budget

stwaddle/budget

Fork 0

Commit Graph

Author	SHA1	Message	Date
Spencer Twaddle	9b1b704ea1	Add rate limiting: global (120/min) and writes (30/min) policies Both policies partition by sub claim with IP fallback. Global limiter applies to all requests; writes policy is applied via [EnableRateLimiting("writes")] on every POST, PUT, and DELETE action across all five controllers. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-02 15:56:54 -05:00
Spencer Twaddle	6d1bc2ce2c	Security hardening - Remove OwnerUserId from BudgetDto: OIDC sub of the budget owner was being returned to all collaborators (including View-only users) - Remove SharedWithUserId from ShareDto: other users' internal OIDC subs were visible to anyone with read access to a budget - Delete MeController: scaffolding endpoint that returned sub to the browser; no legitimate frontend use case - Restrict /healthz to require authorization: prevents unauthenticated probing of database connectivity - Add input validation annotations to all request DTOs: [Required], [MaxLength], [Range(0,0.9999)] on EffectiveTaxRate, [EmailAddress] on share email — [ApiController] now returns 400 instead of 500 for invalid input hitting DB constraints - Replace User.FindFirst("sub")!.Value with GetUserId() extension across all controllers: returns 401 instead of NullReferenceException (500) if a token lacks a sub claim Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-25 09:00:33 -05:00
Spencer Twaddle	963e511287	Phase 3: Budget and sharing API - Add BudgetsController: list (owner + shared), create, get, rename, delete - Add BudgetAuthorizationService: Owner / Edit / View / None access levels - Add SharesController: list, add (resolves KnownUser immediately), update permission, revoke - Register BudgetAuthorizationService as scoped service - Add BudgetDto, ShareDto, and associated request DTOs Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-25 07:55:07 -05:00

Author

SHA1

Message

Date

Spencer Twaddle

9b1b704ea1

Add rate limiting: global (120/min) and writes (30/min) policies

Both policies partition by sub claim with IP fallback. Global limiter
applies to all requests; writes policy is applied via
[EnableRateLimiting("writes")] on every POST, PUT, and DELETE action
across all five controllers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-02 15:56:54 -05:00

Spencer Twaddle

6d1bc2ce2c

Security hardening

- Remove OwnerUserId from BudgetDto: OIDC sub of the budget owner was
  being returned to all collaborators (including View-only users)
- Remove SharedWithUserId from ShareDto: other users' internal OIDC subs
  were visible to anyone with read access to a budget
- Delete MeController: scaffolding endpoint that returned sub to the
  browser; no legitimate frontend use case
- Restrict /healthz to require authorization: prevents unauthenticated
  probing of database connectivity
- Add input validation annotations to all request DTOs: [Required],
  [MaxLength], [Range(0,0.9999)] on EffectiveTaxRate, [EmailAddress] on
  share email — [ApiController] now returns 400 instead of 500 for
  invalid input hitting DB constraints
- Replace User.FindFirst("sub")!.Value with GetUserId() extension across
  all controllers: returns 401 instead of NullReferenceException (500)
  if a token lacks a sub claim

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-25 09:00:33 -05:00

Spencer Twaddle

963e511287

Phase 3: Budget and sharing API

- Add BudgetsController: list (owner + shared), create, get, rename, delete
- Add BudgetAuthorizationService: Owner / Edit / View / None access levels
- Add SharesController: list, add (resolves KnownUser immediately), update permission, revoke
- Register BudgetAuthorizationService as scoped service
- Add BudgetDto, ShareDto, and associated request DTOs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-25 07:55:07 -05:00

3 Commits