Security hardening
- Remove OwnerUserId from BudgetDto: OIDC sub of the budget owner was
being returned to all collaborators (including View-only users)
- Remove SharedWithUserId from ShareDto: other users' internal OIDC subs
were visible to anyone with read access to a budget
- Delete MeController: scaffolding endpoint that returned sub to the
browser; no legitimate frontend use case
- Restrict /healthz to require authorization: prevents unauthenticated
probing of database connectivity
- Add input validation annotations to all request DTOs: [Required],
[MaxLength], [Range(0,0.9999)] on EffectiveTaxRate, [EmailAddress] on
share email — [ApiController] now returns 400 instead of 500 for
invalid input hitting DB constraints
- Replace User.FindFirst("sub")!.Value with GetUserId() extension across
all controllers: returns 401 instead of NullReferenceException (500)
if a token lacks a sub claim
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Spencer Twaddle
@@ -13,7 +13,13 @@ namespace Budget.Api.Controllers;
|
||||
[Authorize]
|
||||
public class IncomesController(AppDbContext db, BudgetAuthorizationService authz) : ControllerBase
|
||||
{
|
||||
private string UserId => User.FindFirst("sub")!.Value;
|
||||
private IActionResult? TryGetUserId(out string userId)
|
||||
{
|
||||
var id = User.GetUserId();
|
||||
if (id is null) { userId = string.Empty; return Unauthorized(); }
|
||||
userId = id;
|
||||
return null;
|
||||
}
|
||||
|
||||
private static IncomeDto ToDto(Income i) => new(
|
||||
i.Id, i.BudgetId, i.Name, i.Frequency, i.Amount,
|
||||
@@ -24,7 +30,8 @@ public class IncomesController(AppDbContext db, BudgetAuthorizationService authz
|
||||
[HttpGet]
|
||||
public async Task<IActionResult> List(Guid budgetId)
|
||||
{
|
||||
if (!await authz.CanReadAsync(budgetId, UserId)) return Forbid();
|
||||
if (TryGetUserId(out var userId) is { } err) return err;
|
||||
if (!await authz.CanReadAsync(budgetId, userId)) return Forbid();
|
||||
var incomes = await db.Incomes
|
||||
.Where(i => i.BudgetId == budgetId)
|
||||
.OrderBy(i => i.SortOrder)
|
||||
@@ -35,7 +42,8 @@ public class IncomesController(AppDbContext db, BudgetAuthorizationService authz
|
||||
[HttpPost]
|
||||
public async Task<IActionResult> Create(Guid budgetId, [FromBody] CreateIncomeRequest req)
|
||||
{
|
||||
if (!await authz.CanWriteAsync(budgetId, UserId)) return Forbid();
|
||||
if (TryGetUserId(out var userId) is { } err) return err;
|
||||
if (!await authz.CanWriteAsync(budgetId, userId)) return Forbid();
|
||||
var maxOrder = await db.Incomes.Where(i => i.BudgetId == budgetId).MaxAsync(i => (int?)i.SortOrder) ?? -1;
|
||||
var income = new Income
|
||||
{
|
||||
@@ -54,7 +62,8 @@ public class IncomesController(AppDbContext db, BudgetAuthorizationService authz
|
||||
[HttpPut("{incomeId:guid}")]
|
||||
public async Task<IActionResult> Update(Guid budgetId, Guid incomeId, [FromBody] UpdateIncomeRequest req)
|
||||
{
|
||||
if (!await authz.CanWriteAsync(budgetId, UserId)) return Forbid();
|
||||
if (TryGetUserId(out var userId) is { } err) return err;
|
||||
if (!await authz.CanWriteAsync(budgetId, userId)) return Forbid();
|
||||
var income = await db.Incomes.FirstOrDefaultAsync(i => i.Id == incomeId && i.BudgetId == budgetId);
|
||||
if (income is null) return NotFound();
|
||||
income.Name = req.Name;
|
||||
@@ -67,7 +76,8 @@ public class IncomesController(AppDbContext db, BudgetAuthorizationService authz
|
||||
[HttpDelete("{incomeId:guid}")]
|
||||
public async Task<IActionResult> Delete(Guid budgetId, Guid incomeId)
|
||||
{
|
||||
if (!await authz.CanWriteAsync(budgetId, UserId)) return Forbid();
|
||||
if (TryGetUserId(out var userId) is { } err) return err;
|
||||
if (!await authz.CanWriteAsync(budgetId, userId)) return Forbid();
|
||||
var income = await db.Incomes.FirstOrDefaultAsync(i => i.Id == incomeId && i.BudgetId == budgetId);
|
||||
if (income is null) return NotFound();
|
||||
db.Incomes.Remove(income);
|
||||
@@ -78,7 +88,8 @@ public class IncomesController(AppDbContext db, BudgetAuthorizationService authz
|
||||
[HttpPut("order")]
|
||||
public async Task<IActionResult> Reorder(Guid budgetId, [FromBody] ReorderIncomesRequest req)
|
||||
{
|
||||
if (!await authz.CanWriteAsync(budgetId, UserId)) return Forbid();
|
||||
if (TryGetUserId(out var userId) is { } err) return err;
|
||||
if (!await authz.CanWriteAsync(budgetId, userId)) return Forbid();
|
||||
var incomes = await db.Incomes.Where(i => i.BudgetId == budgetId).ToListAsync();
|
||||
var lookup = incomes.ToDictionary(i => i.Id);
|
||||
for (int idx = 0; idx < req.OrderedIds.Count; idx++)
|
||||
|
||||
Reference in New Issue
Block a user