joshua-sajeev · joshua-sajeev · Sep 22, 2025 · Sep 21, 2025 · Sep 21, 2025 · Sep 21, 2025
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"context"
 	"net/http"
 	"strconv"
 	"strings"
@@ -158,3 +159,7 @@ func (ua *UserAuth) OptionalAuthMiddleware() gin.HandlerFunc {
 		c.Next()
 	}
 }
+
+func SetUserID(ctx context.Context, userID int) context.Context {
+	return context.WithValue(ctx, "userID", userID)
+}
diff --git a/internal/domain/task/entity.go b/internal/domain/task/entity.go
@@ -3,8 +3,9 @@ package task
 import "time"
 
 type Task struct {
-	ID        int       `json:"id" binding:"gte=1" example:"1" `
+	ID        int       `json:"id" gorm:"primaryKey"`
 	Task      string    `json:"task" binding:"required" example:"Buy milk" gorm:"not null"`
 	Status    string    `json:"status" binding:"required" example:"pending" gorm:"not null"`
+	UserID    int       `json:"user_id" gorm:"not null;index"`
 	CreatedAt time.Time `json:"created_at" example:"2025-08-27 10:35:16.263"`
 }
diff --git a/internal/domain/user/entity.go b/internal/domain/user/entity.go
@@ -1,6 +1,7 @@
 package user
 
 import (
+	"taskflow/internal/domain/task"
 	"time"
 
 	"gorm.io/gorm"
@@ -10,6 +11,7 @@ type User struct {
 	ID        int            `gorm:"primaryKey" json:"id"`
 	Email     string         `gorm:"uniqueIndex;size:255;not null" json:"email"`
 	Password  string         `gorm:"size:255;not null" json:"password,omitempty"`
+	Tasks     []task.Task    `json:"tasks" gorm:"foreignKey:UserID;constraint:OnDelete:CASCADE"`
 	CreatedAt time.Time      `json:"created_at"`
 	UpdatedAt time.Time      `json:"updated_at"`
 	DeletedAt gorm.DeletedAt `gorm:"index" json:"deleted_at"`

diff --git a/internal/handler/task/task_handler.go b/internal/handler/task/task_handler.go
@@ -41,7 +41,14 @@ func (h *TaskHandler) CreateTask(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, common.ErrorResponse{Message: err.Error()})
 		return
 	}
-	if err := h.service.CreateTask(&req); err != nil {
+
+	userID, exists := c.Get("userID")
+	if !exists {
+		c.JSON(http.StatusUnauthorized, common.ErrorResponse{Message: "unauthorized"})
+		return
+	}
+
+	if err := h.service.CreateTask(userID.(int), &req); err != nil {
 		c.JSON(http.StatusBadRequest, common.ErrorResponse{Message: err.Error()})
 		return
 	}
@@ -65,7 +72,13 @@ func (h *TaskHandler) GetTask(c *gin.Context) {
 		return
 	}
 
-	resp, err := h.service.GetTask(id)
+	userID, exists := c.Get("userID")
+	if !exists {
+		c.JSON(http.StatusUnauthorized, common.ErrorResponse{Message: "unauthorized"})
+		return
+	}
+
+	resp, err := h.service.GetTask(userID.(int), id)
 	if err != nil {
 		c.JSON(http.StatusNotFound, common.ErrorResponse{Message: "Task not found"})
 		return
@@ -85,7 +98,13 @@ func (h *TaskHandler) GetTask(c *gin.Context) {
 // @Failure 500 {object} common.ErrorResponse "Internal server error"
 // @Router /tasks [get]
 func (h *TaskHandler) ListTasks(c *gin.Context) {
-	res, err := h.service.ListTasks()
+	userID, exists := c.Get("userID")
+	if !exists {
+		c.JSON(http.StatusUnauthorized, common.ErrorResponse{Message: "unauthorized"})
+		return
+	}
+
+	res, err := h.service.ListTasks(userID.(int))
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, common.ErrorResponse{Message: err.Error()})
 		return
@@ -106,6 +125,12 @@ func (h *TaskHandler) ListTasks(c *gin.Context) {
 // @Failure 404 {object} common.ErrorResponse "Task not found"
 // @Router /tasks/{id}/status [patch]
 func (h *TaskHandler) UpdateStatus(c *gin.Context) {
+	userID, exists := c.Get("userID")
+	if !exists {
+		c.JSON(http.StatusUnauthorized, common.ErrorResponse{Message: "unauthorized"})
+		return
+	}
+
 	id, err := strconv.Atoi(c.Param("id"))
 	if err != nil || id < 1 {
 		c.JSON(http.StatusBadRequest, common.ErrorResponse{Message: "invalid task ID"})
@@ -118,7 +143,7 @@ func (h *TaskHandler) UpdateStatus(c *gin.Context) {
 		return
 	}
 
-	if err := h.service.UpdateStatus(id, req.Status); err != nil {
+	if err := h.service.UpdateStatus(userID.(int), id, req.Status); err != nil {
 		if err == gorm.ErrRecordNotFound {
 			c.JSON(http.StatusNotFound, common.ErrorResponse{Message: "Task not found"})
 			return
@@ -143,14 +168,20 @@ func (h *TaskHandler) UpdateStatus(c *gin.Context) {
 // @Failure 500 {object} common.ErrorResponse "Internal server error"
 // @Router /tasks/{id} [delete]
 func (h *TaskHandler) Delete(c *gin.Context) {
+	userID, exists := c.Get("userID")
+	if !exists {
+		c.JSON(http.StatusUnauthorized, common.ErrorResponse{Message: "unauthorized"})
+		return
+	}
+
 	// Parse ID from path
 	id, err := strconv.Atoi(c.Param("id"))
 	if err != nil || id < 1 {
 		c.JSON(http.StatusBadRequest, common.ErrorResponse{Message: "Invalid ID"})
 		return
 	}
 
-	if err := h.service.Delete(id); err != nil {
+	if err := h.service.Delete(userID.(int), id); err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			c.JSON(http.StatusNotFound, common.ErrorResponse{Message: "Task not found"})
 		} else {

diff --git a/internal/handler/task/task_handler_mock.go b/internal/handler/task/task_handler_mock.go