refactored to green: all references in urlpatterns thruout project to apps/ dir now skip it & point directly to the app contained w.in (i.e., not apps/lyric/ or apps/dashboard/, but lyric/ or dashboard/ now

.woodpecker.yaml

@@ -6,31 +6,44 @@ services:
       POSTGRES_USER: postgres
       POSTGRES_PASSWORD: postgres
 
+  - name: redis
+    image: redis:7
+
 steps:
   - name: test-UTs-n-ITs
     image: python:3.13-slim
     environment:
       DATABASE_URL: postgresql://postgres:postgres@postgres/python_tdd_test
+      CELERY_BROKER_URL: redis://redis:6379/0
+      REDIS_URL: redis://redis:6379/1
     commands:
       - pip install -r requirements.txt
       - cd ./src
       - python manage.py test apps
+    when:
+      - event: push
 
   - name: test-FTs
     image: gitea.earthmanrpg.me/discoman/python-tdd-ci:latest
     environment:
       HEADLESS: 1
+      CELERY_BROKER_URL: redis://redis:6379/0
+      REDIS_URL: redis://redis:6379/1
     commands:
+      - pip install -r requirements.txt
       - cd ./src
       - python manage.py collectstatic --noinput
       - python manage.py test functional_tests
+    when:
+      - event: push
 
   - name: screendumps
     image: gitea.earthmanrpg.me/discoman/python-tdd-ci:latest
-    when:
-      - status: failure
     commands:
       - cat ./src/functional_tests/screendumps/*.html || echo "No screendumps found"
+    when:
+      - event: push
+        status: failure
 
   - name: build-and-push
     image: docker:cli
@@ -43,7 +56,7 @@ steps:
       - docker push gitea.earthmanrpg.me/discoman/gamearray:latest
     when:
       - branch: main
-      - event: push
+        event: push
 
   - name: deploy
     image: alpine
@@ -58,5 +71,5 @@ steps:
       - ssh -o StrictHostKeyChecking=no discoman@staging.earthmanrpg.me /opt/gamearray/deploy.sh
     when:
       - branch: main
-      - event: push
+        event: push
     

infra/deploy-playbook.yaml

@@ -114,6 +114,15 @@
           POSTGRES_USER: gamearray
           POSTGRES_PASSWORD: "{{ postgres_password }}"
 
+    - name: Start Redis container
+      community.docker.docker_container:
+        name: gamearray_redis
+        image: redis:7
+        state: started
+        restart_policy: unless-stopped
+        networks:
+          - name: gamearray_net
+
     - name: Run container
       community.docker.docker_container:
         name: gamearray
@@ -124,13 +133,36 @@
           DJANGO_DEBUG_FALSE: "1"
           DJANGO_SECRET_KEY: "{{ secret_key.content | b64decode }}"
           DJANGO_ALLOWED_HOST: "{{ django_allowed_host }}"
+          DJANGO_SUPERUSER_EMAIL: "{{ django_superuser_email }}"
+          DJANGO_SUPERUSER_PASSWORD: "{{ django_superuser_password }}"
           DATABASE_URL: "postgresql://gamearray:{{ postgres_password }}@gamearray_postgres/gamearray"
           MAILGUN_API_KEY: "{{  mailgun_api_key }}"
+          CELERY_BROKER_URL: "redis://gamearray_redis:6379/0"
+          REDIS_URL: "redis://gamearray_redis:6379/1"
         networks:
           - name: gamearray_net
         ports:
           127.0.0.1:8888:8888
 
+    - name: Start Celery worker container
+      community.docker.docker_container:
+        name: gamearray_celery
+        image: gitea.earthmanrpg.me/discoman/gamearray:latest
+        state: started
+        recreate: true
+        env:
+          DJANGO_DEBUG_FALSE: "1"
+          DJANGO_SECRET_KEY: "{{ secret_key.content | b64decode }}"
+          DJANGO_ALLOWED_HOST: "{{ django_allowed_host }}"
+          DATABASE_URL: "postgresql://gamearray:{{ postgres_password }}@gamearray_postgres/gamearray"
+          MAILGUN_API_KEY: "{{  mailgun_api_key }}"
+          CELERY_BROKER_URL: "redis://gamearray_redis:6379/0"
+          REDIS_URL: "redis://gamearray_redis:6379/1"
+        networks:
+          - name: gamearray_net
+        command: "python -m celery -A core worker -l info"
+
+
     - name: Create static files directory
       ansible.builtin.file:
         path: /var/www/gamearray/static
@@ -149,6 +181,11 @@
         container: gamearray
         command: python manage.py migrate
 
+    - name: Ensure superuser exists
+      community.docker.docker_container_exec:
+        container: gamearray
+        command: python manage.py ensure_superuser
+
   handlers:
     - name: Restart nginx
       ansible.builtin.service:

infra/deploy.sh.j2

@@ -17,9 +17,22 @@ docker run -d --name gamearray \
     -p 127.0.0.1:8888:8888 \
     "$IMAGE"
 
+echo "==> Stopping old celery worker..."
+docker stop gamearray_celery 2>/dev/null || true
+docker rm gamearray_celery 2>/dev/null || true
+
+echo "==> Starting new celery worker..."
+docker run -d --name gamearray_celery \
+    --env-file /opt/gamearray/gamearray.env \
+    --network gamearray_net \
+    "$IMAGE" python -m celery -A core worker -l info
+
 echo "==> Running migrations..."
 docker exec gamearray python ./manage.py migrate
 
+echo "==> Ensuring superuser exists..."
+docker exec gamearray python manage.py ensure_superuser
+
 echo "==> Copying static files..."
 sudo docker cp gamearray:/src/static/. /var/www/gamearray/static/
 

infra/gamearray.env.j2

@@ -1,5 +1,10 @@
 DJANGO_DEBUG_FALSE=1
 DJANGO_SECRET_KEY={{ secret_key.content | b64decode }}
 DJANGO_ALLOWED_HOST={{ django_allowed_host }}
+DJANGO_SUPERUSER_EMAIL={{ django_superuser_email }}
+DJANGO_SUPERUSER_PASSWORD={{ django_superuser_password }}
 DATABASE_URL=postgresql://gamearray:{{ postgres_password }}@gamearray_postgres/gamearray
 MAILGUN_API_KEY={{ mailgun_api_key }}
+CELERY_BROKER_URL=redis://gamearray_redis:6379/0
+REDIS_URL=redis://gamearray_redis:6379/1
+

infra/group_vars/staging/vault.yaml

@@ -1,23 +1,28 @@
 $ANSIBLE_VAULT;1.1;AES256
-33616230376431343735626631623932393166343538653732383533323436326335343463646664
-6565373531623465613661613533376231373837326438300a393665613839646231633737313938
-64633035336663313163333634623732323537326363646132313136376131636666636538323066
-3037373930303537320a313062646166353862633836373466316261363939633433663039323866
-62333739303662343836306538393734343830366336323265393138343438363533353166383031
-32313461313137643039376237346633316466646136353038633861333031663164656233366634
-38303363383130376264373861393863623330623733643135643461383132613339376633353031
-32313863323039646534633733383661333361313832333830383066633130396239626661643264
-65636335303339613432326533343337366261356632313639623634386633383836333733663536
-39383361353530646166643531333535356636326535383534326237666638326137616162646261
-65316466323335653932636338653565383038313531383638393839313736643739363037353230
-35653632353531656435396663316537333133653632366437613339303033333536643937353166
-64363037653733303332643931343362303261643432366531326262383465313965633064356338
-31336333373665373035656533633864316139303934623030383934393434356334643962666163
-33343739366336613263333764306365333566363536616662383733616237396563346132336633
-38663239613339376335386233386330396634323033343332366130616162666339393861306336
-35383566383831356530633130313732356331616164646132626665646235396635386237313538
-38656631336261646530303761643334303937613036363766303637376262373466316431323731
-38666462313639353131303134646434646135366136343361353932326165626666306361393431
-62646238323265346263386363373462313766616333326366366461346436383064336535376339
-31356566356336386262393831616631666233633930393263623563386265343237323133313832
-3430363635363332303963316530663765613666306233376463
+65383061626464353936363564313761663834646361326362613934363565623234636337313363
+3933313962643261353830333463336166393030313936370a616234626135633432613366633363
+61633265363937326231623365646336333737306634646335376135633031643564666164336230
+3435353764383936620a396165386538666433356166383661323037333861373632376432313332
+66666236373462363236663335623734633364653539323331396361613738636166323134386466
+66656431663261633036333537373336643866623236643139656662333831366435373837656262
+36333734376363373462643239623437623735373935633732343639313666663436616630363933
+61396530336461393064323161666537646135383462383532363932326132363331633438313138
+61623431326537313637626239653038353263313731303262653537316134383264616661623962
+32333564366362383431336432303964663835363365636434303332613161363930333065336637
+33343466343062306434663765613837343635386630326439303739616166396134393939626434
+62336634303963653230626630636363343730623734626336363039623231633532653330646366
+66613432633834393133386666623466326131386633303264333766306135623337353433306632
+66323733373232383862646661313966366465333463366361366337656537623562613964666631
+65373566316432383134666434393338626138363632633766636561383263333636623530326664
+63333265366132376437396431393535323931383637323833303839336635633735333565333530
+65343263373630633063383931646163323237643436366566363932646566323539373136646433
+37623638333834373537316164633166633738333363656431356163623332396631353864333333
+33306666646532626636376239326438373737383432663539333736363866663938396136383035
+32343534613862653538346430313338326435356230636535343464666262626663376635363835
+65363862663461353464313533313333323863313539643533343431643130383663656161616131
+33323639333564383830346163386362386238323936393832623961646565613961356263356365
+65376431666130356564666236383764316136326366666661326538653133343165326431393564
+36303065366263316232663230343137333231346538633036613066643365616331336135376461
+35613265623134663633303238366363336137383436663836353863623533396236666433303738
+38356361653633323065303035376664326238633066623731623436333332373363636634323433
+393631303539373234386465663630316335

requirements.dev.txt

@@ -9,6 +9,7 @@ dj-database-url
 Django==6.0
 django-stubs==5.2.8
 django-stubs-ext==5.2.8
+djangorestframework
 gunicorn==23.0.0
 h11==0.16.0
 idna==3.11

requirements.txt

@@ -1,10 +1,13 @@
+celery
 cssselect==1.3.0
 Django==6.0
 dj-database-url
 django-stubs==5.2.8
 django-stubs-ext==5.2.8
+djangorestframework
 gunicorn==23.0.0
 lxml==6.0.2
 psycopg2-binary
+redis
 requests==2.31.0
 whitenoise==6.11.0

src/apps/api/serializers.py

@@ -0,0 +1,17 @@
+from rest_framework import serializers
+from apps.dashboard.models import Item, List
+
+
+class ItemSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = Item
+        fields = ["id", "text"]
+
+class ListSerializer(serializers.ModelSerializer):
+    name = serializers.ReadOnlyField()
+    url = serializers.CharField(source="get_absolute_url", read_only=True)
+    items = ItemSerializer(many=True, read_only=True, source="item_set")
+
+    class Meta:
+        model = List
+        fields = ["id", "name", "url", "items"]

src/apps/api/tests/integrated/test_views.py

@@ -0,0 +1,62 @@
+from django.test import TestCase
+from rest_framework.test import APIClient
+
+from apps.dashboard.models import Item, List
+from apps.lyric.models import User
+
+class BaseAPITest(TestCase):
+    # Helper fns
+    def setUp(self):
+        self.client = APIClient()
+        self.user = User.objects.create_user("test@example.com")
+        self.client.force_authenticate(user=self.user)
+
+class ListDetailAPITest(BaseAPITest):
+    def test_returns_list_with_items(self):
+        list_ = List.objects.create(owner=self.user)
+        Item.objects.create(text="item 1", list=list_)
+        Item.objects.create(text="item 2", list=list_)
+
+        response = self.client.get(f"/api/lists/{list_.id}/")
+
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.data["id"], list_.id)
+        self.assertEqual(len(response.data["items"]), 2)
+
+class ListItemsAPITest(BaseAPITest):
+
+    def test_can_add_item_to_list(self):
+        list_ = List.objects.create(owner=self.user)
+
+        response = self.client.post(
+            f"/api/lists/{list_.id}/items/",
+            {"text": "a new item"},
+        )
+
+        self.assertEqual(response.status_code, 201)
+        self.assertEqual(Item.objects.count(), 1)
+        self.assertEqual(Item.objects.first().text, "a new item")
+
+class ListsAPITest(BaseAPITest):
+    def test_get_returns_only_users_lists(self):
+        list1 = List.objects.create(owner=self.user)
+        Item.objects.create(text="item 1", list=list1)
+        other_user = User.objects.create_user("other@example.com")
+        List.objects.create(owner=other_user)
+
+        response = self.client.get("/api/lists/")
+
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.data), 1)
+        self.assertEqual(response.data[0]["id"], list1.id)
+
+    def test_post_creates_list_with_item(self):
+        response = self.client.post(
+            "/api/lists/",
+            {"text": "first item"},
+        )
+
+        self.assertEqual(response.status_code, 201)
+        self.assertEqual(List.objects.count(), 1)
+        self.assertEqual(List.objects.first().owner, self.user)
+        self.assertEqual(Item.objects.first().text, "first item")

src/apps/api/tests/unit/test_serializers.py

@@ -0,0 +1,20 @@
+from django.test import SimpleTestCase
+from apps.api.serializers import ItemSerializer, ListSerializer
+
+
+class ItemSerializerTest(SimpleTestCase):
+    def test_fields(self):
+        serializer = ItemSerializer()
+        self.assertEqual(
+            set(serializer.fields.keys()),
+            {"id", "text"},
+        )
+
+class ListSerializerTest(SimpleTestCase):
+    def test_fields(self):
+        serializer = ListSerializer()
+        self.assertEqual(
+            set(serializer.fields.keys()),
+            {"id", "name", "url", "items"},
+        )
+        

src/apps/api/urls.py

@@ -0,0 +1,11 @@
+from django.urls import path
+
+from . import views
+
+
+urlpatterns = [
+    path('', views.ListsAPI.as_view(), name='api_lists'),
+    path('<int:list_id>/', views.ListDetailAPI.as_view(), name='api_list_detail'),
+    path('<int:list_id>/items/', views.ListItemsAPI.as_view(), name='api_list_items'),
+]
+

src/apps/api/views.py

@@ -0,0 +1,34 @@
+from django.shortcuts import get_object_or_404
+from rest_framework.views import APIView
+from rest_framework.response import Response
+
+from apps.dashboard.models import Item, List
+from apps.api.serializers import ItemSerializer, ListSerializer
+
+
+class ListDetailAPI(APIView):
+    def get(self, request, list_id):
+        list_ = get_object_or_404(List, id=list_id)
+        serializer = ListSerializer(list_)
+        return Response(serializer.data)
+    
+class ListItemsAPI(APIView):
+    def post(self, request, list_id):
+        list_ = get_object_or_404(List, id=list_id)
+        serializer = ItemSerializer(data=request.data)
+        if serializer.is_valid():
+            serializer.save(list=list_)
+            return Response(serializer.data, status=201)
+        return Response(serializer.errors, status=400)
+    
+class ListsAPI(APIView):
+    def get(self, request):
+        lists = List.objects.filter(owner=request.user)
+        serializer = ListSerializer(lists, many=True)
+        return Response(serializer.data)
+
+    def post(self, request):
+        list_ = List.objects.create(owner=request.user)
+        item = Item.objects.create(text=request.data.get("text", ""), list=list_)
+        serializer = ListSerializer(list_)
+        return Response(serializer.data, status=201)

src/apps/dashboard/tests/integrated/test_models.py

@@ -43,7 +43,7 @@ class ItemModelTest(TestCase):
 class ListModelTest(TestCase):
         def test_get_absolute_url(self):
             mylist = List.objects.create()
-            self.assertEqual(mylist.get_absolute_url(), f"/apps/dashboard/{mylist.id}/")
+            self.assertEqual(mylist.get_absolute_url(), f"/dashboard/{mylist.id}/")
 
         def test_list_items_order(self):
             list1 = List.objects.create()

src/apps/dashboard/tests/integrated/test_views.py

@@ -1,7 +1,7 @@
 import lxml.html
-from unittest import skip
 
 from django.test import TestCase
+from django.urls import reverse
 from django.utils import html
 
 from apps.dashboard.forms import (
@@ -21,26 +21,26 @@ class HomePageTest(TestCase):
         response = self.client.get('/')
         parsed = lxml.html.fromstring(response.content)
         forms = parsed.cssselect('form[method=POST]')
-        self.assertIn("/apps/dashboard/new_list", [form.get("action") for form in forms])
-        [form] = [form for form in forms if form.get("action") == "/apps/dashboard/new_list"]
+        self.assertIn("/dashboard/new_list", [form.get("action") for form in forms])
+        [form] = [form for form in forms if form.get("action") == "/dashboard/new_list"]
         inputs = form.cssselect("input")
         self.assertIn("text", [input.get("name") for input in inputs])
 
 class NewListTest(TestCase):
     def test_can_save_a_POST_request(self):
-        self. client.post("/apps/dashboard/new_list", data={"text": "A new list item"})
+        self. client.post("/dashboard/new_list", data={"text": "A new list item"})
         self.assertEqual(Item.objects.count(), 1)
         new_item = Item.objects.get()
         self.assertEqual(new_item.text, "A new list item")
 
     def test_redirects_after_POST(self):
-        response = self.client.post("/apps/dashboard/new_list", data={"text": "A new list item"})
+        response = self.client.post("/dashboard/new_list", data={"text": "A new list item"})
         new_list = List.objects.get()
-        self.assertRedirects(response, f"/apps/dashboard/{new_list.id}/")
+        self.assertRedirects(response, f"/dashboard/{new_list.id}/")
 
     # Post invalid input helper
     def post_invalid_input(self):
-        return self.client.post("/apps/dashboard/new_list", data={"text": ""})
+        return self.client.post("/dashboard/new_list", data={"text": ""})
 
     def test_for_invalid_input_nothing_saved_to_db(self):
         self.post_invalid_input()
@@ -58,12 +58,12 @@ class NewListTest(TestCase):
 class ListViewTest(TestCase):
     def test_uses_list_template(self):
         mylist = List.objects.create()
-        response = self.client.get(f"/apps/dashboard/{mylist.id}/")
+        response = self.client.get(f"/dashboard/{mylist.id}/")
         self.assertTemplateUsed(response, "apps/dashboard/list.html")
 
     def test_renders_input_form(self):
         mylist = List.objects.create()
-        url = f"/apps/dashboard/{mylist.id}/"
+        url = f"/dashboard/{mylist.id}/"
         response = self.client.get(url)
         parsed = lxml.html.fromstring(response.content)
         forms = parsed.cssselect("form[method=POST]")
@@ -80,7 +80,7 @@ class ListViewTest(TestCase):
         other_list = List.objects.create()
         Item.objects.create(text="other list item", list=other_list)
         # When/Act
-        response = self.client.get(f"/apps/dashboard/{correct_list.id}/")
+        response = self.client.get(f"/dashboard/{correct_list.id}/")
         # Then/Assert
         self.assertContains(response, "itemey 1")
         self.assertContains(response, "itemey 2")
@@ -91,7 +91,7 @@ class ListViewTest(TestCase):
         correct_list = List.objects.create()
 
         self.client.post(
-            f"/apps/dashboard/{correct_list.id}/",
+            f"/dashboard/{correct_list.id}/",
             data={"text": "A new item for an existing list"},
         )
 
@@ -105,16 +105,16 @@ class ListViewTest(TestCase):
         correct_list = List.objects.create()
 
         response = self.client.post(
-            f"/apps/dashboard/{correct_list.id}/",
+            f"/dashboard/{correct_list.id}/",
             data={"text": "A new item for an existing list"},
         )
 
-        self.assertRedirects(response, f"/apps/dashboard/{correct_list.id}/")
+        self.assertRedirects(response, f"/dashboard/{correct_list.id}/")
 
     # Post invalid input helper
     def post_invalid_input(self):
         mylist = List.objects.create()
-        return self.client.post(f"/apps/dashboard/{mylist.id}/", data={"text": ""})
+        return self.client.post(f"/dashboard/{mylist.id}/", data={"text": ""})
 
     def test_for_invalid_input_nothing_saved_to_db(self):
         self.post_invalid_input()
@@ -140,7 +140,7 @@ class ListViewTest(TestCase):
         Item.objects.create(list=list1, text="lorem ipsum")
 
         response = self.client.post(
-            f"/apps/dashboard/{list1.id}/",
+            f"/dashboard/{list1.id}/",
             data={"text": "lorem ipsum"},
         )
 
@@ -153,26 +153,26 @@ class MyListsTest(TestCase):
     def test_my_lists_url_renders_my_lists_template(self):
         user = User.objects.create(email="a@b.cde")
         self.client.force_login(user)
-        response = self.client.get(f"/apps/dashboard/users/{user.id}/")
+        response = self.client.get(f"/dashboard/users/{user.id}/")
         self.assertTemplateUsed(response, "apps/dashboard/my_lists.html")
 
     def test_passes_correct_owner_to_template(self):
         User.objects.create(email="wrongowner@example.com")
         correct_user = User.objects.create(email="a@b.cde")
         self.client.force_login(correct_user)
-        response = self.client.get(f"/apps/dashboard/users/{correct_user.id}/")
+        response = self.client.get(f"/dashboard/users/{correct_user.id}/")
         self.assertEqual(response.context["owner"], correct_user)
 
     def test_list_owner_is_saved_if_user_is_authenticated(self):
         user = User.objects.create(email="a@b.cde")
         self.client.force_login(user)
-        self.client.post("/apps/dashboard/new_list", data={"text": "new item"})
+        self.client.post("/dashboard/new_list", data={"text": "new item"})
         new_list = List.objects.get()
         self.assertEqual(new_list.owner, user)
 
     def test_my_lists_redirects_if_not_logged_in(self):
         user  = User.objects.create(email="a@b.cde")
-        response = self.client.get(f"/apps/dashboard/users/{user.id}/")
+        response = self.client.get(f"/dashboard/users/{user.id}/")
         self.assertRedirects(response, "/")
 
     def test_my_lists_returns_403_for_wrong_user(self):
@@ -180,7 +180,7 @@ class MyListsTest(TestCase):
         user1 = User.objects.create(email="a@b.cde")
         user2 = User.objects.create(email="wrongowner@example.com")
         self.client.force_login(user2)
-        response = self.client.get(f"/apps/dashboard/users/{user1.id}/")
+        response = self.client.get(f"/dashboard/users/{user1.id}/")
         # assert 403
         self.assertEqual(response.status_code, 403)
 
@@ -189,16 +189,16 @@ class ShareListTest(TestCase):
         our_list = List.objects.create()
         alice = User.objects.create(email="alice@example.com")
         response = self.client.post(
-            f"/apps/dashboard/{our_list.id}/share_list",
+            f"/dashboard/{our_list.id}/share_list",
             data={"recipient": "alice@example.com"},
         )
-        self.assertRedirects(response, f"/apps/dashboard/{our_list.id}/")
+        self.assertRedirects(response, f"/dashboard/{our_list.id}/")
 
     def test_post_with_email_adds_user_to_shared_with(self):
         our_list = List.objects.create()
         alice = User.objects.create(email="alice@example.com")
         self.client.post(
-            f"/apps/dashboard/{our_list.id}/share_list",
+            f"/dashboard/{our_list.id}/share_list",
             data={"recipient": "alice@example.com"},
         )
         self.assertIn(alice, our_list.shared_with.all())
@@ -206,7 +206,37 @@ class ShareListTest(TestCase):
     def test_post_with_nonexistent_email_redirects_to_list(self):
         our_list = List.objects.create()
         response = self.client.post(
-            f"/apps/dashboard/{our_list.id}/share_list",
+            f"/dashboard/{our_list.id}/share_list",
             data={"recipient": "nobody@example.com"},
         )
-        self.assertRedirects(response, f"/apps/dashboard/{our_list.id}/")
+        self.assertRedirects(response, f"/dashboard/{our_list.id}/")
+
+    def test_share_list_does_not_add_owner_as_recipient(self):
+        owner = User.objects.create(email="owner@example.com")
+        our_list = List.objects.create(owner=owner)
+        self.client.force_login(owner)
+        self.client.post(reverse("share_list", args=[our_list.id]),
+                         data={"recipient": "owner@example.com"})
+        self.assertNotIn(owner, our_list.shared_with.all())
+
+class ViewAuthListTest(TestCase):
+    def setUp(self):
+        self.owner = User.objects.create(email="disco@example.com")
+        self.our_list = List.objects.create(owner=self.owner)
+
+    def test_anonymous_user_is_redirected(self):
+        response = self.client.get(reverse("view_list", args=[self.our_list.id]))
+        self.assertRedirects(response, "/")
+
+    def test_non_owner_non_shared_user_gets_403(self):
+        stranger = User.objects.create(email="stranger@example.com")
+        self.client.force_login(stranger)
+        response = self.client.get(reverse("view_list", args=[self.our_list.id]))
+        self.assertEqual(response.status_code, 403)
+
+    def test_shared_with_user_can_access_list(self):
+        guest = User.objects.create(email="guest@example.com")
+        self.our_list.shared_with.add(guest)
+        self.client.force_login(guest)
+        response = self.client.get(reverse("view_list", args=[self.our_list.id]))
+        self.assertEqual(response.status_code, 200)

src/apps/dashboard/views.py

@@ -1,9 +1,11 @@
 from django.http import HttpResponseForbidden
 from django.shortcuts import redirect, render
+
 from .forms import ExistingListItemForm, ItemForm
 from .models import Item, List
 from apps.lyric.models import User
 
+
 def home_page(request):
     return render(request, "apps/dashboard/home.html", {"form": ItemForm()})
 
@@ -21,6 +23,13 @@ def new_list(request):
 
 def view_list(request, list_id):
     our_list = List.objects.get(id=list_id)
+
+    if our_list.owner:
+        if not request.user.is_authenticated:
+            return redirect("/")
+        if request.user != our_list.owner and request.user not in our_list.shared_with.all():
+            return HttpResponseForbidden()
+
     form = ExistingListItemForm(for_list=our_list)
 
     if request.method == "POST":
@@ -42,6 +51,8 @@ def share_list(request, list_id):
     our_list = List.objects.get(id=list_id)
     try:
         recipient = User.objects.get(email=request.POST["recipient"])
+        if recipient == request.user:
+            return redirect(our_list)
         our_list.shared_with.add(recipient)
     except User.DoesNotExist:
         pass

src/apps/lyric/admin.py

@@ -1,6 +1,11 @@
 from django.contrib import admin
+
 from .models import Token, User
 
 
-admin.site.register(User)
+class UserAdmin(admin.ModelAdmin):
+    list_display = ["email"]
+    search_fields = ["email"]
+
+admin.site.register(User, UserAdmin)
 admin.site.register(Token)

src/apps/lyric/management/commands/ensure_superuser.py

@@ -0,0 +1,21 @@
+import os
+
+from django.core.management.base import BaseCommand
+
+from apps.lyric.models import User
+
+
+class Command(BaseCommand):
+    help = "Create a superuser if none exists"
+
+    def handle(self, *args, **options):
+        if User.objects.filter(is_superuser=True).exists():
+            self.stdout.write("Superuser already exists!")
+            return
+        email = os.environ.get('DJANGO_SUPERUSER_EMAIL')
+        password = os.environ.get('DJANGO_SUPERUSER_PASSWORD')
+        if not email or not password:
+            self.stdout.write("Superuser credentials not set!—skipping")
+            return
+        User.objects.create_superuser(email=email, password=password)
+        self.stdout.write("Superuser created!")

src/apps/lyric/tasks.py

@@ -0,0 +1,24 @@
+import requests
+
+from celery import shared_task
+from django.conf import settings
+
+
+@shared_task
+def send_login_email_task(email, url):
+    message_body = f"Use this magic link to login to your Dashboard:\n\n{url}"
+    # Send mail via Mailgun HTTP API
+    response = requests.post(
+        f"https://api.mailgun.net/v3/{settings.MAILGUN_DOMAIN}/messages",
+        auth=("api", settings.MAILGUN_API_KEY),
+        data={
+            "from": "adman@howdy.earthmanrpg.com",
+            "to": email,
+            "subject": "A magic login link to your Dashboard",
+            "text": message_body,
+        }
+    )
+
+    # Log any errors
+    if response.status_code != 200:
+        print(f"Mailgun API error: {response.status_code}: {response.text}")

src/apps/lyric/tests/integrated/test_admin.py

@@ -0,0 +1,25 @@
+from django.test import TestCase
+
+from apps.lyric.models import User
+
+
+class UserAdminTest(TestCase):
+    def setUp(self):
+        self.superuser = User.objects.create_superuser(
+            email="admin@example.com", password="secret"
+        )
+        self.client.force_login(self.superuser)
+
+    def test_user_changelist_loads(self):
+        response = self.client.get("/admin/lyric/user/")
+        self.assertEqual(response.status_code, 200)
+
+    def test_user_changelist_displays_email(self):
+        response = self.client.get("/admin/lyric/user/")
+        self.assertContains(response, "admin@example.com")
+
+    def test_user_changelist_search_by_email(self):
+        User.objects.create_superuser(email="other@example.com", password="x")
+        response = self.client.get("/admin/lyric/user/?q=admin")
+        self.assertContains(response, "admin@example.com")
+        self.assertNotContains(response, "other@example.com")

src/apps/lyric/tests/integrated/test_management_commands.py

@@ -0,0 +1,34 @@
+import os
+
+from django.core.management import call_command
+from django.test import TestCase
+from unittest.mock import patch
+
+# from apps.lyric.management.commands.ensure_superuser import EnsureSuperuserCommand
+from apps.lyric.models import User
+
+
+FAKE_ENV = {
+    'DJANGO_SUPERUSER_EMAIL': 'admin@example.com',
+    'DJANGO_SUPERUSER_PASSWORD': 'secret',
+}
+
+
+class EnsureSuperuserCommandTest(TestCase):
+    def test_creates_superuser_if_none_exists(self):
+        with patch.dict('os.environ', FAKE_ENV):
+            call_command('ensure_superuser')
+        self.assertEqual(User.objects.filter(is_superuser=True).count(), 1)
+
+    def test_does_not_create_duplicate_if_superuser_exists(self):
+        User.objects.create_superuser(email="admin@example.com", password="secret")
+        with patch.dict('os.environ', FAKE_ENV):
+            call_command('ensure_superuser')
+        self.assertEqual(User.objects.filter(is_superuser=True).count(), 1)
+
+    def test_skips_creation_if_credentials_not_set(self):
+        with patch.dict("os.environ", {}):
+            os.environ.pop("DJANGO_SUPERUSER_EMAIL", None)
+            os.environ.pop("DJANGO_SUPERUSER_PASSWORD", None)
+            call_command("ensure_superuser")
+        self.assertEqual(User.objects.filter(is_superuser=True).count(), 0)

src/apps/lyric/tests/integrated/test_views.py

@@ -5,29 +5,25 @@ from unittest import mock
 from apps.lyric.models import Token
 
 
-
+@mock.patch("apps.lyric.views.send_login_email_task.delay")
 class SendLoginEmailViewTest(TestCase):
-    def test_redirects_to_home_page(self):
+    def test_redirects_to_home_page(self, mock_delay):
         response = self.client.post(
-            "/apps/lyric/send_login_email", data={"email": "discoman@example.com"}
+            "/lyric/send_login_email", data={"email": "discoman@example.com"}
         )
         self.assertRedirects(response, "/")
 
-    @mock.patch("apps.lyric.views.requests.post")
-    def test_sends_mail_to_address_from_post(self, mock_post):
+    def test_sends_mail_to_address_from_post(self, mock_delay):
         self.client.post(
-            "/apps/lyric/send_login_email", data={"email": "discoman@example.com"}
+            "/lyric/send_login_email", data={"email": "discoman@example.com"}
         )
 
-        self.assertEqual(mock_post.called, True)
-        data = mock_post.call_args.kwargs["data"]
-        self.assertEqual(data["subject"], "A magic login link to your Dashboard")
-        self.assertEqual(data["from"], "adman@howdy.earthmanrpg.com")
-        self.assertEqual(data["to"], "discoman@example.com")
+        self.assertEqual(mock_delay.called, True)
+        self.assertEqual(mock_delay.call_args.args[0], "discoman@example.com")
 
-    def test_adds_success_message(self):
+    def test_adds_success_message(self, mock_delay):
         response = self.client.post(
-            "/apps/lyric/send_login_email",
+            "/lyric/send_login_email",
             data={"email": "discoman@example.com"},
             follow=True
         )
@@ -39,28 +35,25 @@ class SendLoginEmailViewTest(TestCase):
         )
         self.assertEqual(message.tags, "success")
 
-    def test_creates_token_associated_with_email(self):
+    def test_creates_token_associated_with_email(self, mock_delay):
         self.client.post(
-            "/apps/lyric/send_login_email", data={"email": "discoman@example.com"}
+            "/lyric/send_login_email", data={"email": "discoman@example.com"}
         )
         token = Token.objects.get()
         self.assertEqual(token.email, "discoman@example.com")
         
-
-    @mock.patch("apps.lyric.views.requests.post")
-    def test_sends_link_to_login_using_token_uid(self, mock_post):
+    def test_sends_link_to_login_using_token_uid(self, mock_delay):
         self.client.post(
-            "/apps/lyric/send_login_email", data={"email": "discoman@example.com"}
+            "/lyric/send_login_email", data={"email": "discoman@example.com"}
         )
 
         token = Token.objects.get()
-        expected_url = f"http://testserver/apps/lyric/login?token={token.uid}"
-        data = mock_post.call_args.kwargs["data"]
-        self.assertIn(expected_url, data["text"])
+        expected_url = f"http://testserver/lyric/login?token={token.uid}"
+        self.assertEqual(mock_delay.call_args.args[1], expected_url)
 
 class LoginViewTest(TestCase):
     def test_redirects_to_home_page(self):
-        response = self.client.get("/apps/lyric/login?token=abc123")
+        response = self.client.get("/lyric/login?token=abc123")
         self.assertRedirects(response, "/")
 
     def test_logs_in_if_given_valid_token(self):
@@ -68,14 +61,14 @@ class LoginViewTest(TestCase):
         self.assertEqual(anon_user.is_authenticated, False)
 
         token = Token.objects.create(email="discoman@example.com")
-        self.client.get(f"/apps/lyric/login?token={token.uid}", follow=True)
+        self.client.get(f"/lyric/login?token={token.uid}", follow=True)
 
         user = auth.get_user(self.client)
         self.assertEqual(user.is_authenticated, True)
         self.assertEqual(user.email, "discoman@example.com")
 
     def test_shows_login_error_if_token_invalid(self):
-        response = self.client.get("/apps/lyric/login?token=invalid-token", follow=True)
+        response = self.client.get("/lyric/login?token=invalid-token", follow=True)
         user = auth.get_user(self.client)
         self.assertEqual(user.is_authenticated, False)
         message = list(response.context["messages"])[0]
@@ -87,7 +80,7 @@ class LoginViewTest(TestCase):
 
     @mock.patch("apps.lyric.views.auth")
     def test_calls_authenticate_with_uid_from_get_request(self, mock_auth):
-        self.client.get("/apps/lyric/login?token=abc123")
+        self.client.get("/lyric/login?token=abc123")
         self.assertEqual(
             mock_auth.authenticate.call_args,
             mock.call(uid="abc123")

src/apps/lyric/tests/unit/test_tasks.py

@@ -0,0 +1,16 @@
+from django.test import SimpleTestCase
+from unittest import mock
+
+from apps.lyric.tasks import send_login_email_task
+
+
+class SendLoginEmailTaskTest(SimpleTestCase):
+    @mock.patch("apps.lyric.tasks.requests.post")
+    def test_sends_mail_via_mailgun(self, mock_post):
+        send_login_email_task("discoman@example.com", "http://example.com/login?token=abc123")
+        self.assertEqual(mock_post.called, True)
+        data = mock_post.call_args.kwargs["data"]
+        self.assertEqual(data["subject"], "A magic login link to your Dashboard")
+        self.assertEqual(data["from"], "adman@howdy.earthmanrpg.com")
+        self.assertEqual(data["to"], "discoman@example.com")
+        self.assertIn("http://example.com/login?token=abc123", data["text"])

src/apps/lyric/views.py

@@ -1,10 +1,10 @@
-import requests
 from django.contrib import auth, messages
-from django.conf import settings
-# from django.core.mail import send_mail
 from django.shortcuts import redirect
 from django.urls import reverse
+
 from .models import Token
+from .tasks import send_login_email_task
+
 
 def send_login_email(request):
     email = request.POST["email"]
@@ -12,26 +12,13 @@ def send_login_email(request):
     url = request.build_absolute_uri(
         reverse("login") + "?token=" + str(token.uid),
     )
-    message_body = f"Use this magic link to login to your Dashboard:\n\n{url}"
-    # Send mail via Mailgun HTTP API
-    response = requests.post(
-        f"https://api.mailgun.net/v3/{settings.MAILGUN_DOMAIN}/messages",
-        auth=("api", settings.MAILGUN_API_KEY),
-        data={
-            "from": "adman@howdy.earthmanrpg.com",
-            "to": email,
-            "subject": "A magic login link to your Dashboard",
-            "text": message_body,
-        },
-    )
-    # Log any errors
-    if response.status_code != 200:
-        print(f"Mailgun API error: {response.status_code}: {response.text}")
 
+    send_login_email_task.delay(email, url)
     messages.success(
         request,
         "Check your email!—there you'll find a magic login link. But hurry… it's only temporary!",
     )
+
     return redirect("/")
 
 def login(request):

src/core/__init__.py

@@ -0,0 +1,3 @@
+from .celery import app as celery_app
+
+__all__ = ("celery_app",)

src/core/celery.py

@@ -0,0 +1,10 @@
+import os
+
+from celery import Celery
+
+
+os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'core.settings')
+
+app = Celery('core')
+app.config_from_object('django.conf:settings', namespace='CELERY')
+app.autodiscover_tasks()

src/core/settings.py

@@ -54,8 +54,10 @@ INSTALLED_APPS = [
     # Custom apps
     'apps.dashboard',
     'apps.lyric',
+    'apps.api',
     'functional_tests',
     # Depend apps
+    'rest_framework',
 ]
 
 # if 'DJANGO_DEBUG_FALSE' not in os.environ:
@@ -107,6 +109,17 @@ else:
         }
     }
 
+# Celery & Redis
+CELERY_BROKER_URL = os.environ.get('CELERY_BROKER_URL', 'redis://localhost:6379/0')
+REDIS_URL = os.environ.get('REDIS_URL')
+if REDIS_URL:
+    CACHES = {
+        'default': {
+            'BACKEND': 'django.core.cache.backends.redis.RedisCache',
+            'LOCATION': REDIS_URL,
+        }
+    }
+    SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db'
 
 # Password validation
 # https://docs.djangoproject.com/en/6.0/ref/settings/#auth-password-validators

src/core/urls.py

@@ -6,8 +6,9 @@ from apps.dashboard import views as dash_views
 urlpatterns = [
     path('admin/', admin.site.urls),
     path('', dash_views.home_page, name='home'),
-    path('apps/dashboard/', include('apps.dashboard.urls')),
-    path('apps/lyric/', include('apps.lyric.urls')),
+    path('dashboard/', include('apps.dashboard.urls')),
+    path('lyric/', include('apps.lyric.urls')),
+    path('api/lists/', include('apps.api.urls')),
 ]
 
 # Please remove the following urlpattern

src/functional_tests/test_login.py

@@ -1,9 +1,11 @@
 import re
+
 from unittest.mock import patch
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
 
 from .base import FunctionalTest
+from apps.lyric.tasks import send_login_email_task
 
 
 TEST_EMAIL = "discoman@example.com"
@@ -11,8 +13,10 @@ SUBJECT = "A magic login link to your Dashboard"
 
 
 class LoginTest(FunctionalTest):
-    @patch('apps.lyric.views.requests.post')
-    def test_login_using_magic_link(self, mock_post):
+    @patch('apps.lyric.tasks.requests.post')
+    @patch('apps.lyric.views.send_login_email_task.delay',
+           side_effect=send_login_email_task)
+    def test_login_using_magic_link(self, mock_delay, mock_post):
         # Mock successful Mailgun API response
         mock_post.return_value.status_code = 200
 

src/functional_tests/test_sharing.py

@@ -1,5 +1,6 @@
 import os
 
+from django.conf import settings
 from selenium import webdriver
 from selenium.webdriver.common.by import By
 
@@ -57,3 +58,16 @@ class SharingTest(FunctionalTest):
         self.browser = disco_browser
         self.browser.refresh()
         list_page.wait_for_row_in_list_table("At your command, Disco King", 2)
+
+class ListAccessTest(FunctionalTest):
+    def test_stranger_cannot_access_owned_list(self):
+        self.create_pre_authenticated_session("disco@example.com")
+        self.browser.get(self.live_server_url)
+        list_page = ListPage(self).add_list_item("private eye")
+        list_url = self.browser.current_url
+
+        self.browser.delete_cookie(settings.SESSION_COOKIE_NAME)
+        self.browser.get(list_url)
+
+        self.assertNotEqual(self.browser.current_url, list_url)
+

src/functional_tests/test_simple_list_creation.py

@@ -34,7 +34,7 @@ class NewVisitorTest(FunctionalTest):
         list_page.add_list_item("Buy peacock feathers")
 
         edith_dash_url = self.browser.current_url
-        self.assertRegex(edith_dash_url, '/apps/dashboard/.+')
+        self.assertRegex(edith_dash_url, '/dashboard/.+')
 
         self.browser.delete_all_cookies()
 
@@ -46,7 +46,7 @@ class NewVisitorTest(FunctionalTest):
         list_page.add_list_item("Buy milk")
 
         francis_dash_url = self.browser.current_url
-        self.assertRegex(francis_dash_url, '/apps/dashboard/.+')
+        self.assertRegex(francis_dash_url, '/dashboard/.+')
         self.assertNotEqual(francis_dash_url, edith_dash_url)
 
         page_text = self.browser.find_element(By.TAG_NAME, 'body').text