Commit Graph

2 Commits

Author SHA1 Message Date
Spencer Twaddle 6d1bc2ce2c Security hardening
- Remove OwnerUserId from BudgetDto: OIDC sub of the budget owner was
  being returned to all collaborators (including View-only users)
- Remove SharedWithUserId from ShareDto: other users' internal OIDC subs
  were visible to anyone with read access to a budget
- Delete MeController: scaffolding endpoint that returned sub to the
  browser; no legitimate frontend use case
- Restrict /healthz to require authorization: prevents unauthenticated
  probing of database connectivity
- Add input validation annotations to all request DTOs: [Required],
  [MaxLength], [Range(0,0.9999)] on EffectiveTaxRate, [EmailAddress] on
  share email — [ApiController] now returns 400 instead of 500 for
  invalid input hitting DB constraints
- Replace User.FindFirst("sub")!.Value with GetUserId() extension across
  all controllers: returns 401 instead of NullReferenceException (500)
  if a token lacks a sub claim

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-25 09:00:33 -05:00

Spencer Twaddle f429a747d8 Phase 4: Income API and page
- Add FrequencyCalculator static utility (all 9 frequency multipliers)
- Add IncomesController: list, create, update, delete, reorder
- Add Income DTOs with computed Monthly/Annually fields
- Add shared TypeScript types (IncomeDto, OutgoDto, BudgetDto, ShareDto, SummaryDto)
- Add API client with Bearer token injection via setTokenProvider
- Add FrequencySelect, MoneyDisplay, BudgetNav shared components
- Add Income page: sortable table with inline editing, add/delete rows, drag-to-reorder via dnd-kit
- Wire TokenWirer in App.tsx to keep API client in sync with auth state

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-25 07:56:42 -05:00