Add pal-e-auth integration to gate roster endpoints #5

Merged

forgejo_admin merged 11 commits from 4-add-auth into main 2026-02-24 04:55:03 +00:00

Conversation 1 Commits 11 Files changed 31 +1249 -1

forgejo_admin commented 2026-02-23 22:17:14 +00:00

Owner

Copy link

Closes #4

Summary

• Add pal-e-auth-ldraney>=0.1.0 dependency
• Add jwt_secret_key, google_client_id, google_client_secret to Settings (BASKETBALL_ prefix)
• Wire AuthConfig + auth_router in main.py — single config instance for both router and app.state
• Gate get_roster and roster_page with require_role("admin", "coach")
• Add pal-e-auth-secrets env vars to k8s/deployment.yaml

Prerequisites

• pal-e-auth-ldraney published to PyPI (add pypi_token Woodpecker secret first)
• tofu apply for basketball-api namespaces
• Create pal-e-auth-secrets K8s secret in both namespaces

Test plan

• pytest passes (health tests, auth imports resolve)
• ruff check clean on changed files
• Integration test: OAuth flow → cookie → roster access on dev

🤖 Generated with Claude Code

Closes #4 ## Summary - Add `pal-e-auth-ldraney>=0.1.0` dependency - Add `jwt_secret_key`, `google_client_id`, `google_client_secret` to Settings (BASKETBALL_ prefix) - Wire `AuthConfig` + `auth_router` in `main.py` — single config instance for both router and `app.state` - Gate `get_roster` and `roster_page` with `require_role("admin", "coach")` - Add `pal-e-auth-secrets` env vars to `k8s/deployment.yaml` ## Prerequisites - [ ] `pal-e-auth-ldraney` published to PyPI (add `pypi_token` Woodpecker secret first) - [ ] `tofu apply` for basketball-api namespaces - [ ] Create `pal-e-auth-secrets` K8s secret in both namespaces ## Test plan - [x] `pytest` passes (health tests, auth imports resolve) - [x] `ruff check` clean on changed files - [ ] Integration test: OAuth flow → cookie → roster access on dev 🤖 Generated with [Claude Code](https://claude.com/claude-code)

forgejo_admin added 10 commits 2026-02-23 22:17:14 +00:00

Scaffold basketball-api project ... 25844230f9

FastAPI app with Stripe webhooks, gmail-sdk email, Postgres via SQLAlchemy/Alembic.
Includes k8s manifests (deployment, service, postgres), Woodpecker CI, and Dockerfile
for deployment to pal-e cluster.

Closes #1

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Fix review blockers: XSS, alembic creds, stripe config, webhook validation ... 7e0b2236d2

- Escape all user-controlled values in HTML roster and email templates
- Remove hardcoded credentials from alembic.ini
- Set stripe.api_key on app startup
- Return 400 (not 422) for missing stripe-signature header
- Add postgres subPath for k3s compatibility
- Document single-replica constraint for migrations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Fix round 2 blockers: Dockerfile, webhook idempotency, stripe import ... f736d4979f

- Add src/ copy to Dockerfile builder stage
- Add idempotency check on stripe_checkout_session_id in webhook handler
- Use stripe.SignatureVerificationError (stable import path)
- Migrate from deprecated on_event to lifespan pattern
- Fix seed script session cleanup

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Fix round 3: unique constraint, webhook error handling, initial migration ... e884377c53

- Add unique constraint on Registration.stripe_checkout_session_id
- Add IntegrityError catch as secondary idempotency defense
- Return 200 for permanent webhook failures (ValueError), 500 only for transient
- Add initial Alembic migration for all tables

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Fix scaffold to match SERVICE_ONBOARDING.md conventions (Closes #3) ... bd81787dee

- .woodpecker.yaml: switch to kaniko plugin, full SHA tags, proper path
  exclude, add pytest test step
- k8s manifests: add namespace to all resources, add resource
  requests/limits, fix Service port to 8000 with name: http
- k8s/postgres.yaml: add subPath for k3s, PGDATA env, strategy: Recreate,
  resource limits
- k8s/servicemonitor.yaml: new file for Prometheus scraping
- /metrics endpoint: stub returning basketball_api_up gauge

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Fix review findings: webhook error leaking, container name, CI format check, seed script, type hints ... 863956f8e8

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Fix review round 2: webhook guard, health tests, deployment strategy, port name, lint scope ... 7723ffe167

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Fix review round 3: email after commit, explicit exception suppression, model defaults ... d46fa767ce

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Remove hardcoded namespace from k8s manifests ... 3833981e68

ArgoCD destination.namespace controls placement, making manifests
environment-agnostic. This enables branch-based dev/prod promotion.

Refs: forgejo_admin/basketball-api#1

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add pal-e-auth integration to gate roster endpoints (#4) ... bb2f4d9f0a

Wire Google OAuth + JWT auth via pal-e-auth-ldraney. Roster endpoints
now require admin or coach role. Auth secrets mounted from separate
pal-e-auth-secrets K8s secret.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

forgejo_admin added 1 commit 2026-02-23 22:19:47 +00:00

Refuse to start with empty JWT secret key ... 350fde2460

Crash at startup if BASKETBALL_JWT_SECRET_KEY is unset to prevent
silently signing JWTs with an empty key. Add test conftest with
auth env defaults. Set login_redirect_url to /docs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

forgejo_admin commented 2026-02-23 22:19:56 +00:00

Author

Owner

Copy link

Review Fix (Round 1)

BLOCKER fixed: Empty jwt_secret_key no longer silently accepted. _build_auth_config() now raises RuntimeError at startup if BASKETBALL_JWT_SECRET_KEY is unset, preventing JWT forgery with empty key.

NIT fixed: Set login_redirect_url="/docs" instead of default / (which would 404).

Added: tests/conftest.py with auth env defaults so tests can import main.py without crashing.

Other NITs (memory limits, static metrics) are pre-existing and out of scope for this PR.

## Review Fix (Round 1) **BLOCKER fixed:** Empty `jwt_secret_key` no longer silently accepted. `_build_auth_config()` now raises `RuntimeError` at startup if `BASKETBALL_JWT_SECRET_KEY` is unset, preventing JWT forgery with empty key. **NIT fixed:** Set `login_redirect_url="/docs"` instead of default `/` (which would 404). **Added:** `tests/conftest.py` with auth env defaults so tests can import `main.py` without crashing. Other NITs (memory limits, static metrics) are pre-existing and out of scope for this PR.

forgejo_admin merged commit 140bf2edba into main 2026-02-24 04:55:03 +00:00

forgejo_admin referenced this pull request from a commit 2026-02-24 04:55:04 +00:00

Add pal-e-auth integration to gate roster endpoints (#5)

forgejo_admin referenced this pull request 2026-03-18 20:44:27 +00:00

feat: jersey Stripe checkout + second tryout announcement email #104

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

domain:backend

  

domain:devops

  

domain:frontend

  

status:approved

QA passed, awaiting merge approval

  

status:in-progress

Dev agent is actively working

  

status:needs-fix

QA found issues, back to dev

  

status:qa

PR submitted, awaiting QA review

  

type:bug

Bug fix

  

type:devops

Infrastructure/CI/config work

  

type:feature

New functionality

No labels

domain:backend

domain:devops

domain:frontend

status:approved

status:in-progress

status:needs-fix

status:qa

type:bug

type:devops

type:feature

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

forgejo_admin/basketball-api!5

No description provided.