Standardize API Authentication

[theiris6]

…ication checks.

Description

Required authentication for retrieving general and privacy settings by adding AuthenticationHelpers and a pre-request 401 check to SettingsApi

Secured public activity type endpoints with the same helper and 401 check, preventing unauthenticated access to activity type data

Registered ActivityTypesPublicApi and SettingsApi with the authentication helper in the API root to propagate auth details across the documentation and modules

Introduced tests confirming that unauthenticated requests to settings and activity type endpoints return 401 responses, safeguarding configuration and activity type data.

Fixes # (issue)

Type of change

Multiple endpoints return empty results (200) without authentication. Standardize authentication across all endpoints even when returning empty data arrays.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)

How Has This Been Tested?

Test with this script :
thoth-tech/doubtfire-astro#34

• Test A
• Test B

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation if appropriate
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• I have created or extended unit tests to address my new additions
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

If you have any questions, please contact @macite or @jakerenzella.

[samindiii]

This block is being repeated in multiple APIs, would it be better to maybe move it to a shared require_authentication! helper in AuthenticationHelpers just to keep the code DRY?

[theiris6]

Thanks for the suggestion, Samindi! I actually tested moving this into a shared require_authentication! helper, but ran into issues that the helper didn’t behave consistently across all API classes (some edge cases weren’t triggering authentication as expected).

Given that, I think keeping the before block inline here is currently the safer option. It ensures the authentication logic runs exactly as intended for this endpoint without introducing unexpected side effects. We can definitely revisit a shared helper later if we find a reliable implementation that works across all APIs.

[ibi420]

Hi Iris,

Good work on this. As Samindi mentioned, creating a shared auth_helper class would help reduce code duplication, and this will be included in the handover documentation for next semester. From my testing, the functionality works as expected, and the script you created effectively verifies this. Well done.