feat: user history tracking (AAI-698) #178

Open
marius-mather wants to merge 27 commits into main from feat/username-history

marius-mather (Collaborator) commented Feb 9, 2026

Description

AAI-698: track history of changes to the user in the backend database (e.g. username, email changes). Use this to enforce no reuse of previously-used usernames.

Changes

  • BiocommonsUserHistory model to track changes that need to be recorded
  • Update existing API routes that perform user updates to record history
  • Check for username reuse when updating usernames
  • Make BiocommonsUserHistory visible in DB admin view

Checklist

  • I have commented my code, particularly in hard-to-understand areas
  • I have added unit / integration tests that prove my fix is effective or that my feature works
  • I have run all tests locally and they pass
  • I have updated the documentation (if applicable)
  • For any new secrets, I have updated the shared spreadsheet and the GitHub Secrets.

How to Test Manually (if necessary)

Run uv run pytest

Screenshots

User history in DB admin view:

[Image: Screenshot 2026-02-09 at 3 28 08 pm]

Copilot AI (Contributor) left a comment

Pull request overview

Implements backend audit/history tracking for BiocommonsUser changes (email/username/deletion/restoration) and uses that history to prevent username reuse, with corresponding route updates and tests.

Changes:

  • Added BiocommonsUserHistory model + relationship on BiocommonsUser, and methods to record history on updates/deletes/restores.
  • Updated user/admin routes to use the new model methods when changing email/username.
  • Added tests covering history creation and username-reuse prevention behavior.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

File | Description
db/models.py | Adds BiocommonsUserHistory, wires relationship, and introduces save_history/update_email/update_username helpers.
migrations/versions/44d8dc065b59_user_history.py | Creates the new biocommonsuserhistory table.
routers/user.py | Updates username/email update flows to record history and enforce username reuse rule.
routers/admin.py | Records history for admin-triggered email updates with correct “updated_by”.
tests/test_user.py | Updates email-change test to assert DB history entry instead of Auth0 metadata updates.
tests/db/test_models.py | Adds unit tests for history creation, username update history, and username reuse blocking.

@amandazhuyilan (Contributor)

Thanks @marius-mather - a few questions:

  • Does the user history data get referenced by Auth0 when a new user registers for an account with a username/email that exists in the user history?
  • Do we have multiple entries for the same user if their email/username is updated multiple times?
  • Can we please update the db diagram? (We can do this before the pull request is ready to go.)

@marius-mather (Collaborator, Author)

@amandazhuyilan:

  • It won't be referenced by Auth0, but we need to check it in our registration functions - adding that now!
  • Yes, we can have multiple history events for each user, so we will be able to see the full history of changes
  • Updating the DB diagram now

field_errors=field_errors
)

# Update in Auth0 (need to include connection when updating username)

Collaborator

This is a race condition... two threads can pass existing user, cause an Auth0 update, but fail on the local database. I would recommend doing the auth0 change after commit to local db to avoid this.

Collaborator

and if auth0 fails cleanup local db, rollback.
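
The ordering the two review comments above describe, as an added example that is not part of this pull request or the project's code: commit the local change first so a database uniqueness constraint settles races and reuse, call the identity provider only afterwards, and undo the local change if that call fails. SQLite stands in for the backend database; the table names, `change_username`, `idp_update` and `IdpError` are hypothetical.

```python
import sqlite3

class IdpError(Exception):
    """Raised by the hypothetical identity-provider client on failure."""

def make_db():
    # In-memory stand-in for the backend database (constructed schema).
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.executescript("""
        CREATE TABLE users (id TEXT PRIMARY KEY, username TEXT NOT NULL);
        -- Every username ever held. The PRIMARY KEY turns reuse into a
        -- constraint violation, so two requests cannot both claim a name.
        CREATE TABLE username_history (username TEXT PRIMARY KEY, user_id TEXT NOT NULL);
    """)
    return db

def add_user(db, user_id, username):
    db.execute("BEGIN")
    db.execute("INSERT INTO users VALUES (?, ?)", (user_id, username))
    db.execute("INSERT INTO username_history VALUES (?, ?)", (username, user_id))
    db.execute("COMMIT")

def change_username(db, user_id, new_name, idp_update):
    row = db.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        return "rejected: no such user"
    old_name = row[0]
    # Step 1: claim the name locally and commit. The constraint, not an
    # earlier SELECT, decides who wins a race or whether the name was used.
    try:
        db.execute("BEGIN IMMEDIATE")
        db.execute("INSERT INTO username_history VALUES (?, ?)", (new_name, user_id))
        db.execute("UPDATE users SET username = ? WHERE id = ?", (new_name, user_id))
        db.execute("COMMIT")
    except sqlite3.IntegrityError:
        db.execute("ROLLBACK")
        return "rejected: username already used"
    # Step 2: only now call the identity provider.
    try:
        idp_update(user_id, new_name)
    except IdpError:
        # Step 3: compensate. The name never took effect at the provider,
        # so restore the old username and release the claim.
        db.execute("BEGIN IMMEDIATE")
        db.execute("UPDATE users SET username = ? WHERE id = ?", (old_name, user_id))
        db.execute("DELETE FROM username_history WHERE username = ? AND user_id = ?",
                   (new_name, user_id))
        db.execute("COMMIT")
        return "failed: identity provider update failed, local change reverted"
    return "ok"
```
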
