Add multi-user authentication with JWT

- Users table with email/bcrypt-hashed password; register and login via /auth/ endpoints
- JWT tokens (30-day expiry) stored in localStorage; all API routes require Bearer auth
- All data (varieties, batches, settings, notification logs) scoped to the authenticated user
- Login/register screen overlays the app; sidebar shows user email and logout button
- Scheduler sends daily ntfy summaries for every configured user
- DB schema rewritten for multi-user; SECRET_KEY added to env

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/auth.py

@@ -0,0 +1,47 @@
+import os
+from datetime import datetime, timedelta
+
+import bcrypt
+from fastapi import Depends, HTTPException, status
+from fastapi.security import OAuth2PasswordBearer
+from jose import JWTError, jwt
+from sqlalchemy.orm import Session
+
+from database import get_db
+from models import User
+
+SECRET_KEY = os.environ.get("SECRET_KEY", "changeme-please-set-a-real-secret-in-env")
+ALGORITHM = "HS256"
+ACCESS_TOKEN_EXPIRE_DAYS = 30
+
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/auth/login")
+
+
+def verify_password(plain: str, hashed: str) -> bool:
+    return bcrypt.checkpw(plain.encode(), hashed.encode())
+
+
+def hash_password(password: str) -> str:
+    return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()
+
+
+def create_access_token(user_id: int) -> str:
+    expire = datetime.utcnow() + timedelta(days=ACCESS_TOKEN_EXPIRE_DAYS)
+    return jwt.encode({"sub": str(user_id), "exp": expire}, SECRET_KEY, algorithm=ALGORITHM)
+
+
+def get_current_user(token: str = Depends(oauth2_scheme), db: Session = Depends(get_db)) -> User:
+    exc = HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Invalid or expired token",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+    try:
+        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+        user_id = int(payload.get("sub"))
+    except (JWTError, TypeError, ValueError):
+        raise exc
+    user = db.query(User).filter(User.id == user_id).first()
+    if not user:
+        raise exc
+    return user

backend/main.py

@@ -9,6 +9,7 @@ from apscheduler.triggers.cron import CronTrigger
 from database import SessionLocal
 from models import Settings, NotificationLog
 from routers import varieties, batches, dashboard, settings, notifications
+from routers import auth as auth_router
 from routers.notifications import build_daily_summary, send_ntfy
 
 logging.basicConfig(level=logging.INFO)
@@ -20,13 +21,13 @@ scheduler = AsyncIOScheduler()
 async def scheduled_daily_notification():
     db = SessionLocal()
     try:
-        s = db.query(Settings).filter(Settings.id == 1).first()
-        if not s or not s.ntfy_topic:
-            logger.info("Daily notification skipped: ntfy not configured")
-            return
-        summary = build_daily_summary(db)
-        ok, detail = await send_ntfy(s, "Sproutly Daily Summary", summary, db)
-        logger.info(f"Daily notification: {detail}")
+        all_settings = db.query(Settings).filter(Settings.ntfy_topic.isnot(None)).all()
+        for s in all_settings:
+            if not s.ntfy_topic:
+                continue
+            summary = build_daily_summary(db, s.user_id)
+            ok, detail = await send_ntfy(s, "Sproutly Daily Summary", summary, db)
+            logger.info(f"Daily notification for user {s.user_id}: {detail}")
     except Exception as e:
         logger.error(f"Daily notification error: {e}")
         log = NotificationLog(message="scheduler error", status="failed", error=str(e))
@@ -37,8 +38,9 @@ async def scheduled_daily_notification():
 
 
 def get_notification_schedule(db) -> tuple[int, int]:
+    """Use the earliest configured notification time across all users."""
     try:
-        s = db.query(Settings).filter(Settings.id == 1).first()
+        s = db.query(Settings).filter(Settings.ntfy_topic.isnot(None)).first()
         if s and s.notification_time:
             h, m = s.notification_time.split(":")
             return int(h), int(m)
@@ -65,7 +67,7 @@ async def lifespan(app: FastAPI):
     scheduler.shutdown()
 
 
-app = FastAPI(title="Sproutly API", version="1.0.0", lifespan=lifespan)
+app = FastAPI(title="Sproutly API", version="2.0.0", lifespan=lifespan)
 
 app.add_middleware(
     CORSMiddleware,
@@ -74,6 +76,7 @@ app.add_middleware(
     allow_headers=["*"],
 )
 
+app.include_router(auth_router.router)
 app.include_router(varieties.router)
 app.include_router(batches.router)
 app.include_router(dashboard.router)

backend/models.py

@@ -35,10 +35,25 @@ class BatchStatus(str, enum.Enum):
     failed = "failed"
 
 
+class User(Base):
+    __tablename__ = "users"
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    email = Column(String(255), unique=True, nullable=False)
+    hashed_password = Column(String(255), nullable=False)
+    created_at = Column(DateTime, server_default=func.now())
+
+    varieties = relationship("Variety", back_populates="user", cascade="all, delete-orphan")
+    batches = relationship("Batch", back_populates="user", cascade="all, delete-orphan")
+    settings = relationship("Settings", back_populates="user", uselist=False, cascade="all, delete-orphan")
+    notification_logs = relationship("NotificationLog", back_populates="user", cascade="all, delete-orphan")
+
+
 class Variety(Base):
     __tablename__ = "varieties"
 
     id = Column(Integer, primary_key=True, index=True)
+    user_id = Column(Integer, ForeignKey("users.id", ondelete="CASCADE"), nullable=False, index=True)
     name = Column(String(100), nullable=False)
     variety_name = Column(String(100))
     category = Column(Enum(Category), default=Category.vegetable)
@@ -54,6 +69,7 @@ class Variety(Base):
     notes = Column(Text)
     created_at = Column(DateTime, server_default=func.now())
 
+    user = relationship("User", back_populates="varieties")
     batches = relationship("Batch", back_populates="variety", cascade="all, delete-orphan")
 
 
@@ -61,6 +77,7 @@ class Batch(Base):
     __tablename__ = "batches"
 
     id = Column(Integer, primary_key=True, index=True)
+    user_id = Column(Integer, ForeignKey("users.id", ondelete="CASCADE"), nullable=False, index=True)
     variety_id = Column(Integer, ForeignKey("varieties.id"), nullable=False)
     label = Column(String(100))
     quantity = Column(Integer, default=1)
@@ -72,13 +89,15 @@ class Batch(Base):
     notes = Column(Text)
     created_at = Column(DateTime, server_default=func.now())
 
+    user = relationship("User", back_populates="batches")
     variety = relationship("Variety", back_populates="batches")
 
 
 class Settings(Base):
     __tablename__ = "settings"
 
-    id = Column(Integer, primary_key=True, default=1)
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    user_id = Column(Integer, ForeignKey("users.id", ondelete="CASCADE"), unique=True, nullable=False)
     last_frost_date = Column(Date)
     first_frost_fall_date = Column(Date)
     ntfy_topic = Column(String(200))
@@ -90,12 +109,17 @@ class Settings(Base):
     ntfy_password = Column(String(200))
     ntfy_api_key = Column(String(200))
 
+    user = relationship("User", back_populates="settings")
+
 
 class NotificationLog(Base):
     __tablename__ = "notification_log"
 
     id = Column(Integer, primary_key=True, index=True)
+    user_id = Column(Integer, ForeignKey("users.id", ondelete="CASCADE"), nullable=True)
     sent_at = Column(DateTime, server_default=func.now())
     message = Column(Text)
     status = Column(String(20))
     error = Column(Text)
+
+    user = relationship("User", back_populates="notification_logs")

backend/requirements.txt

@@ -7,3 +7,6 @@ python-dotenv==1.0.1
 httpx==0.27.0
 apscheduler==3.10.4
 pydantic==2.7.1
+python-jose[cryptography]==3.3.0
+bcrypt==4.1.3
+email-validator==2.1.1

backend/routers/auth.py

@@ -0,0 +1,33 @@
+from fastapi import APIRouter, Depends, HTTPException
+from sqlalchemy.orm import Session
+
+from auth import create_access_token, get_current_user, hash_password, verify_password
+from database import get_db
+from models import User
+from schemas import Token, UserCreate, UserLogin, UserOut
+
+router = APIRouter(prefix="/auth", tags=["auth"])
+
+
+@router.post("/register", response_model=UserOut, status_code=201)
+def register(data: UserCreate, db: Session = Depends(get_db)):
+    if db.query(User).filter(User.email == data.email).first():
+        raise HTTPException(status_code=400, detail="Email already registered")
+    user = User(email=data.email, hashed_password=hash_password(data.password))
+    db.add(user)
+    db.commit()
+    db.refresh(user)
+    return user
+
+
+@router.post("/login", response_model=Token)
+def login(data: UserLogin, db: Session = Depends(get_db)):
+    user = db.query(User).filter(User.email == data.email).first()
+    if not user or not verify_password(data.password, user.hashed_password):
+        raise HTTPException(status_code=401, detail="Invalid email or password")
+    return {"access_token": create_access_token(user.id), "token_type": "bearer"}
+
+
+@router.get("/me", response_model=UserOut)
+def me(current_user: User = Depends(get_current_user)):
+    return current_user

backend/routers/batches.py

@@ -1,36 +1,39 @@
 from fastapi import APIRouter, Depends, HTTPException
 from sqlalchemy.orm import Session, joinedload
 from typing import List
+
+from auth import get_current_user
 from database import get_db
-from models import Batch, Variety
-from schemas import BatchCreate, BatchUpdate, BatchOut
+from models import Batch, User, Variety
+from schemas import BatchCreate, BatchOut, BatchUpdate
 
 router = APIRouter(prefix="/batches", tags=["batches"])
 
 
 @router.get("/", response_model=List[BatchOut])
-def list_batches(db: Session = Depends(get_db)):
+def list_batches(db: Session = Depends(get_db), current_user: User = Depends(get_current_user)):
     return (
         db.query(Batch)
         .options(joinedload(Batch.variety))
+        .filter(Batch.user_id == current_user.id)
         .order_by(Batch.sow_date.desc().nullslast(), Batch.created_at.desc())
         .all()
     )
 
 
 @router.get("/{batch_id}", response_model=BatchOut)
-def get_batch(batch_id: int, db: Session = Depends(get_db)):
-    b = db.query(Batch).options(joinedload(Batch.variety)).filter(Batch.id == batch_id).first()
+def get_batch(batch_id: int, db: Session = Depends(get_db), current_user: User = Depends(get_current_user)):
+    b = db.query(Batch).options(joinedload(Batch.variety)).filter(Batch.id == batch_id, Batch.user_id == current_user.id).first()
     if not b:
         raise HTTPException(status_code=404, detail="Batch not found")
     return b
 
 
 @router.post("/", response_model=BatchOut, status_code=201)
-def create_batch(data: BatchCreate, db: Session = Depends(get_db)):
-    if not db.query(Variety).filter(Variety.id == data.variety_id).first():
+def create_batch(data: BatchCreate, db: Session = Depends(get_db), current_user: User = Depends(get_current_user)):
+    if not db.query(Variety).filter(Variety.id == data.variety_id, Variety.user_id == current_user.id).first():
         raise HTTPException(status_code=404, detail="Variety not found")
-    b = Batch(**data.model_dump())
+    b = Batch(**data.model_dump(), user_id=current_user.id)
     db.add(b)
     db.commit()
     db.refresh(b)
@@ -38,8 +41,8 @@ def create_batch(data: BatchCreate, db: Session = Depends(get_db)):
 
 
 @router.put("/{batch_id}", response_model=BatchOut)
-def update_batch(batch_id: int, data: BatchUpdate, db: Session = Depends(get_db)):
-    b = db.query(Batch).filter(Batch.id == batch_id).first()
+def update_batch(batch_id: int, data: BatchUpdate, db: Session = Depends(get_db), current_user: User = Depends(get_current_user)):
+    b = db.query(Batch).filter(Batch.id == batch_id, Batch.user_id == current_user.id).first()
     if not b:
         raise HTTPException(status_code=404, detail="Batch not found")
     for field, value in data.model_dump().items():
@@ -50,8 +53,8 @@ def update_batch(batch_id: int, data: BatchUpdate, db: Session = Depends(get_db)
 
 
 @router.delete("/{batch_id}", status_code=204)
-def delete_batch(batch_id: int, db: Session = Depends(get_db)):
-    b = db.query(Batch).filter(Batch.id == batch_id).first()
+def delete_batch(batch_id: int, db: Session = Depends(get_db), current_user: User = Depends(get_current_user)):
+    b = db.query(Batch).filter(Batch.id == batch_id, Batch.user_id == current_user.id).first()
     if not b:
         raise HTTPException(status_code=404, detail="Batch not found")
     db.delete(b)

backend/routers/dashboard.py

@@ -2,9 +2,11 @@ from datetime import date, timedelta
 from typing import List, Optional
 from fastapi import APIRouter, Depends
 from sqlalchemy.orm import Session, joinedload
+
+from auth import get_current_user
 from database import get_db
-from models import Variety, Batch, Settings, BatchStatus
-from schemas import DashboardOut, Task, TimelineEntry, BatchOut
+from models import Batch, BatchStatus, Settings, User, Variety
+from schemas import BatchOut, DashboardOut, Task, TimelineEntry
 
 router = APIRouter(prefix="/dashboard", tags=["dashboard"])
 
@@ -45,15 +47,13 @@ def day_of_year(d: date) -> int:
 
 
 @router.get("/", response_model=DashboardOut)
-def get_dashboard(db: Session = Depends(get_db)):
-    settings = db.query(Settings).filter(Settings.id == 1).first()
+def get_dashboard(db: Session = Depends(get_db), current_user: User = Depends(get_current_user)):
+    settings = db.query(Settings).filter(Settings.user_id == current_user.id).first()
     today = date.today()
     last_frost = None
 
     if settings and settings.last_frost_date:
         last_frost = settings.last_frost_date.replace(year=today.year)
-        # If last frost has passed this year, use next year's date for planning
-        # but keep this year for historical display
         planning_frost = last_frost
         if last_frost < today - timedelta(days=60):
             planning_frost = last_frost.replace(year=today.year + 1)
@@ -63,12 +63,11 @@ def get_dashboard(db: Session = Depends(get_db)):
     all_tasks: List[Task] = []
     timeline: List[TimelineEntry] = []
 
-    varieties = db.query(Variety).all()
+    varieties = db.query(Variety).filter(Variety.user_id == current_user.id).all()
 
     for v in varieties:
         full_name = f"{v.name} ({v.variety_name})" if v.variety_name else v.name
 
-        # --- Timeline entry ---
         entry = TimelineEntry(
             variety_id=v.id,
             name=v.name,
@@ -89,9 +88,8 @@ def get_dashboard(db: Session = Depends(get_db)):
                 else:
                     td = planning_frost - timedelta(weeks=abs(v.weeks_to_garden))
                 entry.garden_day = day_of_year(td)
-                entry.end_day = day_of_year(td) + 80  # rough season length
+                entry.end_day = day_of_year(td) + 80
 
-            # --- Tasks from variety schedule (only within 30 days) ---
             if v.weeks_to_start:
                 start_date = planning_frost - timedelta(weeks=v.weeks_to_start)
                 days = (start_date - today).days
@@ -133,11 +131,10 @@ def get_dashboard(db: Session = Depends(get_db)):
 
         timeline.append(entry)
 
-    # --- Tasks from active batches ---
     batches = (
         db.query(Batch)
         .options(joinedload(Batch.variety))
-        .filter(Batch.status.in_(ACTIVE_STATUSES))
+        .filter(Batch.user_id == current_user.id, Batch.status.in_(ACTIVE_STATUSES))
         .all()
     )
 
@@ -173,7 +170,6 @@ def get_dashboard(db: Session = Depends(get_db)):
                 today, color, batch_id=b.id,
             ))
 
-    # Deduplicate and filter to -7 to +30 day window
     seen = set()
     filtered = []
     for t in all_tasks:
@@ -184,11 +180,9 @@ def get_dashboard(db: Session = Depends(get_db)):
 
     filtered.sort(key=lambda t: t.days_away)
 
-    # Active batches for display
     active_batch_objs = [b for b in batches if b.status != BatchStatus.garden]
 
-    # Stats
-    all_batches = db.query(Batch).all()
+    all_batches = db.query(Batch).filter(Batch.user_id == current_user.id).all()
     stats = {
         "total_varieties": len(varieties),
         "total_batches": len(all_batches),

backend/routers/notifications.py

@@ -3,8 +3,10 @@ from datetime import date, timedelta
 from fastapi import APIRouter, Depends, HTTPException
 from sqlalchemy.orm import Session
 import httpx
+
+from auth import get_current_user
 from database import get_db
-from models import Settings, Variety, Batch, NotificationLog, BatchStatus
+from models import Batch, BatchStatus, NotificationLog, Settings, User, Variety
 
 router = APIRouter(prefix="/notifications", tags=["notifications"])
 
@@ -14,8 +16,8 @@ ACTIVE_STATUSES = [
 ]
 
 
-def build_daily_summary(db: Session) -> str:
-    settings = db.query(Settings).filter(Settings.id == 1).first()
+def build_daily_summary(db: Session, user_id: int) -> str:
+    settings = db.query(Settings).filter(Settings.user_id == user_id).first()
     today = date.today()
     lines = [f"Sproutly Daily Summary — {today.strftime('%A, %B %d')}"]
     lines.append("")
@@ -32,7 +34,7 @@ def build_daily_summary(db: Session) -> str:
             lines.append(f"Last frost in {days_to_frost} days ({last_frost.strftime('%B %d')})!")
             lines.append("")
 
-        varieties = db.query(Variety).all()
+        varieties = db.query(Variety).filter(Variety.user_id == user_id).all()
         for v in varieties:
             full_name = f"{v.name} ({v.variety_name})" if v.variety_name else v.name
 
@@ -59,7 +61,7 @@ def build_daily_summary(db: Session) -> str:
 
     batches = (
         db.query(Batch)
-        .filter(Batch.status.in_(ACTIVE_STATUSES))
+        .filter(Batch.user_id == user_id, Batch.status.in_(ACTIVE_STATUSES))
         .all()
     )
     for b in batches:
@@ -112,44 +114,34 @@ async def send_ntfy(settings: Settings, title: str, message: str, db: Session, p
 
     try:
         async with httpx.AsyncClient(timeout=10) as client:
-            resp = await client.post(
-                url,
-                content=message.encode("utf-8"),
-                headers=headers,
-            )
+            resp = await client.post(url, content=message.encode("utf-8"), headers=headers)
             resp.raise_for_status()
 
-        log = NotificationLog(message=message, status="sent")
+        log = NotificationLog(message=message, status="sent", user_id=settings.user_id)
         db.add(log)
         db.commit()
         return True, "sent"
 
     except Exception as e:
-        log = NotificationLog(message=message, status="failed", error=str(e))
+        log = NotificationLog(message=message, status="failed", error=str(e), user_id=settings.user_id)
         db.add(log)
         db.commit()
         return False, str(e)
 
 
 @router.post("/test")
-async def send_test_notification(db: Session = Depends(get_db)):
-    settings = db.query(Settings).filter(Settings.id == 1).first()
-    ok, detail = await send_ntfy(
-        settings,
-        "Sproutly Test",
-        "Your Sproutly notifications are working!",
-        db,
-        priority="default",
-    )
+async def send_test_notification(db: Session = Depends(get_db), current_user: User = Depends(get_current_user)):
+    settings = db.query(Settings).filter(Settings.user_id == current_user.id).first()
+    ok, detail = await send_ntfy(settings, "Sproutly Test", "Your Sproutly notifications are working!", db)
     if not ok:
         raise HTTPException(status_code=400, detail=detail)
     return {"status": "sent"}
 
 
 @router.post("/daily")
-async def send_daily_summary(db: Session = Depends(get_db)):
-    settings = db.query(Settings).filter(Settings.id == 1).first()
-    summary = build_daily_summary(db)
+async def send_daily_summary(db: Session = Depends(get_db), current_user: User = Depends(get_current_user)):
+    settings = db.query(Settings).filter(Settings.user_id == current_user.id).first()
+    summary = build_daily_summary(db, current_user.id)
     ok, detail = await send_ntfy(settings, "Sproutly Daily Summary", summary, db)
     if not ok:
         raise HTTPException(status_code=400, detail=detail)
@@ -157,6 +149,12 @@ async def send_daily_summary(db: Session = Depends(get_db)):
 
 
 @router.get("/log")
-def get_notification_log(db: Session = Depends(get_db)):
-    logs = db.query(NotificationLog).order_by(NotificationLog.sent_at.desc()).limit(50).all()
+def get_notification_log(db: Session = Depends(get_db), current_user: User = Depends(get_current_user)):
+    logs = (
+        db.query(NotificationLog)
+        .filter(NotificationLog.user_id == current_user.id)
+        .order_by(NotificationLog.sent_at.desc())
+        .limit(50)
+        .all()
+    )
     return [{"id": l.id, "sent_at": l.sent_at, "status": l.status, "message": l.message, "error": l.error} for l in logs]

backend/routers/settings.py

@@ -1,29 +1,32 @@
 from fastapi import APIRouter, Depends
 from sqlalchemy.orm import Session
+
+from auth import get_current_user
 from database import get_db
-from models import Settings
-from schemas import SettingsUpdate, SettingsOut
+from models import Settings, User
+from schemas import SettingsOut, SettingsUpdate
 
 router = APIRouter(prefix="/settings", tags=["settings"])
 
 
-@router.get("/", response_model=SettingsOut)
-def get_settings(db: Session = Depends(get_db)):
-    s = db.query(Settings).filter(Settings.id == 1).first()
+def _get_or_create(db: Session, user_id: int) -> Settings:
+    s = db.query(Settings).filter(Settings.user_id == user_id).first()
     if not s:
-        s = Settings(id=1)
+        s = Settings(user_id=user_id)
         db.add(s)
         db.commit()
         db.refresh(s)
     return s
 
 
+@router.get("/", response_model=SettingsOut)
+def get_settings(db: Session = Depends(get_db), current_user: User = Depends(get_current_user)):
+    return _get_or_create(db, current_user.id)
+
+
 @router.put("/", response_model=SettingsOut)
-def update_settings(data: SettingsUpdate, db: Session = Depends(get_db)):
-    s = db.query(Settings).filter(Settings.id == 1).first()
-    if not s:
-        s = Settings(id=1)
-        db.add(s)
+def update_settings(data: SettingsUpdate, db: Session = Depends(get_db), current_user: User = Depends(get_current_user)):
+    s = _get_or_create(db, current_user.id)
     for field, value in data.model_dump(exclude_unset=True).items():
         setattr(s, field, value)
     db.commit()

backend/routers/varieties.py

@@ -1,29 +1,31 @@
 from fastapi import APIRouter, Depends, HTTPException
 from sqlalchemy.orm import Session
 from typing import List
+
+from auth import get_current_user
 from database import get_db
-from models import Variety
-from schemas import VarietyCreate, VarietyUpdate, VarietyOut
+from models import User, Variety
+from schemas import VarietyCreate, VarietyOut, VarietyUpdate
 
 router = APIRouter(prefix="/varieties", tags=["varieties"])
 
 
 @router.get("/", response_model=List[VarietyOut])
-def list_varieties(db: Session = Depends(get_db)):
-    return db.query(Variety).order_by(Variety.category, Variety.name).all()
+def list_varieties(db: Session = Depends(get_db), current_user: User = Depends(get_current_user)):
+    return db.query(Variety).filter(Variety.user_id == current_user.id).order_by(Variety.category, Variety.name).all()
 
 
 @router.get("/{variety_id}", response_model=VarietyOut)
-def get_variety(variety_id: int, db: Session = Depends(get_db)):
-    v = db.query(Variety).filter(Variety.id == variety_id).first()
+def get_variety(variety_id: int, db: Session = Depends(get_db), current_user: User = Depends(get_current_user)):
+    v = db.query(Variety).filter(Variety.id == variety_id, Variety.user_id == current_user.id).first()
     if not v:
         raise HTTPException(status_code=404, detail="Variety not found")
     return v
 
 
 @router.post("/", response_model=VarietyOut, status_code=201)
-def create_variety(data: VarietyCreate, db: Session = Depends(get_db)):
-    v = Variety(**data.model_dump())
+def create_variety(data: VarietyCreate, db: Session = Depends(get_db), current_user: User = Depends(get_current_user)):
+    v = Variety(**data.model_dump(), user_id=current_user.id)
     db.add(v)
     db.commit()
     db.refresh(v)
@@ -31,8 +33,8 @@ def create_variety(data: VarietyCreate, db: Session = Depends(get_db)):
 
 
 @router.put("/{variety_id}", response_model=VarietyOut)
-def update_variety(variety_id: int, data: VarietyUpdate, db: Session = Depends(get_db)):
-    v = db.query(Variety).filter(Variety.id == variety_id).first()
+def update_variety(variety_id: int, data: VarietyUpdate, db: Session = Depends(get_db), current_user: User = Depends(get_current_user)):
+    v = db.query(Variety).filter(Variety.id == variety_id, Variety.user_id == current_user.id).first()
     if not v:
         raise HTTPException(status_code=404, detail="Variety not found")
     for field, value in data.model_dump().items():
@@ -43,8 +45,8 @@ def update_variety(variety_id: int, data: VarietyUpdate, db: Session = Depends(g
 
 
 @router.delete("/{variety_id}", status_code=204)
-def delete_variety(variety_id: int, db: Session = Depends(get_db)):
-    v = db.query(Variety).filter(Variety.id == variety_id).first()
+def delete_variety(variety_id: int, db: Session = Depends(get_db), current_user: User = Depends(get_current_user)):
+    v = db.query(Variety).filter(Variety.id == variety_id, Variety.user_id == current_user.id).first()
     if not v:
         raise HTTPException(status_code=404, detail="Variety not found")
     db.delete(v)

backend/schemas.py

@@ -1,10 +1,35 @@
 from __future__ import annotations
 from datetime import date, datetime
 from typing import Optional, List
-from pydantic import BaseModel
+from pydantic import BaseModel, EmailStr
 from models import Category, SunRequirement, WaterNeeds, BatchStatus
 
 
+# --- Auth ---
+
+class UserCreate(BaseModel):
+    email: EmailStr
+    password: str
+
+
+class UserLogin(BaseModel):
+    email: EmailStr
+    password: str
+
+
+class UserOut(BaseModel):
+    id: int
+    email: str
+    created_at: Optional[datetime] = None
+
+    model_config = {"from_attributes": True}
+
+
+class Token(BaseModel):
+    access_token: str
+    token_type: str
+
+
 # --- Variety ---
 
 class VarietyBase(BaseModel):