harden telegram webapp production readiness

app/api/cars.py

@@ -2,16 +2,23 @@ from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 
+from app.api.deps import get_current_telegram_user
 from app.db.session import get_session
 from app.models.car import Car
+from app.models.user import User
 from app.schemas.car import CarCreate, CarRead, CarUpdate
 
 router = APIRouter(prefix="/cars", tags=["cars"])
 
 
 @router.post("", response_model=CarRead, status_code=status.HTTP_201_CREATED)
-async def create_car(payload: CarCreate, session: AsyncSession = Depends(get_session)) -> Car:
-    car = Car(**payload.model_dump())
+async def create_car(
+    payload: CarCreate,
+    session: AsyncSession = Depends(get_session),
+    current_user: User = Depends(get_current_telegram_user),
+) -> Car:
+    data = payload.model_dump(exclude={"owner_id"})
+    car = Car(**data, owner_id=current_user.id)
     session.add(car)
     await session.commit()
     await session.refresh(car)
@@ -19,28 +26,45 @@ async def create_car(payload: CarCreate, session: AsyncSession = Depends(get_ses
 
 
 @router.get("", response_model=list[CarRead])
-async def list_cars(owner_id: int, session: AsyncSession = Depends(get_session)) -> list[Car]:
+async def list_cars(
+    owner_id: int | None = None,
+    session: AsyncSession = Depends(get_session),
+    current_user: User = Depends(get_current_telegram_user),
+) -> list[Car]:
+    if owner_id is not None and owner_id != current_user.id:
+        raise HTTPException(status_code=403, detail="Forbidden")
     result = await session.execute(
-        select(Car).where(Car.owner_id == owner_id).order_by(Car.created_at.desc())
+        select(Car).where(Car.owner_id == current_user.id).order_by(Car.created_at.desc())
     )
     return list(result.scalars())
 
 
 @router.get("/{car_id}", response_model=CarRead)
-async def get_car(car_id: int, session: AsyncSession = Depends(get_session)) -> Car:
+async def get_car(
+    car_id: int,
+    session: AsyncSession = Depends(get_session),
+    current_user: User = Depends(get_current_telegram_user),
+) -> Car:
     car = await session.get(Car, car_id)
     if car is None:
         raise HTTPException(status_code=404, detail="Car not found")
+    if car.owner_id != current_user.id:
+        raise HTTPException(status_code=403, detail="Forbidden")
     return car
 
 
 @router.patch("/{car_id}", response_model=CarRead)
 async def update_car(
-    car_id: int, payload: CarUpdate, session: AsyncSession = Depends(get_session)
+    car_id: int,
+    payload: CarUpdate,
+    session: AsyncSession = Depends(get_session),
+    current_user: User = Depends(get_current_telegram_user),
 ) -> Car:
     car = await session.get(Car, car_id)
     if car is None:
         raise HTTPException(status_code=404, detail="Car not found")
+    if car.owner_id != current_user.id:
+        raise HTTPException(status_code=403, detail="Forbidden")
     for field, value in payload.model_dump(exclude_unset=True).items():
         setattr(car, field, value)
     await session.commit()
@@ -49,9 +73,15 @@ async def update_car(
 
 
 @router.delete("/{car_id}", status_code=status.HTTP_204_NO_CONTENT)
-async def delete_car(car_id: int, session: AsyncSession = Depends(get_session)) -> None:
+async def delete_car(
+    car_id: int,
+    session: AsyncSession = Depends(get_session),
+    current_user: User = Depends(get_current_telegram_user),
+) -> None:
     car = await session.get(Car, car_id)
     if car is None:
         raise HTTPException(status_code=404, detail="Car not found")
+    if car.owner_id != current_user.id:
+        raise HTTPException(status_code=403, detail="Forbidden")
     await session.delete(car)
     await session.commit()