fix(security): add authentication to history routes

backend/app/config.py

@@ -41,6 +41,17 @@ def _bool_env(name: str, default: bool) -> bool:
     return raw_value.strip().lower() in {"1", "true", "yes", "on"}
 
 
+def _required_env(name: str) -> str:
+    """Get a required environment variable. Raise error if not set."""
+    value = os.getenv(name)
+    if not value or not value.strip():
+        raise ValueError(
+            f"Required environment variable '{name}' is not set. "
+            f"Please set it before starting the application."
+        )
+    return value
+
+
 class Settings:
     """Application settings loaded from environment variables."""
 
@@ -59,7 +70,7 @@ class Settings:
     enable_docs: bool = _bool_env("ENABLE_DOCS", False)
     public_root_info: bool = _bool_env("PUBLIC_ROOT_INFO", False)
     database_url: str = os.getenv("DATABASE_URL", "sqlite:///./assistant.db")
-    jwt_secret: str = os.getenv("JWT_SECRET", "change-this-in-production-min-32-bytes")
+    jwt_secret: str = _required_env("JWT_SECRET")
     jwt_algorithm: str = os.getenv("JWT_ALGORITHM", "HS256")
     access_token_minutes: int = _int_env("ACCESS_TOKEN_MINUTES", 720)
     llm_enabled: bool = _bool_env("LLM_ENABLED", False)

backend/app/routers/history.py

@@ -3,9 +3,11 @@
 """
 
 from __future__ import annotations
-from fastapi import APIRouter, HTTPException, Query
+from fastapi import APIRouter, Depends, HTTPException, Query
 from pydantic import BaseModel, Field
 
+from ..security import get_current_user
+from ..models import User
 from ..services import database
 
 router = APIRouter()
@@ -29,8 +31,12 @@ class HistoryEntry(BaseModel):
 
 
 @router.post("/", response_model=dict, status_code=201)
-async def save_history(body: HistorySaveRequest):
+async def save_history(
+    body: HistorySaveRequest,
+    current_user: User = Depends(get_current_user),
+):
     entry_id = await database.save_entry(
+        user_id=current_user.id,
         code=body.code,
         language=body.language,
         score=body.score,
@@ -43,21 +49,34 @@ async def save_history(body: HistorySaveRequest):
 async def get_history(
     limit: int = Query(20, ge=1, le=100),
     offset: int = Query(0, ge=0),
+    current_user: User = Depends(get_current_user),
 ):
-    return await database.get_entries(limit=limit, offset=offset)
+    return await database.get_entries(
+        user_id=current_user.id,
+        limit=limit,
+        offset=offset,
+    )
 
 
 @router.get("/search", response_model=list[HistoryEntry])
 async def search_history(
     q: str = Query(..., min_length=1),
     limit: int = Query(20, ge=1, le=100),
+    current_user: User = Depends(get_current_user),
 ):
-    return await database.search_entries(q=q, limit=limit)
+    return await database.search_entries(
+        user_id=current_user.id,
+        q=q,
+        limit=limit,
+    )
 
 
 @router.delete("/{entry_id}", response_model=dict)
-async def delete_history(entry_id: int):
-    deleted = await database.delete_entry(entry_id)
+async def delete_history(
+    entry_id: int,
+    current_user: User = Depends(get_current_user),
+):
+    deleted = await database.delete_entry(entry_id, user_id=current_user.id)
     if not deleted:
         raise HTTPException(status_code=404, detail="History entry not found.")
     return {"id": entry_id, "status": "deleted"}