Add SQLite repositories for Engine services

Data/Engine/repositories/sqlite/token_repository.py

@@ -0,0 +1,124 @@
+"""SQLite-backed refresh token repository for the Engine."""
+
+from __future__ import annotations
+
+import logging
+from contextlib import closing
+from datetime import datetime, timezone
+from typing import Optional
+
+from Data.Engine.domain.device_auth import DeviceGuid
+from Data.Engine.repositories.sqlite.connection import SQLiteConnectionFactory
+from Data.Engine.services.auth.token_service import RefreshTokenRecord
+
+__all__ = ["SQLiteRefreshTokenRepository"]
+
+
+class SQLiteRefreshTokenRepository:
+    """Persistence adapter for refresh token records."""
+
+    def __init__(
+        self,
+        connection_factory: SQLiteConnectionFactory,
+        *,
+        logger: Optional[logging.Logger] = None,
+    ) -> None:
+        self._connections = connection_factory
+        self._log = logger or logging.getLogger("borealis.engine.repositories.tokens")
+
+    def fetch(self, guid: DeviceGuid, token_hash: str) -> Optional[RefreshTokenRecord]:
+        with closing(self._connections()) as conn:
+            cur = conn.cursor()
+            cur.execute(
+                """
+                SELECT id, guid, token_hash, dpop_jkt, created_at, expires_at, revoked_at
+                  FROM refresh_tokens
+                 WHERE guid = ?
+                   AND token_hash = ?
+                """,
+                (guid.value, token_hash),
+            )
+            row = cur.fetchone()
+
+        if not row:
+            return None
+
+        return self._row_to_record(row)
+
+    def clear_dpop_binding(self, record_id: str) -> None:
+        with closing(self._connections()) as conn:
+            cur = conn.cursor()
+            cur.execute(
+                "UPDATE refresh_tokens SET dpop_jkt = NULL WHERE id = ?",
+                (record_id,),
+            )
+            conn.commit()
+
+    def touch(
+        self,
+        record_id: str,
+        *,
+        last_used_at: datetime,
+        dpop_jkt: Optional[str],
+    ) -> None:
+        with closing(self._connections()) as conn:
+            cur = conn.cursor()
+            cur.execute(
+                """
+                UPDATE refresh_tokens
+                   SET last_used_at = ?,
+                       dpop_jkt = COALESCE(NULLIF(?, ''), dpop_jkt)
+                 WHERE id = ?
+                """,
+                (
+                    self._isoformat(last_used_at),
+                    (dpop_jkt or "").strip(),
+                    record_id,
+                ),
+            )
+            conn.commit()
+
+    def _row_to_record(self, row: tuple) -> Optional[RefreshTokenRecord]:
+        try:
+            guid = DeviceGuid(row[1])
+        except Exception as exc:
+            self._log.warning("invalid refresh token row guid=%s: %s", row[1], exc)
+            return None
+
+        created_at = self._parse_iso(row[4])
+        expires_at = self._parse_iso(row[5])
+        revoked_at = self._parse_iso(row[6])
+
+        if created_at is None:
+            created_at = datetime.now(tz=timezone.utc)
+
+        return RefreshTokenRecord.from_row(
+            record_id=str(row[0]),
+            guid=guid,
+            token_hash=str(row[2]),
+            dpop_jkt=str(row[3]) if row[3] is not None else None,
+            created_at=created_at,
+            expires_at=expires_at,
+            revoked_at=revoked_at,
+        )
+
+    @staticmethod
+    def _parse_iso(value: Optional[str]) -> Optional[datetime]:
+        if not value:
+            return None
+        raw = str(value).strip()
+        if not raw:
+            return None
+        try:
+            parsed = datetime.fromisoformat(raw)
+        except Exception:
+            return None
+        if parsed.tzinfo is None:
+            return parsed.replace(tzinfo=timezone.utc)
+        return parsed
+
+    @staticmethod
+    def _isoformat(value: datetime) -> str:
+        if value.tzinfo is None:
+            value = value.replace(tzinfo=timezone.utc)
+        return value.astimezone(timezone.utc).isoformat()