xTr1m/GameList
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Switch to signed cookie auth and stop leaking player IDs

Browse Source
This commit is contained in:
Frank Tovar
2026-02-05 16:28:22 +01:00
parent 67453d0756
commit a6265e8656
12 changed files with 100 additions and 84 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
Endpoints/SuggestEndpoints.cs
View File

@@ -10,7 +10,9 @@ public static class SuggestEndpoints
{
public static void MapSuggestEndpoints(this IEndpointRouteBuilder app)
{
app.MapGet("/api/suggestions/mine", async (HttpContext ctx, AppDbContext db) =>
var group = app.MapGroup("/api/suggestions").RequireAuthorization();
group.MapGet("/mine", async (HttpContext ctx, AppDbContext db) =>
{
var player = await EndpointHelpers.GetAuthenticatedPlayer(ctx, db);
if (player is null) return Results.Unauthorized();
@@ -40,7 +42,7 @@ public static class SuggestEndpoints
return Results.Ok(ordered);
});
app.MapPost("/api/suggestions", async ([FromBody] SuggestionRequest request, HttpContext ctx, AppDbContext db, IHttpClientFactory http) =>
group.MapPost("/", async ([FromBody] SuggestionRequest request, HttpContext ctx, AppDbContext db, IHttpClientFactory http) =>
{
if (string.IsNullOrWhiteSpace(request.Name) || request.Name.Length > 100)
{
@@ -103,7 +105,7 @@ public static class SuggestEndpoints
return Results.Created($"/api/suggestions/{suggestion.Id}", new { suggestion.Id });
});
app.MapDelete("/api/suggestions/{id:int}", async (int id, HttpContext ctx, AppDbContext db, IConfiguration config) =>
group.MapDelete("/{id:int}", async (int id, HttpContext ctx, AppDbContext db, IConfiguration config) =>
{
var player = await EndpointHelpers.GetAuthenticatedPlayer(ctx, db);
if (player is null) return Results.Unauthorized();
@@ -132,7 +134,7 @@ public static class SuggestEndpoints
return Results.NoContent();
});
app.MapPut("/api/suggestions/{id:int}", async (int id, [FromBody] SuggestionRequest request, HttpContext ctx, AppDbContext db, IConfiguration config, IHttpClientFactory http) =>
group.MapPut("/{id:int}", async (int id, [FromBody] SuggestionRequest request, HttpContext ctx, AppDbContext db, IConfiguration config, IHttpClientFactory http) =>
{
var player = await EndpointHelpers.GetAuthenticatedPlayer(ctx, db);
var isAdmin = await EndpointHelpers.IsAdmin(ctx, db, config);
@@ -200,7 +202,7 @@ public static class SuggestEndpoints
});
});
app.MapGet("/api/suggestions/all", async (HttpContext ctx, AppDbContext db) =>
group.MapGet("/all", async (HttpContext ctx, AppDbContext db) =>
{
var player = await EndpointHelpers.GetAuthenticatedPlayer(ctx, db);
if (player is null) return Results.Unauthorized();
@@ -213,7 +215,6 @@ public static class SuggestEndpoints
.Select(s => new
{
s.Id,
s.PlayerId,
s.Name,
s.Genre,
s.Description,
@@ -224,7 +225,8 @@ public static class SuggestEndpoints
s.MaxPlayers,
Author = s.Player!.DisplayName,
s.CreatedAt,
s.ParentSuggestionId
s.ParentSuggestionId,
IsOwner = s.PlayerId == player.Id
})
.ToListAsync();
@@ -242,7 +244,6 @@ public static class SuggestEndpoints
return new
{
s.Id,
s.PlayerId,
s.Name,
s.Genre,
s.Description,
@@ -253,6 +254,7 @@ public static class SuggestEndpoints
s.MaxPlayers,
s.Author,
s.ParentSuggestionId,
s.IsOwner,
LinkedIds = linkedIds,
LinkedTitles = linkedIds
.Where(id => nameLookup.ContainsKey(id))