Add dual-auth dependency for jersey and checkout routes #255

New issue

Closed

opened 2026-03-29 23:11:19 +00:00 by forgejo_admin · 0 comments

forgejo_admin commented 2026-03-29 23:11:19 +00:00

Contributor

Copy link

Type

Feature

Lineage

Child of forgejo_admin/westside-landing#196 (spike: player self-service jersey ordering).
Story: WS-S18 — "As a parent, I want to receive a branded email with jersey ordering link so that I can order without bringing cash"

Repo

forgejo_admin/basketball-api

User Story

As a logged-in parent
I want to access jersey ordering and checkout using my Keycloak session
So that I can order directly from my profile without needing the email token link

Context

The jersey and checkout routes currently authenticate exclusively via Parent.registration_token passed as a ?token= query param. This works for email-link flows but blocks self-service ordering from the SPA where parents are already authenticated via Keycloak JWT.

The account route (account.py line 57) already demonstrates the pattern: Parent.email.ilike(user.email) resolves a Parent from a Keycloak session. This ticket creates a reusable dependency that accepts EITHER auth method.

register.py and tryouts.py also use registration_token but in completely separate code paths with no shared helpers — zero blast radius.

File Targets

Files the agent should modify or create:

• src/basketball_api/auth.py — add get_parent_dual_auth(token: str | None, credentials, db) dependency that tries token first, then Keycloak JWT + email lookup
• src/basketball_api/routes/jersey.py — lines 109-122 (jersey_player_info) and lines 227-235 (jersey_checkout): replace inline Parent.registration_token lookup with new dependency
• src/basketball_api/routes/checkout.py — lines 115-122 (create_checkout_session): replace inline Parent.registration_token lookup with new dependency
• tests/ — add tests for both auth paths

Files the agent should NOT touch:

• src/basketball_api/routes/register.py — uses registration_token in separate code paths
• src/basketball_api/routes/tryouts.py — uses registration_token in separate code paths

Acceptance Criteria

• When I call /jersey/player-info?token=abc123, then the existing token auth works unchanged
• When I call /jersey/player-info with a Keycloak Bearer token (no ?token=), then it resolves the parent via email match
• When I call /jersey/checkout or /checkout/create-session with either auth method, then both work
• When I call with neither token nor Bearer, then I get 401
• When register.py and tryouts.py are diffed, then zero changes

Test Expectations

• Unit test: get_parent_dual_auth returns Parent when given valid registration token
• Unit test: get_parent_dual_auth returns Parent when given valid Keycloak JWT with matching email
• Unit test: get_parent_dual_auth raises 401 when neither auth method provided
• Unit test: get_parent_dual_auth raises 404 when Keycloak email matches no parent
• Integration test: /jersey/player-info works with both auth methods
• Run command: pytest tests/ -k "dual_auth or jersey or checkout"

Constraints

• The token query param must remain optional (not removed) for backwards compatibility
• Follow the existing dependency injection pattern from auth.py (get_current_user)
• The dependency must eagerly load Parent.players relationship (use joinedload)

Checklist

• PR opened
• Tests pass
• No unrelated changes

Related

• westside-basketball — project this affects
• forgejo_admin/westside-landing#196 — parent spike issue

### Type Feature ### Lineage Child of `forgejo_admin/westside-landing#196` (spike: player self-service jersey ordering). Story: WS-S18 — "As a parent, I want to receive a branded email with jersey ordering link so that I can order without bringing cash" ### Repo `forgejo_admin/basketball-api` ### User Story As a logged-in parent I want to access jersey ordering and checkout using my Keycloak session So that I can order directly from my profile without needing the email token link ### Context The jersey and checkout routes currently authenticate exclusively via `Parent.registration_token` passed as a `?token=` query param. This works for email-link flows but blocks self-service ordering from the SPA where parents are already authenticated via Keycloak JWT. The account route (`account.py` line 57) already demonstrates the pattern: `Parent.email.ilike(user.email)` resolves a Parent from a Keycloak session. This ticket creates a reusable dependency that accepts EITHER auth method. `register.py` and `tryouts.py` also use `registration_token` but in completely separate code paths with no shared helpers — zero blast radius. ### File Targets Files the agent should modify or create: - `src/basketball_api/auth.py` — add `get_parent_dual_auth(token: str | None, credentials, db)` dependency that tries token first, then Keycloak JWT + email lookup - `src/basketball_api/routes/jersey.py` — lines 109-122 (`jersey_player_info`) and lines 227-235 (`jersey_checkout`): replace inline `Parent.registration_token` lookup with new dependency - `src/basketball_api/routes/checkout.py` — lines 115-122 (`create_checkout_session`): replace inline `Parent.registration_token` lookup with new dependency - `tests/` — add tests for both auth paths Files the agent should NOT touch: - `src/basketball_api/routes/register.py` — uses `registration_token` in separate code paths - `src/basketball_api/routes/tryouts.py` — uses `registration_token` in separate code paths ### Acceptance Criteria - [ ] When I call `/jersey/player-info?token=abc123`, then the existing token auth works unchanged - [ ] When I call `/jersey/player-info` with a Keycloak Bearer token (no `?token=`), then it resolves the parent via email match - [ ] When I call `/jersey/checkout` or `/checkout/create-session` with either auth method, then both work - [ ] When I call with neither token nor Bearer, then I get 401 - [ ] When register.py and tryouts.py are diffed, then zero changes ### Test Expectations - [ ] Unit test: `get_parent_dual_auth` returns Parent when given valid registration token - [ ] Unit test: `get_parent_dual_auth` returns Parent when given valid Keycloak JWT with matching email - [ ] Unit test: `get_parent_dual_auth` raises 401 when neither auth method provided - [ ] Unit test: `get_parent_dual_auth` raises 404 when Keycloak email matches no parent - [ ] Integration test: `/jersey/player-info` works with both auth methods - Run command: `pytest tests/ -k "dual_auth or jersey or checkout"` ### Constraints - The `token` query param must remain optional (not removed) for backwards compatibility - Follow the existing dependency injection pattern from `auth.py` (`get_current_user`) - The dependency must eagerly load `Parent.players` relationship (use `joinedload`) ### Checklist - [ ] PR opened - [ ] Tests pass - [ ] No unrelated changes ### Related - `westside-basketball` — project this affects - `forgejo_admin/westside-landing#196` — parent spike issue

forgejo_admin referenced this issue from ldraney/westside-app 2026-03-29 23:12:45 +00:00

Spike: Player self-service jersey ordering from profile #196

forgejo_admin referenced this issue from a commit 2026-03-30 16:15:15 +00:00

feat: add dual-auth dependency for jersey and checkout routes (#255)

forgejo_admin referenced this issue from a pull request that will close it, 2026-03-30 16:15:42 +00:00

feat: add dual-auth dependency for jersey and checkout routes (#255) #258

forgejo_admin added the

status:approved

label 2026-03-30 16:16:28 +00:00

forgejo_admin referenced this issue from a pull request that will close it, 2026-03-30 16:19:14 +00:00

feat: add dual-auth dependency for jersey and checkout routes (#255) #258

forgejo_admin closed this issue 2026-03-30 21:00:53 +00:00

forgejo_admin referenced this issue from a commit 2026-03-30 21:00:55 +00:00

feat: add dual-auth dependency for jersey and checkout routes (#255) (#258)

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

feat/payment-links-outstanding-balance

monthly-payment-email-may

510-grant-tournament-tables-to-ro-role

458-skip-proration-v2

458-skip-proration

466-cherry-pick-first-payment

458-merge-first-payment-blast

369-first-payment-email-blast

408-player-nickname

313-local-first-week-email

320-mjml-sponsor-outreach-template

270-contract-reminder-email

205-clean-test-data-from-production-db-playe

114-email-verification

147-feat-add-get-jersey-player-info-endpoint

124-feat-many-to-many-player-team-assignment

125-feat-add-new-players-manually-seydou-gou

126-feat-team-placement-congratulations-emai

121-admin-teams-spa-endpoints

70-add-graduating-class-to-roster-api-respo

59-fix-auth-test

62-phase-4l-sveltekit-dashboard-wkq-tailsca

11-phase-1a-fix-ci-pipeline-venv-in-test-st

No results found.

Labels

Clear labels   

domain:backend

  

domain:devops

  

domain:frontend

  

status:approved

QA passed, awaiting merge approval

  

status:in-progress

Dev agent is actively working

  

status:needs-fix

QA found issues, back to dev

  

status:qa

PR submitted, awaiting QA review

  

type:bug

Bug fix

  

type:devops

Infrastructure/CI/config work

  

type:feature

New functionality

No labels

domain:backend

domain:devops

domain:frontend

status:approved

status:in-progress

status:needs-fix

status:qa

type:bug

type:devops

type:feature

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

ldraney/basketball-api#255

No description provided.