Subscription API and API key injection middleware added

2025-10-19 17:56:09 +05:30
parent 1f087aad4c
commit 2240cefa30
8 changed files with 106 additions and 24 deletions
--- a/backend/api/subscription_api.py
+++ b/backend/api/subscription_api.py
@@ -13,6 +13,7 @@ from functools import lru_cache
 from services.database import get_db
 from services.usage_tracking_service import UsageTrackingService
 from services.pricing_service import PricingService
+from middleware.auth_middleware import get_current_user
 from models.subscription_models import (
    APIProvider, SubscriptionPlan, UserSubscription, UsageSummary,
    APIProviderPricing, UsageAlert, SubscriptionTier, BillingCycle, UsageStatus
@@ -30,10 +31,15 @@ _DASHBOARD_CACHE_TTL_SEC = 2.0
 async def get_user_usage(
    user_id: str,
    billing_period: Optional[str] = Query(None, description="Billing period (YYYY-MM)"),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    current_user: Dict[str, Any] = Depends(get_current_user)
 ) -> Dict[str, Any]:
    """Get comprehensive usage statistics for a user."""
    
+    # Verify user can only access their own data
+    if current_user.get('id') != user_id:
+        raise HTTPException(status_code=403, detail="Access denied")
+    
    try:
        usage_service = UsageTrackingService(db)
        stats = usage_service.get_user_usage_stats(user_id, billing_period)
@@ -122,10 +128,15 @@ async def get_subscription_plans(
@router.get("/user/{user_id}/subscription")
 async def get_user_subscription(
    user_id: str,
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    current_user: Dict[str, Any] = Depends(get_current_user)
 ) -> Dict[str, Any]:
    """Get user's current subscription information."""
    
+    # Verify user can only access their own data
+    if current_user.get('id') != user_id:
+        raise HTTPException(status_code=403, detail="Access denied")
+    
    try:
        subscription = db.query(UserSubscription).filter(
            UserSubscription.user_id == user_id,
@@ -212,10 +223,15 @@ async def get_user_subscription(
@router.get("/status/{user_id}")
 async def get_subscription_status(
    user_id: str,
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    current_user: Dict[str, Any] = Depends(get_current_user)
 ) -> Dict[str, Any]:
    """Get simple subscription status for enforcement checks."""

+    # Verify user can only access their own data
+    if current_user.get('id') != user_id:
+        raise HTTPException(status_code=403, detail="Access denied")
+
    try:
        subscription = db.query(UserSubscription).filter(
            UserSubscription.user_id == user_id,