fix(api): make record GET endpoint publicly accessible without authentication

mondyagu abhilash requested to merge fix/public-record-get-access into develop

Here is a clean Merge Request title and description in a professional format.

MR Title

feat(api): make record GET endpoint publicly accessible without authentication

MR Description

Summary

This merge request updates the record retrieval endpoint to allow public, unauthenticated access to record data. This enables users to view shared record pages without being redirected to the login page.

Problem

Previously, the GET /api/v1/records/{record_id} endpoint required authentication. As a result:

  • Unauthenticated users were redirected to /login
  • Shared record links could not be viewed publicly
  • Read-only access to records was unnecessarily restricted

Changes Made

Screenshot_from_2026-05-19_11-15-07

Before: trying to get a record asked for auth.

Screenshot_from_2026-05-19_11-12-42

After the changes: the record is fetched without auth or an access token.

Backend

  • Removed authentication dependency from:

    • GET /api/v1/records/{record_id}
  • Preserved authentication requirements for all write and action endpoints, including:

    • Create record
    • Update record
    • Delete record
    • Contribute to record
    • Download protected content
    • Like and comment actions

Tests

  • Added integration tests to verify:

    • Unauthenticated requests to the GET endpoint return 200 OK
    • Valid record data is returned without requiring a token
    • Protected endpoints continue to require authentication

Files Modified

  • app/api/v1/endpoints/records.py
  • tests/integration/api/test_records_public_access.py

Acceptance Criteria

  • GET /api/v1/records/{record_id} is accessible without authentication
  • Unauthenticated requests return 200 OK with record data
  • Invalid record IDs return 404 Not Found
  • All write/action endpoints remain protected
  • Existing authenticated functionality remains unchanged

Testing Performed

  1. Started the backend server locally.
  2. Opened Swagger documentation at http://localhost:8000/docs.
  3. Executed GET /api/v1/records/{record_id} without using the Authorize button.
  4. Confirmed the endpoint responded successfully without requiring authentication.
  5. Verified that protected endpoints still display authentication requirements.
  6. Ran integration tests covering public access behavior.

Impact

This change enables public sharing of record pages while maintaining authentication for all modification and contribution actions.

Edited by mondyagu abhilash
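
An added example, not code from this merge request or the project: a framework-agnostic Python stand-in for the access matrix in the acceptance criteria, using a default-deny check so that only GET on a single record is reachable without a token. The sample record, the token, and every path other than GET /api/v1/records/{record_id} are assumptions made for illustration.

```python
import re

# Constructed sample data and token; the path layout beyond
# GET /api/v1/records/{record_id} is hypothetical.
RECORDS = {"42": {"id": "42", "title": "constructed sample record"}}
VALID_TOKENS = {"constructed-test-token"}
RECORD = re.compile(r"/api/v1/records/(?P<rid>[^/]+)")
ACTION = re.compile(r"/api/v1/records/(?P<rid>[^/]+)/(like|comments|download|contribute)")


def handle(method, path, token=None):
    """Return (status, body) for one request against the stand-in API."""
    record_match = RECORD.fullmatch(path)
    # Default deny: the only unauthenticated route is GET on a single record.
    public = method == "GET" and record_match is not None
    if not public and token not in VALID_TOKENS:
        # Checked before any lookup, so protected routes do not reveal
        # whether a record exists to an anonymous caller.
        return 401, {"detail": "Not authenticated"}
    if method == "POST" and path == "/api/v1/records":
        return 201, {"id": "new"}
    match = record_match or ACTION.fullmatch(path)
    if match is None or match.group("rid") not in RECORDS:
        return 404, {"detail": "Not found"}
    if record_match and method == "GET":
        return 200, RECORDS[match.group("rid")]
    return 200, {"ok": True}  # authenticated write or action


def anonymous_matrix():
    """Status codes an anonymous caller sees for each class of endpoint."""
    requests = [
        ("GET", "/api/v1/records/42"),
        ("GET", "/api/v1/records/does-not-exist"),
        ("POST", "/api/v1/records"),
        ("PUT", "/api/v1/records/42"),
        ("DELETE", "/api/v1/records/42"),
        ("POST", "/api/v1/records/42/contribute"),
        ("GET", "/api/v1/records/42/download"),
        ("POST", "/api/v1/records/42/like"),
        ("POST", "/api/v1/records/42/comments"),
    ]
    return {f"{m} {p}": handle(m, p)[0] for m, p in requests}
```

Because the exemption is an exact match on method and path, a sub-route added under a record later stays protected until it is explicitly made public.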