Add player_id param to jersey and checkout endpoints for multi-player parents

forgejo_admin commented

2026-03-29 23:11:32 +00:00

Contributor

Type

Feature

Lineage

Child of forgejo_admin/westside-landing#196 (spike: player self-service jersey ordering).
Depends on: dual-auth dependency ticket (basketball-api).
Story: WS-S18

Repo

forgejo_admin/basketball-api

User Story

As a parent with multiple players
I want to select which player I'm ordering a jersey for
So that the order is placed for the correct child

Context

Both jersey.py (line 127) and checkout.py (line 147) use parent.players[0] — always grabbing the first player. In the email-link flow this was acceptable because most parents have one player. In the session-auth flow, the parent is identified by email and the SPA dashboard shows ALL their players. Without a player_id parameter, there's no way to order for a specific child.

The account.py /players endpoint already returns all players for a parent, and the frontend my-players/+page.svelte renders them as a list. The jersey flow needs to accept which player was selected.

File Targets

Files the agent should modify or create:

src/basketball_api/routes/jersey.py — add player_id: int | None = Query(None) to jersey_player_info (line 106) and jersey_checkout (line 172); validate player belongs to parent
src/basketball_api/routes/checkout.py — add player_id: int | None = Query(None) to create_checkout_session (line 103); validate player belongs to parent
tests/ — add tests for player_id selection

Files the agent should NOT touch:

src/basketball_api/routes/register.py — unrelated
src/basketball_api/routes/tryouts.py — unrelated

Acceptance Criteria

When I call /jersey/checkout?player_id=5 and player 5 belongs to my parent record, then the order is for player 5
When I call /jersey/checkout?player_id=99 and player 99 does NOT belong to my parent, then I get 403
When I call /jersey/checkout without player_id, then it defaults to parent.players[0] (backwards-compatible)
Same behavior applies to /jersey/player-info and /checkout/create-session

Test Expectations

Unit test: explicit player_id resolves correct player
Unit test: missing player_id defaults to first player
Unit test: wrong player_id (not owned by parent) returns 403
Run command: pytest tests/ -k "player_id or jersey or checkout"

Constraints

player_id must be optional (None default) to preserve backwards compatibility
Validation must check player.parent_id == parent.id — no cross-parent access
Depends on dual-auth dependency being merged first

Checklist

PR opened
Tests pass
No unrelated changes

westside-basketball — project this affects
forgejo_admin/westside-landing#196 — parent spike issue

### Type Feature ### Lineage Child of `forgejo_admin/westside-landing#196` (spike: player self-service jersey ordering). Depends on: dual-auth dependency ticket (basketball-api). Story: WS-S18 ### Repo `forgejo_admin/basketball-api` ### User Story As a parent with multiple players I want to select which player I'm ordering a jersey for So that the order is placed for the correct child ### Context Both `jersey.py` (line 127) and `checkout.py` (line 147) use `parent.players[0]` — always grabbing the first player. In the email-link flow this was acceptable because most parents have one player. In the session-auth flow, the parent is identified by email and the SPA dashboard shows ALL their players. Without a `player_id` parameter, there's no way to order for a specific child. The `account.py` `/players` endpoint already returns all players for a parent, and the frontend `my-players/+page.svelte` renders them as a list. The jersey flow needs to accept which player was selected. ### File Targets Files the agent should modify or create: - `src/basketball_api/routes/jersey.py` — add `player_id: int | None = Query(None)` to `jersey_player_info` (line 106) and `jersey_checkout` (line 172); validate player belongs to parent - `src/basketball_api/routes/checkout.py` — add `player_id: int | None = Query(None)` to `create_checkout_session` (line 103); validate player belongs to parent - `tests/` — add tests for player_id selection Files the agent should NOT touch: - `src/basketball_api/routes/register.py` — unrelated - `src/basketball_api/routes/tryouts.py` — unrelated ### Acceptance Criteria - [ ] When I call `/jersey/checkout?player_id=5` and player 5 belongs to my parent record, then the order is for player 5 - [ ] When I call `/jersey/checkout?player_id=99` and player 99 does NOT belong to my parent, then I get 403 - [ ] When I call `/jersey/checkout` without `player_id`, then it defaults to `parent.players[0]` (backwards-compatible) - [ ] Same behavior applies to `/jersey/player-info` and `/checkout/create-session` ### Test Expectations - [ ] Unit test: explicit `player_id` resolves correct player - [ ] Unit test: missing `player_id` defaults to first player - [ ] Unit test: wrong `player_id` (not owned by parent) returns 403 - Run command: `pytest tests/ -k "player_id or jersey or checkout"` ### Constraints - `player_id` must be optional (`None` default) to preserve backwards compatibility - Validation must check `player.parent_id == parent.id` — no cross-parent access - Depends on dual-auth dependency being merged first ### Checklist - [ ] PR opened - [ ] Tests pass - [ ] No unrelated changes ### Related - `westside-basketball` — project this affects - `forgejo_admin/westside-landing#196` — parent spike issue