Add change password

app/db.py

@@ -1,5 +1,6 @@
 import sqlite3
 from pathlib import Path
+import bcrypt
 
 BASE_DIR = Path(__file__).resolve().parent.parent
 DB_PATH = BASE_DIR / "data" / "app.db"
@@ -8,3 +9,56 @@ DB_PATH = BASE_DIR / "data" / "app.db"
 def get_conn():
     # check_same_thread=False, damit Streamlit mehrere Threads nutzen kann
     return sqlite3.connect(DB_PATH, check_same_thread=False)
+
+def create_user(
+    username: str, 
+    password: str, 
+    role: str = "user",
+    email: str | None = None,
+    firstname: str | None = None,
+    lastname: str | None = None
+) -> bool:
+
+    """
+    Passwort wird als bcrypt-Hash (TEXT) gespeichert.
+    """
+    pw_hash = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt()).decode("utf-8")
+
+    try:
+        with closing(get_conn()) as conn, conn:
+            conn.execute(
+                "INSERT INTO users (username, email, password_hash, role, firstname, lastname) VALUES (?, ?, ?, ?, ?, ?)",
+                (username, email, pw_hash, role, firstname, lastname),
+            )
+        return True
+    except Exception:
+        return False
+
+def verify_user(username: str, password: str):
+    """
+    Vergleicht eingegebenes Passwort mit dem gespeicherten bcrypt-Hash.
+    Rückgabe: (True, role) oder (False, None)
+    """
+    with closing(get_conn()) as conn:
+        row = conn.execute(
+            "SELECT password_hash, role FROM users WHERE username = ?",
+            (username,),
+        ).fetchone()
+
+    if not row:
+        return False, None
+
+    stored_hash, role = row
+
+    # stored_hash ist TEXT → zurück nach bytes
+    ok = bcrypt.checkpw(password.encode("utf-8"), stored_hash.encode("utf-8"))
+
+    return (ok, role) if ok else (False, None)
+
+def get_role_for_user(username: str) -> str:
+    with closing(get_conn()) as conn:
+        row = conn.execute(
+            "SELECT role FROM users WHERE username = ?",
+            (username,),
+        ).fetchone()
+    return row[0] if row else "user"