Problem
All users in an instance share a single user_token. Any user who knows another user's submission_id can read their result via GET /results/{id}.
Solution
- External auth layer issues a unique token per user instead of one shared token per instance
- TEE service tracks ownership:
  - token → set(submission_ids) per instance
  - GET /results/{id} enforces that the token owns the submission_id, otherwise returns 403
- Users can hold memberships across multiple instances
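The ownership check sketched above, as an added illustration (not the project's api/routes.py; the store and handler names are assumptions): one token per user, ownership recorded per instance so a membership in one instance never grants access to another's submissions.

```python
# Added example of the proposed per-user ownership model; not project code.
# Names (OwnershipStore, get_result) and the (status, body) return shape are assumptions.
from dataclasses import dataclass, field


@dataclass
class OwnershipStore:
    # instance_id -> token -> set of submission_ids created under that token
    _owners: dict = field(default_factory=dict)

    def register_submission(self, instance_id: str, token: str, submission_id: str) -> None:
        """Record that `token` (unique per user, issued by the external auth layer)
        created `submission_id` inside `instance_id`."""
        self._owners.setdefault(instance_id, {}).setdefault(token, set()).add(submission_id)

    def is_owner(self, instance_id: str, token: str, submission_id: str) -> bool:
        # A token may hold memberships in several instances; ownership is scoped per instance.
        return submission_id in self._owners.get(instance_id, {}).get(token, set())


def get_result(store: OwnershipStore, results: dict, instance_id: str, token: str, submission_id: str):
    """Handler logic for GET /results/{id}; returns (http_status, body).
    Ownership is checked before existence, so a caller that does not own the id
    gets 403 whether or not the id exists and learns nothing about other users' ids."""
    if not store.is_owner(instance_id, token, submission_id):
        return 403, {"error": "forbidden"}
    if submission_id not in results:
        return 404, {"error": "result not available"}
    return 200, results[submission_id]


if __name__ == "__main__":
    # Constructed sample data: two users in instance "inst-a", one of them also in "inst-b".
    store = OwnershipStore()
    results = {"s1": {"score": 0.9}, "s2": {"score": 0.4}}
    store.register_submission("inst-a", "tok-alice", "s1")
    store.register_submission("inst-a", "tok-bob", "s2")
    store.register_submission("inst-b", "tok-alice", "s3")
    print(get_result(store, results, "inst-a", "tok-alice", "s1"))  # owner: 200
    print(get_result(store, results, "inst-a", "tok-bob", "s1"))    # other user, same instance: 403
    print(get_result(store, results, "inst-b", "tok-alice", "s1"))  # same user, wrong instance: 403
```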
Open design questions
- What should admin see? Current architecture gives admin full result access, but the TEE trust model may require restricting this (e.g., only aggregated stats, not per-submission scores)
- Should admin access be configurable per skill via the SkillCard?
Relevant code
api/routes.py — _tokens dict, GET /results/{id}
tests/test_e2e.py — documented limitation comment