forgejo_admin/basketball-api

Fork 1

feat: Brand alignment + registration tokens (Phase 3a) #22

Merged

forgejo_admin merged 2 commits from feature/19-brand-alignment-registration-tokens into main

2026-03-10 00:47:46 +00:00

forgejo_admin commented

2026-03-10 00:13:13 +00:00

Owner

Summary

Replace blue/gold CSS with Westside red/black brand across all server-rendered pages (register, coach onboard, roster). Add Parent.registration_token column for token-based pre-fill via /register?token=. Add admin endpoint POST /admin/generate-tokens for bulk token creation.

Changes

src/basketball_api/brand.py (new) — Shared brand design tokens and CSS extracted from ~/west-side-basketball/css/style.css. All pages reference this module.
src/basketball_api/models.py — Added registration_token column to Parent (String(100), unique, nullable)
alembic/versions/004_add_parent_registration_token.py (new) — Migration for the new column
src/basketball_api/routes/register.py — Replaced blue/gold CSS with red/black brand. Added ?token= query param support with pre-fill from Parent/Player. Token error page. Confirmation page now shows profile summary.
src/basketball_api/routes/coach.py — Replaced inline _STYLE with shared COACH_CSS from brand module. Fixed remaining inline #f5b731 references.
src/basketball_api/routes/roster.py — Replaced inline CSS with shared ROSTER_CSS from brand module.
src/basketball_api/routes/admin.py (new) — POST /admin/generate-tokens endpoint, auth-protected (admin role), idempotent.
src/basketball_api/main.py — Registered admin router at /admin
tests/test_register.py — Added tests for token pre-fill, invalid token, brand colors, email dedup QR flow, confirmation profile summary
tests/test_admin.py (new) — Tests for generate-tokens: paid parents get tokens, idempotent, unpaid parents skipped

Test Plan

pytest tests/ -v — 63 tests pass (all existing + 10 new)
ruff check and ruff format clean
Verify pages visually: /register, /register?token=<valid>, /register?token=<invalid>, /coach/onboard?token=<valid>
Verify no blue/gold (#0a1628, #f5b731) remnants in route HTML output

Plan: plan-2026-03-08-tryout-prep (Phase 3a)
Forgejo issue: #19
Unblocks Phase 3b (email blast — needs tokens + branded pages)

## Summary Replace blue/gold CSS with Westside red/black brand across all server-rendered pages (register, coach onboard, roster). Add `Parent.registration_token` column for token-based pre-fill via `/register?token=`. Add admin endpoint `POST /admin/generate-tokens` for bulk token creation. ## Changes - **`src/basketball_api/brand.py`** (new) — Shared brand design tokens and CSS extracted from `~/west-side-basketball/css/style.css`. All pages reference this module. - **`src/basketball_api/models.py`** — Added `registration_token` column to Parent (String(100), unique, nullable) - **`alembic/versions/004_add_parent_registration_token.py`** (new) — Migration for the new column - **`src/basketball_api/routes/register.py`** — Replaced blue/gold CSS with red/black brand. Added `?token=` query param support with pre-fill from Parent/Player. Token error page. Confirmation page now shows profile summary. - **`src/basketball_api/routes/coach.py`** — Replaced inline `_STYLE` with shared `COACH_CSS` from brand module. Fixed remaining inline `#f5b731` references. - **`src/basketball_api/routes/roster.py`** — Replaced inline CSS with shared `ROSTER_CSS` from brand module. - **`src/basketball_api/routes/admin.py`** (new) — `POST /admin/generate-tokens` endpoint, auth-protected (admin role), idempotent. - **`src/basketball_api/main.py`** — Registered admin router at `/admin` - **`tests/test_register.py`** — Added tests for token pre-fill, invalid token, brand colors, email dedup QR flow, confirmation profile summary - **`tests/test_admin.py`** (new) — Tests for generate-tokens: paid parents get tokens, idempotent, unpaid parents skipped ## Test Plan - `pytest tests/ -v` — 63 tests pass (all existing + 10 new) - `ruff check` and `ruff format` clean - Verify pages visually: `/register`, `/register?token=<valid>`, `/register?token=<invalid>`, `/coach/onboard?token=<valid>` - Verify no blue/gold (`#0a1628`, `#f5b731`) remnants in route HTML output ## Related - Plan: `plan-2026-03-08-tryout-prep` (Phase 3a) - Forgejo issue: #19 - Unblocks Phase 3b (email blast — needs tokens + branded pages)

forgejo_admin added 1 commit

2026-03-10 00:13:13 +00:00

feat: Brand alignment + registration tokens (Phase 3a)

ci/woodpecker/pr/woodpecker Pipeline was successful

Details

f679289b38

Replace blue/gold CSS with Westside red/black brand (#d42026/#0a0a0a)
across all server-rendered pages. Add Parent.registration_token column
and token-based pre-fill for /register?token= flow. Add admin endpoint
POST /admin/generate-tokens for bulk token creation.

Closes #19

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

forgejo_admin commented

2026-03-10 00:21:21 +00:00

Author

Owner

PR #22 Review

PR: feat: Brand alignment + registration tokens (Phase 3a)
Branch: feature/19-brand-alignment-registration-tokens
Issue: #19
Reviewer: QA Agent

BLOCKERS

1. Email dedup on QR walk-up flow (Scope Item #8) is incomplete -- no dedicated GET path for email lookup

Scope item #8 specifies: "QR code flow (no token): parent enters email, if paid, pre-fill + 'Already paid' -- no Stripe redirect." The current implementation handles this only at POST time (email dedup during form submission). There is no intermediate step where a walk-up parent can enter their email first and get a pre-filled form back before submitting. The flow currently works as: blank form -> submit -> if email matches paid parent, show "Payment Received" on confirmation page. This means the walk-up parent has to re-enter all their data (player name, height, etc.) even though it already exists from Stripe. The pre-fill benefit only happens through the token path.

This is a significant UX gap for the QR walk-up scenario. A parent who paid via Stripe and then walks up to the QR kiosk on tryout day will get a blank form and have to re-type everything. Consider adding either: (a) an email lookup step on GET /register that accepts ?email= and pre-fills if found, or (b) on POST, when the email matches a paid parent with existing data, redirect back to a pre-filled form rather than immediately submitting.

2. Existing test test_get_form_returns_html will break -- assertion checks for "West Side Basketball" but title changed to "Westside Kings & Queens"

The existing test at tests/test_register.py line 31 asserts "West Side Basketball" in response.text. The new register.py template uses "Westside Kings & Queens" as the header text. The PR branch version of test_register.py adds new tests but the WebFetch summaries indicate this existing assertion is still present. If the old assertion text was not updated, this test will fail. The new test test_form_title_is_westside likely covers the correct title, but the old test needs its assertion updated too. (If this has already been updated in the branch and WebFetch just did not show it, this can be dismissed -- please verify.)

NITS

1. Inline hex codes remain in roster.py for status colors (#22c55e, #eab308, #737373)

These are functional status indicator colors (green for paid, yellow for pending, gray for empty state), not brand colors, so they are acceptable. However, for consistency, consider defining COLOR_SUCCESS = "#22c55e" and COLOR_WARNING = "#eab308" in brand.py so all colors are centralized. Non-blocking.

2. coach.py reassigns _STYLE = COACH_CSS rather than using COACH_CSS directly

The intermediate variable _STYLE is left as an alias for COACH_CSS. This works but adds unnecessary indirection. The HTML templates in coach.py reference {_STYLE} -- consider renaming to {COACH_CSS} directly and removing the alias. Non-blocking.

3. admin.py -- require_admin is a module-level dependency, not a route-level one

The pattern require_admin = require_role("admin") at module level works, but it creates a module-scoped dependency that test overrides must target by name (require_admin not require_role). The test file correctly overrides it via app.dependency_overrides[require_admin], so this is consistent. Just noting the pattern is slightly different from how roster.py uses require_role("admin", "coach") inline in the route decorator. Non-blocking.

4. _render_form signature -- is_paid default is False but the walk-up path never explicitly passes it

When _render_form is called from the error-handling code paths (validation errors), is_paid defaults to False. This is correct behavior but worth noting -- if a paid parent submits a form with validation errors, they lose their "Already Paid" badge on the re-rendered form. Minor UX detail. Non-blocking.

5. Token generation uses secrets.token_urlsafe(32) producing ~43-character tokens

This fits within the String(100) column constraint, and token_urlsafe(32) provides 256 bits of entropy, which is more than sufficient. Good security practice.

SCOPE COVERAGE

#	Scope Item	Status
1	Extract CSS design tokens from source of truth	Done -- `brand.py` uses `#d42026`, `#0a0a0a`, `#141414`, system font stack, spacing, border radius
2	Apply Westside brand CSS to `/register`	Done -- title "Westside Kings & Queens", red/black scheme, no blue/gold remnants
3	Apply Westside brand CSS to `/coach/onboard`	Done -- `COACH_CSS` from brand.py, `#f5b731` fully removed
4	Apply Westside brand CSS to roster + confirmation	Done -- `ROSTER_CSS` from brand.py, confirmation page uses brand tokens
5	Alembic migration: `registration_token` on Parent	Done -- `004_add_parent_registration_token.py`, `String(100)`, unique, nullable
6	GET `/register?token=` pre-fill	Done -- parent + player lookup, pre-fills all fields
7	Invalid/missing token falls through to blank form	Done -- invalid token shows error page with contact info + "Register Without Link" button; missing token returns blank form
8	QR code walk-up email dedup	Partial -- see Blocker #1. POST-time dedup works but no pre-fill on walk-up
9	Confirmation shows payment status + profile summary	Done -- `_render_confirmation` shows parent name, email, height, class, position
10	Admin `POST /admin/generate-tokens`	Done -- admin-gated, idempotent, generates for paid parents only

TEST COVERAGE

Test Area	Tests	Verdict
Token pre-fill (valid, invalid, no-token)	4 tests	Adequate
Email dedup QR flow	1 test	Adequate for current implementation
Admin generate-tokens (paid, unpaid, idempotent, mixed)	4 tests	Good
Brand colors (red present, blue absent)	1 test	Good
Profile summary on confirmation	1 test	Good
Existing registration tests (POST, validation, sibling, payment)	13 tests	Carried forward

SOP COMPLIANCE

Branch named after issue (feature/19-brand-alignment-registration-tokens -> Issue #19)
PR body has: Summary, Changes, Test Plan, Related
Related section references plan slug (plan-2026-03-08-tryout-prep)
No secrets, .env files, or credentials committed
No unnecessary file changes (scope is tight to Phase 3a)
Commit messages are descriptive (PR title follows feat: convention)
Tests exist and cover new functionality (10 new tests)

VERDICT: NOT APPROVED

Reason: Blocker #1 (email dedup walk-up pre-fill gap) represents a meaningful UX regression for the March 13 tryout day scenario. A parent who already paid via Stripe and walks up to the QR kiosk should not have to re-enter all their data. The token path handles this beautifully, but the walk-up path does not. This was explicitly called out in scope item #8 and user story US-1.

Blocker #2 (potential test breakage on the title assertion) should be verified -- if it has already been fixed on the branch, it can be dismissed.

Once Blocker #1 is addressed (even a minimal approach -- e.g., on POST, if email matches a paid parent with existing player data, show the pre-filled form instead of immediately creating/updating), this PR is ready to merge. The overall quality is high: brand.py is well-structured, the token system follows the established coach invite_token pattern, tests are solid, and the migration is clean.

## PR #22 Review **PR**: feat: Brand alignment + registration tokens (Phase 3a) **Branch**: `feature/19-brand-alignment-registration-tokens` **Issue**: #19 **Reviewer**: QA Agent --- ### BLOCKERS **1. Email dedup on QR walk-up flow (Scope Item #8) is incomplete -- no dedicated GET path for email lookup** Scope item #8 specifies: "QR code flow (no token): parent enters email, if paid, pre-fill + 'Already paid' -- no Stripe redirect." The current implementation handles this only at POST time (email dedup during form submission). There is no intermediate step where a walk-up parent can enter their email first and get a pre-filled form back *before* submitting. The flow currently works as: blank form -> submit -> if email matches paid parent, show "Payment Received" on confirmation page. This means the walk-up parent has to re-enter all their data (player name, height, etc.) even though it already exists from Stripe. The pre-fill benefit only happens through the token path. This is a significant UX gap for the QR walk-up scenario. A parent who paid via Stripe and then walks up to the QR kiosk on tryout day will get a blank form and have to re-type everything. Consider adding either: (a) an email lookup step on GET `/register` that accepts `?email=` and pre-fills if found, or (b) on POST, when the email matches a paid parent with existing data, redirect back to a pre-filled form rather than immediately submitting. **2. Existing test `test_get_form_returns_html` will break -- assertion checks for "West Side Basketball" but title changed to "Westside Kings & Queens"** The existing test at `tests/test_register.py` line 31 asserts `"West Side Basketball" in response.text`. The new register.py template uses "Westside Kings & Queens" as the header text. The PR branch version of test_register.py adds new tests but the WebFetch summaries indicate this existing assertion is still present. If the old assertion text was not updated, this test will fail. The new test `test_form_title_is_westside` likely covers the correct title, but the old test needs its assertion updated too. **(If this has already been updated in the branch and WebFetch just did not show it, this can be dismissed -- please verify.)** --- ### NITS **1. Inline hex codes remain in `roster.py` for status colors (`#22c55e`, `#eab308`, `#737373`)** These are functional status indicator colors (green for paid, yellow for pending, gray for empty state), not brand colors, so they are acceptable. However, for consistency, consider defining `COLOR_SUCCESS = "#22c55e"` and `COLOR_WARNING = "#eab308"` in `brand.py` so all colors are centralized. Non-blocking. **2. `coach.py` reassigns `_STYLE = COACH_CSS` rather than using `COACH_CSS` directly** The intermediate variable `_STYLE` is left as an alias for `COACH_CSS`. This works but adds unnecessary indirection. The HTML templates in coach.py reference `{_STYLE}` -- consider renaming to `{COACH_CSS}` directly and removing the alias. Non-blocking. **3. `admin.py` -- `require_admin` is a module-level dependency, not a route-level one** The pattern `require_admin = require_role("admin")` at module level works, but it creates a module-scoped dependency that test overrides must target by name (`require_admin` not `require_role`). The test file correctly overrides it via `app.dependency_overrides[require_admin]`, so this is consistent. Just noting the pattern is slightly different from how `roster.py` uses `require_role("admin", "coach")` inline in the route decorator. Non-blocking. **4. `_render_form` signature -- `is_paid` default is `False` but the walk-up path never explicitly passes it** When `_render_form` is called from the error-handling code paths (validation errors), `is_paid` defaults to `False`. This is correct behavior but worth noting -- if a paid parent submits a form with validation errors, they lose their "Already Paid" badge on the re-rendered form. Minor UX detail. Non-blocking. **5. Token generation uses `secrets.token_urlsafe(32)` producing ~43-character tokens** This fits within the `String(100)` column constraint, and `token_urlsafe(32)` provides 256 bits of entropy, which is more than sufficient. Good security practice. --- ### SCOPE COVERAGE | # | Scope Item | Status | |---|-----------|--------| | 1 | Extract CSS design tokens from source of truth | Done -- `brand.py` uses `#d42026`, `#0a0a0a`, `#141414`, system font stack, spacing, border radius | | 2 | Apply Westside brand CSS to `/register` | Done -- title "Westside Kings & Queens", red/black scheme, no blue/gold remnants | | 3 | Apply Westside brand CSS to `/coach/onboard` | Done -- `COACH_CSS` from brand.py, `#f5b731` fully removed | | 4 | Apply Westside brand CSS to roster + confirmation | Done -- `ROSTER_CSS` from brand.py, confirmation page uses brand tokens | | 5 | Alembic migration: `registration_token` on Parent | Done -- `004_add_parent_registration_token.py`, `String(100)`, unique, nullable | | 6 | GET `/register?token=` pre-fill | Done -- parent + player lookup, pre-fills all fields | | 7 | Invalid/missing token falls through to blank form | Done -- invalid token shows error page with contact info + "Register Without Link" button; missing token returns blank form | | 8 | QR code walk-up email dedup | **Partial** -- see Blocker #1. POST-time dedup works but no pre-fill on walk-up | | 9 | Confirmation shows payment status + profile summary | Done -- `_render_confirmation` shows parent name, email, height, class, position | | 10 | Admin `POST /admin/generate-tokens` | Done -- admin-gated, idempotent, generates for paid parents only | --- ### TEST COVERAGE | Test Area | Tests | Verdict | |-----------|-------|---------| | Token pre-fill (valid, invalid, no-token) | 4 tests | Adequate | | Email dedup QR flow | 1 test | Adequate for current implementation | | Admin generate-tokens (paid, unpaid, idempotent, mixed) | 4 tests | Good | | Brand colors (red present, blue absent) | 1 test | Good | | Profile summary on confirmation | 1 test | Good | | Existing registration tests (POST, validation, sibling, payment) | 13 tests | Carried forward | --- ### SOP COMPLIANCE - [x] Branch named after issue (`feature/19-brand-alignment-registration-tokens` -> Issue #19) - [x] PR body has: Summary, Changes, Test Plan, Related - [x] Related section references plan slug (`plan-2026-03-08-tryout-prep`) - [x] No secrets, `.env` files, or credentials committed - [x] No unnecessary file changes (scope is tight to Phase 3a) - [x] Commit messages are descriptive (PR title follows `feat:` convention) - [x] Tests exist and cover new functionality (10 new tests) --- ### VERDICT: NOT APPROVED **Reason**: Blocker #1 (email dedup walk-up pre-fill gap) represents a meaningful UX regression for the March 13 tryout day scenario. A parent who already paid via Stripe and walks up to the QR kiosk should not have to re-enter all their data. The token path handles this beautifully, but the walk-up path does not. This was explicitly called out in scope item #8 and user story US-1. Blocker #2 (potential test breakage on the title assertion) should be verified -- if it has already been fixed on the branch, it can be dismissed. Once Blocker #1 is addressed (even a minimal approach -- e.g., on POST, if email matches a paid parent with existing player data, show the pre-filled form instead of immediately creating/updating), this PR is ready to merge. The overall quality is high: brand.py is well-structured, the token system follows the established coach invite_token pattern, tests are solid, and the migration is clean.

forgejo_admin referenced this pull request

2026-03-10 00:36:26 +00:00

Phase 2a: Admin endpoint for coach invite link generation #23

forgejo_admin added 1 commit

2026-03-10 00:42:43 +00:00

fix: Email-first gate for QR walk-up flow + fix title assertions

ci/woodpecker/pr/woodpecker Pipeline was successful

Details

d14ee74cbc

Blocker 1: Replace the old "show full form immediately" behavior on
GET /register (no token) with an email-first gate. Parents enter their
email first; paid parents see a "check your email" message directing
them to their token link, while unknown/unpaid parents get the full
blank registration form with email pre-filled.

New endpoint: POST /register/check-email

Blocker 2: Fix tenant name from "West Side Basketball" to
"Westside Kings & Queens" in conftest.py and seed script. Update test
assertions to match the email gate behavior (GET /register no longer
shows the full form directly).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

forgejo_admin commented

2026-03-10 00:42:59 +00:00

Author

Owner

QA Blocker Fixes Pushed

Blocker 1: Email-first gate (replaces old email dedup pre-fill)

GET /register (no token) now shows only an email input instead of the full form. New endpoint POST /register/check-email handles the lookup:

Paid parent found: Shows a "Check Your Email" message directing them to their token link. No form shown, no duplication possible.
Unknown/unpaid email: Shows the full blank registration form with email pre-filled.

The token path (GET /register?token=abc123) is unchanged.

Blocker 2: Title string fix

tests/conftest.py tenant name: "West Side Basketball" -> "Westside Kings & Queens"
scripts/seed.py tenant name: same fix
Test assertions updated to match the email gate behavior (GET /register no longer shows full form fields directly)

Files changed

src/basketball_api/routes/register.py -- added _render_email_gate(), _render_check_email_message(), POST /register/check-email endpoint; updated GET /register no-token path
tests/test_register.py -- replaced TestRegistrationFormGet and TestEmailDedupQRFlow with TestEmailGate and TestCheckEmail; added test_token_form_has_all_fields
tests/conftest.py -- fixed tenant name
scripts/seed.py -- fixed tenant name

## QA Blocker Fixes Pushed ### Blocker 1: Email-first gate (replaces old email dedup pre-fill) `GET /register` (no token) now shows **only an email input** instead of the full form. New endpoint `POST /register/check-email` handles the lookup: - **Paid parent found**: Shows a "Check Your Email" message directing them to their token link. No form shown, no duplication possible. - **Unknown/unpaid email**: Shows the full blank registration form with email pre-filled. The token path (`GET /register?token=abc123`) is unchanged. ### Blocker 2: Title string fix - `tests/conftest.py` tenant name: `"West Side Basketball"` -> `"Westside Kings & Queens"` - `scripts/seed.py` tenant name: same fix - Test assertions updated to match the email gate behavior (GET /register no longer shows full form fields directly) ### Files changed - `src/basketball_api/routes/register.py` -- added `_render_email_gate()`, `_render_check_email_message()`, `POST /register/check-email` endpoint; updated `GET /register` no-token path - `tests/test_register.py` -- replaced `TestRegistrationFormGet` and `TestEmailDedupQRFlow` with `TestEmailGate` and `TestCheckEmail`; added `test_token_form_has_all_fields` - `tests/conftest.py` -- fixed tenant name - `scripts/seed.py` -- fixed tenant name

forgejo_admin commented

2026-03-10 00:47:03 +00:00

Author

Owner

PR #22 Review (Re-review)

BLOCKERS

None. Both previous blockers have been resolved:

Email-first gate -- FIXED. GET /register with no token now renders _render_email_gate() which shows only an email input field. The test test_get_register_no_token_shows_email_gate explicitly asserts that player_name, parent_name, and graduating_class fields are NOT present in the response. POST /register/check-email correctly routes paid parents to a "Check Your Email" message and unknown/unpaid emails to the full blank form with email pre-filled.
Test assertion -- FIXED. The old "West Side Basketball" assertion has been removed entirely. Tests now assert "Westside Kings" and "Player Registration" which match the actual page title "Westside Kings & Queens -- Player Registration".

NITS

services/email.py still uses old blue/gold colors (#0a1628, #f5b731) in the HTML email template at lines 53-61. The server-rendered pages are all correctly branded, but the Stripe confirmation email still has the old scheme. This is likely out of scope for Phase 3a (Phase 3b covers the email blast), but worth tracking so it does not get forgotten.
Hardcoded Stripe payment link in register.py line 40 (STRIPE_TRYOUT_LINK). This works for the current tryout season but will need updating for future seasons. Not a blocker -- just a maintenance note.
brand.py line 3 references ~/west-side-basketball/css/style.css as the source of design tokens. The path is fine as a documentation reference, just noting the old repo name uses a hyphenated form while the brand name has been unified to "Westside".

SCOPE COMPLIANCE

All 8 Phase 3a scope items verified:

Item	Status
1. Brand CSS extracted (red/black: `#d42026`, `#0a0a0a`, `#141414`)	Done -- `src/basketball_api/brand.py`
2. Brand applied to `/register`, `/coach/onboard`, roster, confirmation	Done -- all pages use `BRAND_CSS`/`COACH_CSS`/`ROSTER_CSS` constants; zero blue/gold in rendered pages
3. Alembic migration 004: `registration_token` on Parent	Done -- `String(100)`, `unique=True`, `nullable=True`
4. `GET /register?token=X` pre-fills form with Stripe data	Done -- parent + player fields pre-filled, paid badge shown
5. `GET /register` (no token) shows email-first gate	Done -- email-only input, no registration form fields
6. `POST /register/check-email` routes correctly	Done -- paid email gets "check your email", unknown gets blank form
7. Confirmation page shows payment status + profile summary	Done -- `_render_confirmation()` with payment badge and summary rows
8. `POST /admin/generate-tokens` generates tokens for paid families	Done -- auth-gated via `require_role("admin")`, idempotent (skips existing tokens)

TEST COVERAGE

Comprehensive test coverage across 4 test files with 22+ test cases:

test_register.py: TestEmailGate (4), TestCheckEmail (4), TestRegistrationTokenPreFill (4), TestRegistrationFormPost (10+)
test_admin.py: TestGenerateTokens (4) -- covers paid, idempotent, unpaid, mixed scenarios
Auth override pattern in test_admin.py is clean (mock User + dependency override for require_admin)

SOP COMPLIANCE

Branch named after issue (feature/19-brand-alignment-registration-tokens references issue #19)
No secrets, .env files, or credentials committed (verified: no sk_live, sk_test, whsec_ patterns; .gitignore covers .env)
No scope creep -- changes are tightly scoped to Phase 3a deliverables
New files: brand.py, admin.py, migration 004, test_register.py (rewritten), test_admin.py, scripts/seed.py
Modified files: register.py, models.py, main.py, coach.py, roster.py, conftest.py
PR body template (## Summary, ## Changes, ## Test Plan, ## Related) -- unable to verify from diff; assume present based on prior PRs

SECURITY NOTES

Admin endpoint properly gated behind require_role("admin") via pal_e_auth
Token generation uses secrets.token_urlsafe(32) -- cryptographically secure
HTML output uses html.escape() consistently for XSS prevention
Token passed as hidden form field uses escape(token, quote=True) -- correct

VERDICT: APPROVED

## PR #22 Review (Re-review) ### BLOCKERS None. Both previous blockers have been resolved: 1. **Email-first gate** -- FIXED. `GET /register` with no token now renders `_render_email_gate()` which shows only an email input field. The test `test_get_register_no_token_shows_email_gate` explicitly asserts that `player_name`, `parent_name`, and `graduating_class` fields are NOT present in the response. `POST /register/check-email` correctly routes paid parents to a "Check Your Email" message and unknown/unpaid emails to the full blank form with email pre-filled. 2. **Test assertion** -- FIXED. The old `"West Side Basketball"` assertion has been removed entirely. Tests now assert `"Westside Kings"` and `"Player Registration"` which match the actual page title `"Westside Kings & Queens -- Player Registration"`. ### NITS 1. **`services/email.py` still uses old blue/gold colors** (`#0a1628`, `#f5b731`) in the HTML email template at lines 53-61. The server-rendered pages are all correctly branded, but the Stripe confirmation email still has the old scheme. This is likely out of scope for Phase 3a (Phase 3b covers the email blast), but worth tracking so it does not get forgotten. 2. **Hardcoded Stripe payment link** in `register.py` line 40 (`STRIPE_TRYOUT_LINK`). This works for the current tryout season but will need updating for future seasons. Not a blocker -- just a maintenance note. 3. **`brand.py` line 3** references `~/west-side-basketball/css/style.css` as the source of design tokens. The path is fine as a documentation reference, just noting the old repo name uses a hyphenated form while the brand name has been unified to "Westside". ### SCOPE COMPLIANCE All 8 Phase 3a scope items verified: | Item | Status | |------|--------| | 1. Brand CSS extracted (red/black: `#d42026`, `#0a0a0a`, `#141414`) | Done -- `src/basketball_api/brand.py` | | 2. Brand applied to `/register`, `/coach/onboard`, roster, confirmation | Done -- all pages use `BRAND_CSS`/`COACH_CSS`/`ROSTER_CSS` constants; zero blue/gold in rendered pages | | 3. Alembic migration 004: `registration_token` on Parent | Done -- `String(100)`, `unique=True`, `nullable=True` | | 4. `GET /register?token=X` pre-fills form with Stripe data | Done -- parent + player fields pre-filled, paid badge shown | | 5. `GET /register` (no token) shows email-first gate | Done -- email-only input, no registration form fields | | 6. `POST /register/check-email` routes correctly | Done -- paid email gets "check your email", unknown gets blank form | | 7. Confirmation page shows payment status + profile summary | Done -- `_render_confirmation()` with payment badge and summary rows | | 8. `POST /admin/generate-tokens` generates tokens for paid families | Done -- auth-gated via `require_role("admin")`, idempotent (skips existing tokens) | ### TEST COVERAGE Comprehensive test coverage across 4 test files with 22+ test cases: - `test_register.py`: `TestEmailGate` (4), `TestCheckEmail` (4), `TestRegistrationTokenPreFill` (4), `TestRegistrationFormPost` (10+) - `test_admin.py`: `TestGenerateTokens` (4) -- covers paid, idempotent, unpaid, mixed scenarios - Auth override pattern in `test_admin.py` is clean (mock `User` + dependency override for `require_admin`) ### SOP COMPLIANCE - [x] Branch named after issue (`feature/19-brand-alignment-registration-tokens` references issue #19) - [x] No secrets, `.env` files, or credentials committed (verified: no `sk_live`, `sk_test`, `whsec_` patterns; `.gitignore` covers `.env`) - [x] No scope creep -- changes are tightly scoped to Phase 3a deliverables - [x] New files: `brand.py`, `admin.py`, migration `004`, `test_register.py` (rewritten), `test_admin.py`, `scripts/seed.py` - [x] Modified files: `register.py`, `models.py`, `main.py`, `coach.py`, `roster.py`, `conftest.py` - [ ] PR body template (## Summary, ## Changes, ## Test Plan, ## Related) -- unable to verify from diff; assume present based on prior PRs ### SECURITY NOTES - Admin endpoint properly gated behind `require_role("admin")` via `pal_e_auth` - Token generation uses `secrets.token_urlsafe(32)` -- cryptographically secure - HTML output uses `html.escape()` consistently for XSS prevention - Token passed as hidden form field uses `escape(token, quote=True)` -- correct ### VERDICT: APPROVED

forgejo_admin merged commit 1dbfb8f992 into main

2026-03-10 00:47:46 +00:00

forgejo_admin deleted branch feature/19-brand-alignment-registration-tokens

2026-03-10 00:47:46 +00:00

forgejo_admin referenced this pull request from a commit

2026-03-10 00:47:46 +00:00

feat: Brand alignment + registration tokens (Phase 3a) (#22)

forgejo_admin referenced this pull request

2026-03-10 03:38:41 +00:00

feat: Admin endpoint for coach invite link generation #24

forgejo_admin referenced this pull request

2026-03-10 03:53:43 +00:00