Security hardening

- Remove OwnerUserId from BudgetDto: OIDC sub of the budget owner was being returned to all collaborators (including View-only users) - Remove SharedWithUserId from ShareDto: other users' internal OIDC subs were visible to anyone with read access to a budget - Delete MeController: scaffolding endpoint that returned sub to the browser; no legitimate frontend use case - Restrict /healthz to require authorization: prevents unauthenticated probing of database connectivity - Add input validation annotations to all request DTOs: [Required], [MaxLength], [Range(0,0.9999)] on EffectiveTaxRate, [EmailAddress] on share email — [ApiController] now returns 400 instead of 500 for invalid input hitting DB constraints - Replace User.FindFirst("sub")!.Value with GetUserId() extension across all controllers: returns 401 instead of NullReferenceException (500) if a token lacks a sub claim Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-25 09:00:33 -05:00
parent a8cf6957b5
commit 6d1bc2ce2c
14 changed files with 131 additions and 77 deletions
@@ -13,63 +13,72 @@ namespace Budget.Api.Controllers;
 [Authorize]
 public class BudgetsController(AppDbContext db, BudgetAuthorizationService authz) : ControllerBase
 {
-    private string UserId => User.FindFirst("sub")!.Value;
+    private IActionResult? TryGetUserId(out string userId)
+    {
+        var id = User.GetUserId();
+        if (id is null) { userId = string.Empty; return Unauthorized(); }
+        userId = id;
+        return null;
+    }

    [HttpGet]
    public async Task<IActionResult> List()
    {
-        var userId = UserId;
+        if (TryGetUserId(out var userId) is { } err) return err;
        var budgets = await db.Budgets
            .Where(b => b.OwnerUserId == userId ||
                        b.Shares.Any(s => s.SharedWithUserId == userId && !s.IsPending))
-            .Select(b => new BudgetDto(b.Id, b.Name, b.OwnerUserId, b.EffectiveTaxRate, b.CreatedAt, b.UpdatedAt))
+            .Select(b => new BudgetDto(b.Id, b.Name, b.EffectiveTaxRate, b.CreatedAt, b.UpdatedAt))
            .ToListAsync();
-
        return Ok(budgets);
    }

    [HttpPost]
    public async Task<IActionResult> Create([FromBody] CreateBudgetRequest req)
    {
+        if (TryGetUserId(out var userId) is { } err) return err;
        var budget = new Models.Budget
        {
            Id = Guid.NewGuid(),
            Name = req.Name,
-            OwnerUserId = UserId,
+            OwnerUserId = userId,
            CreatedAt = DateTimeOffset.UtcNow,
            UpdatedAt = DateTimeOffset.UtcNow,
        };
        db.Budgets.Add(budget);
        await db.SaveChangesAsync();
        return CreatedAtAction(nameof(Get), new { id = budget.Id },
-            new BudgetDto(budget.Id, budget.Name, budget.OwnerUserId, budget.EffectiveTaxRate, budget.CreatedAt, budget.UpdatedAt));
+            new BudgetDto(budget.Id, budget.Name, budget.EffectiveTaxRate, budget.CreatedAt, budget.UpdatedAt));
    }

    [HttpGet("{id:guid}")]
    public async Task<IActionResult> Get(Guid id)
    {
-        if (!await authz.CanReadAsync(id, UserId)) return Forbid();
+        if (TryGetUserId(out var userId) is { } err) return err;
+        if (!await authz.CanReadAsync(id, userId)) return Forbid();
        var b = await db.Budgets.FindAsync(id);
        if (b is null) return NotFound();
-        return Ok(new BudgetDto(b.Id, b.Name, b.OwnerUserId, b.EffectiveTaxRate, b.CreatedAt, b.UpdatedAt));
+        return Ok(new BudgetDto(b.Id, b.Name, b.EffectiveTaxRate, b.CreatedAt, b.UpdatedAt));
    }

    [HttpPut("{id:guid}")]
    public async Task<IActionResult> Update(Guid id, [FromBody] UpdateBudgetRequest req)
    {
-        if (!await authz.CanWriteAsync(id, UserId)) return Forbid();
+        if (TryGetUserId(out var userId) is { } err) return err;
+        if (!await authz.CanWriteAsync(id, userId)) return Forbid();
        var b = await db.Budgets.FindAsync(id);
        if (b is null) return NotFound();
        b.Name = req.Name;
        b.UpdatedAt = DateTimeOffset.UtcNow;
        await db.SaveChangesAsync();
-        return Ok(new BudgetDto(b.Id, b.Name, b.OwnerUserId, b.EffectiveTaxRate, b.CreatedAt, b.UpdatedAt));
+        return Ok(new BudgetDto(b.Id, b.Name, b.EffectiveTaxRate, b.CreatedAt, b.UpdatedAt));
    }

    [HttpDelete("{id:guid}")]
    public async Task<IActionResult> Delete(Guid id)
    {
-        if (!await authz.IsOwnerAsync(id, UserId)) return Forbid();
+        if (TryGetUserId(out var userId) is { } err) return err;
+        if (!await authz.IsOwnerAsync(id, userId)) return Forbid();
        var b = await db.Budgets.FindAsync(id);
        if (b is null) return NotFound();
        db.Budgets.Remove(b);