Added soft deletes to all deletion functions and added deleted_at filters as required

gatehouse_app/api/v1/external_auth/admin.py

@@ -21,7 +21,7 @@ def admin_list_app_providers():
         return api_response(success=False, message="Admin access required", status=403, error_type="FORBIDDEN")
 
     PROVIDERS = [{"id": "google", "name": "Google"}, {"id": "github", "name": "GitHub"}, {"id": "microsoft", "name": "Microsoft"}]
-    db_configs = {c.provider_type: c for c in ApplicationProviderConfig.query.all()}
+    db_configs = {c.provider_type: c for c in ApplicationProviderConfig.query.filter_by(deleted_at=None).all()}
 
     result = []
     for p in PROVIDERS:
@@ -64,7 +64,7 @@ def admin_configure_app_provider(provider: str):
     if not client_id:
         return api_response(success=False, message="client_id is required", status=400, error_type="VALIDATION_ERROR")
 
-    cfg = ApplicationProviderConfig.query.filter_by(provider_type=provider).first()
+    cfg = ApplicationProviderConfig.query.filter_by(provider_type=provider, deleted_at=None).first()
     if cfg:
         cfg.client_id = client_id
         if client_secret:
@@ -90,7 +90,6 @@ def admin_delete_app_provider(provider: str):
     from gatehouse_app.models.auth.authentication_method import ApplicationProviderConfig
     from gatehouse_app.models import OrganizationMember
     from gatehouse_app.utils.constants import OrganizationRole
-    from gatehouse_app.extensions import db
 
     admin_memberships = OrganizationMember.query.filter(
         OrganizationMember.user_id == g.current_user.id,
@@ -100,10 +99,9 @@ def admin_delete_app_provider(provider: str):
     if not admin_memberships:
         return api_response(success=False, message="Admin access required", status=403, error_type="FORBIDDEN")
 
-    cfg = ApplicationProviderConfig.query.filter_by(provider_type=provider).first()
+    cfg = ApplicationProviderConfig.query.filter_by(provider_type=provider, deleted_at=None).first()
     if not cfg:
         return api_response(success=False, message=f"Provider '{provider}' is not configured", status=404, error_type="NOT_FOUND")
 
-    db.session.delete(cfg)
-    db.session.commit()
+    cfg.delete()
     return api_response(message=f"{provider.capitalize()} OAuth provider configuration removed")

gatehouse_app/api/v1/external_auth/oauth.py

@@ -174,6 +174,7 @@ def select_organization():
 
         auth_method = AuthenticationMethod.query.filter_by(
             method_type=state_record.provider_type,
+            deleted_at=None,
         ).order_by(AuthenticationMethod.created_at.desc()).first()
 
         if not auth_method:
@@ -181,11 +182,11 @@ def select_organization():
 
         user = auth_method.user
 
-        org = Organization.query.get(organization_id)
+        org = Organization.query.filter_by(id=organization_id, deleted_at=None).first()
         if not org:
             return api_response(success=False, message="Organization not found", status=404, error_type="NOT_FOUND")
 
-        member = OrganizationMember.query.filter_by(user_id=user.id, organization_id=organization_id).first()
+        member = OrganizationMember.query.filter_by(user_id=user.id, organization_id=organization_id, deleted_at=None).first()
         if not member:
             return api_response(success=False, message="You are not a member of this organization", status=403, error_type="FORBIDDEN")
 

gatehouse_app/api/v1/external_auth/providers.py

@@ -14,13 +14,13 @@ from gatehouse_app.api.v1.external_auth._helpers import get_provider_type, _get_
 def list_providers():
     from gatehouse_app.models.auth.authentication_method import ApplicationProviderConfig
 
-    app_configs = {c.provider_type.lower(): c for c in ApplicationProviderConfig.query.filter_by(is_enabled=True).all()}
+    app_configs = {c.provider_type.lower(): c for c in ApplicationProviderConfig.query.filter_by(is_enabled=True, deleted_at=None).all()}
 
     user_orgs = g.current_user.get_organizations()
     org_configs = {}
     if user_orgs:
         organization_id = user_orgs[0].id
-        org_level = ExternalProviderConfig.query.filter_by(organization_id=organization_id).all()
+        org_level = ExternalProviderConfig.query.filter_by(organization_id=organization_id, deleted_at=None).all()
         org_configs = {c.provider_type.lower(): c for c in org_level}
 
     def provider_info(provider_id, name):
@@ -50,11 +50,11 @@ def get_provider_config(provider: str):
         return api_response(success=False, message="No organizations found for user", status=400, error_type="BAD_REQUEST")
 
     organization_id = user_orgs[0].id
-    member = OrganizationMember.query.filter_by(user_id=g.current_user.id, organization_id=organization_id).first()
+    member = OrganizationMember.query.filter_by(user_id=g.current_user.id, organization_id=organization_id, deleted_at=None).first()
     if not member or member.role not in [OrganizationRole.OWNER, OrganizationRole.ADMIN]:
         return api_response(success=False, message="Admin access required", status=403, error_type="FORBIDDEN")
 
-    config = ExternalProviderConfig.query.filter_by(organization_id=organization_id, provider_type=provider_type.value).first()
+    config = ExternalProviderConfig.query.filter_by(organization_id=organization_id, provider_type=provider_type.value, deleted_at=None).first()
     if not config:
         return api_response(success=False, message=f"{provider.title()} OAuth is not configured", status=404, error_type="NOT_FOUND")
 
@@ -74,7 +74,7 @@ def create_or_update_provider_config(provider: str):
         return api_response(success=False, message="No organizations found for user", status=400, error_type="BAD_REQUEST")
 
     organization_id = user_orgs[0].id
-    member = OrganizationMember.query.filter_by(user_id=g.current_user.id, organization_id=organization_id).first()
+    member = OrganizationMember.query.filter_by(user_id=g.current_user.id, organization_id=organization_id, deleted_at=None).first()
     if not member or member.role not in [OrganizationRole.OWNER, OrganizationRole.ADMIN]:
         return api_response(success=False, message="Admin access required", status=403, error_type="FORBIDDEN")
 
@@ -85,7 +85,7 @@ def create_or_update_provider_config(provider: str):
     if not client_id:
         return api_response(success=False, message="client_id is required", status=400, error_type="VALIDATION_ERROR")
 
-    config = ExternalProviderConfig.query.filter_by(organization_id=organization_id, provider_type=provider_type.value).first()
+    config = ExternalProviderConfig.query.filter_by(organization_id=organization_id, provider_type=provider_type.value, deleted_at=None).first()
     is_new = config is None
 
     if config:
@@ -137,11 +137,11 @@ def delete_provider_config(provider: str):
         return api_response(success=False, message="No organizations found for user", status=400, error_type="BAD_REQUEST")
 
     organization_id = user_orgs[0].id
-    member = OrganizationMember.query.filter_by(user_id=g.current_user.id, organization_id=organization_id).first()
+    member = OrganizationMember.query.filter_by(user_id=g.current_user.id, organization_id=organization_id, deleted_at=None).first()
     if not member or member.role not in [OrganizationRole.OWNER, OrganizationRole.ADMIN]:
         return api_response(success=False, message="Admin access required", status=403, error_type="FORBIDDEN")
 
-    config = ExternalProviderConfig.query.filter_by(organization_id=organization_id, provider_type=provider_type.value).first()
+    config = ExternalProviderConfig.query.filter_by(organization_id=organization_id, provider_type=provider_type.value, deleted_at=None).first()
     if not config:
         return api_response(success=False, message=f"{provider.title()} OAuth is not configured", status=404, error_type="NOT_FOUND")
 

gatehouse_app/api/v1/oidc.py

@@ -819,9 +819,9 @@ def oidc_register():
 
     org_id = data.get("organization_id")
     if org_id:
-        organization = Organization.query.get(org_id)
+        organization = Organization.query.filter_by(id=org_id, deleted_at=None).first()
     else:
-        organization = Organization.query.filter_by(is_active=True).first()
+        organization = Organization.query.filter_by(is_active=True, deleted_at=None).first()
 
     if not organization:
         organization = Organization(

gatehouse_app/api/v1/organizations/members.py

@@ -158,7 +158,7 @@ def send_mfa_reminder(org_id, user_id):
     if not user:
         return api_response(success=False, message="User not found", status=404)
 
-    compliance = MfaPolicyCompliance.query.filter_by(user_id=user_id, organization_id=org_id).first()
+    compliance = MfaPolicyCompliance.query.filter_by(user_id=user_id, organization_id=org_id, deleted_at=None).first()
     policy = OrganizationSecurityPolicy.query.filter_by(organization_id=org_id).first()
 
     if compliance and policy and compliance.deadline_at:

gatehouse_app/api/v1/ssh/certs.py

@@ -68,7 +68,7 @@ def sign_certificate():
     )
 
     allowed_principal_names = set()
-    memberships = OrganizationMember.query.filter_by(user_id=user_id).all()
+    memberships = OrganizationMember.query.filter_by(user_id=user_id, deleted_at=None).all()
     for om in memberships:
         org = om.organization
         if not org or org.deleted_at is not None: