Spaces:
Sleeping
Sleeping
Claude Code - Backend Implementation Specialist
Deploy AI-powered Todo application to Hugging Face Spaces
f2b5c2a | """ | |
| Security guard for user authorization checks. | |
| This module ensures that all tool operations are authorized | |
| and that users can only access their own data. | |
| """ | |
| import logging | |
| from typing import Optional | |
| from sqlmodel import Session, select | |
| from src.models.task import Task | |
| logger = logging.getLogger(__name__) | |
| class SecurityGuard: | |
| """ | |
| Security guard for validating user authorization. | |
| All MCP tools must use this guard to verify that: | |
| 1. User is authenticated (user_id is valid) | |
| 2. User owns the resources they're trying to access | |
| 3. No cross-user data access is possible | |
| """ | |
| async def validate_task_ownership( | |
| db: Session, | |
| task_id: int, | |
| user_id: int | |
| ) -> Optional[Task]: | |
| """ | |
| Validate that a task belongs to the authenticated user. | |
| Args: | |
| db: Database session | |
| task_id: Task ID to validate | |
| user_id: Authenticated user ID | |
| Returns: | |
| Task object if valid, None if not found or unauthorized | |
| Raises: | |
| ValueError: If task doesn't belong to user | |
| """ | |
| statement = select(Task).where( | |
| Task.id == task_id, | |
| Task.user_id == user_id | |
| ) | |
| task = db.exec(statement).first() | |
| if not task: | |
| logger.warning(f"Task {task_id} not found or unauthorized for user {user_id}") | |
| raise ValueError(f"Task not found or access denied") | |
| return task | |
| def validate_user_id(user_id: int) -> None: | |
| """ | |
| Validate that user_id is provided and valid. | |
| Args: | |
| user_id: User ID to validate | |
| Raises: | |
| ValueError: If user_id is invalid | |
| """ | |
| if not user_id or user_id <= 0: | |
| logger.error(f"Invalid user_id: {user_id}") | |
| raise ValueError("Invalid user_id") | |
| async def validate_conversation_ownership( | |
| db: Session, | |
| conversation_id: int, | |
| user_id: int | |
| ) -> bool: | |
| """ | |
| Validate that a conversation belongs to the authenticated user. | |
| Args: | |
| db: Database session | |
| conversation_id: Conversation ID to validate | |
| user_id: Authenticated user ID | |
| Returns: | |
| True if valid, False otherwise | |
| """ | |
| from src.models.conversation import Conversation | |
| statement = select(Conversation).where( | |
| Conversation.id == conversation_id, | |
| Conversation.user_id == user_id | |
| ) | |
| conversation = db.exec(statement).first() | |
| if not conversation: | |
| logger.warning(f"Conversation {conversation_id} not found or unauthorized for user {user_id}") | |
| return False | |
| return True | |
| # Singleton instance | |
| security_guard = SecurityGuard() | |