Finished endpoints and tests

Author: Oyvind Timian Dokk Husveg

exercise.tests/IntegrationTests/PostTests.cs

@@ -4,7 +4,7 @@ namespace exercise.wwwapi.DTOs.Posts
 {
     public class CreatePostCommentDTO
     {
-        public required int Userid { get; set; }
+        //public required int Userid { get; set; }
         public required string Content { get; set; }
     }
 }

exercise.wwwapi/DTOs/Posts/CreatePostCommentDTO.cs

@@ -7,7 +7,6 @@ namespace exercise.wwwapi.DTOs.Posts
 {
     public class CreatePostDTO
     {
-        public required int Userid { get; set; }
         public required string Content { get; set; }
 
     }

exercise.wwwapi/DTOs/Posts/CreatePostDTO.cs

@@ -65,7 +65,7 @@ public class PersonData
             {"abstract", 51 }
         };
         private List<string> _passwordHashes = new List<string> {
-            "$2a$11$mbfii1SzR9B7ZtKbYydLOuAPBSA2ziAP0CrsdU8QgubGo2afw7Wuy", // Timianerkul1!
+            "$2a$11$mbfii1SzR9B7ZtKbYydLOuAPBSA2ziAP0CrsdU8QgubGo2afw7Wuy", // Timianerkul1! //apparently this hash isnt right...
             "$2a$11$5ttNr5DmMLFlyVVv7PFkQOhIstdGTBmSdhMHaQcUOZ8zAgsCqFT6e", // SuperHash!4
             "$2a$11$KBLC6riEn/P78lLCwyi0MO9DrlxapLoGhCfdgXwLU2s44P.StKO/6", // Neidintulling!l33t
             "$2a$11$DFMtyLv243uk2liVbzCxXeshisouexhitDg5OUuBU.4LVn//QG5O."  // lettPassord123!

exercise.wwwapi/Data/PersonData.cs

@@ -57,12 +57,11 @@ public class PostData
         };
         DateTime somedate = new DateTime(2020, 12, 05, 0, 0, 0, DateTimeKind.Utc);
         private List<Post> _posts = new List<Post>();
-        private int numusers = 300;
         public PostData(List<User> users)
         {
             Random random = new Random(1);
 
-            for (int i = 1; i < 25; i++)
+            for (int i = 1; i < users.Count / 5; i++)
             {
                 string subject = _subject[random.Next(9-1)];
                 string obj = _objects[random.Next(16-1)];

exercise.wwwapi/Data/PostData.cs

@@ -3,11 +3,13 @@
 using exercise.wwwapi.DTOs;
 using exercise.wwwapi.DTOs.GetUsers;
 using exercise.wwwapi.DTOs.Posts;
+using exercise.wwwapi.Helpers;
 using exercise.wwwapi.Models;
 using exercise.wwwapi.Repository;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Hosting;
 using System.Security.Claims;
 
 namespace exercise.wwwapi.Endpoints
@@ -19,63 +21,70 @@ public static void ConfigurePostEndpoints(this WebApplication app)
             var posts = app.MapGroup("posts");
             posts.MapPost("/", CreatePost).WithSummary("Create post");
             posts.MapGet("/", GetAllPosts).WithSummary("Get all posts");
-            posts.MapPatch("/{id}", UpdatePost).WithSummary("Update a certain post");
-            posts.MapDelete("/{id}", DeletePost).WithSummary("Remove a certain post");
+            posts.MapPatch("/{postid}", UpdatePost).WithSummary("Update a certain post");
+            posts.MapDelete("/{postid}", DeletePost).WithSummary("Remove a certain post");
 
             posts.MapPost("/{postId}/comments", AddCommentToPost).WithSummary("Add a new comment to a post");
             posts.MapGet("/{postId}/comments", GetCommentsForPost).WithSummary("Get comments for a specific post");
 
             // Standalone comment endpoints for editing/deleting
             var comments = app.MapGroup("comments");
-            comments.MapPatch("/{id}", UpdateComment).WithSummary("Edit an existing comment");
-            comments.MapDelete("/{id}", DeleteCommentById).WithSummary("Remove an existing comment");
+            comments.MapPatch("/{commentId}", UpdateComment).WithSummary("Edit an existing comment");
+            comments.MapDelete("/{commentId}", DeleteCommentById).WithSummary("Remove an existing comment");
 
             // Endpoints to get by user
             posts.MapGet("/user/{userId}", GetPostsByUser).WithSummary("Get posts by a specific user");
             comments.MapGet("/user/{userId}", GetCommentsByUser).WithSummary("Get comments by a specific user");
         }
 
-
+        [Authorize]
         [ProducesResponseType(StatusCodes.Status200OK)]
         [ProducesResponseType(StatusCodes.Status404NotFound)]
         [ProducesResponseType(StatusCodes.Status400BadRequest)]
-        public static IResult CreatePost(IRepository<User> userservice, IRepository<Post> postservice, IMapper mapper, CreatePostDTO request)
+        public static IResult CreatePost(
+            IRepository<User> userservice, 
+            IRepository<Post> postservice, 
+            IMapper mapper, 
+            ClaimsPrincipal user,
+            CreatePostDTO request
+            )
         {
-
-            User? user = userservice.GetById(request.Userid);
+            int? userid = user.UserRealId();
+            User? dbUser = userservice.GetById(userid);
             if (user == null)
                 return Results.NotFound(new ResponseDTO<Object>{Message = "Invalid userID"});
 
             if (string.IsNullOrWhiteSpace(request.Content))
                 return Results.BadRequest(new ResponseDTO<Object> { Message = "Content cannot be empty" });
 
-            Post post = new Post() { CreatedAt = DateTime.UtcNow, NumLikes = 0, UserId=request.Userid, Content=request.Content };
+            Post post = new Post() { CreatedAt = DateTime.UtcNow, NumLikes = 0, UserId= dbUser.Id, Content=request.Content };
 
             // is a try catch needed here?
             postservice.Insert(post);
             postservice.Save();
 
 
-            UserBasicDTO userBasicDTO = mapper.Map<UserBasicDTO>(user);
+            UserBasicDTO userBasicDTO = mapper.Map<UserBasicDTO>(dbUser);
             PostDTO postDTO = mapper.Map<PostDTO>(post);
             postDTO.User = userBasicDTO;
 
             ResponseDTO<PostDTO> response = new ResponseDTO<PostDTO>
             {
-                Message = "success",
+                Message = "Success",
                 Data = postDTO
             };
 
             return Results.Created($"/posts/{post.Id}", response);
         }
+        [Authorize]
         [ProducesResponseType(StatusCodes.Status200OK)]
         public static IResult GetAllPosts(IRepository<Post> service, IMapper mapper)
         {
             IEnumerable<Post> results = service.GetWithIncludes(q => q.Include(p => p.User).Include(p => p.Comments).ThenInclude(c => c.User));
             IEnumerable<PostDTO> postDTOs = mapper.Map<IEnumerable<PostDTO>>(results);
             ResponseDTO<IEnumerable<PostDTO>> response = new ResponseDTO<IEnumerable<PostDTO>>()
             {
-                Message = "success",
+                Message = "Success",
                 Data = postDTOs
             };
             return TypedResults.Ok(response);
@@ -84,28 +93,25 @@ public static IResult GetAllPosts(IRepository<Post> service, IMapper mapper)
         [Authorize]
         [ProducesResponseType(StatusCodes.Status200OK)]
         [ProducesResponseType(StatusCodes.Status400BadRequest)]
-        public static IResult UpdatePost(IRepository<Post> service, IMapper mapper, ClaimsPrincipal user, int id, UpdatePostDTO request)
+        [ProducesResponseType(StatusCodes.Status403Forbidden)]
+
+        public static IResult UpdatePost(IRepository<Post> service, IMapper mapper, ClaimsPrincipal user, int postid, UpdatePostDTO request)
         {
             if (string.IsNullOrWhiteSpace(request.Content)) return TypedResults.BadRequest(new ResponseDTO<object>{
                     Message = "Content cannot be empty"
                 });
 
-            Post? post = service.GetById(id, q=>q.Include(p => p.User));
-
-            
+            Post? post = service.GetById(postid, q=>q.Include(p => p.User));
 
             if (post == null) return TypedResults.NotFound(new ResponseDTO<Object> { Message = "Post not found" });
 
-            var currentUserId = user.FindFirstValue(ClaimTypes.NameIdentifier);
-            if (post.UserId.ToString() != currentUserId)
+            Console.WriteLine($"Role:{user.Role()} {Roles.student}| {post.UserId} {user.UserRealId()}");
+            if (post.UserId != user.UserRealId() && user.Role() == (int)Roles.student)
             {
-                // Create your custom response object
                 var forbiddenResponse = new ResponseDTO<object>
                 {
                     Message = "You are not authorized to edit this post."
                 };
-
-                // Return it as JSON with a 403 Forbidden status code
                 return TypedResults.Json(forbiddenResponse, statusCode: StatusCodes.Status403Forbidden);
             }
 
@@ -122,23 +128,41 @@ public static IResult UpdatePost(IRepository<Post> service, IMapper mapper, Clai
             return TypedResults.Ok(new ResponseDTO<PostDTO> { Message = "Success", Data = postDTO });
         }
 
+        [Authorize]
         [ProducesResponseType(StatusCodes.Status200OK)]
         [ProducesResponseType(StatusCodes.Status404NotFound)]
-        private static IResult DeletePost(IRepository<Post> service, int id)
+        [ProducesResponseType(StatusCodes.Status403Forbidden)]
+        private static IResult DeletePost(IRepository<Post> service, ClaimsPrincipal user, int postid)
         {
-            Post? post = service.GetById(id, q => q.Include(p => p.User).Include(p => p.Comments).ThenInclude(c => c.User));
+            Post? post = service.GetById(postid, q => q.Include(p => p.User).Include(p => p.Comments).ThenInclude(c => c.User));
             if (post == null) return TypedResults.NotFound(new ResponseDTO<Object> { Message = "Post not found" });
 
-            service.Delete(id);
+            if (user.Role() == (int)Roles.student && post.UserId != user.UserRealId())
+            {
+                var forbiddenResponse = new ResponseDTO<object>
+                {
+                    Message = "You are not authorized to delete this post."
+                };
+                return TypedResults.Json(forbiddenResponse, statusCode: StatusCodes.Status403Forbidden);
+            }
+            service.Delete(postid);
             service.Save();
 
             return TypedResults.Ok(new ResponseDTO<PostDTO> { Message = "Success" });
         }
 
+        [Authorize]
         [ProducesResponseType(StatusCodes.Status201Created)]
         [ProducesResponseType(StatusCodes.Status404NotFound)]
         [ProducesResponseType(StatusCodes.Status400BadRequest)]
-        private static IResult AddCommentToPost(IRepository<PostComment> commentService, IRepository<Post> postService, IRepository<User> userService, IMapper mapper, int postId, CreatePostCommentDTO request)
+        private static IResult AddCommentToPost(
+            IRepository<PostComment> commentService, 
+            IRepository<Post> postService, 
+            IRepository<User> userService, 
+            IMapper mapper, 
+            ClaimsPrincipal user,
+            int postId, 
+            CreatePostCommentDTO request)
         {
             // Check if post exists
             var post = postService.GetById(postId);
@@ -148,8 +172,8 @@ private static IResult AddCommentToPost(IRepository<PostComment> commentService,
             }
 
             // Check if user exists
-            var user = userService.GetById(request.Userid);
-            if (user == null)
+            var dbUser = userService.GetById(user.UserRealId());
+            if (dbUser == null)
             {
                 return TypedResults.NotFound(new ResponseDTO<object> { Message = "User not found." });
             }
@@ -163,7 +187,7 @@ private static IResult AddCommentToPost(IRepository<PostComment> commentService,
             var comment = new PostComment
             {
                 Content = request.Content,
-                UserId = request.Userid,
+                UserId = dbUser.Id,
                 PostId = postId,
                 CreatedAt = DateTime.UtcNow
             };
@@ -177,6 +201,7 @@ private static IResult AddCommentToPost(IRepository<PostComment> commentService,
             return TypedResults.Created($"/comments/{comment.Id}", new ResponseDTO<PostCommentDTO> { Message = "Success", Data = commentDto });
         }
 
+        [Authorize]
         [ProducesResponseType(StatusCodes.Status200OK)]
         private static IResult GetCommentsForPost(IRepository<Post> postservice, IMapper mapper, int postId)
         {
@@ -190,17 +215,29 @@ private static IResult GetCommentsForPost(IRepository<Post> postservice, IMapper
         [ProducesResponseType(StatusCodes.Status200OK)]
         [ProducesResponseType(StatusCodes.Status404NotFound)]
         [ProducesResponseType(StatusCodes.Status400BadRequest)]
-        private static IResult UpdateComment(IRepository<PostComment> service, IMapper mapper, int id, CreatePostCommentDTO request)
+        private static IResult UpdateComment(
+            IRepository<PostComment> service, 
+            IMapper mapper, 
+            ClaimsPrincipal user, 
+            int commentId, 
+            CreatePostCommentDTO request)
         {
             if (string.IsNullOrWhiteSpace(request.Content))
             {
                 return TypedResults.BadRequest(new ResponseDTO<object> { Message = "Content cannot be empty." });
             }
 
-            var comment = service.GetById(id, q => q.Include(c => c.User));
-            if (comment == null)
+            var comment = service.GetById(commentId, q => q.Include(c => c.User));
+            if (comment == null) return TypedResults.NotFound(new ResponseDTO<object> { Message = "Comment not found." });
+
+            //Console.WriteLine($"Role:{user.Role()} {Roles.student.ToString()}| {comment.UserId} {user.UserRealId()}");
+            if (comment.UserId != user.UserRealId() && user.Role() == (int)Roles.student)
             {
-                return TypedResults.NotFound(new ResponseDTO<object> { Message = "Comment not found." });
+                var forbiddenResponse = new ResponseDTO<object>
+                {
+                    Message = "You are not authorized to edit this comment."
+                };
+                return TypedResults.Json(forbiddenResponse, statusCode: StatusCodes.Status403Forbidden);
             }
 
             comment.Content = request.Content;
@@ -213,22 +250,33 @@ private static IResult UpdateComment(IRepository<PostComment> service, IMapper m
             return TypedResults.Ok(new ResponseDTO<PostComment> { Message = "Comment updated successfully.", Data = commentDto });
         }
 
+        [Authorize]
         [ProducesResponseType(StatusCodes.Status200OK)]
         [ProducesResponseType(StatusCodes.Status404NotFound)]
-        private static IResult DeleteCommentById(IRepository<PostComment> service, int id)
+        private static IResult DeleteCommentById(IRepository<PostComment> service, ClaimsPrincipal user, int commentId)
         {
-            var comment = service.GetById(id);
+            var comment = service.GetById(commentId);
             if (comment == null)
             {
                 return TypedResults.NotFound(new ResponseDTO<object> { Message = "Comment not found." });
             }
 
-            service.Delete(id);
+            if (user.Role() == (int)Roles.student && comment.UserId != user.UserRealId())
+            {
+                var forbiddenResponse = new ResponseDTO<object>
+                {
+                    Message = "You are not authorized to delete this comment."
+                };
+                return TypedResults.Json(forbiddenResponse, statusCode: StatusCodes.Status403Forbidden);
+            }
+
+            service.Delete(commentId);
             service.Save();
 
             return TypedResults.Ok(new ResponseDTO<object> { Message = "Comment deleted successfully." });
         }
 
+        [Authorize]
         [ProducesResponseType(StatusCodes.Status200OK)]
         [ProducesResponseType(StatusCodes.Status404NotFound)]
         private static IResult GetPostsByUser(IRepository<Post> service, IMapper mapper, int userid)
@@ -245,6 +293,7 @@ private static IResult GetPostsByUser(IRepository<Post> service, IMapper mapper,
             return TypedResults.Ok(response);
         }
 
+        [Authorize]
         [ProducesResponseType(StatusCodes.Status200OK)]
         [ProducesResponseType(StatusCodes.Status404NotFound)]
         private static IResult GetCommentsByUser(IRepository<PostComment> service, IMapper mapper, int userid)

exercise.wwwapi/Endpoints/PostEndpoints.cs

@@ -103,13 +103,16 @@ private static IResult Login(LoginRequestDTO request, IRepository<User> service,
 
             // Check for valid password
             string validationResult = Validator.Password(request.password);
+            Console.WriteLine($"Password: {validationResult}");
             if (validationResult != "Accepted") return TypedResults.BadRequest(new ResponseDTO<string>() { Message = "Invalid email and/or password provided" });
+            
 
             //email doesn't exist, should probably be 404 user not found, but should maybe just say invalid email or password
             //check if email is in database
             var emailExists = service.GetAllFiltered(q => q.Email == request.email);
+            Console.WriteLine($"Email doesnt exists? {emailExists.Count() == 0}");
             if (emailExists.Count() == 0) return TypedResults.BadRequest(new ResponseDTO<Object>() { Message = "Invalid email and/or password provided"});
-
+            
 
 
             User user = service.GetAll().FirstOrDefault(u => u.Email == request.email)!;
@@ -118,6 +121,7 @@ private static IResult Login(LoginRequestDTO request, IRepository<User> service,
             if (!BCrypt.Net.BCrypt.Verify(request.password, user.PasswordHash))
             {
                 // should probably be 401 unauthorized
+                Console.WriteLine($"Password hashes doesnt match:\n{request.password}\n{user.PasswordHash}");
                 return Results.BadRequest(new ResponseDTO<Object>() { Message = "Invalid email and/or password provided" });
             }
 
@@ -227,8 +231,10 @@ private static string CreateToken(User user, IConfigurationSettings config)
             List<Claim> claims = new List<Claim>
             {
                 new Claim(ClaimTypes.Sid, user.Id.ToString()),
+                new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
                 new Claim(ClaimTypes.Name, user.Username),
-                new Claim(ClaimTypes.Email, user.Email)
+                new Claim(ClaimTypes.Email, user.Email),
+                new Claim(ClaimTypes.Role, ((int)user.Role).ToString())
             };
 
             var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(config.GetValue("AppSettings:Token")));