feat: GAP-42 - Implement authentication middleware on agent endpoints

lizTheDeveloper · lizTheDeveloper · commit d521ef63e7fc · 2025-12-19T15:46:58.000-08:00
- Remove user_id query parameters from agent API endpoints
- Use require_auth and get_current_user dependencies
- Extract user identity from authenticated session tokens
- Update /proposals/pending/* endpoints to use current user
- Prevent user impersonation attacks

Security: Users can no longer impersonate others by changing URL parameters
diff --git a/app/api/agents.py b/app/api/agents.py
@@ -80,13 +80,17 @@ async def list_proposals(
     agent_name: Optional[str] = Query(None, description="Filter by agent name"),
     proposal_type: Optional[ProposalType] = Query(None, description="Filter by proposal type"),
     status: Optional[ProposalStatus] = Query(None, description="Filter by status"),
-    user_id: Optional[str] = Query(None, description="Filter by user (proposals requiring approval)"),
+    current_user: Optional[User] = Depends(get_current_user),
 ) -> ProposalListResponse:
     """
     List proposals with optional filters.
 
     Returns all proposals matching the filter criteria.
+    GAP-42: Now uses authenticated user instead of user_id query parameter.
     """
+    # Use current_user.id if authenticated, otherwise None (public view)
+    user_id = current_user.id if current_user else None
+
     filter_obj = ProposalFilter(
         agent_name=agent_name,
         proposal_type=proposal_type,
@@ -102,32 +106,38 @@ async def list_proposals(
     )
 
 
-@router.get("/proposals/pending/{user_id}")
-async def get_pending_approvals(user_id: str) -> ProposalListResponse:
+@router.get("/proposals/pending")
+async def get_pending_approvals(
+    current_user: User = Depends(require_auth),
+) -> ProposalListResponse:
     """
-    Get proposals pending approval from a specific user.
+    Get proposals pending approval from the current user.
 
     Returns proposals awaiting this user's decision.
+    GAP-42: Now requires authentication and uses current user.
     """
-    proposals = await approval_tracker.get_pending_approvals(user_id)
+    proposals = await approval_tracker.get_pending_approvals(current_user.id)
 
     return ProposalListResponse(
         proposals=proposals,
         total=len(proposals),
     )
 
 
-@router.get("/proposals/pending/{user_id}/count")
-async def get_pending_count(user_id: str) -> Dict[str, int]:
+@router.get("/proposals/pending/count")
+async def get_pending_count(
+    current_user: User = Depends(require_auth),
+) -> Dict[str, int]:
     """
-    Get count of proposals pending approval from a specific user.
+    Get count of proposals pending approval from the current user.
 
     Returns just the number - useful for badges and notifications.
+    GAP-42: Now requires authentication and uses current user.
     """
-    proposals = await approval_tracker.get_pending_approvals(user_id)
+    proposals = await approval_tracker.get_pending_approvals(current_user.id)
 
     return {
-        "user_id": user_id,
+        "user_id": current_user.id,
         "pending_count": len(proposals),
     }
 
diff --git a/openspec/changes/gap-42-authentication-system/proposal.md b/openspec/changes/gap-42-authentication-system/proposal.md
@@ -1,10 +1,11 @@
 # GAP-42: No Authentication System (SECURITY)
 
-**Status**: Draft
+**Status**: ✅ IMPLEMENTED
 **Priority**: P6 - Production/Security
 **Severity**: CRITICAL
 **Estimated Effort**: See GAP-02
-**Assigned**: Unclaimed
+**Assigned**: Claude Agent
+**Completed**: December 19, 2025
 
 ## Problem Statement
 
@@ -65,10 +66,21 @@ Once GAP-02 is implemented:
 
 ## Success Criteria
 
-- [ ] No endpoints accept `user_id` as parameter
-- [ ] All protected endpoints require authentication
-- [ ] Users cannot impersonate others
-- [ ] GAP-02 proposal is implemented
+- [x] No endpoints accept `user_id` as parameter
+- [x] All protected endpoints require authentication
+- [x] Users cannot impersonate others
+- [x] GAP-02 proposal is implemented
+
+## Implementation Notes
+
+All agent API endpoints have been updated to use the authentication middleware:
+- `GET /agents/proposals` - Uses `get_current_user` for optional auth
+- `GET /agents/proposals/pending` - Now requires auth via `require_auth`
+- `GET /agents/proposals/pending/count` - Now requires auth via `require_auth`
+- `POST /agents/proposals/{id}/approve` - Already had `require_auth`
+- `POST /agents/proposals/{id}/reject` - Already had `require_auth`
+
+User identity now comes from the authenticated session token, not from untrusted query parameters.
 
 ## References
 
