Spencer Twaddle
9b1b704ea1
Both policies partition by sub claim with IP fallback. Global limiter
applies to all requests; writes policy is applied via
[EnableRateLimiting("writes")] on every POST, PUT, and DELETE action
across all five controllers.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
90 lines
3.5 KiB
C#
90 lines
3.5 KiB
C#
using Budget.Api.Data;
|
|
using Budget.Api.DTOs;
|
|
using Budget.Api.Models;
|
|
using Budget.Api.Services;
|
|
using Microsoft.AspNetCore.Authorization;
|
|
using Microsoft.AspNetCore.Mvc;
|
|
using Microsoft.AspNetCore.RateLimiting;
|
|
using Microsoft.EntityFrameworkCore;
|
|
|
|
namespace Budget.Api.Controllers;
|
|
|
|
[ApiController]
|
|
[Route("api/budgets/{budgetId:guid}/shares")]
|
|
[Authorize]
|
|
public class SharesController(AppDbContext db, BudgetAuthorizationService authz) : ControllerBase
|
|
{
|
|
private IActionResult? TryGetUserId(out string userId)
|
|
{
|
|
var id = User.GetUserId();
|
|
if (id is null) { userId = string.Empty; return Unauthorized(); }
|
|
userId = id;
|
|
return null;
|
|
}
|
|
|
|
[HttpGet]
|
|
public async Task<IActionResult> List(Guid budgetId)
|
|
{
|
|
if (TryGetUserId(out var userId) is { } err) return err;
|
|
if (!await authz.CanReadAsync(budgetId, userId)) return Forbid();
|
|
var shares = await db.BudgetShares
|
|
.Where(s => s.BudgetId == budgetId)
|
|
.Select(s => new ShareDto(s.Id, s.SharedWithEmail, s.Permission, s.IsPending, s.CreatedAt))
|
|
.ToListAsync();
|
|
return Ok(shares);
|
|
}
|
|
|
|
[HttpPost]
|
|
[EnableRateLimiting("writes")]
|
|
public async Task<IActionResult> Add(Guid budgetId, [FromBody] CreateShareRequest req)
|
|
{
|
|
if (TryGetUserId(out var userId) is { } err) return err;
|
|
if (!await authz.IsOwnerAsync(budgetId, userId)) return Forbid();
|
|
|
|
var existing = await db.BudgetShares
|
|
.FirstOrDefaultAsync(s => s.BudgetId == budgetId && s.SharedWithEmail == req.Email);
|
|
if (existing is not null) return Conflict("A share for that email already exists.");
|
|
|
|
var knownUser = await db.KnownUsers.FirstOrDefaultAsync(u => u.Email == req.Email);
|
|
var share = new BudgetShare
|
|
{
|
|
Id = Guid.NewGuid(),
|
|
BudgetId = budgetId,
|
|
SharedWithEmail = req.Email,
|
|
SharedWithUserId = knownUser?.Id,
|
|
IsPending = knownUser is null,
|
|
Permission = req.Permission,
|
|
CreatedAt = DateTimeOffset.UtcNow,
|
|
};
|
|
db.BudgetShares.Add(share);
|
|
await db.SaveChangesAsync();
|
|
return Ok(new ShareDto(share.Id, share.SharedWithEmail, share.Permission, share.IsPending, share.CreatedAt));
|
|
}
|
|
|
|
[HttpPut("{shareId:guid}")]
|
|
[EnableRateLimiting("writes")]
|
|
public async Task<IActionResult> Update(Guid budgetId, Guid shareId, [FromBody] UpdateShareRequest req)
|
|
{
|
|
if (TryGetUserId(out var userId) is { } err) return err;
|
|
if (!await authz.IsOwnerAsync(budgetId, userId)) return Forbid();
|
|
var share = await db.BudgetShares.FirstOrDefaultAsync(s => s.Id == shareId && s.BudgetId == budgetId);
|
|
if (share is null) return NotFound();
|
|
share.Permission = req.Permission;
|
|
await db.SaveChangesAsync();
|
|
return Ok(new ShareDto(share.Id, share.SharedWithEmail, share.Permission, share.IsPending, share.CreatedAt));
|
|
}
|
|
|
|
[HttpDelete("{shareId:guid}")]
|
|
[EnableRateLimiting("writes")]
|
|
public async Task<IActionResult> Revoke(Guid budgetId, Guid shareId)
|
|
{
|
|
if (TryGetUserId(out var userId) is { } err) return err;
|
|
if (!await authz.IsOwnerAsync(budgetId, userId)) return Forbid();
|
|
var share = await db.BudgetShares.FirstOrDefaultAsync(s => s.Id == shareId && s.BudgetId == budgetId);
|
|
if (share is null) return NotFound();
|
|
db.BudgetShares.Remove(share);
|
|
await db.SaveChangesAsync();
|
|
return NoContent();
|
|
}
|
|
}
|