Lock down public tryout endpoints — require auth #91

Closed
opened 2026-03-16 01:23:36 +00:00 by forgejo_admin · 0 comments

Lineage

plan-2026-03-08-tryout-prep → Phase 11 (discovered scope during 11a)

Repo

forgejo_admin/basketball-api

User Story

As an admin
I want all roster/player endpoints to require authentication
So that parent PII (email, phone) is not exposed to unauthenticated visitors now that tryouts are over and all users have Keycloak accounts

Context

During tryout day, the public roster endpoints were intentionally unauthenticated so parents could check the roster before having accounts. Tryouts are over. All 50 users have Keycloak accounts. There is no longer a reason to serve parent PII without auth.

The public tryout endpoints in routes/tryouts.py currently have NO authentication:

  • GET /api/roster/{tenant_slug} — returns full roster with parent name, email, phone
  • POST /api/roster/{tenant_slug}/check-in/{player_id} — marks player checked in
  • POST /api/roster/{tenant_slug}/assign-number/{player_id} — assigns tryout number

The check-in and assign-number endpoints are also obsolete (tryouts are over) but should still be locked down rather than removed, in case they're needed for future tryouts.

The photo upload endpoint (POST /upload/photo) is also unauthenticated — should require auth too.

File Targets

Files to modify:

  • src/basketball_api/routes/tryouts.py — Add get_current_user dependency to all endpoints
  • src/basketball_api/routes/upload.py — Add get_current_user dependency to photo upload
  • tests/ — Update any tests that call these endpoints without auth mocking

Files NOT to touch:

  • src/basketball_api/routes/players.py — Already requires auth (PR #90)
  • src/basketball_api/routes/teams.py — Already requires auth
  • src/basketball_api/routes/roster.py — Already requires admin/coach role
  • src/basketball_api/auth.py — Auth middleware already works

Acceptance Criteria

  • GET /api/roster/{tenant_slug} returns 401 without auth token
  • GET /api/roster/{tenant_slug} returns roster data with valid auth token (any role)
  • POST /api/roster/{tenant_slug}/check-in/{player_id} returns 401 without auth
  • POST /api/roster/{tenant_slug}/assign-number/{player_id} returns 401 without auth
  • POST /upload/photo returns 401 without auth
  • All existing authenticated endpoints still work

Test Expectations

  • Existing tests updated to provide auth where needed
  • New tests verify 401 on unauthenticated access
  • Run command: cd ~/basketball-api && python -m pytest tests/ -v

Constraints

  • Use get_current_user from auth.py (not require_role) — any authenticated user can access these
  • Do NOT remove the check-in or assign-number endpoints — just add auth
  • Keep the roster response shape identical — only the auth requirement changes
  • The westside-app frontend calls these endpoints server-side with event.locals.accessToken — verify the frontend passes the token

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • project-westside-basketball
  • PR #90 (player profile endpoints — already auth-gated, discovered this gap during QA review)
Reference
forgejo_admin/basketball-api#91