co_app/app/auth_core.py

from contextlib import closing
import bcrypt

from app.db import get_conn

def verify_user(username: str, password: str):
    """Prüft Username/Passwort gegen die users-Tabelle."""
    with closing(get_conn()) as conn:
        row = conn.execute(
            "SELECT password_hash, role FROM users WHERE username = ?",
            (username,),
        ).fetchone()
    if not row:
        return False, None
    stored_hash, role = row

    # stored_hash ist BLOB -> bytes
    ok = bcrypt.checkpw(password.encode("utf-8"), stored_hash)
    return (ok, role) if ok else (False, None)

def get_role_for_user(username: str) -> str | None:
    """Liest nur die Rolle aus der DB (z.B. wenn du später OIDC nimmst)."""
    with closing(get_conn()) as conn:
        row = conn.execute(
            "SELECT role FROM users WHERE username = ?",
            (username,),
        ).fetchone()
    return row[0] if row else None