Implement Authentication and Authorization for API Endpoints #44

@mathaix

Summary

The current API implementation has placeholder authentication that bypasses security entirely. This is a critical security risk that must be addressed before any production deployment.

Current State

1. Authentication Placeholder - SECURITY RISK ⚠️

Files: src/backend/clara/api/projects.py:84, 202

# TODO: Get created_by from authenticated user
created_by = "user_placeholder"

Issue: Hardcoded user identifier bypasses authentication completely. Any user can create/duplicate projects as any other user.

2. Missing Authorization Checks

Files: src/backend/clara/api/projects.py:112, 134

# TODO: Filter by authenticated user's access

Issue: No authorization layer means:

  • Users can view/edit/delete any project
  • No ownership verification
  • No role-based access control (RBAC)

Acceptance Criteria

Authentication

  • Implement JWT-based authentication middleware
  • Add /auth/login and /auth/logout endpoints
  • Create get_current_user dependency for protected endpoints
  • Add user model to database schema
  • Implement token refresh mechanism

Authorization

  • Add project ownership verification on all mutating operations
  • Implement RBAC with roles: admin, manager, viewer
  • Filter list queries by user access rights
  • Add project_members table for shared project access

Security Hardening

  • Add rate limiting to auth endpoints
  • Implement secure password hashing (bcrypt/argon2)
  • Add audit logging for authentication events
  • Configure secure cookie settings for sessions

Implementation Notes

Per SECURITY-GOVERNANCE.md:

  • All data access must be logged to immutable store
  • PII must be redacted from logs
  • Structured rationales should not expose raw chain-of-thought

Related Files

  • src/backend/clara/api/projects.py - Endpoints needing auth
  • src/backend/clara/config.py - JWT secret key already defined
  • /Users/mantiz/Clara-Analysis/SECURITY-GOVERNANCE.md - Security requirements

Priority

MUST - Do not deploy to production without this implementation
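
Added example, not code from the Clara repository or from the issue author: one way the get_current_user dependency and the ownership/role check from the acceptance criteria fit together, so that created_by comes from a verified token instead of "user_placeholder". It uses a standard-library HS256 check in place of a JWT library. SECRET, issue_token, can_access, WRITE_ROLES, the role semantics and the project dictionary (standing in for the project_members table) are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: stands in for the key in config.py
WRITE_ROLES = {"admin", "manager"}  # assumption: viewer is read-only

class AuthError(Exception):
    pass

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_token(user_id, now, ttl=900):
    """Login side: sign a short-lived HS256 token for user_id."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps({"sub": user_id, "exp": now + ttl}).encode())
    return f"{head}.{body}." + _b64e(_sign(f"{head}.{body}"))

def get_current_user(token, now=None):
    """Return the verified subject, or raise AuthError."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        # Verify with a fixed algorithm before trusting any field.
        if not hmac.compare_digest(_sign(f"{head}.{body}"), _b64d(sig)):
            raise AuthError("bad signature")
        header, claims = json.loads(_b64d(head)), json.loads(_b64d(body))
        if header["alg"] != "HS256" or claims["exp"] <= now:
            raise AuthError("wrong alg or expired")
        return claims["sub"]
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise AuthError("malformed token") from exc

def can_access(user_id, project, write):
    """Owner: full access. Member: by role. Everyone else: denied."""
    if user_id == project["owner"]:
        return True
    role = project["members"].get(user_id)  # project_members lookup
    return role in WRITE_ROLES if write else role is not None
```

An endpoint would call get_current_user first, use its return value as created_by, and refuse the request when can_access returns False.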
