Harden user-scoped subscription route access checks

backend/api/subscription/routes/alerts.py

@@ -10,6 +10,8 @@ from loguru import logger
 
 from services.database import get_db
 from models.subscription_models import UsageAlert
+from middleware.auth_middleware import get_current_user
+from ..dependencies import verify_user_access
 
 router = APIRouter()
 
@@ -19,9 +21,12 @@ async def get_usage_alerts(
     user_id: str,
     unread_only: bool = Query(False, description="Only return unread alerts"),
     limit: int = Query(50, ge=1, le=100, description="Maximum number of alerts"),
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    current_user: Dict[str, Any] = Depends(get_current_user)
 ) -> Dict[str, Any]:
     """Get usage alerts for a user."""
+
+    verify_user_access(user_id, current_user)
     
     try:
         query = db.query(UsageAlert).filter(
@@ -79,16 +84,20 @@ async def get_usage_alerts(
 @router.post("/alerts/{alert_id}/mark-read")
 async def mark_alert_read(
     alert_id: int,
-    db: Session = Depends(get_db)
+    db: Session = Depends(get_db),
+    current_user: Dict[str, Any] = Depends(get_current_user)
 ) -> Dict[str, Any]:
     """Mark an alert as read."""
     
     try:
         alert = db.query(UsageAlert).filter(UsageAlert.id == alert_id).first()
-        
+
         if not alert:
             raise HTTPException(status_code=404, detail="Alert not found")
-        
+
+        if str(alert.user_id) != str(current_user.get("id")):
+            raise HTTPException(status_code=403, detail="Access denied")
+
         alert.is_read = True
         alert.read_at = datetime.utcnow()
         db.commit()
@@ -98,6 +107,8 @@ async def mark_alert_read(
             "message": "Alert marked as read"
         }
     
+    except HTTPException:
+        raise
     except Exception as e:
         logger.error(f"Error marking alert as read: {e}")
         raise HTTPException(status_code=500, detail=str(e))