Switch to signed cookie auth and stop leaking player IDs

2026-02-05 16:28:22 +01:00
parent 67453d0756
commit a6265e8656
12 changed files with 100 additions and 84 deletions


@@ -10,7 +10,9 @@ public static class VoteEndpoints
{
public static void MapVoteEndpoints(this IEndpointRouteBuilder app)
{
app.MapGet("/api/votes/mine", async (HttpContext ctx, AppDbContext db) =>
var group = app.MapGroup("/api/votes").RequireAuthorization();
group.MapGet("/mine", async (HttpContext ctx, AppDbContext db) =>
{
var player = await EndpointHelpers.GetAuthenticatedPlayer(ctx, db);
if (player is null) return Results.Unauthorized();
@@ -25,7 +27,7 @@ public static class VoteEndpoints
return Results.Ok(votes);
});
app.MapPost("/api/votes", async ([FromBody] VoteRequest request, HttpContext ctx, AppDbContext db) =>
group.MapPost("/", async ([FromBody] VoteRequest request, HttpContext ctx, AppDbContext db) =>
{
if (request.Score is < 0 or > 10)
return Results.BadRequest(new { error = "Score must be between 0 and 10." });
@@ -77,7 +79,7 @@ public static class VoteEndpoints
return Results.Ok(new { SuggestionIds = linkedIds, request.Score });
});
app.MapPost("/api/votes/finalize", async ([FromBody] VoteFinalizeRequest request, HttpContext ctx, AppDbContext db) =>
group.MapPost("/finalize", async ([FromBody] VoteFinalizeRequest request, HttpContext ctx, AppDbContext db) =>
{
var player = await EndpointHelpers.GetAuthenticatedPlayer(ctx, db);
if (player is null) return Results.Unauthorized();
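Review bot: The two state-changing routes, `group.MapPost("/")` and `group.MapPost("/finalize")`, are now authenticated by a cookie the browser attaches automatically, and nothing in these hunks shows a cross-site request forgery control. The `[FromBody]` JSON binding presumably rejects form-encoded cross-site posts, but that is a side effect rather than a stated defence. Please confirm that the auth cookie is issued with `SameSite=Lax` or `Strict` plus `Secure` and `HttpOnly`, and record it next to the group, e.g. `// CSRF: cookie auth; relies on the SameSite cookie and JSON-only bodies, see cookie setup`. It is also worth a one-line comment that `RequireAuthorization()` only proves a valid cookie, while the retained `GetAuthenticatedPlayer` null check covers a cookie whose player no longer exists. The handler bodies continue outside the hunks, so the cookie configuration itself cannot be checked from here.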