Decouple cross-domain DB queries for per-app database split

Move Ghost membership sync from blog to account service so blog no longer queries account tables (users, ghost_labels, etc.). Account runs membership sync at startup and exposes HTTP action/data endpoints for webhook-triggered syncs and user lookups. Key changes: - account/services/ghost_membership.py: all membership sync functions - account/bp/actions + data: ghost-sync-member, user-by-email, newsletters - blog ghost_sync.py: stripped to content-only (posts, authors, tags) - blog webhook member: delegates to account via call_action() - try_publish: opens federation session when DBs differ - oauth.py callback: uses get_account_session() for OAuthCode - page_configs moved from db_events to db_blog in split script Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 11:32:14 +00:00
parent 50a9e5d952
commit 95bd32bd71
15 changed files with 1007 additions and 808 deletions
--- a/shared/infrastructure/ghost_admin_token.py
+++ b/shared/infrastructure/ghost_admin_token.py
@@ -0,0 +1,46 @@
+import os
+import time
+import jwt  # PyJWT
+from typing import Tuple
+
+
+def _split_key(raw_key: str) -> Tuple[str, bytes]:
+    """
+    raw_key is the 'id:secret' from Ghost.
+    Returns (id, secret_bytes)
+    """
+    key_id, key_secret_hex = raw_key.split(':', 1)
+    secret_bytes = bytes.fromhex(key_secret_hex)
+    return key_id, secret_bytes
+
+
+def make_ghost_admin_jwt() -> str:
+    """
+    Generate a short-lived JWT suitable for Authorization: Ghost <token>
+    """
+    raw_key = os.environ["GHOST_ADMIN_API_KEY"]
+    key_id, secret_bytes = _split_key(raw_key)
+
+    now = int(time.time())
+
+    payload = {
+        "iat": now,
+        "exp": now + 5 * 60,   # now + 5 minutes
+        "aud": "/admin/",
+    }
+
+    headers = {
+        "alg": "HS256",
+        "kid": key_id,
+        "typ": "JWT",
+    }
+
+    token = jwt.encode(
+        payload,
+        secret_bytes,
+        algorithm="HS256",
+        headers=headers,
+    )
+
+    # PyJWT returns str in recent versions; Ghost expects bare token string
+    return token
--- a/shared/infrastructure/oauth.py
+++ b/shared/infrastructure/oauth.py
@@ -22,7 +22,7 @@ from quart import (
 )
 from sqlalchemy import select

-from shared.db.session import get_session
+from shared.db.session import get_session, get_account_session
 from shared.models.oauth_code import OAuthCode
 from shared.infrastructure.urls import account_url, app_url
 from shared.infrastructure.cart_identity import current_cart_identity
@@ -100,7 +100,8 @@ def create_oauth_blueprint(app_name: str) -> Blueprint:
        expected_redirect = app_url(app_name, "/auth/callback")
        now = datetime.now(timezone.utc)

-        async with get_session() as s:
+        # OAuthCode lives in db_account — use account session
+        async with get_account_session() as s:
            async with s.begin():
                result = await s.execute(
                    select(OAuthCode)