Step 2 follow-up: use any usable Mealie token for the boot backfill

System MEALIE_API_TOKEN is 401 (legacy 'Cauldron' token from Mealie mint long ago, since rotated/expired). The backfill tries it first; on 401 falls back to any stored per-user token via the new db.first_usable_mealie_token helper. Cobb's user is admin in Mealie and his token returns the full group catalog, so the backfill works without minting a fresh system token.
2026-04-30 11:53:34 -07:00 · 2026-04-30 11:53:34 -07:00 · 5e62da2013
commit 5e62da2013
parent f74a627ac7
2 changed files with 36 additions and 4 deletions
--- a/cauldron/db.py
+++ b/cauldron/db.py
@ -375,6 +375,23 @@ class DB:

    # --- mealie token ops ---------------------------------------------------

+    def first_usable_mealie_token(self) -> dict | None:
+        """Return the freshest (last_validated DESC) per-user encrypted Mealie
+        token row. Used at boot as a fallback when the system MEALIE_API_TOKEN
+        env is dead — group admins can list foods, so any user's token works
+        for the backfill scan."""
+        with self.conn() as c, c.cursor() as cur:
+            cur.execute(
+                """SELECT authentik_sub, encrypted_token
+                   FROM cauldron_user_mealie_tokens
+                   WHERE last_failure_at IS NULL OR
+                         last_validated > COALESCE(last_failure_at, '1970-01-01')
+                   ORDER BY last_validated DESC, created_at DESC
+                   LIMIT 1"""
+            )
+            row = cur.fetchone()
+            return dict(row) if row else None
+
    def get_user_mealie_token_blob(self, sub: str) -> bytes | None:
        with self.conn() as c, c.cursor() as cur:
            cur.execute(