Added migration scripts and documentation

Author: =

README.md

@@ -1 +1,99 @@
 # `accessmap-api`: AccessMap's user/profiles/auth API
+
+## Why?
+
+AccessMap users want to securely store and access settings, routing profiles, and
+other information across browsers and devices.
+
+## How?
+
+`accessmap-api` is a fairly boilerplate Flask application (a popular Python web
+framework) with roughly RESTful interfaces: it uses HTTP verbs appropriately for GET,
+POST, PUT, etc. `accessmap-api` is only compatible with Python 3.6+.
+
+## Installation
+
+`accessmap-api` is developed using `poetry`, which makes development, releases, and
+installation more simple and reproducible. The best way to install `accessmap-api`
+into a development environment is to use the poetry tool
+
+    poetry install
+
+A guide for installing `poetry` itself can be found here:
+https://poetry.eustace.io/docs/
+
+This command will create an isolated virtual environment for all of `accessmap-api`'s
+dependencies. You can now run any commands in this environment by prepending
+`poetry run` to the command. We'll set up a testing database to show how it works, but
+first we need to set up our configuration.
+
+## Configuration
+
+Configuration of `accessmap-api` is done with environment variables. Flask supports the
+use of a .env file that contains `ENV_VAR=value` lines or using the default environment
+variables available on the system. Note that system environment variables will
+supercede entries in the .env file.
+
+*Please note that all of the following environment variables that are marked "required"
+are necessary for `accessmap-api` to function correctly and securetly.*
+
+- `SECRET_KEY` (required): This is a secret used to sign / secure sessions during a
+request context. It is very imporatnt to keep this value secure, particularly if your
+application is exposed to the internet. It is a best practice to generate the value of
+most secrets using a secure hashing algorithm with a good source of entropy - something
+like `ssh-keygen`.
+
+- `JWT_SECRET_KEY` (required): This is a secret used to sign JWTs issued by
+`accessmap-api` and is the most important secret to get correct, as JWTs will be
+publicly sent to clients (over HTTPS). It must be kept private and generated using best
+practices (like `ssh-keygen`).
+
+- `SQLALCHEMY_DATABASE_URI`: An SQLAlchemy-compatible database URI. This defauls to
+an SQLite3 database stored at `/tmp/accessmap-api.db` (for development), but can be
+any valid SQLAlchemy URI for postgres, mysql, etc.
+
+- `OAUTH_CACHE_DIR`: A path used to cache OAuth data - i.e. user-authorized
+token information. This makes auth workflows more efficient. This defaults to
+`/tmp/accessmap-api-cache`.
+
+- `OSM_CLIENT_ID` (required): AccessMap currently uses OpenStreetMap for
+authentication. This is the OAuth 1.0a client ID of your registered application.
+
+- `OSM_CLIENT_SECRET` (required): AccessMap currently uses OpenStreetMap for
+authentication. This is the OAuth 1.0a client secret of your registered application.
+
+- `OSM_URI`: The base API path to use when talking to OpenStreetMap for authentication.
+It is important to use the testing/development server(s) when trying out new features
+that might impact the data on OpenStreetMap or expose a client's credentials, so this
+is set to the primary OpenStreetMap testing URI by default. For production applications
+using HTTPS and secure secrets, use `https://api.openstreetmap.org`. Keep in mind that
+you will need to separately register OAuth 1.0a applications for the testing
+OpenStreetMap API vs. the main one, so they will have different `OSM_CLIENT_ID` and
+`OSM_CLIENT_SECRET` credentials.
+
+- `CONSUMER_CALLBACK_URI` (required): as a security precaution, this API will currently
+only send OAuth callback redirects to a URI (URL) defined by this environment variable.
+The callback URI defined by this variable will be appended with `access_token` and
+`refresh_token` URL parameters defining a JWT access token and a JWT refresh token for
+use with protected `accessmap-api` endpoints. `CONSUMER_CALLBACK_URI` should therefore
+be a client URI such as an instance of `accessmap-webapp`, e.g.
+`http://localhost:3000/callback` in development mode.
+
+## Creating and migrating the database
+
+`accessmap-api` uses `Flask-Migrate`, which uses the `alembic` library to manage
+database migrations. To initialize a database, run:
+
+    poetry run flask db upgrade
+
+If you make changes to the database and need to create a new migration, run:
+
+    poetry run flask db migrate
+
+## Running `accessmap-api`
+
+By default, `accessmap-api` runs a `werkzeug` development server. For a production
+system, you should use a WSGI framework. `accessmap-api` comes with a script to assist
+deployments using a WSGI runner: `wsgi.py`. It is important to note that it is
+currently hard-coded to assume that you are running `accessmap-api` at the `/api`
+subdirectory of your production host, for example `https://example.com/api`.

accessmapapi/__init__.py

@@ -2,35 +2,62 @@
 
 from dotenv import load_dotenv
 from flask import Flask
-from flask_sqlalchemy import SQLAlchemy
+from flask_migrate import Migrate
 
 from . import auth
 from . import jwt
-from .models import init_app as db_init_app
+from .exceptions import MissingConfigError
+from .models import db, init_app as db_init_app
 from . import blueprints
 
 
+REQUIRED = [
+    "SECRET_KEY",
+    "SQLALCHEMY_DATABASE_URI",
+    "OAUTH_CACHE_DIR",
+    "JWT_SECRET_KEY",
+    "OSM_CLIENT_ID",
+    "OSM_CLIENT_SECRET",
+    "OSM_URI",
+    "CONSUMER_CALLBACK_URI"
+]
+
+
+DEFAULTS = {
+    "SQLALCHEMY_DATABASE_URI": "sqlite:////tmp/accessmap-api.db",
+    "OAUTH_CACHE_DIR": "/tmp/accessmap-api-cache",
+    "OSM_URI": "https://master.apis.dev.openstreetmap.org/"
+}
+
+
 def create_app():
     app = Flask(__name__)
 
     # Config
     # TODO: do checks on env variable inputs
     load_dotenv()  # TODO: make optional / part of dev only? Try/except/fail?
     app.config.from_mapping(
-        SECRET_KEY=os.getenv("FLASK_SECRET"),
-        SQLALCHEMY_DATABASE_URI=os.getenv("SQLALCHEMY_DATABASE_URI"),
+        SECRET_KEY=os.getenv("SECRET_KEY"),
+        SQLALCHEMY_DATABASE_URI=os.getenv("SQLALCHEMY_DATABASE_URI", DEFAULTS["SQLALCHEMY_DATABASE_URI"]),
         SQLALCHEMY_TRACK_MODIFICATIONS=False,
-        OAUTH_CACHE_DIR=os.getenv("OAUTH_CACHE_DIR"),
-        JWT_SECRET_KEY=os.getenv("JWT_SECRET"),
+        OAUTH_CACHE_DIR=os.getenv("OAUTH_CACHE_DIR", DEFAULTS["OAUTH_CACHE_DIR"]),
+        JWT_SECRET_KEY=os.getenv("JWT_SECRET_KEY"),
         JWT_IDENTITY_CLAIM="sub",
         OSM_CLIENT_ID=os.getenv("OSM_CLIENT_ID"),
         OSM_CLIENT_SECRET=os.getenv("OSM_CLIENT_SECRET"),
-        OSM_URI=os.getenv("OSM_URI"),
+        OSM_URI=os.getenv("OSM_URI", DEFAULTS["OSM_URI"]),
         CONSUMER_CALLBACK_URI=os.getenv("CONSUMER_CALLBACK_URI")
     )
+    for env_var in REQUIRED:
+        env = app.config.get(env_var, None)
+        if env is None:
+            raise MissingConfigError("{} environment variable not set.".format(env_var))
 
     # Attach database
-    db_init_app(app)
+    db.init_app(app)
+
+    # Attach migration scripts (Alembic / Flask-Migrate)
+    migrate = Migrate(app, db)
 
     # Add oauth interface
     auth.init_app(app)

accessmapapi/exceptions.py

@@ -0,0 +1,5 @@
+"""Exceptions for accessmap-api."""
+
+
+class MissingConfigError(Exception):
+    pass

accessmapapi/models.py

@@ -9,18 +9,7 @@
 db = SQLAlchemy()
 
 
-def init_db():
-    db.create_all()
-
-
-@click.command("init-db")
-@with_appcontext
-def init_db_command():
-    init_db()
-    click.echo("Initialized the database.")
-
-
-def init_app(app):
+def init_app(app, db):
     app.cli.add_command(init_db_command)
     db.init_app(app)
 

migrations/README

@@ -0,0 +1 @@
+Generic single-database configuration.

migrations/alembic.ini

@@ -0,0 +1,45 @@
+# A generic, single database configuration.
+
+[alembic]
+# template used to generate migration files
+# file_template = %%(rev)s_%%(slug)s
+
+# set to 'true' to run the environment during
+# the 'revision' command, regardless of autogenerate
+# revision_environment = false
+
+
+# Logging configuration
+[loggers]
+keys = root,sqlalchemy,alembic
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = WARN
+handlers = console
+qualname =
+
+[logger_sqlalchemy]
+level = WARN
+handlers =
+qualname = sqlalchemy.engine
+
+[logger_alembic]
+level = INFO
+handlers =
+qualname = alembic
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S

migrations/env.py

@@ -0,0 +1,95 @@
+from __future__ import with_statement
+
+import logging
+from logging.config import fileConfig
+
+from sqlalchemy import engine_from_config
+from sqlalchemy import pool
+
+from alembic import context
+
+# this is the Alembic Config object, which provides
+# access to the values within the .ini file in use.
+config = context.config
+
+# Interpret the config file for Python logging.
+# This line sets up loggers basically.
+fileConfig(config.config_file_name)
+logger = logging.getLogger('alembic.env')
+
+# add your model's MetaData object here
+# for 'autogenerate' support
+# from myapp import mymodel
+# target_metadata = mymodel.Base.metadata
+from flask import current_app
+config.set_main_option('sqlalchemy.url',
+                       current_app.config.get('SQLALCHEMY_DATABASE_URI'))
+target_metadata = current_app.extensions['migrate'].db.metadata
+
+# other values from the config, defined by the needs of env.py,
+# can be acquired:
+# my_important_option = config.get_main_option("my_important_option")
+# ... etc.
+
+
+def run_migrations_offline():
+    """Run migrations in 'offline' mode.
+
+    This configures the context with just a URL
+    and not an Engine, though an Engine is acceptable
+    here as well.  By skipping the Engine creation
+    we don't even need a DBAPI to be available.
+
+    Calls to context.execute() here emit the given string to the
+    script output.
+
+    """
+    url = config.get_main_option("sqlalchemy.url")
+    context.configure(
+        url=url, target_metadata=target_metadata, literal_binds=True
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+def run_migrations_online():
+    """Run migrations in 'online' mode.
+
+    In this scenario we need to create an Engine
+    and associate a connection with the context.
+
+    """
+
+    # this callback is used to prevent an auto-migration from being generated
+    # when there are no changes to the schema
+    # reference: http://alembic.zzzcomputing.com/en/latest/cookbook.html
+    def process_revision_directives(context, revision, directives):
+        if getattr(config.cmd_opts, 'autogenerate', False):
+            script = directives[0]
+            if script.upgrade_ops.is_empty():
+                directives[:] = []
+                logger.info('No changes in schema detected.')
+
+    connectable = engine_from_config(
+        config.get_section(config.config_ini_section),
+        prefix='sqlalchemy.',
+        poolclass=pool.NullPool,
+    )
+
+    with connectable.connect() as connection:
+        context.configure(
+            connection=connection,
+            target_metadata=target_metadata,
+            process_revision_directives=process_revision_directives,
+            **current_app.extensions['migrate'].configure_args
+        )
+
+        with context.begin_transaction():
+            context.run_migrations()
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    run_migrations_online()

migrations/script.py.mako

@@ -0,0 +1,24 @@
+"""${message}
+
+Revision ID: ${up_revision}
+Revises: ${down_revision | comma,n}
+Create Date: ${create_date}
+
+"""
+from alembic import op
+import sqlalchemy as sa
+${imports if imports else ""}
+
+# revision identifiers, used by Alembic.
+revision = ${repr(up_revision)}
+down_revision = ${repr(down_revision)}
+branch_labels = ${repr(branch_labels)}
+depends_on = ${repr(depends_on)}
+
+
+def upgrade():
+    ${upgrades if upgrades else "pass"}
+
+
+def downgrade():
+    ${downgrades if downgrades else "pass"}