wsgi: extract __create_one_user__ helper from create_users

Refactor create_users to delegate per-user DB creation to a shared
__create_one_user__ helper. No behaviour change — preparation for
reuse by the forthcoming create_test_users command.

1 files changed, 17 insertions, 13 deletions

diff --git a/gn_auth/wsgi.py b/gn_auth/wsgi.py
index 12c64fe..3b3b60b 100644
--- a/gn_auth/wsgi.py
+++ b/gn_auth/wsgi.py
@@ -134,6 +134,21 @@ def register_admin():
 
 _VALID_ROLES_ = ("system-admin", "none")
 
+def __create_one_user__(cursor, name: str, email: str, password: str, role: str) -> dict:
+    """Create a single user in the DB and return their credential record."""
+    user = save_user(cursor, email, name, verified=True)
+    set_user_password(cursor, user, password)
+    assign_default_roles(cursor, user)
+    if role == "system-admin":
+        grant_sysadmin_role(cursor, user)
+    return {
+        "user_id": str(user.user_id),
+        "name": user.name,
+        "email": user.email,
+        "password": password,
+        "role": role,
+    }
+
 
 def __parse_user_spec__(spec: str) -> dict:
     """Parse 'key=value,key=value,...' into a dict."""
@@ -198,19 +213,8 @@ def create_users(user_specs, output_path):
                     file=sys.stderr)
                 sys.exit(1)
 
-            user = save_user(cursor, email, name, verified=True)
-            set_user_password(cursor, user, password)
-            assign_default_roles(cursor, user)
-            if role == "system-admin":
-                grant_sysadmin_role(cursor, user)
-
-            records.append({
-                "user_id": str(user.user_id),
-                "name": user.name,
-                "email": user.email,
-                "password": password,
-                "role": role,
-            })
+            records.append(
+                __create_one_user__(cursor, name, email, password, role))
 
     __write_output__({"users": records}, output_path)