# Near user limit (> 90% capacity)
if organization.subscription_plan == 'team' and organization.subscription_quantity:
usage_percent = (organization.member_count / organization.subscription_quantity) * 100
if usage_percent >= 90:
return {
'type': 'info',
'message': f'You\'re using {organization.member_count} of {organization.subscription_quantity} seats. Consider adding more seats.',
'action_url': url_for('billing.portal'),
'action_text': 'Add Seats'
}
return None
# Context processor to inject billing info into all templates
def inject_billing_context():
"""Inject billing context into all templates."""
if not current_user.is_authenticated:
return {}
org = get_current_organization()
if not org:
return {}
return {
'subscription_warning': get_subscription_warning(org),
'has_active_subscription': org.has_active_subscription,
'has_billing_issue': org.has_billing_issue,
'is_on_trial': org.is_on_trial,
'trial_days_remaining': org.trial_days_remaining if org.is_on_trial else 0,
}

261
app/utils/data_retention.py
View File

@@ -1,261 +0,0 @@
"""
Data Retention Policy Enforcement
This module provides utilities for enforcing data retention policies
and cleaning up old data according to configured rules.
"""
from datetime import datetime, timedelta
from flask import current_app
from app import db
from app.models import TimeEntry, Task, Invoice, Organization
from app.utils.gdpr import GDPRDeleter
class DataRetentionPolicy:
"""Enforce data retention policies"""
@staticmethod
def cleanup_old_data():
"""
Clean up data that has exceeded retention period.
This should be run as a scheduled task (e.g., daily cron job).
Returns:
dict: Summary of cleanup operations
"""
retention_days = current_app.config.get('DATA_RETENTION_DAYS', 0)
summary = {
'retention_days': retention_days,
'cleanup_date': datetime.utcnow().isoformat(),
'items_cleaned': {
'time_entries': 0,
'completed_tasks': 0,
'old_invoices': 0,
'pending_deletions': 0,
},
'errors': []
}
if retention_days == 0:
current_app.logger.info("Data retention not configured, skipping cleanup")
return summary
cutoff_date = datetime.utcnow() - timedelta(days=retention_days)
current_app.logger.info(f"Starting data retention cleanup. Cutoff date: {cutoff_date}")
try:
# Clean up old completed time entries
# Only delete entries that are completed and not associated with unpaid invoices
old_entries = TimeEntry.query.filter(
TimeEntry.created_at < cutoff_date,
TimeEntry.end_time.isnot(None)
).all()
entries_to_delete = []
for entry in old_entries:
# Check if entry is part of an unpaid invoice
if not DataRetentionPolicy._is_entry_in_unpaid_invoice(entry):
entries_to_delete.append(entry)
for entry in entries_to_delete:
db.session.delete(entry)
summary['items_cleaned']['time_entries'] = len(entries_to_delete)
except Exception as e:
current_app.logger.error(f"Error cleaning up time entries: {e}")
summary['errors'].append(f"Time entries cleanup failed: {str(e)}")
try:
# Clean up old completed tasks
old_tasks = Task.query.filter(
Task.created_at < cutoff_date,
Task.status.in_(['completed', 'cancelled'])
).all()
for task in old_tasks:
db.session.delete(task)
summary['items_cleaned']['completed_tasks'] = len(old_tasks)
except Exception as e:
current_app.logger.error(f"Error cleaning up tasks: {e}")
summary['errors'].append(f"Tasks cleanup failed: {str(e)}")
try:
# Clean up very old draft invoices
# Keep paid/sent invoices for longer (e.g., 7 years for tax purposes)
draft_cutoff = datetime.utcnow() - timedelta(days=90) # Delete drafts older than 90 days
old_drafts = Invoice.query.filter(
Invoice.created_at < draft_cutoff,
Invoice.status == 'draft'
).all()
for invoice in old_drafts:
db.session.delete(invoice)
summary['items_cleaned']['old_invoices'] = len(old_drafts)
except Exception as e:
current_app.logger.error(f"Error cleaning up invoices: {e}")
summary['errors'].append(f"Invoices cleanup failed: {str(e)}")
try:
# Process pending organization deletions
pending_deletions = Organization.query.filter(
Organization.status == 'pending_deletion',
Organization.deleted_at <= datetime.utcnow()
).all()
deleted_count = 0
for org in pending_deletions:
try:
GDPRDeleter.execute_organization_deletion(org.id)
deleted_count += 1
except Exception as e:
current_app.logger.error(f"Failed to delete organization {org.id}: {e}")
summary['errors'].append(f"Organization {org.id} deletion failed: {str(e)}")
summary['items_cleaned']['pending_deletions'] = deleted_count
except Exception as e:
current_app.logger.error(f"Error processing pending deletions: {e}")
summary['errors'].append(f"Pending deletions processing failed: {str(e)}")
# Commit all changes
try:
db.session.commit()
current_app.logger.info(f"Data retention cleanup completed: {summary}")
except Exception as e:
db.session.rollback()
current_app.logger.error(f"Failed to commit cleanup changes: {e}")
summary['errors'].append(f"Commit failed: {str(e)}")
return summary
@staticmethod
def _is_entry_in_unpaid_invoice(time_entry):
"""
Check if a time entry is part of an unpaid invoice.
Args:
time_entry: TimeEntry object
Returns:
bool: True if entry is in an unpaid invoice
"""
from app.models import InvoiceItem
# Find invoice items that reference this time entry
invoice_items = InvoiceItem.query.filter(
InvoiceItem.time_entry_ids.contains(str(time_entry.id))
).all()
for item in invoice_items:
if item.invoice and item.invoice.status in ['sent', 'overdue']:
return True
return False
@staticmethod
def get_retention_summary():
"""
Get a summary of data subject to retention policies.
Returns:
dict: Summary of retainable data
"""
retention_days = current_app.config.get('DATA_RETENTION_DAYS', 0)
if retention_days == 0:
return {
'enabled': False,
'message': 'Data retention policies are not configured'
}
cutoff_date = datetime.utcnow() - timedelta(days=retention_days)
# Count items subject to cleanup
old_entries_count = TimeEntry.query.filter(
TimeEntry.created_at < cutoff_date,
TimeEntry.end_time.isnot(None)
).count()
old_tasks_count = Task.query.filter(
Task.created_at < cutoff_date,
Task.status.in_(['completed', 'cancelled'])
).count()
draft_cutoff = datetime.utcnow() - timedelta(days=90)
old_drafts_count = Invoice.query.filter(
Invoice.created_at < draft_cutoff,
Invoice.status == 'draft'
).count()
pending_deletions_count = Organization.query.filter(
Organization.status == 'pending_deletion',
Organization.deleted_at <= datetime.utcnow()
).count()
return {
'enabled': True,
'retention_days': retention_days,
'cutoff_date': cutoff_date.isoformat(),
'items_eligible_for_cleanup': {
'time_entries': old_entries_count,
'completed_tasks': old_tasks_count,
'draft_invoices': old_drafts_count,
'pending_organization_deletions': pending_deletions_count,
},
'next_cleanup': 'Manual trigger required or configure scheduled task'
}
@staticmethod
def export_before_deletion(organization_id):
"""
Export organization data before deletion for archival purposes.
Args:
organization_id: Organization ID to export
Returns:
dict: Export summary
"""
from app.utils.gdpr import GDPRExporter
import json
import os
try:
# Create exports directory if it doesn't exist
exports_dir = os.path.join(current_app.root_path, '..', 'data', 'exports')
os.makedirs(exports_dir, exist_ok=True)
# Export data
data = GDPRExporter.export_organization_data(organization_id, format='json')
# Save to file
filename = f"org_{organization_id}_export_{datetime.utcnow().strftime('%Y%m%d_%H%M%S')}.json"
filepath = os.path.join(exports_dir, filename)
with open(filepath, 'w') as f:
json.dump(data, f, indent=2)
current_app.logger.info(f"Exported organization {organization_id} data to {filepath}")
return {
'success': True,
'filename': filename,
'filepath': filepath,
'export_date': datetime.utcnow().isoformat()
}
except Exception as e:
current_app.logger.error(f"Failed to export organization {organization_id}: {e}")
return {
'success': False,
'error': str(e)
}

337
app/utils/email_service.py
View File

@@ -1,337 +0,0 @@
"""Email service for sending transactional emails"""
import os
import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from flask import current_app, url_for, render_template_string
from datetime import datetime
class EmailService:
"""Service for sending emails"""
def __init__(self, app=None):
self.app = app
if app:
self.init_app(app)
def init_app(self, app):
"""Initialize email service with Flask app"""
self.smtp_host = app.config.get('SMTP_HOST', os.getenv('SMTP_HOST', 'localhost'))
self.smtp_port = int(app.config.get('SMTP_PORT', os.getenv('SMTP_PORT', 587)))
self.smtp_username = app.config.get('SMTP_USERNAME', os.getenv('SMTP_USERNAME'))
self.smtp_password = app.config.get('SMTP_PASSWORD', os.getenv('SMTP_PASSWORD'))
self.smtp_use_tls = app.config.get('SMTP_USE_TLS', os.getenv('SMTP_USE_TLS', 'true').lower() == 'true')
self.smtp_from_email = app.config.get('SMTP_FROM_EMAIL', os.getenv('SMTP_FROM_EMAIL', 'noreply@timetracker.local'))
self.smtp_from_name = app.config.get('SMTP_FROM_NAME', os.getenv('SMTP_FROM_NAME', 'TimeTracker'))
@property
def is_configured(self):
"""Check if email service is properly configured"""
return bool(self.smtp_host and self.smtp_from_email)
def send_email(self, to_email, subject, body_text, body_html=None):
"""Send an email.
Args:
to_email: Recipient email address
subject: Email subject
body_text: Plain text email body
body_html: Optional HTML email body
Returns:
bool: True if sent successfully, False otherwise
"""
if not self.is_configured:
current_app.logger.warning('Email service not configured, skipping email send')
return False
try:
# Create message
msg = MIMEMultipart('alternative')
msg['From'] = f'{self.smtp_from_name} <{self.smtp_from_email}>'
msg['To'] = to_email
msg['Subject'] = subject
msg['Date'] = datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S +0000')
# Attach text and HTML parts
msg.attach(MIMEText(body_text, 'plain'))
if body_html:
msg.attach(MIMEText(body_html, 'html'))
# Connect to SMTP server and send
if self.smtp_use_tls:
server = smtplib.SMTP(self.smtp_host, self.smtp_port)
server.starttls()
else:
server = smtplib.SMTP(self.smtp_host, self.smtp_port)
if self.smtp_username and self.smtp_password:
server.login(self.smtp_username, self.smtp_password)
server.send_message(msg)
server.quit()
current_app.logger.info(f'Email sent successfully to {to_email}')
return True
except Exception as e:
current_app.logger.error(f'Failed to send email to {to_email}: {e}')
return False
def send_password_reset_email(self, user, reset_token):
"""Send password reset email to user.
Args:
user: User object
reset_token: PasswordResetToken object
Returns:
bool: True if sent successfully
"""
reset_url = url_for('auth_extended.reset_password', token=reset_token.token, _external=True)
subject = 'Reset Your Password - TimeTracker'
body_text = f"""
Hello {user.display_name},
You requested to reset your password for your TimeTracker account.
Click the link below to reset your password:
{reset_url}
This link will expire in 24 hours.
If you didn't request this password reset, please ignore this email.
Best regards,
TimeTracker Team
"""
body_html = f"""
<!DOCTYPE html>
<html>
<head>
<style>
body {{ font-family: Arial, sans-serif; line-height: 1.6; color: #333; }}
.container {{ max-width: 600px; margin: 0 auto; padding: 20px; }}
.button {{ display: inline-block; padding: 12px 24px; background-color: #007bff; color: white; text-decoration: none; border-radius: 4px; margin: 20px 0; }}
.footer {{ margin-top: 30px; padding-top: 20px; border-top: 1px solid #ddd; font-size: 12px; color: #666; }}
</style>
</head>
<body>
<div class="container">
<h2>Reset Your Password</h2>
<p>Hello {user.display_name},</p>
<p>You requested to reset your password for your TimeTracker account.</p>
<p>Click the button below to reset your password:</p>
<a href="{reset_url}" class="button">Reset Password</a>
<p>Or copy and paste this link into your browser:</p>
<p style="word-break: break-all;">{reset_url}</p>
<p><strong>This link will expire in 24 hours.</strong></p>
<p>If you didn't request this password reset, please ignore this email.</p>
<div class="footer">
<p>Best regards,<br>TimeTracker Team</p>
</div>
</div>
</body>
</html>
"""
return self.send_email(user.email, subject, body_text, body_html)
def send_invitation_email(self, inviter, invitee_email, organization, membership):
"""Send organization invitation email.
Args:
inviter: User who sent the invitation
invitee_email: Email of the person being invited
organization: Organization object
membership: Membership object with invitation token
Returns:
bool: True if sent successfully
"""
accept_url = url_for('auth.accept_invitation', token=membership.invitation_token, _external=True)
subject = f'{inviter.display_name} invited you to join {organization.name} on TimeTracker'
body_text = f"""
Hello,
{inviter.display_name} has invited you to join "{organization.name}" on TimeTracker as a {membership.role}.
Click the link below to accept the invitation:
{accept_url}
If you don't have an account yet, you'll be able to create one during the acceptance process.
This invitation link will expire in 7 days.
Best regards,
TimeTracker Team
"""
body_html = f"""
<!DOCTYPE html>
<html>
<head>
<style>
body {{ font-family: Arial, sans-serif; line-height: 1.6; color: #333; }}
.container {{ max-width: 600px; margin: 0 auto; padding: 20px; }}
.button {{ display: inline-block; padding: 12px 24px; background-color: #28a745; color: white; text-decoration: none; border-radius: 4px; margin: 20px 0; }}
.org-info {{ background-color: #f8f9fa; padding: 15px; border-radius: 4px; margin: 20px 0; }}
.footer {{ margin-top: 30px; padding-top: 20px; border-top: 1px solid #ddd; font-size: 12px; color: #666; }}
</style>
</head>
<body>
<div class="container">
<h2>You've Been Invited!</h2>
<p>Hello,</p>
<p><strong>{inviter.display_name}</strong> has invited you to join their organization on TimeTracker.</p>
<div class="org-info">
<p><strong>Organization:</strong> {organization.name}</p>
<p><strong>Your Role:</strong> {membership.role.capitalize()}</p>
</div>
<a href="{accept_url}" class="button">Accept Invitation</a>
<p>Or copy and paste this link into your browser:</p>
<p style="word-break: break-all;">{accept_url}</p>
<p>If you don't have an account yet, you'll be able to create one during the acceptance process.</p>
<p><strong>This invitation link will expire in 7 days.</strong></p>
<div class="footer">
<p>Best regards,<br>TimeTracker Team</p>
</div>
</div>
</body>
</html>
"""
return self.send_email(invitee_email, subject, body_text, body_html)
def send_email_verification(self, user, verification_token):
"""Send email verification email.
Args:
user: User object
verification_token: EmailVerificationToken object
Returns:
bool: True if sent successfully
"""
verify_url = url_for('auth_extended.verify_email', token=verification_token.token, _external=True)
subject = 'Verify Your Email - TimeTracker'
body_text = f"""
Hello {user.display_name},
Please verify your email address for your TimeTracker account.
Click the link below to verify your email:
{verify_url}
This link will expire in 48 hours.
If you didn't create this account, please ignore this email.
Best regards,
TimeTracker Team
"""
body_html = f"""
<!DOCTYPE html>
<html>
<head>
<style>
body {{ font-family: Arial, sans-serif; line-height: 1.6; color: #333; }}
.container {{ max-width: 600px; margin: 0 auto; padding: 20px; }}
.button {{ display: inline-block; padding: 12px 24px; background-color: #007bff; color: white; text-decoration: none; border-radius: 4px; margin: 20px 0; }}
.footer {{ margin-top: 30px; padding-top: 20px; border-top: 1px solid #ddd; font-size: 12px; color: #666; }}
</style>
</head>
<body>
<div class="container">
<h2>Verify Your Email</h2>
<p>Hello {user.display_name},</p>
<p>Please verify your email address for your TimeTracker account.</p>
<a href="{verify_url}" class="button">Verify Email</a>
<p>Or copy and paste this link into your browser:</p>
<p style="word-break: break-all;">{verify_url}</p>
<p><strong>This link will expire in 48 hours.</strong></p>
<p>If you didn't create this account, please ignore this email.</p>
<div class="footer">
<p>Best regards,<br>TimeTracker Team</p>
</div>
</div>
</body>
</html>
"""
return self.send_email(user.email, subject, body_text, body_html)
def send_welcome_email(self, user, organization=None):
"""Send welcome email to new user.
Args:
user: User object
organization: Optional organization they're joining
Returns:
bool: True if sent successfully
"""
subject = 'Welcome to TimeTracker!'
org_info = f'\n\nYou\'ve been added to the "{organization.name}" organization.' if organization else ''
body_text = f"""
Hello {user.display_name},
Welcome to TimeTracker! We're excited to have you on board.{org_info}
You can now start tracking your time and managing your projects.
Log in here: {url_for('auth.login', _external=True)}
If you have any questions, feel free to reach out to our support team.
Best regards,
TimeTracker Team
"""
org_html = f'<p>You\'ve been added to the <strong>"{organization.name}"</strong> organization.</p>' if organization else ''
body_html = f"""
<!DOCTYPE html>
<html>
<head>
<style>
body {{ font-family: Arial, sans-serif; line-height: 1.6; color: #333; }}
.container {{ max-width: 600px; margin: 0 auto; padding: 20px; }}
.button {{ display: inline-block; padding: 12px 24px; background-color: #007bff; color: white; text-decoration: none; border-radius: 4px; margin: 20px 0; }}
.footer {{ margin-top: 30px; padding-top: 20px; border-top: 1px solid #ddd; font-size: 12px; color: #666; }}
</style>
</head>
<body>
<div class="container">
<h2>Welcome to TimeTracker!</h2>
<p>Hello {user.display_name},</p>
<p>We're excited to have you on board!</p>
{org_html}
<p>You can now start tracking your time and managing your projects.</p>
<a href="{url_for('auth.login', _external=True)}" class="button">Log In</a>
<p>If you have any questions, feel free to reach out to our support team.</p>
<div class="footer">
<p>Best regards,<br>TimeTracker Team</p>
</div>
</div>
</body>
</html>
"""
return self.send_email(user.email, subject, body_text, body_html)
# Global email service instance
email_service = EmailService()

486
app/utils/gdpr.py
View File

@@ -1,486 +0,0 @@
"""
GDPR Compliance Utilities
This module provides data export and deletion functionality for GDPR compliance.
"""
import json
import csv
import io
from datetime import datetime, timedelta
from flask import current_app
from app import db
from app.models import User, TimeEntry, Project, Task, Invoice, InvoiceItem, Client, Comment, Organization
class GDPRExporter:
"""Handle GDPR data export requests"""
@staticmethod
def export_organization_data(organization_id, format='json'):
"""
Export all data for an organization in GDPR-compliant format.
Args:
organization_id: The organization ID to export data for
format: Export format ('json' or 'csv')
Returns:
dict or str: Exported data
"""
from app.models import Membership
organization = Organization.query.get(organization_id)
if not organization:
raise ValueError("Organization not found")
# Collect all organization data
data = {
'export_date': datetime.utcnow().isoformat(),
'organization': {
'id': organization.id,
'name': organization.name,
'slug': organization.slug,
'contact_email': organization.contact_email,
'created_at': organization.created_at.isoformat() if organization.created_at else None,
'status': organization.status,
},
'members': [],
'projects': [],
'clients': [],
'time_entries': [],
'tasks': [],
'invoices': [],
}
# Export members
memberships = Membership.query.filter_by(organization_id=organization_id).all()
for membership in memberships:
user = membership.user
data['members'].append({
'username': user.username,
'email': user.email,
'full_name': user.full_name,
'role': membership.role,
'joined_at': membership.created_at.isoformat() if membership.created_at else None,
})
# Export clients
clients = Client.query.filter_by(organization_id=organization_id).all()
for client in clients:
data['clients'].append({
'name': client.name,
'email': client.email,
'phone': client.phone,
'address': client.address,
'contact_person': client.contact_person,
'created_at': client.created_at.isoformat() if client.created_at else None,
})
# Export projects
projects = Project.query.filter_by(organization_id=organization_id).all()
for project in projects:
data['projects'].append({
'name': project.name,
'description': project.description,
'client': project.client_obj.name if project.client_obj else None,
'billable': project.billable,
'hourly_rate': float(project.hourly_rate) if project.hourly_rate else None,
'status': project.status,
'created_at': project.created_at.isoformat() if project.created_at else None,
})
# Export time entries
time_entries = TimeEntry.query.filter_by(organization_id=organization_id).all()
for entry in time_entries:
data['time_entries'].append({
'user': entry.user.username if entry.user else None,
'project': entry.project.name if entry.project else None,
'start_time': entry.start_time.isoformat() if entry.start_time else None,
'end_time': entry.end_time.isoformat() if entry.end_time else None,
'duration_seconds': entry.duration_seconds,
'notes': entry.notes,
'tags': entry.tags,
'billable': entry.billable,
})
# Export tasks
tasks = Task.query.filter_by(organization_id=organization_id).all()
for task in tasks:
data['tasks'].append({
'name': task.name,
'description': task.description,
'project': task.project.name if task.project else None,
'status': task.status,
'priority': task.priority,
'assigned_to': task.assigned_user.username if task.assigned_user else None,
'created_by': task.creator.username if task.creator else None,
'due_date': task.due_date.isoformat() if task.due_date else None,
'created_at': task.created_at.isoformat() if task.created_at else None,
})
# Export invoices
invoices = Invoice.query.filter_by(organization_id=organization_id).all()
for invoice in invoices:
invoice_data = {
'invoice_number': invoice.invoice_number,
'client_name': invoice.client_name,
'client_email': invoice.client_email,
'issue_date': invoice.issue_date.isoformat() if invoice.issue_date else None,
'due_date': invoice.due_date.isoformat() if invoice.due_date else None,
'status': invoice.status,
'subtotal': float(invoice.subtotal) if invoice.subtotal else None,
'tax_rate': float(invoice.tax_rate) if invoice.tax_rate else None,
'total_amount': float(invoice.total_amount) if invoice.total_amount else None,
'items': [],
}
# Add invoice items
for item in invoice.items:
invoice_data['items'].append({
'description': item.description,
'quantity': float(item.quantity) if item.quantity else None,
'unit_price': float(item.unit_price) if item.unit_price else None,
'total_amount': float(item.total_amount) if item.total_amount else None,
})
data['invoices'].append(invoice_data)
if format == 'csv':
return GDPRExporter._convert_to_csv(data)
return data
@staticmethod
def export_user_data(user_id, format='json'):
"""
Export all data for a specific user.
Args:
user_id: The user ID to export data for
format: Export format ('json' or 'csv')
Returns:
dict or str: Exported data
"""
user = User.query.get(user_id)
if not user:
raise ValueError("User not found")
data = {
'export_date': datetime.utcnow().isoformat(),
'user': {
'username': user.username,
'email': user.email,
'full_name': user.full_name,
'created_at': user.created_at.isoformat() if user.created_at else None,
'last_login': user.last_login.isoformat() if user.last_login else None,
'role': user.role,
'totp_enabled': user.totp_enabled,
},
'time_entries': [],
'tasks_created': [],
'tasks_assigned': [],
'comments': [],
}
# Export time entries
time_entries = TimeEntry.query.filter_by(user_id=user_id).all()
for entry in time_entries:
data['time_entries'].append({
'project': entry.project.name if entry.project else None,
'start_time': entry.start_time.isoformat() if entry.start_time else None,
'end_time': entry.end_time.isoformat() if entry.end_time else None,
'duration_seconds': entry.duration_seconds,
'notes': entry.notes,
'tags': entry.tags,
})
# Export created tasks
created_tasks = Task.query.filter_by(created_by=user_id).all()
for task in created_tasks:
data['tasks_created'].append({
'name': task.name,
'description': task.description,
'project': task.project.name if task.project else None,
'status': task.status,
'created_at': task.created_at.isoformat() if task.created_at else None,
})
# Export assigned tasks
assigned_tasks = Task.query.filter_by(assigned_to=user_id).all()
for task in assigned_tasks:
data['tasks_assigned'].append({
'name': task.name,
'description': task.description,
'project': task.project.name if task.project else None,
'status': task.status,
'due_date': task.due_date.isoformat() if task.due_date else None,
})
# Export comments
try:
comments = Comment.query.filter_by(user_id=user_id).all()
for comment in comments:
data['comments'].append({
'content': comment.content,
'created_at': comment.created_at.isoformat() if comment.created_at else None,
})
except Exception:
# Comment model might not exist
pass
if format == 'csv':
return GDPRExporter._convert_to_csv(data)
return data
@staticmethod
def _convert_to_csv(data):
"""Convert JSON data to CSV format"""
# For simplicity, create a CSV with flattened data
# In production, you might want to create multiple CSV files
output = io.StringIO()
# Write metadata
output.write(f"Export Date,{data['export_date']}\n\n")
# Write each section
for section, items in data.items():
if section == 'export_date':
continue
if isinstance(items, list) and items:
output.write(f"\n{section.upper()}\n")
# Get headers from first item
if isinstance(items[0], dict):
headers = list(items[0].keys())
writer = csv.DictWriter(output, fieldnames=headers)
writer.writeheader()
writer.writerows(items)
output.write('\n')
return output.getvalue()
class GDPRDeleter:
"""Handle GDPR data deletion requests"""
@staticmethod
def request_organization_deletion(organization_id, requested_by_user_id):
"""
Request deletion of an organization and all its data.
Implements grace period before actual deletion.
Args:
organization_id: The organization ID to delete
requested_by_user_id: User who requested the deletion
Returns:
dict: Deletion request details
"""
organization = Organization.query.get(organization_id)
if not organization:
raise ValueError("Organization not found")
# Check if user is an admin of the organization
if not organization.is_admin(requested_by_user_id):
raise PermissionError("Only organization admins can request deletion")
# Calculate deletion date (grace period)
grace_days = current_app.config.get('GDPR_DELETION_DELAY_DAYS', 30)
deletion_date = datetime.utcnow() + timedelta(days=grace_days)
# Mark organization for deletion
organization.deleted_at = deletion_date
organization.status = 'pending_deletion'
db.session.commit()
return {
'organization_id': organization_id,
'deletion_scheduled_for': deletion_date.isoformat(),
'grace_period_days': grace_days,
'can_cancel_until': deletion_date.isoformat(),
}
@staticmethod
def cancel_organization_deletion(organization_id, user_id):
"""
Cancel a pending organization deletion.
Args:
organization_id: The organization ID
user_id: User requesting cancellation
Returns:
bool: Success status
"""
organization = Organization.query.get(organization_id)
if not organization:
raise ValueError("Organization not found")
# Check if user is an admin
if not organization.is_admin(user_id):
raise PermissionError("Only organization admins can cancel deletion")
# Check if deletion is pending
if organization.status != 'pending_deletion':
raise ValueError("No pending deletion to cancel")
# Cancel deletion
organization.deleted_at = None
organization.status = 'active'
db.session.commit()
return True
@staticmethod
def execute_organization_deletion(organization_id):
"""
Permanently delete an organization and all its data.
This should only be called after the grace period has expired.
Args:
organization_id: The organization ID to delete
Returns:
dict: Deletion summary
"""
organization = Organization.query.get(organization_id)
if not organization:
raise ValueError("Organization not found")
# Verify grace period has expired
if organization.deleted_at and datetime.utcnow() < organization.deleted_at:
raise ValueError("Grace period has not expired yet")
# Collect statistics before deletion
stats = {
'organization_id': organization_id,
'organization_name': organization.name,
'members_deleted': organization.member_count,
'projects_deleted': organization.project_count,
'deletion_date': datetime.utcnow().isoformat(),
}
# Delete all related data (CASCADE will handle most of this)
# But we'll be explicit for clarity
# Delete time entries
TimeEntry.query.filter_by(organization_id=organization_id).delete()
# Delete tasks
Task.query.filter_by(organization_id=organization_id).delete()
# Delete invoice items (via invoices cascade)
Invoice.query.filter_by(organization_id=organization_id).delete()
# Delete projects
Project.query.filter_by(organization_id=organization_id).delete()
# Delete clients
Client.query.filter_by(organization_id=organization_id).delete()
# Delete memberships
from app.models import Membership
Membership.query.filter_by(organization_id=organization_id).delete()
# Finally, delete the organization
db.session.delete(organization)
db.session.commit()
return stats
@staticmethod
def delete_user_data(user_id):
"""
Delete a user and anonymize their data.
Args:
user_id: The user ID to delete
Returns:
dict: Deletion summary
"""
user = User.query.get(user_id)
if not user:
raise ValueError("User not found")
stats = {
'user_id': user_id,
'username': user.username,
'deletion_date': datetime.utcnow().isoformat(),
}
# Anonymize time entries instead of deleting
# (needed for billing/audit purposes)
time_entries = TimeEntry.query.filter_by(user_id=user_id).all()
for entry in time_entries:
entry.notes = "[User data deleted]"
# Reassign or delete tasks
created_tasks = Task.query.filter_by(created_by=user_id).all()
for task in created_tasks:
task.created_by = None
assigned_tasks = Task.query.filter_by(assigned_to=user_id).all()
for task in assigned_tasks:
task.assigned_to = None
# Delete user memberships
from app.models import Membership
Membership.query.filter_by(user_id=user_id).delete()
# Finally, delete the user
db.session.delete(user)
db.session.commit()
return stats
@staticmethod
def cleanup_expired_data():
"""
Clean up data that has exceeded retention period.
Should be run as a scheduled task.
Returns:
dict: Cleanup summary
"""
retention_days = current_app.config.get('DATA_RETENTION_DAYS', 0)
if retention_days == 0:
return {'message': 'Data retention not configured'}
cutoff_date = datetime.utcnow() - timedelta(days=retention_days)
# Delete old time entries
old_entries = TimeEntry.query.filter(
TimeEntry.created_at < cutoff_date
).delete()
# Execute pending organization deletions
pending_deletions = Organization.query.filter(
Organization.status == 'pending_deletion',
Organization.deleted_at <= datetime.utcnow()
).all()
deleted_orgs = 0
for org in pending_deletions:
try:
GDPRDeleter.execute_organization_deletion(org.id)
deleted_orgs += 1
except Exception as e:
current_app.logger.error(f"Failed to delete organization {org.id}: {e}")
db.session.commit()
return {
'old_entries_deleted': old_entries,
'organizations_deleted': deleted_orgs,
'cutoff_date': cutoff_date.isoformat(),
}

244
app/utils/jwt_utils.py
View File

@@ -1,244 +0,0 @@
"""JWT utilities for authentication"""
import jwt
from datetime import datetime, timedelta
from flask import current_app
from functools import wraps
from flask import request, jsonify
from flask_login import current_user
def generate_access_token(user_id, organization_id=None, expires_in_minutes=15):
"""Generate a JWT access token.
Args:
user_id: ID of the user
organization_id: Optional organization context
expires_in_minutes: Token validity period in minutes (default 15)
Returns:
JWT token string
"""
payload = {
'user_id': user_id,
'type': 'access',
'exp': datetime.utcnow() + timedelta(minutes=expires_in_minutes),
'iat': datetime.utcnow(),
}
if organization_id:
payload['organization_id'] = organization_id
secret = current_app.config.get('SECRET_KEY')
return jwt.encode(payload, secret, algorithm='HS256')
def decode_access_token(token):
"""Decode and validate a JWT access token.
Args:
token: JWT token string
Returns:
dict: Token payload if valid, None otherwise
"""
try:
secret = current_app.config.get('SECRET_KEY')
payload = jwt.decode(token, secret, algorithms=['HS256'])
# Verify it's an access token
if payload.get('type') != 'access':
return None
return payload
except jwt.ExpiredSignatureError:
current_app.logger.debug('JWT token expired')
return None
except jwt.InvalidTokenError as e:
current_app.logger.debug(f'Invalid JWT token: {e}')
return None
def jwt_required(f):
"""Decorator to require a valid JWT token for API endpoints.
Usage:
@app.route('/api/protected')
@jwt_required
def protected_endpoint():
# Access user via g.current_user or request.jwt_user
return jsonify({'user_id': request.jwt_user['user_id']})
"""
@wraps(f)
def decorated_function(*args, **kwargs):
from flask import g
# Check for token in Authorization header
auth_header = request.headers.get('Authorization', '')
if not auth_header.startswith('Bearer '):
return jsonify({'error': 'Missing or invalid authorization header'}), 401
token = auth_header.replace('Bearer ', '', 1)
payload = decode_access_token(token)
if not payload:
return jsonify({'error': 'Invalid or expired token'}), 401
# Load user and verify they're still active
from app.models import User
user = User.query.get(payload['user_id'])
if not user or not user.is_active:
return jsonify({'error': 'User not found or inactive'}), 401
# Store user info in request context
g.current_user = user
request.jwt_user = payload
return f(*args, **kwargs)
return decorated_function
def jwt_optional(f):
"""Decorator that accepts but doesn't require a JWT token.
If a valid token is provided, user info is available in request context.
If no token or invalid token, the endpoint still executes.
"""
@wraps(f)
def decorated_function(*args, **kwargs):
from flask import g
auth_header = request.headers.get('Authorization', '')
if auth_header.startswith('Bearer '):
token = auth_header.replace('Bearer ', '', 1)
payload = decode_access_token(token)
if payload:
from app.models import User
user = User.query.get(payload['user_id'])
if user and user.is_active:
g.current_user = user
request.jwt_user = payload
return f(*args, **kwargs)
return decorated_function
def get_jwt_identity():
"""Get the current JWT user ID from request context.
Returns:
int: User ID if authenticated via JWT, None otherwise
"""
if hasattr(request, 'jwt_user'):
return request.jwt_user.get('user_id')
return None
def refresh_access_token(refresh_token_string):
"""Generate a new access token using a refresh token.
Args:
refresh_token_string: Refresh token string
Returns:
tuple: (access_token, refresh_token) if successful, (None, None) otherwise
"""
from app.models import RefreshToken
refresh_token = RefreshToken.get_valid_token(refresh_token_string)
if not refresh_token:
return None, None
# Update last used timestamp
refresh_token.update_last_used()
# Generate new access token
access_token = generate_access_token(refresh_token.user_id)
# Optionally rotate refresh token (more secure but requires client to update)
# For now, we'll keep the same refresh token
return access_token, refresh_token.token
def create_token_pair(user_id, organization_id=None, device_id=None, device_name=None,
ip_address=None, user_agent=None):
"""Create both access and refresh tokens for a user.
Args:
user_id: ID of the user
organization_id: Optional organization context
device_id: Unique device identifier
device_name: User-friendly device name
ip_address: IP address of the client
user_agent: User agent string
Returns:
dict: Contains 'access_token', 'refresh_token', and 'expires_in'
"""
from app.models import RefreshToken
# Generate access token
access_token = generate_access_token(user_id, organization_id)
# Create refresh token in database
refresh_token_obj = RefreshToken.create_token(
user_id=user_id,
device_id=device_id,
device_name=device_name,
ip_address=ip_address,
user_agent=user_agent
)
return {
'access_token': access_token,
'refresh_token': refresh_token_obj.token,
'token_type': 'Bearer',
'expires_in': 900, # 15 minutes in seconds
}
def revoke_refresh_token(refresh_token_string):
"""Revoke a refresh token.
Args:
refresh_token_string: Refresh token to revoke
Returns:
bool: True if revoked, False if not found
"""
from app.models import RefreshToken
token = RefreshToken.query.filter_by(token=refresh_token_string).first()
if token:
token.revoke()
return True
return False
def revoke_all_user_tokens(user_id):
"""Revoke all refresh tokens for a user (e.g., on password change).
Args:
user_id: ID of the user
Returns:
int: Number of tokens revoked
"""
from app.models import RefreshToken
tokens = RefreshToken.query.filter_by(user_id=user_id, revoked=False).all()
for token in tokens:
token.revoke()
return len(tokens)

563
app/utils/license_server.py Normal file
View File

@@ -0,0 +1,563 @@
import os
import json
import uuid
import time
import threading
import logging
import requests
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Any
import platform
import socket
logger = logging.getLogger(__name__)
class LicenseServerClient:
"""Client for communicating with the Metrics Server"""
def __init__(self, app_identifier: str = "timetracker", app_version: str = "1.0.0"):
# Server configuration (env-overridable)
# Default targets the public metrics endpoint; override via environment if needed.
default_server_url = "http://metrics.drytrix.com:58082"
configured_server_url = os.getenv("METRICS_SERVER_URL", os.getenv("LICENSE_SERVER_BASE_URL", default_server_url))
self.server_url = self._normalize_base_url(configured_server_url)
self.api_key = os.getenv("METRICS_SERVER_API_KEY", os.getenv("LICENSE_SERVER_API_KEY", "no-license-required"))
self.app_identifier = app_identifier
self.app_version = app_version
# Instance management
self.instance_id = None
self.registration_token = None
self.is_registered = False
self.heartbeat_thread = None
# Timing configuration
self.heartbeat_interval = int(os.getenv("METRICS_HEARTBEAT_SECONDS", os.getenv("LICENSE_HEARTBEAT_SECONDS", "3600"))) # default: 1 hour
self.request_timeout = int(os.getenv("METRICS_SERVER_TIMEOUT_SECONDS", os.getenv("LICENSE_SERVER_TIMEOUT_SECONDS", "30"))) # default: 30s per docs
self.running = False
# System information
self.system_info = self._collect_system_info()
logger.info(f"Metrics server configured: base='{self.server_url}', app='{self.app_identifier}', version='{self.app_version}'")
if not self.api_key:
logger.warning("X-API-Key is empty; server may reject requests. Set LICENSE_SERVER_API_KEY.")
# Registration synchronization and persistence
self._registration_lock = threading.Lock()
self._registration_in_progress = False
self._state_file_path = self._compute_state_file_path()
self._load_persisted_state()
# Offline storage for failed requests
self.offline_data = []
self.max_offline_data = 100
def _collect_system_info(self) -> Dict[str, Any]:
"""Collect system information for registration"""
try:
# Check if analytics are allowed
from app.models import Settings
try:
settings = Settings.get_settings()
if not settings.allow_analytics:
# Return minimal info if analytics are disabled
return {
"os": "Unknown",
"version": "Unknown",
"architecture": "Unknown",
"machine": "Unknown",
"processor": "Unknown",
"hostname": "Unknown",
"local_ip": "Unknown",
"python_version": "Unknown",
"analytics_disabled": True
}
except Exception:
# If we can't get settings, assume analytics are allowed (fallback)
pass
# Get local IP address
hostname = socket.gethostname()
local_ip = socket.gethostbyname(hostname)
return {
"os": platform.system(),
"version": platform.version(),
"architecture": platform.architecture()[0],
"machine": platform.machine(),
"processor": platform.processor(),
"hostname": hostname,
"local_ip": local_ip,
"python_version": platform.python_version(),
"analytics_disabled": False
}
except Exception as e:
logger.warning(f"Could not collect complete system info: {e}")
return {
"os": platform.system(),
"version": "unknown",
"architecture": "unknown",
"analytics_disabled": False
}
def _normalize_base_url(self, base_url: str) -> str:
"""Normalize base URL to avoid duplicate '/api/v1' when building endpoints.
Accepts values with or without trailing slash and with or without '/api/v1'.
Always returns a URL WITHOUT trailing slash and WITHOUT '/api/v1'.
"""
try:
if not base_url:
return ""
url = base_url.strip().rstrip("/")
# If caller provided a base that already includes '/api/v1', strip it.
if url.endswith("/api/v1"):
url = url[: -len("/api/v1")]
url = url.rstrip("/")
return url
except Exception:
# Fallback to provided value if normalization fails
return base_url
def _compute_state_file_path(self) -> str:
"""Compute a per-user path to persist license client state (instance id, token)."""
try:
if os.name == "nt":
base_dir = os.getenv("APPDATA") or os.path.expanduser("~")
app_dir = os.path.join(base_dir, "TimeTracker")
else:
app_dir = os.path.join(os.path.expanduser("~"), ".timetracker")
os.makedirs(app_dir, exist_ok=True)
return os.path.join(app_dir, "license_client_state.json")
except Exception:
# Fallback to current directory
return os.path.join(os.getcwd(), "license_client_state.json")
def _load_persisted_state(self):
"""Load previously persisted state if available (instance id, token)."""
try:
if self._state_file_path and os.path.exists(self._state_file_path):
with open(self._state_file_path, "r", encoding="utf-8") as f:
state = json.load(f)
loaded_instance_id = state.get("instance_id")
loaded_token = state.get("registration_token")
if loaded_instance_id and not self.instance_id:
self.instance_id = loaded_instance_id
if loaded_token:
self.registration_token = loaded_token
logger.info(f"Loaded persisted license client state from '{self._state_file_path}'")
except Exception as e:
logger.warning(f"Failed to load persisted license client state: {e}")
def _persist_state(self):
"""Persist current state (instance id, token) to disk."""
try:
if not self._state_file_path:
return
state = {
"instance_id": self.instance_id,
"registration_token": self.registration_token,
"app_identifier": self.app_identifier,
"app_version": self.app_version,
"updated_at": datetime.now().isoformat()
}
with open(self._state_file_path, "w", encoding="utf-8") as f:
json.dump(state, f, indent=2)
logger.debug(f"Persisted license client state to '{self._state_file_path}'")
except Exception as e:
logger.warning(f"Failed to persist license client state: {e}")
def get_detailed_error_info(self, response) -> Dict[str, Any]:
"""Extract detailed error information from a failed response"""
error_info = {
"status_code": response.status_code,
"reason": response.reason,
"headers": dict(response.headers),
"text": response.text,
"url": response.url,
"elapsed": str(response.elapsed) if hasattr(response, 'elapsed') else "unknown"
}
# Try to parse JSON error response
try:
error_json = response.json()
error_info["json_error"] = error_json
if "error" in error_json:
error_info["error_message"] = error_json["error"]
if "details" in error_json:
error_info["error_details"] = error_json["details"]
if "traceback" in error_json:
error_info["server_traceback"] = error_json["traceback"]
except json.JSONDecodeError:
error_info["json_error"] = None
error_info["parse_error"] = "Response is not valid JSON"
return error_info
def _make_request(self, endpoint: str, method: str = "GET", data: Dict = None) -> Optional[Dict]:
"""Make HTTP request to phone home endpoint with error handling"""
url = f"{self.server_url}{endpoint}"
headers = {
"X-API-Key": self.api_key,
"Content-Type": "application/json"
}
# Log request details
logger.info(f"Making {method} request to phone home endpoint: {url}")
if data:
logger.debug(f"Request data: {json.dumps(data, indent=2)}")
logger.debug(f"Request headers: {headers}")
try:
if method.upper() == "GET":
response = requests.get(url, headers=headers, timeout=self.request_timeout)
elif method.upper() == "POST":
response = requests.post(url, headers=headers, json=data, timeout=self.request_timeout)
else:
logger.error(f"Unsupported HTTP method: {method}")
return None
# Log response details
logger.info(f"Phone home response: {response.status_code} - {response.reason}")
logger.debug(f"Response headers: {dict(response.headers)}")
if response.status_code in [200, 201]:
try:
response_json = response.json()
logger.debug(f"Response body: {json.dumps(response_json, indent=2)}")
return response_json
except json.JSONDecodeError as e:
logger.error(f"Failed to parse JSON response: {e}")
logger.error(f"Raw response text: {response.text}")
return None
else:
# Enhanced error logging with detailed error info
error_info = self.get_detailed_error_info(response)
logger.error(f"Phone home request failed with status {response.status_code}")
logger.error(f"Detailed error info: {json.dumps(error_info, indent=2)}")
# Log specific error details
if "error_message" in error_info:
logger.error(f"Server error message: {error_info['error_message']}")
if "error_details" in error_info:
logger.error(f"Server error details: {error_info['error_details']}")
if "server_traceback" in error_info:
logger.error(f"Server traceback: {error_info['server_traceback']}")
return None
except requests.exceptions.Timeout as e:
logger.error(f"Phone home request timed out after {self.request_timeout} seconds: {e}")
return None
except requests.exceptions.ConnectionError as e:
logger.error(f"Phone home connection error: {e}")
logger.error(f"URL attempted: {url}")
return None
except requests.exceptions.RequestException as e:
logger.error(f"Phone home request exception: {e}")
logger.error(f"Request type: {type(e).__name__}")
return None
except Exception as e:
logger.error(f"Unexpected error in phone home request: {e}")
logger.error(f"Error type: {type(e).__name__}")
logger.error(f"Error details: {str(e)}")
import traceback
logger.error(f"Traceback: {traceback.format_exc()}")
return None
def register_instance(self) -> bool:
"""Register this instance with the phone home service"""
with self._registration_lock:
if self.is_registered:
logger.info("Instance already registered")
return True
# Generate instance ID if not exists (prefer persisted one)
if not self.instance_id:
self.instance_id = str(uuid.uuid4())
registration_data = {
"app_identifier": self.app_identifier,
"version": self.app_version,
"instance_id": self.instance_id,
"system_metadata": self.system_info,
"country": "Unknown", # Could be enhanced with IP geolocation
"city": "Unknown",
"license_id": "NO-LICENSE-REQUIRED"
}
logger.info(f"Registering instance {self.instance_id} with phone home service at {self.server_url}")
logger.info(f"App identifier: {self.app_identifier}, Version: {self.app_version}")
logger.debug(f"System info: {json.dumps(self.system_info, indent=2)}")
logger.debug(f"Full registration data: {json.dumps(registration_data, indent=2)}")
response = self._make_request("/api/v1/register", "POST", registration_data)
if response and "instance_id" in response:
self.instance_id = response["instance_id"]
self.registration_token = response.get("token")
self.is_registered = True
self._persist_state()
logger.info(f"Successfully registered instance {self.instance_id}")
if self.registration_token:
logger.debug(f"Received registration token: {self.registration_token[:10]}...")
return True
else:
logger.error(f"Registration failed - no valid response from phone home service")
logger.error(f"Expected 'instance_id' in response, but got: {response}")
logger.info(f"Phone home service at {self.server_url} is not available - continuing without registration")
return False
def validate_license(self) -> bool:
"""Validate license (always returns True since no license required)"""
if not self.is_registered:
logger.warning("Cannot validate license: instance not registered")
return False
validation_data = {
"app_identifier": self.app_identifier,
"license_id": "NO-LICENSE-REQUIRED",
"instance_id": self.instance_id
}
# Log the complete license validation request (URL, method, headers, body)
validation_url = f"{self.server_url}/api/v1/validate"
validation_headers = {
"X-API-Key": self.api_key,
"Content-Type": "application/json"
}
try:
logger.info("Complete license validation request:")
logger.info(json.dumps({
"url": validation_url,
"method": "POST",
"headers": validation_headers,
"body": validation_data
}, indent=2))
except Exception:
# Fallback logging if JSON serialization fails for any reason
logger.info(f"License validation URL: {validation_url}")
logger.info(f"License validation headers: {validation_headers}")
logger.info(f"License validation body: {validation_data}")
logger.info("Validating metrics token (no license required)")
response = self._make_request("/api/v1/validate", "POST", validation_data)
if response and response.get("valid", False):
logger.info("Phone home token validation successful")
return True
else:
logger.warning("Phone home token validation failed")
return False
def send_heartbeat(self) -> bool:
"""Send heartbeat to phone home service"""
if not self.is_registered:
logger.warning("Cannot send heartbeat: instance not registered")
return False
heartbeat_data = {
"instance_id": self.instance_id
}
logger.debug("Sending heartbeat to phone home service")
response = self._make_request("/api/v1/heartbeat", "POST", heartbeat_data)
if response:
logger.debug("Heartbeat successful")
return True
else:
logger.warning("Heartbeat failed")
return False
def send_usage_data(self, data_points: List[Dict[str, Any]]) -> bool:
"""Send usage data to phone home service"""
if not self.is_registered:
# Store data offline for later transmission
self._store_offline_data(data_points)
return False
# Check if analytics are allowed
try:
from app.models import Settings
settings = Settings.get_settings()
if not settings.allow_analytics:
logger.info("Analytics disabled by user setting - skipping usage data transmission")
return True # Return True to indicate "success" (data was handled appropriately)
except Exception:
# If we can't get settings, assume analytics are allowed (fallback)
pass
usage_data = {
"app_identifier": self.app_identifier,
"instance_id": self.instance_id,
"data": data_points
}
logger.debug(f"Sending {len(data_points)} usage data points")
response = self._make_request("/api/v1/data", "POST", usage_data)
if response:
logger.debug("Usage data sent successfully")
# Try to send any stored offline data
self._send_offline_data()
return True
else:
logger.warning("Failed to send usage data")
self._store_offline_data(data_points)
return False
def _store_offline_data(self, data_points: List[Dict[str, Any]]):
"""Store data points for offline transmission"""
for point in data_points:
# Use local time per project preference
point["timestamp"] = datetime.now().isoformat()
self.offline_data.append(point)
# Keep only the most recent data points
if len(self.offline_data) > self.max_offline_data:
self.offline_data = self.offline_data[-self.max_offline_data:]
logger.debug(f"Stored {len(data_points)} data points offline")
def _send_offline_data(self):
"""Attempt to send stored offline data"""
if not self.offline_data:
return
data_to_send = self.offline_data.copy()
self.offline_data.clear()
logger.info(f"Attempting to send {len(data_to_send)} offline data points to phone home service")
if self.send_usage_data(data_to_send):
logger.info("Successfully sent offline data")
else:
# Put the data back if sending failed
self.offline_data.extend(data_to_send)
logger.warning("Failed to send offline data, will retry later")
def _heartbeat_worker(self):
"""Background worker for sending heartbeats"""
while self.running:
try:
if self.is_registered:
self.send_heartbeat()
else:
# If not registered, try to register again every hour
logger.debug("Attempting to register with phone home service...")
self.register_instance()
time.sleep(self.heartbeat_interval)
except Exception as e:
logger.error(f"Error in heartbeat worker: {e}")
time.sleep(60) # Wait a minute before retrying
def start(self) -> bool:
"""Start the phone home client"""
if self.running:
logger.warning("Phone home client already running")
return True
logger.info(f"Starting phone home client (instance: {id(self)})")
# Try to register instance (but don't fail if it doesn't work)
registration_success = self.register_instance()
if not registration_success:
logger.info("Phone home service not available - client will run in offline mode")
# Start heartbeat thread
self.running = True
self.heartbeat_thread = threading.Thread(target=self._heartbeat_worker, daemon=True)
self.heartbeat_thread.start()
logger.info(f"Phone home client started successfully (instance: {id(self)})")
return True
def stop(self):
"""Stop the phone home client"""
logger.info("Stopping phone home client")
self.running = False
if self.heartbeat_thread and self.heartbeat_thread.is_alive():
self.heartbeat_thread.join(timeout=5)
logger.info("Phone home client stopped")
def check_server_health(self) -> bool:
"""Check if the phone home service is healthy"""
response = self._make_request("/api/v1/status")
return response is not None
def get_status(self) -> Dict[str, Any]:
"""Get current status of the metrics client"""
return {
"is_registered": self.is_registered,
"instance_id": self.instance_id,
"is_running": self.running,
"server_healthy": self.check_server_health(),
"offline_data_count": len(self.offline_data),
"app_identifier": self.app_identifier,
"app_version": self.app_version,
"server_url": self.server_url,
"heartbeat_interval": self.heartbeat_interval,
"analytics_enabled": not bool(self.system_info.get("analytics_disabled", False)),
"system_info": self.system_info
}
# Global instance
license_client = None
_initialization_lock = threading.Lock()
def init_license_client(app_identifier: str = "timetracker", app_version: str = "1.0.0") -> LicenseServerClient:
"""Initialize the global license client instance"""
global license_client
with _initialization_lock:
if license_client is None:
logger.info(f"Creating new license client instance (app: {app_identifier}, version: {app_version})")
license_client = LicenseServerClient(app_identifier, app_version)
logger.info(f"License client initialized (instance: {id(license_client)})")
else:
logger.info(f"License client already initialized, reusing existing instance (instance: {id(license_client)})")
return license_client
def get_license_client() -> Optional[LicenseServerClient]:
"""Get the global license client instance"""
return license_client
def start_license_client() -> bool:
"""Start the global license client"""
global license_client
if license_client is None:
logger.error("License client not initialized")
return False
# Check if already running
if license_client.running:
logger.info("License client already running")
return True
return license_client.start()
def stop_license_client():
"""Stop the global license client"""
global license_client
if license_client:
license_client.stop()
def send_usage_event(event_type: str, event_data: Dict[str, Any] = None):
"""Send a usage event to the metrics server"""
if not license_client:
return False
data_point = {
"key": "usage_event",
"value": event_type,
"type": "string",
"metadata": event_data or {}
}
return license_client.send_usage_data([data_point])

Some files were not shown because too many files have changed in this diff Show More