Skip to content

feat: Add curriculum/lesson APIs and harden authentication#15

Open
atharva-nagane wants to merge 1 commit into
eellak:masterfrom
atharva-nagane:feature/backend-curriculum-auth-hardening
Open

feat: Add curriculum/lesson APIs and harden authentication#15
atharva-nagane wants to merge 1 commit into
eellak:masterfrom
atharva-nagane:feature/backend-curriculum-auth-hardening

Conversation

@atharva-nagane

Copy link
Copy Markdown

Changes

  • Curriculum/Lesson CRUD APIs: Add user-scoped REST endpoints for creating, reading, updating, and deleting curriculums and lessons. Uses new Pydantic schemas (CurriculumCreate, CurriculumUpdate, LessonCreate, LessonUpdate, CurriculumResponse, LessonResponse) for validation.

    • GET /curriculums — List user's curriculums
    • POST /curriculums — Create curriculum
    • PUT /curriculums/{id} — Update curriculum
    • DELETE /curriculums/{id} — Delete curriculum
    • GET /curriculums/{curriculum_id}/lessons — List lessons in curriculum
    • POST /curriculums/{curriculum_id}/lessons — Create lesson
    • PUT /curriculums/{curriculum_id}/lessons/{lesson_id} — Update lesson
    • DELETE /curriculums/{curriculum_id}/lessons/{lesson_id} — Delete lesson
  • Authentication Hardening:

    • Activation gate: /token now rejects non-activated users (401)
    • JWT expiry: Tokens expire after 30 minutes (configurable via ACCESS_TOKEN_EXPIRE_MINUTES env var)
    • Email verification: POST /users/verify-email flips activated flag
    • Password fix: /users/me/password now requires current password and correctly hashes the new one

Files Changed

  • back-end/models/models.py: Updated UpdateUserPasswordRequest (add current_password, rename password to new_password); added Curriculum/Lesson schemas
  • back-end/utils/utils_jwt.py: Added exp claim, made ACCESS_TOKEN_EXPIRE_MINUTES configurable
  • back-end/main.py:
    • /token: Added activation check
    • /users/me/password: Added old-password verification, fixed hashing
    • /users/verify-email: New endpoint for activation
    • /curriculums*: 4 new endpoints for curriculum CRUD
    • /curriculums/{curriculum_id}/lessons*: 4 new endpoints for lesson CRUD
    • Helper functions: _get_owned_curriculum, _get_owned_lesson for ownership checks

Security & Ownership

  • All curriculum/lesson endpoints enforce user ownership (users can only manage their own data)
  • Admin endpoints (/users/{user_id}/role, /users/{user_id}/beta_tester, /users/{user_id}/activated) remain unchanged and admin-only
  • Password change requires proof of old password

Testing

cd back-end
pip install -r requirements.txt
pytest tests/test_main.py -v

@atharva-nagane

Copy link
Copy Markdown
Author

Hi team,
I'm Atharva Nagane, excited to contribute to FOSSBot. This is my first PR to the project.

What this PR does:

  1. Makes curriculum/lesson tables usable — The DB tables existed but had no API routes. Now users can manage their own learning materials via REST endpoints.
  2. Hardens authentication — Adds activation gates, JWT expiry, and fixes a critical password bug (was storing plaintext instead of hashes).

Background:
I'm familiar with FastAPI, SQLAlchemy, and auth flows. I'd love to keep contributing and help expand FOSSBot's backend capabilities. Happy to iterate on feedback!

Looking forward to your review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant