
feat(learning-path): add server-side API with token-based ownership verification #830

Open

nancysangani wants to merge 1 commit into komalharshita:main from nancysangani:fix/learning-path-authorization

Conversation

@nancysangani


Summary

Adds a server-side /api/learning-path/<path_id> endpoint (POST / GET / PUT)
with ownership verification baked in from the start. Each learning path is
bound to an owner token at creation time. Every subsequent read or write must
present that same token — requests with a missing or wrong token receive
403 Forbidden before any data is read or modified. Token comparisons use
secrets.compare_digest (constant-time) to prevent timing-based enumeration.

Related Issue

Closes #736

Type of Change

  • Feature — adds new functionality
  • Test — adds or updates tests

What Was Changed

| File | Change made |
| --- | --- |
| utils/learning_path.py | New module: in-memory store, token-based ownership, PathNotFoundError / PathAlreadyExistsError / AuthorizationError hierarchy, _clear_all() test helper |
| routes/main_routes.py | Three new routes: POST (create), GET (read), PUT (update); all enforce token ownership before touching data |
| tests/test_learning_path.py | 40 new tests across 8 classes covering all success paths, all error paths, and explicit cross-user data isolation |

How to Test This PR

  1. git checkout fix/learning-path-authorization
  2. pip install -r requirements.txt
  3. python tests/test_learning_path.py
  4. Manually with curl:
# Create
curl -s -X POST http://localhost:5000/api/learning-path/my-path \
  -H "Content-Type: application/json" \
  -H "X-Learning-Path-Token: mysecrettoken" \
  -d '{"step": 1}'

# Read with correct token -> 200
curl -s http://localhost:5000/api/learning-path/my-path \
  -H "X-Learning-Path-Token: mysecrettoken"

# Read with wrong token -> 403
curl -s http://localhost:5000/api/learning-path/my-path \
  -H "X-Learning-Path-Token: wrongtoken"

Test Results

40 passed, 0 failed out of 40 tests

Self-Review Checklist

  • Branch name follows convention (fix/)
  • python tests/test_learning_path.py → 40 passed, 0 failed
  • This PR introduces zero new flake8 errors (pre-existing errors in main_routes.py are unchanged from main)
  • No print() or console.log() debug statements
  • Every new function has a docstring
  • Files modified are scoped to the linked issue only
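The ownership model the PR description lays out (a record bound to the token presented at creation, every later read or write required to present that same token, comparison done in constant time, 403 returned before any record data is touched) can be shown end to end in a small stand-alone module. The code below is an added illustration written for this page; it is not the PR's utils/learning_path.py or routes/main_routes.py. It reuses the exception names the PR lists but the function names (create_path, get_path, update_path, handle), the 201/404/409/405 status mapping and the sha256-before-compare step are this example's own assumptions.

```python
"""Token-bound ownership for per-user records, modelled on the design the PR
describes. Hypothetical stand-alone module, not the project's own code."""
import hashlib
import secrets
from typing import Any, Dict, Optional, Tuple


class PathNotFoundError(Exception):
    """No learning path with this id exists (mapped to 404 below)."""


class PathAlreadyExistsError(Exception):
    """A learning path with this id already exists (mapped to 409 below)."""


class AuthorizationError(Exception):
    """Token missing or not matching the owner token (mapped to 403 below)."""


# In-memory store (assumed layout): path_id -> (owner_token_digest, data)
_STORE: Dict[str, Tuple[bytes, Dict[str, Any]]] = {}


def _digest(token: str) -> bytes:
    # Hashing first means compare_digest always compares equal-length inputs,
    # so even the length of a caller's guess is not exposed through timing.
    return hashlib.sha256(token.encode("utf-8")).digest()


def _require_owner(path_id: str, token: Optional[str]) -> Dict[str, Any]:
    """Return the record's data only after `token` proves ownership.
    The check runs before any record data is handed back to the caller."""
    if token is None or token == "":
        raise AuthorizationError("missing token")
    if path_id not in _STORE:
        raise PathNotFoundError(path_id)
    owner_digest, data = _STORE[path_id]
    # Constant-time comparison: the time taken does not depend on how many
    # leading bytes of the guess happen to match the real owner digest.
    if not secrets.compare_digest(owner_digest, _digest(token)):
        raise AuthorizationError("wrong token")
    return data


def create_path(path_id: str, token: Optional[str], data: Dict[str, Any]) -> Dict[str, Any]:
    """Create a record and bind it to `token` as its owner."""
    if token is None or token == "":
        raise AuthorizationError("a token is required to bind ownership")
    if path_id in _STORE:
        # Only the owner learns that the id is taken; anyone else gets 403,
        # so POST cannot be used to probe which ids exist.
        _require_owner(path_id, token)
        raise PathAlreadyExistsError(path_id)
    _STORE[path_id] = (_digest(token), dict(data))
    return dict(data)


def get_path(path_id: str, token: Optional[str]) -> Dict[str, Any]:
    """Read a record; a copy is returned so callers cannot mutate the store."""
    return dict(_require_owner(path_id, token))


def update_path(path_id: str, token: Optional[str], data: Dict[str, Any]) -> Dict[str, Any]:
    """Merge `data` into the owner's record."""
    current = _require_owner(path_id, token)
    current.update(data)
    return dict(current)


def _clear_all() -> None:
    """Test helper: wipe the store between test cases."""
    _STORE.clear()


def handle(method: str, path_id: str, token: Optional[str],
           body: Optional[Dict[str, Any]] = None) -> Tuple[int, Dict[str, Any]]:
    """Map the store API onto HTTP status codes the way a route layer would.
    `token` stands in for the X-Learning-Path-Token header value (None = absent)."""
    try:
        if method == "POST":
            return 201, create_path(path_id, token, body or {})
        if method == "GET":
            return 200, get_path(path_id, token)
        if method == "PUT":
            return 200, update_path(path_id, token, body or {})
        return 405, {"error": "method not allowed"}
    except AuthorizationError:
        return 403, {"error": "forbidden"}
    except PathNotFoundError:
        return 404, {"error": "not found"}
    except PathAlreadyExistsError:
        return 409, {"error": "already exists"}


if __name__ == "__main__":
    # Mirrors the curl sequence in the PR description.
    print(handle("POST", "my-path", "mysecrettoken", {"step": 1}))
    print(handle("GET", "my-path", "mysecrettoken"))
    print(handle("GET", "my-path", "wrongtoken"))
```

One design caveat worth checking in the real routes: as written, a caller who presents some token but names a path that does not exist gets 404, which tells them the id is free. If path ids are meant to stay private, return 403 for that case too and reserve 404 for the owner's own missing records.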

@vercel

vercel Bot commented Jun 9, 2026


@nancysangani is attempting to deploy a commit to the komalsony234-1530's projects Team on Vercel.

A member of the Team first needs to authorize it.

@nancysangani

Author

Hi @komalharshita, please review the PR when you get a chance. Thanks!


Development

Successfully merging this pull request may close these issues.

[Security] User Learning Path Data Exposed - No Authorization
