feat: Implement user validation and ownership checks for image, reward, and task APIs

- Added `get_validated_user_id` utility function to validate user authentication across multiple APIs. - Updated image upload, request, and listing endpoints to ensure user ownership and proper error handling. - Enhanced reward management endpoints to include user validation and ownership checks. - Modified task management endpoints to enforce user authentication and ownership verification. - Updated models to include `user_id` for images, rewards, tasks, and children to track ownership. - Implemented frontend changes to ensure UI reflects the ownership of tasks and rewards. - Added a new feature specification to prevent deletion of system tasks and rewards.
2026-01-31 19:48:51 -05:00
parent 6f5b61de7f
commit f14de28daa
18 changed files with 361 additions and 121 deletions
--- a/backend/api/user_api.py
+++ b/backend/api/user_api.py
@@ -8,6 +8,7 @@ import string
 import smtplib
 from backend.utils.email_instance import email_sender
 from datetime import datetime, timedelta
+from api.utils import get_validated_user_id

 user_api = Blueprint('user_api', __name__)
 UserQuery = Query()
@@ -18,14 +19,17 @@ def get_current_user():
        return None
    try:
        payload = jwt.decode(token, current_app.config['SECRET_KEY'], algorithms=['HS256'])
-        email = payload.get('email')
-        user_dict = users_db.get(UserQuery.email == email)
+        user_id = payload.get('user_id')
+        user_dict = users_db.get(UserQuery.id == user_id)
        return User.from_dict(user_dict) if user_dict else None
    except Exception:
        return None

@user_api.route('/user/profile', methods=['GET'])
 def get_profile():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
    user = get_current_user()
    if not user:
        return jsonify({'error': 'Unauthorized'}), 401
@@ -38,6 +42,9 @@ def get_profile():

@user_api.route('/user/profile', methods=['PUT'])
 def update_profile():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
    user = get_current_user()
    if not user:
        return jsonify({'error': 'Unauthorized'}), 401
@@ -57,6 +64,9 @@ def update_profile():

@user_api.route('/user/image', methods=['PUT'])
 def update_image():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
    user = get_current_user()
    if not user:
        return jsonify({'error': 'Unauthorized'}), 401
@@ -70,6 +80,9 @@ def update_image():

@user_api.route('/user/check-pin', methods=['POST'])
 def check_pin():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
    user = get_current_user()
    if not user:
        return jsonify({'error': 'Unauthorized'}), 401
@@ -83,6 +96,9 @@ def check_pin():

@user_api.route('/user/has-pin', methods=['GET'])
 def has_pin():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
    user = get_current_user()
    if not user:
        return jsonify({'error': 'Unauthorized'}), 401
@@ -90,6 +106,9 @@ def has_pin():

@user_api.route('/user/request-pin-setup', methods=['POST'])
 def request_pin_setup():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
    user = get_current_user()
    if not user or not user.verified:
        return jsonify({'error': 'Unauthorized'}), 401
@@ -108,6 +127,9 @@ def send_pin_setup_email(email, code):

@user_api.route('/user/verify-pin-setup', methods=['POST'])
 def verify_pin_setup():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
    user = get_current_user()
    if not user or not user.verified:
        return jsonify({'error': 'Unauthorized'}), 401
@@ -127,6 +149,9 @@ def verify_pin_setup():

@user_api.route('/user/set-pin', methods=['POST'])
 def set_pin():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
    user = get_current_user()
    if not user or not user.verified:
        return jsonify({'error': 'Unauthorized'}), 401