Switch to signed cookie auth and stop leaking player IDs

2026-02-05 16:28:22 +01:00
parent 67453d0756
commit a6265e8656
12 changed files with 100 additions and 84 deletions
--- a/Endpoints/StateEndpoints.cs
+++ b/Endpoints/StateEndpoints.cs
@@ -10,7 +10,9 @@ public static class StateEndpoints
 {
    public static void MapStateEndpoints(this IEndpointRouteBuilder app)
    {
-        app.MapGet("/api/state", async (HttpContext ctx, AppDbContext db) =>
+        var group = app.MapGroup("/api").RequireAuthorization();
+
+        group.MapGet("/state", async (HttpContext ctx, AppDbContext db) =>
        {
            var player = await EndpointHelpers.GetAuthenticatedPlayer(ctx, db);
            if (player is null) return Results.Unauthorized();
@@ -31,7 +33,7 @@ public static class StateEndpoints
            return Results.Ok(summary);
        });

-        app.MapGet("/api/me", async (HttpContext ctx, AppDbContext db) =>
+        group.MapGet("/me", async (HttpContext ctx, AppDbContext db) =>
        {
            var player = await EndpointHelpers.GetAuthenticatedPlayer(ctx, db);
            if (player is null) return Results.Unauthorized();
@@ -39,7 +41,7 @@ public static class StateEndpoints
            return Results.Ok(new { player.Id, player.DisplayName, player.Username, player.IsAdmin, CurrentPhase = phase, player.VotesFinal, player.HasJoker });
        });

-        app.MapPost("/api/me/phase/next", async (HttpContext ctx, AppDbContext db, IConfiguration config) =>
+        group.MapPost("/me/phase/next", async (HttpContext ctx, AppDbContext db, IConfiguration config) =>
        {
            var player = await EndpointHelpers.GetAuthenticatedPlayer(ctx, db);
            if (player is null) return Results.Unauthorized();
@@ -59,7 +61,7 @@ public static class StateEndpoints
            return Results.Ok(new { player.CurrentPhase, appState.ResultsOpen });
        });

-        app.MapPost("/api/me/phase/prev", async (HttpContext ctx, AppDbContext db, IConfiguration config) =>
+        group.MapPost("/me/phase/prev", async (HttpContext ctx, AppDbContext db, IConfiguration config) =>
        {
            var player = await EndpointHelpers.GetAuthenticatedPlayer(ctx, db);
            if (player is null) return Results.Unauthorized();
@@ -76,7 +78,7 @@ public static class StateEndpoints
            return Results.Ok(new { player.CurrentPhase, appState.ResultsOpen });
        });

-        app.MapPost("/api/me/name", async ([FromBody] SetNameRequest request, HttpContext ctx, AppDbContext db) =>
+        group.MapPost("/me/name", async ([FromBody] SetNameRequest request, HttpContext ctx, AppDbContext db) =>
        {
            var name = EndpointHelpers.TrimTo(request.Name, 16);
            if (string.IsNullOrWhiteSpace(name))