[HIGH] Credential minting doesn't verify quiz belongs to specified course

[DeFiVC]

Description

In src/modules/credentials/credential.service.ts:31-41, the mint method accepts courseId and submissionId as independent parameters. The submission lookup only filters by submissionId + userId — it never joins with quizzes to verify quizzes.courseId === courseId.

A user could pass a passing quiz for Course A and mint a credential for Course B.

Impact

Users can obtain credentials for courses they never completed.

File

src/modules/credentials/credential.service.ts:31-41

Suggested Fix

Join the submission query with the quizzes table to verify that quizzes.courseId matches the requested courseId.

[Menjay7]

Hi! I came across this issue and would love to work on it. I have experience with similar tasks and I'm confident I can investigate, implement a clean solution, and thoroughly test it before submitting a PR. If the issue is still open, I would appreciate it if you could assign it to me. Thank you!

[gloskull]

Hello, I have 4 years of experience delivering solutions for projects like this, covering backend, frontend, and smart contract development. After carefully reviewing your requirements, I have a clear understanding of the task and am confident in my ability to deliver a clean, efficient, and thoroughly tested solution on time. I prioritize code quality, maintainability, and industry best practices throughout the development process.
My PR will be submitted in under 10hours.