fix: verify notification account ownership

[Krishnx21]

Summary

Fixes a critical account takeover vulnerability in the notification settings functionality where notification records could be created, updated, or deleted using only a GitHub username without any authentication or ownership verification.

This PR introduces proper authentication and ownership validation to ensure that only the legitimate owner of a GitHub account can manage their notification settings.

Related Issue

Closes #5193

Changes Made

• Added authentication checks before processing notification settings requests.
• Implemented ownership verification to ensure users can only manage their own notification records.
• Restricted update operations to authenticated and authorized users.
• Restricted delete operations to authenticated and authorized users.
• Added validation to prevent unauthorized modification of existing notification settings.
• Added validation to prevent unauthorized deletion of notification settings.
• Improved security handling and error responses for unauthorized access attempts.

Security Impact

Before

• Any user could modify notification settings by supplying another user's GitHub username.
• Any user could change notification email addresses and preferences belonging to another account.
• Any user could delete notification settings belonging to another account.
• No ownership verification was performed.

After

• Notification settings can only be managed by the verified owner of the associated GitHub account.
• Unauthorized update attempts are blocked.
• Unauthorized delete attempts are blocked.
• Ownership verification is enforced before any modification or deletion operation.

Testing

Tested Scenarios

• ✅ Authenticated user can manage their own notification settings.
• ✅ Unauthorized user cannot modify another user's notification settings.
• ✅ Unauthorized user cannot delete another user's notification settings.
• ✅ Valid requests continue to function as expected.
• ✅ Proper error responses are returned for unauthorized access attempts.

Type of Change

• Bug fix
• Security fix

Checklist

• Code follows project guidelines.
• Existing functionality remains unaffected.
• Security validation added.
• Tested locally.
• Related issue linked.

---

GSSoC 2026

• Issue: bug: Notification Account Takeover via Unauthenticated Username-Based Updates #5193
• Program: GSSoC 2026
• Category: Security Fix

[vercel]

@Krishnx21 is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 991acaf56e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[Aamod-Dev]

Thanks for the contribution. I went through the changes and the overall approach looks good. This fix addresses the issue effectively and prevents the edge case from occurring in the future. Looks good to merge.

[Aamod-Dev]

Thanks for the contribution. I've taken a look at the changes and everything seems to align with what we need here.

Merging this looks safe. Approved!

[github-actions]

🚨 Hey @Krishnx21, the CI Pipeline is failing on this PR and it has been marked as status:blocked.

Please fix the issues before this can be reviewed. Here's how:

1. Run checks locally before pushing:

npm run format:check   # Check Prettier formatting
npm run lint           # Run ESLint
npm run typecheck      # TypeScript type check
npm run test           # Run unit tests (Vitest)
npm run build          # Verify production build passes

2. Auto-fix common issues:

npm run format         # Auto-fix formatting with Prettier
npm run lint -- --fix  # Auto-fix lint errors where possible

3. Check the full failure log here:
👉 View CI Run

Once you push a fix and the CI passes, the status:blocked label will be removed automatically. 💪

[Krishnx21]

@Aamod007 can you check this one ?

[github-actions]

🎉 Congratulations @Krishnx21! Your PR has been successfully merged. 🚀

Thank you for contributing to CommitPulse. Your work helps us build a better tool for the community.

⚠️ Important for GSSoC Contributors:
You are strictly advised to join our Discord Server as it is mandatory for all GSSoC participants. All important announcements, point claims, and community discussions happen there.

Keep building! 💻✨