BUG: [Security] Inconsistent authentication on backend routes

[sharma-sugurthi]

Is there an existing issue for this?

• I have searched the existing issues

What happened?

🌟 Feature Description
I propose we standardize the usage of the @require_auth decorator across all our backend routes. Right now, it looks like only some files are checking if a user is logged in, while others are completely open.

🔍 Problem Statement
While digging through the route files, I noticed a pretty big inconsistency:

Protected: medicine.py correctly uses @require_auth to block access if you aren't logged in.

Exposed: weight.py, symptoms.py, discharge.py, and profile.py don't seem to use the decorator at all.

This implies that if session auth is active, these endpoints might be accessible to anyone (even without a login), which is a security risk for user data.

🎯 Expected Outcome
Security: All endpoints that touch sensitive data (Weight, Symptoms, Profile) must require a valid session.

Consistency: Every route file should follow the same pattern (importing and applying require_auth).

Record

• I agree to follow this project's Code of Conduct
• I want to work on this issue

[sharma-sugurthi]

Hi @bhavik-mangla @Zahnentferner @Naren456,
I've completed a thorough investigation of the authentication state in BabyNest.
Critical Finding: No Authentication System Exists
After searching the codebase, I discovered:
❌ No login/signup routes exist
❌ No Flask SECRET_KEY or session configuration in app.py
❌ No code that sets session['user_id'] anywhere
❌ Frontend doesn't use session cookies
Current State:

• medicine.py has @require_auth decorator, but it's broken (would reject all requests)
• All other routes are completely public
• User identification currently uses user_id parameter (insecure)
  Issue BUG: [Security] Inconsistent authentication on backend routes #183's Proposal Would Break the App:
  Adding @require_auth to all routes would cause ALL API calls to return 401
  because no session auth system exists. The frontend would completely break.
  Recommended Solutions:
  Option 1 (Quick Fix): Remove @require_auth from medicine.py
• Achieves consistency (as originally requested)
• Doesn't break functionality
• Acknowledges current reality
  Option 2 (Proper Fix): Implement full authentication system FIRST
• Add Flask session config + SECRET_KEY
• Create /login, /signup routes
• Create users table in database
• Update frontend to use session cookies
• THEN apply @require_auth to all routes

Thoughts? I'm happy to implement either approach!

[Naren456]

@sharma-sugurthi
We dont need any security in app . Its an offline app

[sharma-sugurthi]

@Naren456
the presence of the @require_auth decorator in medicine.py made me off,it made it look like a partial or broken auth system was intended for the project. I also thought some local security might be planned even for an offline-first app.

But yeah if no auth required, that decorator is effectively misleading dead code.

[sharma-sugurthi]

@Zahnentferner @bhavik-mangla @Vivekgupta008

I'm happy to open a quick PR to remove the unused auth logic so the codebase stays clean and doesn't confuse future contributors.