Add authentication check to event-related API routes

Ensure that all event-related endpoints verify the presence of a valid authenticated user before proceeding. Raise a 401 Unauthorized error if authentication credentials are missing or invalid, enhancing the security of API routes.
2025-03-09 16:25:48 +01:00
parent c2cdc3c110
commit 4192911538
1 changed files with 36 additions and 0 deletions
--- a/backend/app/api/routes/events/router.py
+++ b/backend/app/api/routes/events/router.py
@@ -36,6 +36,12 @@ def create_event(
        current_user: User = Depends(get_current_user)
 ) -> EventResponse:
    """Create a new event."""
+    if current_user is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid authentication credentials",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
    try:
        # Check if slug is already taken
        if event.get_by_slug(db, slug=event_in.slug):
@@ -69,6 +75,12 @@ def get_user_events(
        current_user: User = Depends(get_current_user)
 ) -> Dict[str, Any]:
    """Get all events created by the current user with pagination."""
+    if current_user is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid authentication credentials",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
    try:
        total = event.count_user_events(
            db=db,
@@ -166,6 +178,12 @@ def get_event(
        current_user: User = Depends(get_current_user)
 ) -> EventResponse:
    """Get event by ID."""
+    if current_user is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid authentication credentials",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
    try:
        event_obj = event.get(db=db, id=event_id)
        if not event_obj:
@@ -209,6 +227,12 @@ def get_public_event(
        current_user: Optional[User] = Depends(get_optional_current_user)
 ) -> EventResponse:
    """Get public event by slug."""
+    if current_user is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid authentication credentials",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
    try:
        event_obj = event.get_public_event(db=db, slug=slug, access_code=access_code)
        if not event_obj:
@@ -246,6 +270,12 @@ def update_event(
        current_user: User = Depends(get_current_user)
 ) -> EventResponse:
    """Update event."""
+    if current_user is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid authentication credentials",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
    try:
        event_obj = event.get(db=db, id=event_id)
        if not event_obj:
@@ -304,6 +334,12 @@ def delete_event(
        hard_delete: bool = Query(False, description="Perform hard delete instead of soft delete")
 ):
    """Delete event (soft delete by default)."""
+    if current_user is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid authentication credentials",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
    try:
        event_obj = event.get(db=db, id=event_id)
        if not event_obj: