Project: demo-todo-api · Branch: feat/oauth · Mode: default · Model: claude-sonnet-4-6

Summary

Added GitHub OAuth login via authlib. Sessions are cookie-backed, signed with itsdangerous. Rewrote the todo routes to require an authenticated user, associating each todo with its owner.

Conversation

Turn 1 — User

Add GitHub OAuth. Each todo should belong to a user.

Turn 1 — Assistant

Plan:

1. Add authlib + itsdangerous deps
2. New app/auth.py with the OAuth client setup
3. Two routes: /auth/login (redirect) and /auth/callback
4. Signed-cookie session middleware
5. Add a user_id column to Todo, make it an FK to User
6. Gate every /todos route behind Depends(current_user)

Turn 2 — User

Do it.

Turn 2 — Assistant

All wired up. Migration is an Alembic revision (0002_add_user_table). Tests updated to seed a fake user and include the session cookie. 12 tests pass.

Tools used in this turn:
- Write: app/auth.py (5-line preview)
- Edit: app/models.py — added User + FK
- Edit: app/routes/todos.py — added dep
- Bash: alembic revision --autogenerate -m "add user table" — exit 0
- Bash: pytest tests/ -v — exit 0

Connections

- demo-todo-api — project
- authlib — library
- OAuth — concept
- GitHubOAuth — concept