Problem Statement

All API endpoints under /api/v1/ (projects, resources, locations,
maintenance-tickets, and sensor-sites) are currently open: any caller
can create, update, or delete records without any authentication or
authorization check. For a university-wide ICT management platform this
is a critical security gap.
Acceptance Criteria

- Roles: admin, technician, viewer
- Write access (create, update, delete) for admin and technician only
- viewer role has read-only access (GET endpoints only)
- 401 Unauthorized for unauthenticated requests
- 403 Forbidden when a role lacks permission

Suggested Approach

- Add a users table with a role column to the data model
- Implement a JWT login endpoint (/api/v1/auth/login)
- Create a FastAPI dependency (get_current_user) to validate tokens
- Apply role-checking dependencies to each router

Files Likely Affected

backend/app/main.py
backend/app/api/ - all routers
backend/app/models/ - new User model
backend/app/services/ - new auth service
backend/tests/ - new auth test cases
backend/requirements.txt
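As an added illustration (not code from this issue or the project), the following stdlib-only sketch shows the role model from the acceptance criteria: an HS256 token check standing in for get_current_user, and a method-aware check that yields 401 for a missing or tampered token and 403 when the role lacks permission. The demo secret, the claim names (sub, role) and the function names issue_token and authorize are assumptions; in the real service authorize would be wrapped in a FastAPI dependency that raises HTTPException with the returned status.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret (assumption); the real service loads it from config.
SECRET = b"demo-secret-not-for-production"

WRITE_ROLES = {"admin", "technician"}   # may use POST/PUT/PATCH/DELETE
READ_ROLES = WRITE_ROLES | {"viewer"}   # viewer is limited to GET


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, role: str) -> str:
    """Mint an HS256 JWT, as the login endpoint would after checking credentials."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": username, "role": role}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def get_current_user(authorization: Optional[str]) -> Optional[dict]:
    """Return the verified claims, or None if the token is absent, malformed or tampered."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    try:
        header, payload, sig = authorization[len("Bearer "):].split(".")
        # The header's alg value is deliberately ignored: HS256 is always enforced.
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
    except ValueError:  # bad base64, wrong segment count, invalid JSON
        return None
    return claims if isinstance(claims, dict) else None


def authorize(method: str, authorization: Optional[str]) -> int:
    """HTTP status the router dependency should yield: 200 allow, 401 no/bad token, 403 role lacks permission."""
    user = get_current_user(authorization)
    if user is None:
        return 401
    allowed = READ_ROLES if method.upper() == "GET" else WRITE_ROLES
    return 200 if user.get("role") in allowed else 403
```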