Skip to content

fix(security): add authentication to history routes#958

Open
anshul23102 wants to merge 2 commits into
imDarshanGK:mainfrom
anshul23102:fix/708-history-authentication
Open

fix(security): add authentication to history routes#958
anshul23102 wants to merge 2 commits into
imDarshanGK:mainfrom
anshul23102:fix/708-history-authentication

Conversation

@anshul23102

@anshul23102 anshul23102 commented Jun 8, 2026

Copy link
Copy Markdown

Summary

This PR fixes the critical authentication gap in history routes by requiring authentication on all endpoints and filtering history records by current user. Users can now only access their own analysis history.

Problem

The history routes in backend/app/routers/history.py lacked authentication, exposing all users' code analysis history to any client. Unauthenticated requests could retrieve, search, and delete history entries belonging to other users.

Solution

  1. Added authentication requirement using Depends(get_current_user) to all history endpoints
  2. User-scoped filtering - history records filtered by current_user.id
  3. User tracking - save_entry() now stores user_id for proper data isolation
  4. Delete protection - delete operations now verify user ownership via user_id

Changes

  • backend/app/routers/history.py:
    • Import Depends and get_current_user from security
    • Add current_user parameter to all route handlers
    • Filter all database queries by user_id
    • Include user_id when saving new entries

Security Impact

  • Prevents unauthorized access to other users' analysis history
  • Ensures complete user data isolation
  • Protects sensitive code snippets from exposure

Testing

  • Authenticated users can access only their own history
  • Unauthenticated requests return 401 Unauthorized
  • Users cannot delete or search history belonging to other users
  • History entries are properly associated with creating user

Related Issue

Closes #708

This contribution is part of GSSoC 2026. Please consider adding the gssoc-approved label when reviewed.

@anshul23102
fix(security): enforce JWT_SECRET as required environment variable
522f68e 
- Add _required_env() helper function to enforce mandatory configuration
- Update jwt_secret to use _required_env() instead of fallback to default
- Application now fails fast at startup if JWT_SECRET is not set
- Prevents token forgery attacks from known default secrets

Closes imDarshanGK#707
@anshul23102
fix(security): add authentication to history routes
065f5f0 
- Import get_current_user dependency from security module
- Add authentication requirement to all history endpoints
- Filter history records by current_user.id to prevent cross-user access
- Ensure users can only access their own analysis history
- Save user_id when storing new history entries

Closes imDarshanGK#708
@anshul23102 anshul23102 requested a review from imDarshanGK as a code owner June 8, 2026 12:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@imDarshanGK imDarshanGK Awaiting requested review from imDarshanGK imDarshanGK is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Security][Critical] History routes have no authentication, exposing all users code history

1 participant

@anshul23102