fix secrets no longer needed

ci: switch to compose.deploy to force fresh image pull
fix: always pull latest image on redeploy
2026-05-14 23:46:40 +02:00 · 2026-05-12 23:57:45 +02:00 · 2026-05-12 23:25:07 +02:00 · 2026-05-12 23:08:37 +02:00 · 2026-05-12 20:34:42 +02:00 · 2026-05-10 23:43:13 +02:00
33 changed files with 1988 additions and 542 deletions
@@ -0,0 +1,8 @@
 {
  "permissions": {
    "allow": [
      "Bash(git add *)",
      "Bash(git commit *)"
    ]
  }
 }
@@ -7,48 +7,51 @@ on:
 jobs:
  build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-java17
    steps:
      # 1. Checkout the code
      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
-      # 2. Set up Java and Maven
+      # 2. Build the Spring Boot application using the Maven wrapper (Java 17 pre-installed in runner image)
      - name: Set up JDK (Eclipse Temurin)
        uses: actions/setup-java@v3
        with:
          distribution: "temurin"
          java-version: "17"
          cache: maven
      # 3. Verify Maven installation
      - name: Install Maven
        run: |
          sudo apt-get update
          sudo apt-get install -y maven
          mvn -version
      # 4. Build the Spring Boot application
      - name: Build Spring Boot Application
-        run: |
+        run: ./mvnw clean package -DskipTests
          mvn clean package -DskipTests
-      # 5. Set up Docker
+      # 4. Set up Docker Buildx (enables layer caching)
-      - name: Set up Docker
+      - name: Set up Docker Buildx
-        run: |
+        uses: docker/setup-buildx-action@v3
          docker --version
-      # 6. Build the Docker image
+      # 5. Login to Docker Hub to avoid pull rate limits
-      - name: Build and Package Docker Image
+      - name: Login to Docker Hub
-        run: |
+        uses: docker/login-action@v3
-          docker build -t tea.zendric.de/cedric/xpensely-server:latest .
+        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      # 7. Docker login
+      # 6. Docker login to Gitea registry
      - name: Login to Docker Registry
        uses: docker/login-action@v3
        with:
          registry: tea.zendric.de
          username: ${{ secrets.TEAUSER }}
          password: ${{ secrets.TEAPASSWORD }}
      # 7. Build and push Docker image with layer caching
      - name: Build and Push Docker Image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: tea.zendric.de/cedric/xpensely-server:latest
          cache-from: type=registry,ref=tea.zendric.de/cedric/xpensely-server:buildcache
          cache-to: type=registry,ref=tea.zendric.de/cedric/xpensely-server:buildcache,mode=max
      # 8. Trigger Dokploy to redeploy the dev server automatically via API
      - name: Trigger Dokploy Redeploy
        run: |
-          echo "${{ secrets.TEAPASSWORD }}" | docker login tea.zendric.de -u ${{ secrets.TEAUSER }} --password-stdin
+          curl -X POST "https://dokploy.zendric.de/api/compose.deploy" \
-      # 8. Push Docker image
+            -H "Content-Type: application/json" \
-      - name: Push the Docker Image to registry
+            -H "x-api-key: ${{ secrets.DOKPLOY_API_TOKEN }}" \
-        run: |
+            -d "{\"composeId\": \"${{ secrets.DOKPLOY_COMPOSE_ID }}\"}" \
-          docker push tea.zendric.de/cedric/xpensely-server:latest
+            --fail
@@ -1,5 +1,6 @@
 HELP.md
 target/
 /docs/superpowers
 !.mvn/wrapper/maven-wrapper.jar
 !**/src/main/**/target/
 !**/src/test/**/target/
@@ -1,52 +0,0 @@
 version: "3.8"
 services:
  xpensely-server:
    build:
      context: .
      dockerfile: Dockerfile
    image: xpensely-server:local
    labels:
      net.unraid.docker.icon: https://tea.zendric.de/Cedric/XpenselyServer/raw/branch/main/src/main/resources/static/xpensely_icon_white.png
    container_name: xpensely-server
    ports:
      - 3636:8080
    environment:
      GOOGLE_CLIENT_ID: ${GOOGLE_CLIENT_ID}
      GOOGLE_CLIENT_SECRET: ${GOOGLE_CLIENT_SECRET}
      DB_PORT: 5432
      DB_P_NAME: xpensely
      DB_USERNAME: ${DB_USERNAME}
      DB_PASSWORD: ${DB_PASSWORD}
      SPRING_PROFILES_ACTIVE: test
    depends_on:
      postgresdb:
        condition: service_healthy
    networks:
      - xpensely-network
  postgresdb:
    labels:
      net.unraid.docker.icon: https://raw.githubusercontent.com/docker-library/docs/01c12653951b2fe592c1f93a13b4e289ada0e3a1/postgres/logo.png
    image: postgres:14
    container_name: postgresdb
    ports:
      - 5435:5432
    environment:
      POSTGRES_DB: xpensely
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_PASSWORD: ${DB_PASSWORD}
    networks:
      - xpensely-network
    volumes:
      - db_data:/var/lib/postgresql/data
    restart: unless-stopped
    healthcheck:
      test:
        - CMD-SHELL
        - pg_isready -U ${DB_USERNAME} -d xpensely
      interval: 10s
      timeout: 5s
      retries: 5
 volumes:
  db_data: null
 networks:
  xpensely-network: null
@@ -1,49 +1,41 @@
 version: "3.8"
 services:
  xpensely-server:
-    image: tea.zendric.de/cedric/xpensely-server:0
+    image: tea.zendric.de/cedric/xpensely-server:latest
-    labels:
+    pull_policy: always
-      net.unraid.docker.icon: https://tea.zendric.de/Cedric/XpenselyServer/raw/branch/main/src/main/resources/static/xpensely_icon_white.png
+    restart: always
    container_name: xpensely-server
    ports:
      - 3636:8080
    environment:
      GOOGLE_CLIENT_ID: ${GOOGLE_CLIENT_ID}
      GOOGLE_CLIENT_SECRET: ${GOOGLE_CLIENT_SECRET}
      DB_PORT: 5432
-      DB_P_NAME: xpensely
+      DB_P_NAME: ${POSTGRES_DB}
-      DB_USERNAME: ${DB_USERNAME}
+      DB_USERNAME: ${POSTGRES_USER}
-      DB_PASSWORD: ${DB_PASSWORD}
+      DB_PASSWORD: ${POSTGRES_PASSWORD}
      SPRING_PROFILES_ACTIVE: ${SPRING_PROFILES_ACTIVE}
    depends_on:
      postgresdb:
        condition: service_healthy
    networks:
      - xpensely-network
  postgresdb:
    labels:
      net.unraid.docker.icon: https://raw.githubusercontent.com/docker-library/docs/01c12653951b2fe592c1f93a13b4e289ada0e3a1/postgres/logo.png
    image: postgres:14
-    container_name: postgresdb
+    restart: unless-stopped
    ports:
      - 5435:5432
    environment:
-      POSTGRES_DB: xpensely
+      POSTGRES_DB: ${POSTGRES_DB}
-      POSTGRES_USER: ${DB_USERNAME}
+      POSTGRES_USER: ${POSTGRES_USER}
-      POSTGRES_PASSWORD: ${DB_PASSWORD}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - xpensely-network
    volumes:
      - db_data:/var/lib/postgresql/data
      - /mnt/user/appdata/xpensely_backups:/backups
    restart: unless-stopped
    healthcheck:
-      test:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
        - CMD-SHELL
        - pg_isready -U ${DB_USERNAME} -d xpensely
      interval: 10s
      timeout: 5s
      retries: 5
 volumes:
-  db_data: null
+  postgres_data:
 networks:
-  xpensely-network: null
+  xpensely-network:
    driver: bridge
@@ -1,4 +1,4 @@
-FROM openjdk:17-jdk-slim
+FROM eclipse-temurin:21-jdk
 COPY ./target/*.jar app.jar
@@ -0,0 +1,732 @@
 # Xpensely Server — API Reference
 > Last updated: 2026-05-14 · Branch: `dev`
 ## Table of Contents
 1. [Overview](#1-overview)
 2. [Authentication](#2-authentication)
 3. [Rate Limiting](#3-rate-limiting)
 4. [Endpoints](#4-endpoints)
   - 4.1 [Home](#41-home)
   - 4.2 [Users](#42-users)
   - 4.3 [Expense Lists](#43-expense-lists)
 5. [Data Models](#5-data-models)
 6. [Error Handling](#6-error-handling)
 7. [Recent Changes — `feature/security-hardening`](#7-recent-changes)
 ---
 ## 1. Overview
 Xpensely Server is a Spring Boot REST API that manages shared expense lists for pairs of users. It uses Google OAuth2 JWT tokens for authentication. All protected endpoints require a valid Bearer token in the `Authorization` header.
 **Base URL (local dev):** `http://localhost:8080`
 **Content-Type:** `application/json` for all request and response bodies.
 **Public endpoints (no auth required):**
 | Method | Path | Description |
 |--------|------|-------------|
 | GET | `/` | Health check — returns `"Welcome"` |
 | GET | `/api/version` | Returns build version and timestamp |
 | POST | `/api/users/createUser` | Register a new user |
 | GET | `/api/users/byName` | Look up a user by username |
 All other endpoints require authentication (see [Section 2](#2-authentication)).
 ## 2. Authentication
 The server uses **OAuth2 Resource Server** authentication with **Google ID JWT tokens**.
 ### How it works
 1. The client authenticates with Google and receives a Google ID JWT.
 2. Every protected API request must include this token in the header:
 ```
 Authorization: Bearer <google-id-jwt>
 ```
 3. The server validates the JWT signature and extracts the `sub` claim (Google User ID).
 4. The `sub` value is used to look up the registered `AppUser` in the database via `AuthenticatedUserResolver`.
 5. If no `AppUser` exists for that Google ID, the request is rejected with **403 Forbidden**.
 ### Test profile
 When the application runs under the `test` Spring profile (`-Dspring.profiles.active=test`), **all security is disabled** — every endpoint is accessible without a token. This is used for automated tests only.
 ### User registration flow
 Before a user can call any protected endpoint they must first be registered:
 1. Authenticate with Google to obtain a Google ID JWT.
 2. Call `POST /api/users/createUser` with the JWT's `sub` value as `googleId` and a chosen `username`.
 3. All subsequent protected calls use the same JWT — the server resolves the caller automatically.
 ## 3. Rate Limiting
 All requests pass through a `RateLimitFilter` (implemented with **Bucket4j**).
 | Setting | Value |
 |---------|-------|
 | Limit | 60 requests per minute |
 | Window | Rolling 1-minute bucket |
 | Key (authenticated) | JWT `sub` claim (Google User ID) |
 | Key (unauthenticated) | `X-Forwarded-For` header, falling back to remote IP |
 When the limit is exceeded the server responds with:
 ```
 HTTP 429 Too Many Requests
 ```
 No `Retry-After` header is currently returned. Clients should back off and retry after 60 seconds.
 > **Note:** Rate limiting applies in the `!test` profile only. Tests run without rate limiting.
 ## 4. Endpoints
 ### 4.1 Home
 #### `GET /`
 Health check. No authentication required.
 **Response:** `200 OK`
 ```
 Welcome
 ```
 ---
 #### `GET /api/version`
 Returns the application version and build timestamp. No authentication required.
 **Response:** `200 OK`
 ```json
 {
  "version": "0.0.1-SNAPSHOT",
  "builtAt": "2026-05-09T10:00:00Z"
 }
 ```
 | Field | Type | Notes |
 |-------|------|-------|
 | `version` | String | Maven project version |
 | `builtAt` | String (ISO-8601) | UTC timestamp of the build |
 ---
 ### 4.2 Users
 Base path: `/api/users`
 ---
 #### `POST /api/users/createUser` — Register a user
 **Auth required:** No
 **Request body:**
 ```json
 {
  "username": "alice",
  "googleId": "118400012345678901234"
 }
 ```
 | Field | Type | Constraints |
 |-------|------|-------------|
 | `username` | String | Required. 3–30 chars. Pattern: `^[a-zA-Z0-9_.\-]+$` |
 | `googleId` | String | Required. Non-blank. Must match the JWT `sub` from Google. |
 **Success response:** `201 Created` — returns the created [AppUser](#appuser) object.
 **Error responses:**
 | Status | Condition |
 |--------|-----------|
 | 400 | Validation failure (field errors returned as `{"fieldName": "message"}`) |
 | 409 | `username` already taken |
 ---
 #### `GET /api/users` — Get user by ID
 **Auth required:** Yes
 **Query params:**
 | Param | Type | Required | Description |
 |-------|------|----------|-------------|
 | `id` | Long | Yes | Database ID of the user |
 **Success response:** `200 OK` — returns [AppUser](#appuser).
 **Error responses:**
 | Status | Condition |
 |--------|-----------|
 | 403 | Authenticated user's ID does not match the requested `id` |
 | 404 | No user found for `id` |
 ---
 #### `GET /api/users/byName` — Get user by username
 **Auth required:** No
 **Query params:**
 | Param | Type | Required | Description |
 |-------|------|----------|-------------|
 | `username` | String | Yes | Exact username (case-sensitive) |
 **Success response:** `200 OK` — returns [AppUser](#appuser).
 **Error responses:**
 | Status | Condition |
 |--------|-----------|
 | 404 | No user found for `username` |
 ---
 #### `GET /api/users/byGoogleId` — Get user by Google ID
 **Auth required:** Yes
 **Query params:**
 | Param | Type | Required | Description |
 |-------|------|----------|-------------|
 | `id` | String | Yes | Google `sub` claim |
 **Success response:** `200 OK` — returns [AppUser](#appuser).
 **Error responses:**
 | Status | Condition |
 |--------|-----------|
 | 403 | Requested Google ID does not match the authenticated user's Google ID |
 | 404 | No user found for that Google ID |
 ---
 #### `DELETE /api/users` — Delete a user
 **Auth required:** Yes
 **Query params:**
 | Param | Type | Required | Description |
 |-------|------|----------|-------------|
 | `id` | Long | Yes | Database ID of the user to delete |
 **Success response:** `200 OK` — returns a plain string: `"User deleted: <username>"`.
 **Error responses:**
 | Status | Condition |
 |--------|-----------|
 | 403 | Authenticated user's ID does not match the requested `id` |
 | 404 | No user found for `id` |
 ---
 ### 4.3 Expense Lists
 Base path: `/api/expenselist`
 All endpoints in this group require authentication. The authenticated caller is resolved from the JWT and used for ownership checks.
 ---
 #### `GET /api/expenselist/mine` — Get caller's expense lists
 Returns all expense lists where the caller is the owner **or** has been shared the list.
 **Auth required:** Yes
 **Request body:** None
 **Success responses:**
 | Status | Condition |
 |--------|-----------|
 | 200 OK | Returns array of [ExpenseList](#expenselist) |
 | 204 No Content | Caller has no expense lists |
 ```json
 [
  {
    "id": 1,
    "name": "Holiday Trip",
    "inviteCode": null,
    "owner": { "id": 1, "username": "alice" },
    "sharedWith": null,
    "expenses": [],
    "customCategories": []
  }
 ]
 ```
 ---
 #### `GET /api/expenselist/byId` — Get expense list by ID
 **Auth required:** Yes
 **Query params:**
 | Param | Type | Required | Description |
 |-------|------|----------|-------------|
 | `id` | Long | Yes | Expense list database ID |
 The caller must be the owner or the shared user of the list.
 **Success response:** `200 OK` — returns [ExpenseList](#expenselist).
 **Error responses:**
 | Status | Condition |
 |--------|-----------|
 | 403 | Caller is neither owner nor shared user |
 | 404 | No list found for `id` |
 ---
 #### `POST /api/expenselist/create` — Create an expense list
 **Auth required:** Yes
 **Request body:**
 ```json
 {
  "name": "Road Trip 2026"
 }
 ```
 | Field | Type | Constraints |
 |-------|------|-------------|
 | `name` | String | Required. Max 100 chars. |
 The authenticated caller becomes the `owner` of the new list. The list is initialised with the default Xpensely standard categories.
 **Success response:** `201 Created` — returns the created [ExpenseList](#expenselist).
 **Error responses:**
 | Status | Condition |
 |--------|-----------|
 | 400 | Validation failure |
 ---
 #### `DELETE /api/expenselist/{id}` — Delete an expense list
 **Auth required:** Yes
 **Path params:**
 | Param | Type | Description |
 |-------|------|-------------|
 | `id` | Long | Expense list database ID |
 Only the **owner** may delete a list. Deleting a list cascades to all its expenses and custom categories.
 **Success response:** `204 No Content`
 **Error responses:**
 | Status | Condition |
 |--------|-----------|
 | 403 | Caller is not the owner |
 | 404 | No list found for `id` |
 ---
 #### `POST /api/expenselist/{id}/add` — Add an expense to a list
 **Auth required:** Yes
 **Path params:**
 | Param | Type | Description |
 |-------|------|-------------|
 | `id` | Long | Expense list database ID |
 **Request body:**
 ```json
 {
  "title": "Dinner",
  "owner": "alice",
  "amount": 42.50,
  "personalUseAmount": 21.25,
  "otherPersonAmount": 21.25,
  "date": "2026-05-09",
  "category": "Food"
 }
 ```
 | Field | Type | Constraints |
 |-------|------|-------------|
 | `title` | String | Required. Max 100 chars. |
 | `owner` | String | Required. Username of the person who paid. |
 | `amount` | Double | Required. Min 0.01. |
 | `personalUseAmount` | Double | Optional. Caller's share. |
 | `otherPersonAmount` | Double | Optional. Other person's share. |
 | `date` | String (ISO-8601) | Required. Format: `YYYY-MM-DD`. |
 | `category` | String | Required. Non-blank category name. |
 **Success response:** `201 Created` — returns the created [Expense](#expense).
 **Error responses:**
 | Status | Condition |
 |--------|-----------|
 | 400 | Validation failure |
 | 403 | Caller is not a member (owner or sharedWith) of the list |
 | 404 | List not found |
 ---
 #### `PUT /api/expenselist/{id}/update` — Update an expense
 **Auth required:** Yes
 **Path params:**
 | Param | Type | Description |
 |-------|------|-------------|
 | `id` | Long | Expense list database ID |
 **Request body:**
 ```json
 {
  "id": 7,
  "title": "Dinner (updated)",
  "ownerName": "alice",
  "amount": 50.00,
  "personalUseAmount": 25.00,
  "otherPersonAmount": 25.00,
  "date": "2026-05-09",
  "category": "Food"
 }
 ```
 | Field | Type | Constraints |
 |-------|------|-------------|
 | `id` | Long | Required. ID of the expense to update. |
 | `title` | String | Required. Max 100 chars. |
 | `ownerName` | String | Required. Username of the payer. |
 | `amount` | Double | Required. Min 0.01. |
 | `personalUseAmount` | Double | Optional. |
 | `otherPersonAmount` | Double | Optional. |
 | `date` | String (ISO-8601) | Required. `YYYY-MM-DD`. |
 | `category` | String | Required. |
 Caller must be a member of the list. Expense must belong to the specified list.
 **Success response:** `200 OK` — returns the updated [Expense](#expense).
 **Error responses:**
 | Status | Condition |
 |--------|-----------|
 | 400 | Validation failure or expense does not belong to this list |
 | 403 | Caller is not a member of the list |
 | 404 | List or expense not found |
 ---
 #### `DELETE /api/expenselist/{id}/delete` — Remove an expense from a list
 **Auth required:** Yes
 **Path params:**
 | Param | Type | Description |
 |-------|------|-------------|
 | `id` | Long | Expense list database ID |
 **Query params:**
 | Param | Type | Required | Description |
 |-------|------|----------|-------------|
 | `expenseId` | Long | Yes | ID of the expense to remove |
 Caller must be a member of the list.
 **Success response:** `204 No Content`
 **Error responses:**
 | Status | Condition |
 |--------|-----------|
 | 403 | Caller is not a member of the list |
 | 404 | List or expense not found |
 ---
 #### `POST /api/expenselist/{listId}/invite` — Generate an invite code
 Generates (or refreshes) a 6-character uppercase invite code for the list, valid for **1 week**.
 **Auth required:** Yes
 **Path params:**
 | Param | Type | Description |
 |-------|------|-------------|
 | `listId` | Long | Expense list database ID |
 Caller must be the **owner** of the list.
 **Success response:** `200 OK` — returns the invite code as a plain string.
 ```
 AB3X7Q
 ```
 **Error responses:**
 | Status | Condition |
 |--------|-----------|
 | 403 | Caller is not the owner |
 | 404 | List not found |
 ---
 #### `POST /api/expenselist/accept-invite` — Accept an invite
 Joins the caller to a shared expense list using an invite code.
 **Auth required:** Yes
 **Request body:**
 ```json
 {
  "inviteCode": "AB3X7Q"
 }
 ```
 | Field | Type | Constraints |
 |-------|------|-------------|
 | `inviteCode` | String | Required. Exactly 6 characters. |
 **Success response:** `200 OK` — returns a plain string: `"User added to the list"`.
 **Error responses:**
 | Status | Condition |
 |--------|-----------|
 | 400 | Validation failure or caller is already the owner of the list |
 | 404 | Invite code not found or expired |
 | 226 IM Used | List already has a second member (`sharedWith` is not null) |
 ---
 ## 5. Data Models
 ### AppUser
 Returned by all `/api/users` endpoints. Sensitive fields (`googleId`, `createdAt`) are hidden from API responses via `@JsonIgnore`.
 ```json
 {
  "id": 1,
  "username": "alice"
 }
 ```
 | Field | Type | Notes |
 |-------|------|-------|
 | `id` | Long | Auto-generated primary key |
 | `username` | String | Unique. 3–30 chars. |
 ---
 ### ExpenseList
 ```json
 {
  "id": 1,
  "name": "Road Trip",
  "inviteCode": "AB3X7Q",
  "owner": { "id": 1, "username": "alice" },
  "sharedWith": { "id": 2, "username": "bob" },
  "xpenselyStandardCategories": {
    "id": 1,
    "categories": [
      { "id": 1, "name": "Food", "colorCode": "#FF5733" }
    ]
  },
  "customCategories": [],
  "expenses": []
 }
 ```
 | Field | Type | Notes |
 |-------|------|-------|
 | `id` | Long | Auto-generated primary key |
 | `name` | String | Display name of the list |
 | `inviteCode` | String \| null | 6-char code; `null` if not yet generated or expired |
 | `owner` | AppUser | User who created the list |
 | `sharedWith` | AppUser \| null | Second member of the list; `null` until an invite is accepted |
 | `xpenselyStandardCategories` | XpenselyStandardCategories | Default category set assigned at creation |
 | `customCategories` | XpenselyCustomCategory[] | User-defined categories, ordered A→Z |
 | `expenses` | Expense[] | All expenses, ordered by date ASC then id ASC |
 > `inviteCodeExpiration` is hidden from API responses (`@JsonIgnore`).
 ---
 ### Expense
 ```json
 {
  "id": 7,
  "title": "Dinner",
  "owner": { "id": 1, "username": "alice" },
  "amount": 42.50,
  "personalUseAmount": 21.25,
  "otherPersonAmount": 21.25,
  "category": "Food",
  "date": "2026-05-09"
 }
 ```
 | Field | Type | Notes |
 |-------|------|-------|
 | `id` | Long | Auto-generated |
 | `title` | String | Description of the expense |
 | `owner` | AppUser | Who paid |
 | `amount` | Double | Total amount. Min 0.01. |
 | `personalUseAmount` | Double \| null | Caller's share |
 | `otherPersonAmount` | Double \| null | Other member's share |
 | `category` | String | Category name (free text — must match a category on the list) |
 | `date` | String (ISO-8601) | `YYYY-MM-DD` |
 > The `expenseList` back-reference is excluded via `@JsonBackReference` to prevent circular serialisation.
 ---
 ### XpenselyStandardCategories
 A named group of standard categories assigned to every new expense list.
 ```json
 {
  "id": 1,
  "categories": [
    { "id": 1, "name": "Food", "colorCode": "#FF5733" },
    { "id": 2, "name": "Transport", "colorCode": "#3498DB" }
  ]
 }
 ```
 ---
 ### XpenselyCustomCategory
 A user-defined category attached to a specific expense list.
 ```json
 {
  "id": 5,
  "name": "Souvenirs",
  "colorCode": "#9B59B6"
 }
 ```
 | Field | Type | Notes |
 |-------|------|-------|
 | `id` | Long | Auto-generated |
 | `name` | String | Category label |
 | `colorCode` | String | 7-char hex string e.g. `#RRGGBB` |
 > The `expenseList` back-reference is excluded via `@JsonBackReference`.
 ## 6. Error Handling
 All errors are returned as JSON. The `GlobalExceptionHandler` (`@RestControllerAdvice`) maps exceptions to HTTP status codes consistently across every endpoint.
 ### Error response format
 Most errors:
 ```json
 {
  "error": "Human-readable message"
 }
 ```
 Validation errors (`400`):
 ```json
 {
  "username": "size must be between 3 and 30",
  "googleId": "must not be blank"
 }
 ```
 ### Status code reference
 | HTTP Status | Condition | Source |
 |-------------|-----------|--------|
 | 400 Bad Request | Input validation failed (missing/invalid fields) | `MethodArgumentNotValidException` via `@Valid` |
 | 400 Bad Request | Business rule violation (e.g. expense not in this list) | `IllegalArgumentException` |
 | 403 Forbidden | User not registered in the system | `AuthenticatedUserResolver` → `ResponseStatusException(FORBIDDEN)` |
 | 403 Forbidden | Ownership check failed (e.g. deleting someone else's list) | `ResponseStatusException(FORBIDDEN)` in controller |
 | 404 Not Found | Entity does not exist (user, list, expense) | `ResourceNotFoundException` |
 | 409 Conflict | Username already taken | `UsernameAlreadyExistsException` |
 | 429 Too Many Requests | Rate limit exceeded | `RateLimitFilter` (returned directly, not via exception handler) |
 | 500 Internal Server Error | Unexpected runtime or generic exception | `RuntimeException` / `Exception` — message is hidden from client |
 ## 7. Recent Changes — `feature/security-hardening`
 This section summarises API-visible changes introduced on the `feature/security-hardening` branch (commits `3d456f2` → `b1324e3` → `8b96433` → `f0de751`). A developer or agent reading this document should be aware of these differences compared to the `main` branch.
 ---
 ### New: Centralised error handling (`GlobalExceptionHandler`)
 **File:** `src/main/java/.../controller/GlobalExceptionHandler.java`
 All error responses now follow the consistent JSON shape described in [Section 6](#6-error-handling). Previously, individual controllers returned ad-hoc responses, including HTTP 417 and raw stack trace output. Both have been removed. SLF4J logging has been added for server-side error visibility.
 ---
 ### New: `AuthenticatedUserResolver`
 **File:** `src/main/java/.../security/AuthenticatedUserResolver.java`
 A new component that extracts the Google ID from the JWT `sub` claim and resolves the corresponding `AppUser`. Injected into all protected controller methods. Returns `403 Forbidden` if the token is valid but the user has never called `POST /api/users/createUser`.
 ---
 ### New: `RateLimitFilter` — 60 req/min
 **File:** `src/main/java/.../security/RateLimitFilter.java`
 Rate limiting was not present on `main`. See [Section 3](#3-rate-limiting) for full details.
 ---
 ### New: `CreateExpenseListRequest` DTO with validation
 **File:** `src/main/java/.../model/CreateExpenseListRequest.java`
 `POST /api/expenselist/create` previously accepted a raw `ExpenseList` body. It now requires a `CreateExpenseListRequest` with a single validated `name` field (`@NotBlank`, `@Size(max=100)`). Clients must update their request body shape.
 ---
 ### Updated: Validation constraints tightened on existing DTOs
 | DTO | Field | Change |
 |-----|-------|--------|
 | `AppUserCreateRequest` | `username` | Added `@Pattern(regexp="^[a-zA-Z0-9_.\-]+$")` — special characters (other than `_`, `.`, `-`) now rejected |
 | `InviteRequest` | `inviteCode` | Added `@Size(min=6, max=6)` — non-6-char codes now rejected at binding |
 | `ExpenseInput` | `amount` | Added `@DecimalMin("0.01")` — zero and negative amounts now rejected |
 | `ExpenseChangeRequest` | `amount` | Added `@DecimalMin("0.01")` — zero and negative amounts now rejected |
 ---
 ### Updated: `SecurityConfig` — test-profile isolation
 **File:** `src/main/java/.../security/SecurityConfig.java`
 Two separate `SecurityFilterChain` beans now exist:
 - `@Profile("test")` — all endpoints permitted, CSRF disabled (for automated tests only).
 - `@Profile("!test")` — full JWT/OAuth2 enforcement (production behaviour).
 Previously a single config was used for both, which made tests fragile.
 ---
 ### Fixed: `ExpenseListService` — JPQL and exception consistency
 - Single `@Param` used in all JPQL queries (multi-param variant was broken).
 - `ResourceNotFoundException` is now thrown consistently instead of returning `null` or a generic `RuntimeException`.
 - `addExpenseToList` delegates directly to `ExpenseList.addExpense()` rather than looping.
 ---
 ### Fixed: `UserService` — null returns replaced with exceptions
 All not-found paths in `UserService` now throw `ResourceNotFoundException` instead of returning `null`. Callers that previously needed to null-check responses will now receive a `404` response.
@@ -1,110 +1,142 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
-	<modelVersion>4.0.0</modelVersion>
+    <modelVersion>4.0.0</modelVersion>
-	<parent>
+    <parent>
-		<groupId>org.springframework.boot</groupId>
+        <groupId>org.springframework.boot</groupId>
-		<artifactId>spring-boot-starter-parent</artifactId>
+        <artifactId>spring-boot-starter-parent</artifactId>
-		<version>3.4.1</version>
+        <version>4.0.6</version>
-		<relativePath/> <!-- lookup parent from repository -->
+        <relativePath/> <!-- lookup parent from repository -->
-	</parent>
+    </parent>
-	<groupId>de.zendric.app</groupId>
+    <groupId>de.zendric.app</groupId>
-	<artifactId>XpenselyServer</artifactId>
+    <artifactId>XpenselyServer</artifactId>
-	<version>1.0.0</version>
+    <version>1.0.0</version>
-	<name>XpenselyServer</name>
+    <name>XpenselyServer</name>
-	<description>XpenselyServer used to handle the Xpensely App</description>
+    <description>XpenselyServer used to handle the Xpensely App</description>
-	<url/>
+    <url/>
-	<licenses>
+    <licenses>
-		<license/>
+        <license/>
-	</licenses>
+    </licenses>
-	<developers>
+    <developers>
-		<developer/>
+        <developer/>
-	</developers>
+    </developers>
-	<scm>
+    <scm>
-		<connection/>
+        <connection/>
-		<developerConnection/>
+        <developerConnection/>
-		<tag/>
+        <tag/>
-		<url/>
+        <url/>
-	</scm>
+    </scm>
-	<properties>
+    <properties>
-		<java.version>17</java.version>
+        <java.version>21</java.version>
-	</properties>
+        <lombok.version>1.18.46</lombok.version>
-	<dependencies>
+    </properties>
-		<dependency>
+    <dependencies>
-			<groupId>org.springframework.boot</groupId>
+        <dependency>
-			<artifactId>spring-boot-starter-data-jpa</artifactId>
+            <groupId>org.springframework.boot</groupId>
-		</dependency>
+            <artifactId>spring-boot-starter-data-jpa</artifactId>
-		<dependency>
+        </dependency>
-			<groupId>org.springframework.boot</groupId>
+        <dependency>
-			<artifactId>spring-boot-starter-security</artifactId>
+            <groupId>org.springframework.boot</groupId>
-		</dependency>
+            <artifactId>spring-boot-starter-security</artifactId>
-		<dependency>
+        </dependency>
-        	<groupId>org.springframework.boot</groupId>
+        <dependency>
-        	<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+            <groupId>org.springframework.boot</groupId>
-    	</dependency>
+            <artifactId>spring-boot-starter-validation</artifactId>
-			<dependency>
+        </dependency>
-			<groupId>org.springframework.boot</groupId>
+        <dependency>
-			<artifactId>spring-boot-starter-oauth2-client</artifactId>
+            <groupId>com.bucket4j</groupId>
-		</dependency>
+            <artifactId>bucket4j-core</artifactId>
-		<dependency>
+            <version>8.10.1</version>
-			<groupId>org.springframework.boot</groupId>
+        </dependency>
-			<artifactId>spring-boot-starter-web</artifactId>
+        <dependency>
-		</dependency>
+            <groupId>org.springframework.boot</groupId>
-		<dependency>
+            <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
-			<groupId>org.springframework.boot</groupId>
+        </dependency>
-			<artifactId>spring-boot-devtools</artifactId>
+        <dependency>
-			<scope>runtime</scope>
+            <groupId>org.springframework.boot</groupId>
-			<optional>true</optional>
+            <artifactId>spring-boot-starter-oauth2-client</artifactId>
-		</dependency>
+        </dependency>
-		<dependency>
+        <dependency>
-			<groupId>org.postgresql</groupId>
+            <groupId>org.springframework.boot</groupId>
-			<artifactId>postgresql</artifactId>
+            <artifactId>spring-boot-starter-web</artifactId>
-			<scope>runtime</scope>
+        </dependency>
-		</dependency>
+        <dependency>
-		<dependency>
+            <groupId>org.springframework.boot</groupId>
-			<groupId>org.projectlombok</groupId>
+            <artifactId>spring-boot-devtools</artifactId>
-			<artifactId>lombok</artifactId>
+            <scope>runtime</scope>
-			<optional>true</optional>
+            <optional>true</optional>
-		</dependency>
+        </dependency>
-		<dependency>
+        <dependency>
-			<groupId>org.springframework.boot</groupId>
+            <groupId>org.postgresql</groupId>
-			<artifactId>spring-boot-starter-test</artifactId>
+            <artifactId>postgresql</artifactId>
-			<scope>test</scope>
+            <scope>runtime</scope>
-		</dependency>
+        </dependency>
-		<dependency>
+        <dependency>
-			<groupId>org.springframework.security</groupId>
+            <groupId>org.projectlombok</groupId>
-			<artifactId>spring-security-test</artifactId>
+            <artifactId>lombok</artifactId>
-			<scope>test</scope>
+            <optional>true</optional>
-		</dependency>
+        </dependency>
-	</dependencies>
+        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-webmvc-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
-	<build>
+    <build>
-		<plugins>
+        <plugins>
-			<plugin>
+            <plugin>
-				<groupId>org.apache.maven.plugins</groupId>
+                <groupId>org.apache.maven.plugins</groupId>
-				<artifactId>maven-compiler-plugin</artifactId>
+                <artifactId>maven-compiler-plugin</artifactId>
-				<configuration>
+                <configuration>
-					<annotationProcessorPaths>
+                    <annotationProcessorPaths>
-						<path>
+                        <path>
-							<groupId>org.projectlombok</groupId>
+                            <groupId>org.projectlombok</groupId>
-							<artifactId>lombok</artifactId>
+                            <artifactId>lombok</artifactId>
-						</path>
+                        </path>
-					</annotationProcessorPaths>
+                    </annotationProcessorPaths>
-				</configuration>
+                </configuration>
-			</plugin>
+            </plugin>
-			<plugin>
+            <plugin>
-				<groupId>org.springframework.boot</groupId>
+                <groupId>org.springframework.boot</groupId>
-				<artifactId>spring-boot-maven-plugin</artifactId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
-				<configuration>
+                <configuration>
-					<excludes>
+                    <excludes>
-						<exclude>
+                        <exclude>
-							<groupId>org.projectlombok</groupId>
+                            <groupId>org.projectlombok</groupId>
-							<artifactId>lombok</artifactId>
+                            <artifactId>lombok</artifactId>
-						</exclude>
+                        </exclude>
-					</excludes>
+                    </excludes>
-				</configuration>
+                </configuration>
-			</plugin>
+                <executions>
-		</plugins>
+                    <execution>
-	</build>
+                        <goals>
                            <goal>build-info</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
 </project>
@@ -1,35 +1,34 @@
 package de.zendric.app.xpensely_server.controller;
-import org.springframework.beans.factory.annotation.Autowired;
+import jakarta.validation.Valid;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.DeleteMapping;
+import org.springframework.security.core.Authentication;
-import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.*;
-import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.server.ResponseStatusException;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 import de.zendric.app.xpensely_server.model.AppUser;
 import de.zendric.app.xpensely_server.model.AppUserCreateRequest;
-import de.zendric.app.xpensely_server.model.Exception.UsernameAlreadyExistsException;
+import de.zendric.app.xpensely_server.security.AuthenticatedUserResolver;
 import de.zendric.app.xpensely_server.services.UserService;
@RestController
@RequestMapping("/api/users")
 public class AppUserController {
-    private UserService userService;
+    private final UserService userService;
    private final AuthenticatedUserResolver authenticatedUserResolver;
-    @Autowired
+    public AppUserController(UserService userService, AuthenticatedUserResolver authenticatedUserResolver) {
    public AppUserController(UserService userService) {
        this.userService = userService;
        this.authenticatedUserResolver = authenticatedUserResolver;
    }
    @GetMapping
-    public AppUser getUser(@RequestParam Long id) {
+    public ResponseEntity<AppUser> getUser(@RequestParam Long id, Authentication authentication) {
-        return userService.getUser(id);
+        AppUser self = authenticatedUserResolver.resolveCurrentUser(authentication);
        assertSelf(self, id);
        return ResponseEntity.ok(userService.getUser(id));
    }
    @GetMapping("/byName")
@@ -38,36 +37,30 @@ public class AppUserController {
    }
    @GetMapping("/byGoogleId")
-    public ResponseEntity<AppUser> getUserByGoogleId(@RequestParam String id) {
+    public ResponseEntity<AppUser> getUserByGoogleId(@RequestParam String id, Authentication authentication) {
-        try {
+        AppUser self = authenticatedUserResolver.resolveCurrentUser(authentication);
-            AppUser userByGoogleId = userService.getUserByGoogleId(id);
+        if (!self.getGoogleId().equals(id))
-            return new ResponseEntity<>(userByGoogleId, HttpStatus.OK);
+            throw new ResponseStatusException(HttpStatus.FORBIDDEN);
-
+        return ResponseEntity.ok(self);
        } catch (IllegalArgumentException e) {
            return new ResponseEntity<>(null, HttpStatus.BAD_REQUEST);
        } catch (Exception e) {
            return new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
        }
    }
    @PostMapping("/createUser")
-    public ResponseEntity<AppUser> createUser(@RequestBody AppUserCreateRequest userRequest) {
+    public ResponseEntity<AppUser> createUser(@RequestBody @Valid AppUserCreateRequest userRequest) {
-        try {
+        AppUser convertedUser = userRequest.convertToAppUser();
-            AppUser convertedUser = userRequest.convertToAppUser();
+        AppUser nUser = userService.createUser(convertedUser);
-
+        return new ResponseEntity<>(nUser, HttpStatus.CREATED);
            AppUser nUser = userService.createUser(convertedUser);
            return new ResponseEntity<>(nUser, HttpStatus.CREATED);
        } catch (UsernameAlreadyExistsException e) {
            return new ResponseEntity<>(null, HttpStatus.CONFLICT);
        } catch (Exception e) {
            return new ResponseEntity<>(null, HttpStatus.BAD_REQUEST);
        }
    }
    @DeleteMapping
-    public String deleteUser(@RequestParam Long id) {
+    public ResponseEntity<String> deleteUser(@RequestParam Long id, Authentication authentication) {
        AppUser self = authenticatedUserResolver.resolveCurrentUser(authentication);
        assertSelf(self, id);
        AppUser user = userService.deleteUserById(id);
-        return "User deleted : " + user.getUsername();
+        return ResponseEntity.ok("User deleted: " + user.getUsername());
    }
    private void assertSelf(AppUser authenticated, Long requestedId) {
        if (!authenticated.getId().equals(requestedId))
            throw new ResponseStatusException(HttpStatus.FORBIDDEN);
    }
 }
@@ -1,196 +1,149 @@
 package de.zendric.app.xpensely_server.controller;
 import java.time.LocalDateTime;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
-import org.springframework.beans.factory.annotation.Autowired;
+import jakarta.validation.Valid;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.DeleteMapping;
+import org.springframework.security.core.Authentication;
-import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.*;
-import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.server.ResponseStatusException;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
-import de.zendric.app.xpensely_server.model.AppUser;
+import de.zendric.app.xpensely_server.model.*;
-import de.zendric.app.xpensely_server.model.Expense;
+import de.zendric.app.xpensely_server.security.AuthenticatedUserResolver;
 import de.zendric.app.xpensely_server.model.ExpenseChangeRequest;
 import de.zendric.app.xpensely_server.model.ExpenseInput;
 import de.zendric.app.xpensely_server.model.ExpenseList;
 import de.zendric.app.xpensely_server.model.InviteRequest;
 import de.zendric.app.xpensely_server.model.XpenselyStandardCategories;
 import de.zendric.app.xpensely_server.services.CategoryService;
 import de.zendric.app.xpensely_server.services.ExpenseListService;
 import de.zendric.app.xpensely_server.services.UserService;
@RestController
@RequestMapping("/api/expenselist")
-class ExpenseListController {
+public class ExpenseListController {
-    private ExpenseListService expenseListService;
+    private static final Logger log = LoggerFactory.getLogger(ExpenseListController.class);
-    private UserService userService;
+
-    private CategoryService categoryService;
+    private final ExpenseListService expenseListService;
    private final UserService userService;
    private final CategoryService categoryService;
    private final AuthenticatedUserResolver authenticatedUserResolver;
    @Autowired
    public ExpenseListController(ExpenseListService expenseListService, UserService userService,
-            CategoryService categoryService) {
+            CategoryService categoryService, AuthenticatedUserResolver authenticatedUserResolver) {
        this.expenseListService = expenseListService;
        this.userService = userService;
        this.categoryService = categoryService;
        this.authenticatedUserResolver = authenticatedUserResolver;
    }
-    @GetMapping("/all")
+    @GetMapping("/mine")
-    public ResponseEntity<List<ExpenseList>> getAll() {
+    public ResponseEntity<List<ExpenseList>> getMine(Authentication authentication) {
-        try {
+        AppUser user = authenticatedUserResolver.resolveCurrentUser(authentication);
-            List<ExpenseList> items = new ArrayList<>();
+        List<ExpenseList> items = expenseListService.findByUserId(user.getId());
-
+        if (items.isEmpty())
-            expenseListService.findAll().forEach(items::add);
+            return new ResponseEntity<>(HttpStatus.NO_CONTENT);
-
+        return new ResponseEntity<>(items, HttpStatus.OK);
            if (items.isEmpty())
                return new ResponseEntity<>(HttpStatus.NO_CONTENT);
            return new ResponseEntity<>(items, HttpStatus.OK);
        } catch (Exception e) {
            return new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
        }
    }
    @GetMapping("/byUser")
    public ResponseEntity<List<ExpenseList>> getByUser(@RequestParam Long userId) {
        try {
            List<ExpenseList> items = expenseListService.findByUserId(userId);
            if (items.isEmpty())
                return new ResponseEntity<>(HttpStatus.NO_CONTENT);
            return new ResponseEntity<>(items, HttpStatus.OK);
        } catch (Exception e) {
            return new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
        }
    }
    @GetMapping("/byUsername")
    public ResponseEntity<List<ExpenseList>> getByUser(@RequestParam String username) {
        try {
            List<ExpenseList> items = expenseListService.findByUsername(username);
            if (items.isEmpty())
                return new ResponseEntity<>(HttpStatus.NO_CONTENT);
            return new ResponseEntity<>(items, HttpStatus.OK);
        } catch (Exception e) {
            return new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
        }
    }
    @GetMapping("/byId")
-    public ResponseEntity<ExpenseList> getById(@RequestParam Long id) {
+    public ResponseEntity<ExpenseList> getById(@RequestParam Long id, Authentication authentication) {
        AppUser user = authenticatedUserResolver.resolveCurrentUser(authentication);
        Optional<ExpenseList> existingItemOptional = expenseListService.findById(id);
-
+        if (existingItemOptional.isEmpty())
        if (existingItemOptional.isPresent()) {
            return new ResponseEntity<>(existingItemOptional.get(), HttpStatus.OK);
        } else {
            return new ResponseEntity<>(HttpStatus.NOT_FOUND);
-        }
+        assertMember(user, existingItemOptional.get());
        return new ResponseEntity<>(existingItemOptional.get(), HttpStatus.OK);
    }
    @PostMapping("/create")
-    // TODO add handling of categories by using DTO
+    public ResponseEntity<ExpenseList> create(@RequestBody @Valid CreateExpenseListRequest request,
-    public ResponseEntity<ExpenseList> create(@RequestBody ExpenseList expenseList) {
+            Authentication authentication) {
-        try {
+        AppUser authenticatedUser = authenticatedUserResolver.resolveCurrentUser(authentication);
-            if (expenseList.getOwner() != null) {
+        ExpenseList expenseList = new ExpenseList();
-                AppUser existingOwner = userService.getUser(expenseList.getOwner().getId());
+        expenseList.setName(request.getName());
-                if (existingOwner == null) {
+        expenseList.setOwner(authenticatedUser);
-                    throw new IllegalArgumentException("Owner does not exist.");
+        XpenselyStandardCategories standardCategories = categoryService.getDefaultCategories();
-                }
+        expenseList.setXpenselyStandardCategories(standardCategories);
-                expenseList.setOwner(existingOwner);
+        expenseList.setSharedWith(null);
-                XpenselyStandardCategories standardCategories = categoryService.getDefaultCategories();
+        ExpenseList savedItem = expenseListService.createList(expenseList);
-                expenseList.setXpenselyStandardCategories(standardCategories);
+        log.debug("Created expense list '{}' for user {}", savedItem.getName(), authenticatedUser.getId());
-            } else {
+        return new ResponseEntity<>(savedItem, HttpStatus.CREATED);
                throw new IllegalArgumentException("Owner is required.");
            }
            expenseList.setSharedWith(null);
            ExpenseList savedItem = expenseListService.createList(expenseList);
            return new ResponseEntity<>(savedItem, HttpStatus.CREATED);
        } catch (Exception e) {
            e.printStackTrace();
            return new ResponseEntity<>(null, HttpStatus.EXPECTATION_FAILED);
        }
    }
    @DeleteMapping("{id}")
-    public ResponseEntity<HttpStatus> delete(@PathVariable("id") Long id) {
+    public ResponseEntity<HttpStatus> delete(@PathVariable("id") Long id, Authentication authentication) {
-        try {
+        AppUser user = authenticatedUserResolver.resolveCurrentUser(authentication);
-            expenseListService.deleteById(id);
+        Optional<ExpenseList> listOpt = expenseListService.findById(id);
-            return new ResponseEntity<>(HttpStatus.NO_CONTENT);
+        if (listOpt.isEmpty())
-        } catch (Exception e) {
+            return new ResponseEntity<>(HttpStatus.NOT_FOUND);
-            return new ResponseEntity<>(HttpStatus.EXPECTATION_FAILED);
+        assertOwner(user, listOpt.get());
-        }
+        expenseListService.deleteById(id);
        return new ResponseEntity<>(HttpStatus.NO_CONTENT);
    }
    @PostMapping("/{id}/add")
    public ResponseEntity<Expense> addExpenseToList(
            @PathVariable("id") Long expenseListId,
-            @RequestBody ExpenseInput expenseInput) {
+            @RequestBody @Valid ExpenseInput expenseInput,
-        try {
+            Authentication authentication) {
-            AppUser expenseOwner = userService.getUserByName(expenseInput.getOwner());
+        AppUser user = authenticatedUserResolver.resolveCurrentUser(authentication);
-            Expense expense = expenseInput.convertToExpense(expenseOwner.getId());
+        Optional<ExpenseList> listOpt = expenseListService.findById(expenseListId);
-
+        if (listOpt.isEmpty())
-            Expense addedExpense = expenseListService.addExpenseToList(expenseListId, expense);
+            return new ResponseEntity<>(HttpStatus.NOT_FOUND);
-            return new ResponseEntity<>(addedExpense, HttpStatus.CREATED);
+        assertMember(user, listOpt.get());
-        } catch (Exception e) {
+        AppUser expenseOwner = userService.getUserByName(expenseInput.getOwner());
-            return new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
+        Expense expense = expenseInput.convertToExpense(expenseOwner.getId());
-        }
+        Expense addedExpense = expenseListService.addExpenseToList(expenseListId, expense);
        return new ResponseEntity<>(addedExpense, HttpStatus.CREATED);
    }
    @PutMapping("/{id}/update")
    public ResponseEntity<Expense> updateExpenseInList(
            @PathVariable("id") Long expenseListId,
-            @RequestBody ExpenseChangeRequest expenseChangeRequest) {
+            @RequestBody @Valid ExpenseChangeRequest expenseChangeRequest,
-        try {
+            Authentication authentication) {
-            AppUser expenseOwner = userService.getUserByName(expenseChangeRequest.getOwnerName());
+        AppUser user = authenticatedUserResolver.resolveCurrentUser(authentication);
-            Optional<ExpenseList> expenseList = expenseListService.findById(expenseListId);
+        Optional<ExpenseList> expenseListOpt = expenseListService.findById(expenseListId);
-            if (expenseList.isPresent()) {
+        if (expenseListOpt.isEmpty())
-                Expense expense = expenseChangeRequest.convertToExpense(expenseOwner.getId(), expenseList.get());
+            return new ResponseEntity<>(HttpStatus.NOT_FOUND);
-
+        assertMember(user, expenseListOpt.get());
-                Expense addedExpense = expenseListService.updateExpense(expenseListId, expense);
+        AppUser expenseOwner = userService.getUserByName(expenseChangeRequest.getOwnerName());
-                return new ResponseEntity<>(addedExpense, HttpStatus.CREATED);
+        Expense expense = expenseChangeRequest.convertToExpense(expenseOwner.getId(), expenseListOpt.get());
-            }
+        Expense updatedExpense = expenseListService.updateExpense(expenseListId, expense);
-            return new ResponseEntity<>(null, HttpStatus.BAD_REQUEST);
+        return new ResponseEntity<>(updatedExpense, HttpStatus.OK);
        } catch (Exception e) {
            return new ResponseEntity<>(null, HttpStatus.BAD_REQUEST);
        }
    }
    @DeleteMapping("/{id}/delete")
    public ResponseEntity<Expense> deleteExpenseFromList(
            @PathVariable("id") Long expenseListId,
-            @RequestParam("expenseId") Long expenseId) {
+            @RequestParam("expenseId") Long expenseId,
-        try {
+            Authentication authentication) {
-            expenseListService.deleteExpenseFromList(expenseListId, expenseId);
+        AppUser user = authenticatedUserResolver.resolveCurrentUser(authentication);
-            return new ResponseEntity<>(HttpStatus.NO_CONTENT);
+        Optional<ExpenseList> listOpt = expenseListService.findById(expenseListId);
-        } catch (Exception e) {
+        if (listOpt.isEmpty())
-            return new ResponseEntity<>(null, HttpStatus.EXPECTATION_FAILED);
+            return new ResponseEntity<>(HttpStatus.NOT_FOUND);
-        }
+        assertMember(user, listOpt.get());
        expenseListService.deleteExpenseFromList(expenseListId, expenseId);
        return new ResponseEntity<>(HttpStatus.NO_CONTENT);
    }
    @PostMapping("/{listId}/invite")
-    public ResponseEntity<String> generateInvite(@PathVariable Long listId) {
+    public ResponseEntity<String> generateInvite(@PathVariable Long listId, Authentication authentication) {
        AppUser user = authenticatedUserResolver.resolveCurrentUser(authentication);
        Optional<ExpenseList> listOpt = expenseListService.findById(listId);
        if (listOpt.isEmpty())
            return new ResponseEntity<>(HttpStatus.NOT_FOUND);
        assertOwner(user, listOpt.get());
        String inviteCode = expenseListService.generateInviteCode(listId);
        return ResponseEntity.ok(inviteCode);
    }
    @PostMapping("/accept-invite")
-    public ResponseEntity<?> acceptInvite(@RequestBody InviteRequest inviteRequest) {
+    public ResponseEntity<?> acceptInvite(@RequestBody @Valid InviteRequest inviteRequest,
            Authentication authentication) {
        AppUser authenticatedUser = authenticatedUserResolver.resolveCurrentUser(authentication);
        ExpenseList list = expenseListService.findByInviteCode(inviteRequest.getInviteCode());
        if (list == null || list.getInviteCodeExpiration() == null ||
@@ -200,21 +153,24 @@ class ExpenseListController {
        if (list.getSharedWith() != null) {
            return ResponseEntity.status(HttpStatus.IM_USED).body("List has already been shared");
        }
-        if (list.getOwner().getId() == inviteRequest.getUserId()) {
+        if (list.getOwner().getId().equals(authenticatedUser.getId())) {
-            return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("You cant join your own List");
+            return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("You cannot join your own list");
        }
        AppUser user = null;
        try {
            user = userService.getUser(inviteRequest.getUserId());
        } catch (Exception e) {
            throw new RuntimeException("User not found");
        }
        if (user != null) {
            list.setSharedWith(user);
            expenseListService.save(list);
        } else {
            throw new RuntimeException("User not found");
        }
        list.setSharedWith(authenticatedUser);
        expenseListService.save(list);
        return ResponseEntity.ok("User added to the list");
    }
    private void assertOwner(AppUser authenticated, ExpenseList list) {
        if (!list.getOwner().getId().equals(authenticated.getId()))
            throw new ResponseStatusException(HttpStatus.FORBIDDEN);
    }
    private void assertMember(AppUser authenticated, ExpenseList list) {
        boolean isOwner = list.getOwner().getId().equals(authenticated.getId());
        boolean isShared = list.getSharedWith() != null
                && list.getSharedWith().getId().equals(authenticated.getId());
        if (!isOwner && !isShared)
            throw new ResponseStatusException(HttpStatus.FORBIDDEN);
    }
 }
@@ -0,0 +1,69 @@
 package de.zendric.app.xpensely_server.controller;
 import de.zendric.app.xpensely_server.model.Exception.ResourceNotFoundException;
 import de.zendric.app.xpensely_server.model.Exception.UsernameAlreadyExistsException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.validation.FieldError;
 import org.springframework.web.bind.MethodArgumentNotValidException;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RestControllerAdvice;
 import org.springframework.web.server.ResponseStatusException;
 import java.util.HashMap;
 import java.util.Map;
@RestControllerAdvice
 public class GlobalExceptionHandler {
    private static final Logger log = LoggerFactory.getLogger(GlobalExceptionHandler.class);
    @ExceptionHandler(MethodArgumentNotValidException.class)
    public ResponseEntity<Map<String, String>> handleValidationErrors(MethodArgumentNotValidException ex) {
        Map<String, String> errors = new HashMap<>();
        for (FieldError fieldError : ex.getBindingResult().getFieldErrors()) {
            errors.put(fieldError.getField(), fieldError.getDefaultMessage());
        }
        return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(errors);
    }
    @ExceptionHandler(IllegalArgumentException.class)
    public ResponseEntity<Map<String, String>> handleIllegalArgument(IllegalArgumentException ex) {
        return ResponseEntity.status(HttpStatus.BAD_REQUEST)
                .body(Map.of("error", ex.getMessage()));
    }
    @ExceptionHandler(ResourceNotFoundException.class)
    public ResponseEntity<Map<String, String>> handleNotFound(ResourceNotFoundException ex) {
        return ResponseEntity.status(HttpStatus.NOT_FOUND)
                .body(Map.of("error", ex.getMessage()));
    }
    @ExceptionHandler(UsernameAlreadyExistsException.class)
    public ResponseEntity<Map<String, String>> handleUsernameConflict(UsernameAlreadyExistsException ex) {
        return ResponseEntity.status(HttpStatus.CONFLICT)
                .body(Map.of("error", ex.getMessage()));
    }
    @ExceptionHandler(ResponseStatusException.class)
    public ResponseEntity<Map<String, String>> handleResponseStatus(ResponseStatusException ex) {
        return ResponseEntity.status(ex.getStatusCode())
                .body(Map.of("error", ex.getReason() != null ? ex.getReason() : ex.getMessage()));
    }
    @ExceptionHandler(RuntimeException.class)
    public ResponseEntity<Map<String, String>> handleRuntime(RuntimeException ex) {
        log.error("Unhandled runtime exception", ex);
        return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
                .body(Map.of("error", "An unexpected error occurred"));
    }
    @ExceptionHandler(Exception.class)
    public ResponseEntity<Map<String, String>> handleGeneric(Exception ex) {
        log.error("Unhandled exception", ex);
        return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
                .body(Map.of("error", "An unexpected error occurred"));
    }
 }
@@ -1,13 +1,30 @@
 package de.zendric.app.xpensely_server.controller;
 import org.springframework.boot.info.BuildProperties;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 import java.util.Map;
@RestController
 class HomeController {
    private final BuildProperties buildProperties;
    HomeController(BuildProperties buildProperties) {
        this.buildProperties = buildProperties;
    }
    @GetMapping("/")
    public String getAll() {
        return "Welcome";
    }
    @GetMapping("/api/version")
    public Map<String, String> version() {
        return Map.of(
                "version", buildProperties.getVersion(),
                "builtAt", buildProperties.getTime().toString()
        );
    }
 }
@@ -1,21 +1,25 @@
 package de.zendric.app.xpensely_server.model;
-import jakarta.persistence.Column;
+import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.Pattern;
 import jakarta.validation.constraints.Size;
 import lombok.Data;
@Data
 public class AppUserCreateRequest {
-    @Column(name = "username", nullable = false, unique = true)
+    @NotBlank(message = "Username is required")
    @Size(min = 3, max = 30, message = "Username must be between 3 and 30 characters")
    @Pattern(regexp = "^[a-zA-Z0-9_.\\-]+$", message = "Username may only contain letters, digits, underscores, dots, and hyphens")
    private String username;
    @NotBlank(message = "Google ID is required")
    private String googleId;
    public AppUser convertToAppUser() {
        AppUser appUser = new AppUser();
        appUser.setGoogleId(googleId);
        appUser.setUsername(username);
        return appUser;
    }
 }
@@ -0,0 +1,17 @@
 package de.zendric.app.xpensely_server.model;
 import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.Size;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
@Getter
@Setter
@NoArgsConstructor
 public class CreateExpenseListRequest {
    @NotBlank(message = "List name is required")
    @Size(max = 100, message = "List name must not exceed 100 characters")
    private String name;
 }
@@ -0,0 +1,11 @@
 package de.zendric.app.xpensely_server.model.Exception;
 import org.springframework.http.HttpStatus;
 import org.springframework.web.bind.annotation.ResponseStatus;
@ResponseStatus(HttpStatus.NOT_FOUND)
 public class ResourceNotFoundException extends RuntimeException {
    public ResourceNotFoundException(String message) {
        super(message);
    }
 }
@@ -2,6 +2,10 @@ package de.zendric.app.xpensely_server.model;
 import java.time.LocalDate;
 import jakarta.validation.constraints.DecimalMin;
 import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.NotNull;
 import jakarta.validation.constraints.Size;
 import lombok.AllArgsConstructor;
 import lombok.Data;
 import lombok.NoArgsConstructor;
@@ -12,12 +16,25 @@ import lombok.NoArgsConstructor;
 public class ExpenseChangeRequest {
    private Long id;
    @NotBlank(message = "Title is required")
    @Size(max = 100, message = "Title must not exceed 100 characters")
    private String title;
    @NotBlank(message = "Owner name is required")
    private String ownerName;
    @NotNull(message = "Amount is required")
    @DecimalMin(value = "0.01", message = "Amount must be greater than zero")
    private Double amount;
    private Double personalUseAmount;
    private Double otherPersonAmount;
    @NotNull(message = "Date is required")
    private LocalDate date;
    @NotBlank(message = "Category is required")
    private String category;
    public Expense convertToExpense(Long userId, ExpenseList expenseList) {
@@ -38,4 +55,4 @@ public class ExpenseChangeRequest {
        return expense;
    }
-}
+}
@@ -2,9 +2,10 @@ package de.zendric.app.xpensely_server.model;
 import java.time.LocalDate;
-import jakarta.persistence.GeneratedValue;
+import jakarta.validation.constraints.DecimalMin;
-import jakarta.persistence.GenerationType;
+import jakarta.validation.constraints.NotBlank;
-import jakarta.persistence.Id;
+import jakarta.validation.constraints.NotNull;
 import jakarta.validation.constraints.Size;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
@@ -16,19 +17,26 @@ import lombok.Setter;
@NoArgsConstructor
 public class ExpenseInput {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;
    @NotBlank(message = "Title is required")
    @Size(max = 100, message = "Title must not exceed 100 characters")
    private String title;
    @NotBlank(message = "Owner is required")
    private String owner;
    @NotNull(message = "Amount is required")
    @DecimalMin(value = "0.01", message = "Amount must be greater than zero")
    private Double amount;
    private Double personalUseAmount;
    private Double otherPersonAmount;
    @NotNull(message = "Date is required")
    private LocalDate date;
    @NotBlank(message = "Category is required")
    private String category;
    private ExpenseList expenseList;
@@ -1,5 +1,7 @@
 package de.zendric.app.xpensely_server.model;
 import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.Size;
 import lombok.AllArgsConstructor;
 import lombok.Data;
 import lombok.NoArgsConstructor;
@@ -8,6 +10,8 @@ import lombok.NoArgsConstructor;
@AllArgsConstructor
@NoArgsConstructor
 public class InviteRequest {
    @NotBlank(message = "Invite code is required")
    @Size(min = 6, max = 6, message = "Invite code must be exactly 6 characters")
    private String inviteCode;
    private Long userId;
 }
@@ -3,13 +3,22 @@ package de.zendric.app.xpensely_server.repo;
 import java.util.List;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.data.jpa.repository.Query;
 import org.springframework.data.repository.query.Param;
 import org.springframework.stereotype.Repository;
 import de.zendric.app.xpensely_server.model.ExpenseList;
@Repository
 public interface ExpenseListRepository extends JpaRepository<ExpenseList, Long> {
    List<ExpenseList> findByOwnerId(Long ownerId);
    ExpenseList findByInviteCode(String inviteCode);
-}
+
    @Query("SELECT el FROM ExpenseList el WHERE el.owner.id = :userId OR el.sharedWith.id = :userId")
    List<ExpenseList> findByOwnerIdOrSharedWithId(@Param("userId") Long userId);
    @Query("SELECT el FROM ExpenseList el WHERE el.owner.username = :username OR el.sharedWith.username = :username")
    List<ExpenseList> findByOwnerUsernameOrSharedWithUsername(@Param("username") String username);
 }
@@ -0,0 +1,36 @@
 package de.zendric.app.xpensely_server.security;
 import de.zendric.app.xpensely_server.model.AppUser;
 import de.zendric.app.xpensely_server.services.UserService;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.stereotype.Component;
 import org.springframework.web.server.ResponseStatusException;
@Component
 public class AuthenticatedUserResolver {
    private final UserService userService;
    public AuthenticatedUserResolver(UserService userService) {
        this.userService = userService;
    }
    public AppUser resolveCurrentUser(Authentication authentication) {
        if (authentication == null) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "Not authenticated");
        }
        Jwt jwt = (Jwt) authentication.getPrincipal();
        String googleId = jwt.getSubject();
        try {
            AppUser user = userService.getUserByGoogleId(googleId);
            if (user == null) {
                throw new ResponseStatusException(HttpStatus.FORBIDDEN, "User not registered");
            }
            return user;
        } catch (IllegalArgumentException e) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "User not registered");
        }
    }
 }
@@ -0,0 +1,61 @@
 package de.zendric.app.xpensely_server.security;
 import io.github.bucket4j.Bandwidth;
 import io.github.bucket4j.Bucket;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.web.filter.OncePerRequestFilter;
 import java.io.IOException;
 import java.time.Duration;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 public class RateLimitFilter extends OncePerRequestFilter {
    private static final int REQUESTS_PER_MINUTE = 60;
    private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();
    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        String key = resolveKey(request);
        Bucket bucket = buckets.computeIfAbsent(key, k -> newBucket());
        if (bucket.tryConsume(1)) {
            filterChain.doFilter(request, response);
        } else {
            response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());
            response.getWriter().write("Rate limit exceeded");
        }
    }
    private String resolveKey(HttpServletRequest request) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null && auth.getPrincipal() instanceof Jwt jwt) {
            return "user:" + jwt.getSubject();
        }
        String ip = request.getHeader("X-Forwarded-For");
        if (ip != null && !ip.isBlank()) {
            return "ip:" + ip.split(",")[0].trim();
        }
        return "ip:" + request.getRemoteAddr();
    }
    private Bucket newBucket() {
        return Bucket.builder()
                .addLimit(Bandwidth.builder()
                        .capacity(REQUESTS_PER_MINUTE)
                        .refillGreedy(REQUESTS_PER_MINUTE, Duration.ofMinutes(1))
                        .build())
                .build();
    }
 }
@@ -6,6 +6,7 @@ import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter;
 import org.springframework.security.web.SecurityFilterChain;
@Configuration
@@ -17,7 +18,7 @@ public class SecurityConfig {
                http
                                .authorizeHttpRequests(auth -> auth
                                                .anyRequest().permitAll())
-                                .csrf().disable();
+                                .csrf(csrf -> csrf.disable());
                return http.build();
        }
@@ -27,11 +28,12 @@ public class SecurityConfig {
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                http
                                .authorizeHttpRequests(auth -> auth
                                                .requestMatchers("/api/version").permitAll()
                                                .anyRequest().authenticated())
                                .oauth2ResourceServer(oauth2 -> oauth2
                                                .jwt(Customizer.withDefaults()))
-                                .oauth2Login(Customizer.withDefaults())
+                                .addFilterAfter(new RateLimitFilter(), BearerTokenAuthenticationFilter.class)
-                                .csrf().disable();
+                                .csrf(csrf -> csrf.disable());
                return http.build();
        }
@@ -1,37 +1,29 @@
 package de.zendric.app.xpensely_server.services;
 import java.time.LocalDateTime;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Optional;
 import java.util.UUID;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 import de.zendric.app.xpensely_server.model.AppUser;
 import de.zendric.app.xpensely_server.model.Expense;
 import de.zendric.app.xpensely_server.model.ExpenseList;
 import de.zendric.app.xpensely_server.model.Exception.ResourceNotFoundException;
 import de.zendric.app.xpensely_server.model.XpenselyCustomCategory;
 import de.zendric.app.xpensely_server.repo.ExpenseListRepository;
 import de.zendric.app.xpensely_server.repo.ExpenseRepository;
 import de.zendric.app.xpensely_server.repo.XpenselyCustomCategoryRepository;
 import jakarta.persistence.EntityManager;
@Service
@Transactional
 public class ExpenseListService {
-    private ExpenseListRepository repository;
+    private final ExpenseListRepository repository;
    private final ExpenseRepository expenseRepository;
-    private XpenselyCustomCategoryRepository customCategoryRepository;
+    private final XpenselyCustomCategoryRepository customCategoryRepository;
    @Autowired
    private EntityManager entityManager;
    @Autowired
    public ExpenseListService(ExpenseListRepository repository, ExpenseRepository expenseRepository,
            XpenselyCustomCategoryRepository customCategoryRepository) {
        this.repository = repository;
@@ -39,18 +31,10 @@ public class ExpenseListService {
        this.customCategoryRepository = customCategoryRepository;
    }
    public List<ExpenseList> getAllLists() {
        return repository.findAll();
    }
    public ExpenseList createList(ExpenseList list) {
        return repository.save(list);
    }
    public void deleteList(Long id) {
        repository.deleteById(id);
    }
    public void deleteById(Long id) {
        repository.deleteById(id);
    }
@@ -59,76 +43,29 @@ public class ExpenseListService {
        return repository.findById(id);
    }
    public Iterable<ExpenseList> findAll() {
        return repository.findAll();
    }
    public ExpenseList save(ExpenseList expenseList) {
        return repository.save(expenseList);
    }
    public List<ExpenseList> findByUserId(Long id) {
-        List<ExpenseList> allLists = repository.findAll();
+        return repository.findByOwnerIdOrSharedWithId(id);
        List<ExpenseList> userSpecificList = new ArrayList<>();
        for (ExpenseList expenseList : allLists) {
            AppUser sharedWith = expenseList.getSharedWith();
            if (expenseList.getOwner().getId().equals(id)) {
                userSpecificList.add(expenseList);
            } else {
                if (sharedWith != null && sharedWith.getId().equals(id)) {
                    userSpecificList.add(expenseList);
                }
            }
        }
        return userSpecificList;
    }
    public List<ExpenseList> findByUsername(String username) {
-        List<ExpenseList> allLists = repository.findAll();
+        return repository.findByOwnerUsernameOrSharedWithUsername(username);
        List<ExpenseList> userSpecificList = new ArrayList<>();
        for (ExpenseList expenseList : allLists) {
            AppUser sharedWith = expenseList.getSharedWith();
            if (expenseList.getOwner().getUsername().equals(username)) {
                userSpecificList.add(expenseList);
            } else {
                if (sharedWith != null && sharedWith.getUsername().equals(username)) {
                    userSpecificList.add(expenseList);
                }
            }
        }
        return userSpecificList;
    }
    public Expense addExpenseToList(Long expenseListId, Expense expense) {
        // find expenseList
        ExpenseList expenseList = repository.findById(expenseListId)
-                .orElseThrow(() -> new RuntimeException("ExpenseList not found with id: " + expenseListId));
+                .orElseThrow(() -> new ResourceNotFoundException("ExpenseList not found with id: " + expenseListId));
        // get all added expenses
        HashSet<Long> existingId = new HashSet<>();
        for (Expense e : expenseList.getExpenses()) {
            existingId.add(e.getId());
        }
        // add the new expense
        expenseList.addExpense(expense);
        // save
        repository.save(expenseList);
-
+        return expense;
        Expense newExpense = new Expense();
        for (Expense e : expenseList.getExpenses()) {
            if (!existingId.contains(e.getId())) {
                newExpense = e;
                break;
            }
        }
        return newExpense;
    }
    public void deleteExpenseFromList(Long expenseListId, Long expenseId) {
        ExpenseList expenseList = repository.findById(expenseListId)
-                .orElseThrow(() -> new RuntimeException("ExpenseList not found with id: " + expenseListId));
+                .orElseThrow(() -> new ResourceNotFoundException("ExpenseList not found with id: " + expenseListId));
        Expense expenseToRemove = null;
        for (Expense expense : expenseList.getExpenses()) {
            if (expense.getId().equals(expenseId)) {
@@ -139,14 +76,14 @@ public class ExpenseListService {
        if (expenseToRemove != null) {
            expenseList.removeExpense(expenseToRemove);
        } else {
-            throw new RuntimeException("Expense not found with id: " + expenseId);
+            throw new ResourceNotFoundException("Expense not found with id: " + expenseId);
        }
        repository.save(expenseList);
    }
    public String generateInviteCode(Long listId) {
        ExpenseList list = repository.findById(listId)
-                .orElseThrow(() -> new RuntimeException("List not found"));
+                .orElseThrow(() -> new ResourceNotFoundException("List not found"));
        String inviteCode;
        if (list.getInviteCode() == null || list.getInviteCodeExpiration().isBefore(LocalDateTime.now())) {
@@ -168,7 +105,7 @@ public class ExpenseListService {
    public Expense updateExpense(Long expenseListId, Expense updatedExpense) {
        ExpenseList expenseList = repository.findById(expenseListId)
-                .orElseThrow(() -> new IllegalArgumentException("ExpenseList not found"));
+                .orElseThrow(() -> new ResourceNotFoundException("ExpenseList not found with id: " + expenseListId));
        if (!expenseList.getExpenses().stream()
                .anyMatch(expense -> expense.getId().equals(updatedExpense.getId()))) {
@@ -176,7 +113,7 @@ public class ExpenseListService {
        }
        Expense existingExpense = expenseRepository.findById(updatedExpense.getId())
-                .orElseThrow(() -> new IllegalArgumentException("Expense not found"));
+                .orElseThrow(() -> new ResourceNotFoundException("Expense not found with id: " + updatedExpense.getId()));
        existingExpense.setTitle(updatedExpense.getTitle());
        existingExpense.setAmount(updatedExpense.getAmount());
        existingExpense.setPersonalUseAmount(updatedExpense.getPersonalUseAmount());
@@ -191,7 +128,7 @@ public class ExpenseListService {
    // TODO implement API for this
    public XpenselyCustomCategory addCustomCategory(Long expenseListId, XpenselyCustomCategory customCategory) {
        ExpenseList expenseList = repository.findById(expenseListId)
-                .orElseThrow(() -> new RuntimeException("Expense List not found"));
+                .orElseThrow(() -> new ResourceNotFoundException("Expense List not found"));
        customCategory.setExpenseList(expenseList);
        return customCategoryRepository.save(customCategory);
@@ -200,9 +137,9 @@ public class ExpenseListService {
    // TODO implement API for this
    public void deleteCustomCategory(Long expenseListId, Long categoryId) {
        XpenselyCustomCategory category = customCategoryRepository.findById(categoryId)
-                .orElseThrow(() -> new RuntimeException("Custom Category not found"));
+                .orElseThrow(() -> new ResourceNotFoundException("Custom Category not found"));
        if (!category.getExpenseList().getId().equals(expenseListId)) {
-            throw new RuntimeException("Category does not belong to the specified Expense List");
+            throw new IllegalArgumentException("Category does not belong to the specified Expense List");
        }
        customCategoryRepository.delete(category);
    }
@@ -1,11 +1,11 @@
 package de.zendric.app.xpensely_server.services;
 import java.util.List;
 import java.util.Optional;
 import org.springframework.stereotype.Service;
 import de.zendric.app.xpensely_server.model.AppUser;
 import de.zendric.app.xpensely_server.model.Exception.ResourceNotFoundException;
 import de.zendric.app.xpensely_server.model.Exception.UsernameAlreadyExistsException;
 import de.zendric.app.xpensely_server.repo.UserRepository;
@@ -29,36 +29,24 @@ public class UserService {
    }
    public AppUser getUser(Long id) {
-        Optional<AppUser> user = userRepository.findById(id);
+        return userRepository.findById(id)
-        if (user.isPresent()) {
+                .orElseThrow(() -> new ResourceNotFoundException("User not found with id: " + id));
            return user.get();
        } else
            return null;
    }
    public AppUser deleteUserById(Long id) {
-        Optional<AppUser> user = userRepository.findById(id);
+        AppUser user = userRepository.findById(id)
-        if (user.isPresent()) {
+                .orElseThrow(() -> new ResourceNotFoundException("User not found with id: " + id));
-            userRepository.deleteById(id);
+        userRepository.deleteById(id);
-            return user.get();
+        return user;
        } else
            return null;
    }
    public AppUser getUserByName(String username) {
-        Optional<AppUser> optUser = userRepository.findByUsername(username);
+        return userRepository.findByUsername(username)
-        if (optUser.isPresent()) {
+                .orElseThrow(() -> new ResourceNotFoundException("User not found: " + username));
            return optUser.get();
        } else
            return null;
    }
    public AppUser getUserByGoogleId(String id) {
-        Optional<AppUser> optUser = userRepository.findByGoogleId(id);
+        return userRepository.findByGoogleId(id)
-        if (optUser.isPresent()) {
+                .orElseThrow(() -> new ResourceNotFoundException("User not found with Google ID: " + id));
            return optUser.get();
        } else
            return null;
    }
-
+}
 }
@@ -3,8 +3,6 @@ spring.application.name=XpenselyServer
 #Security
 spring.security.enabled=false
 spring.security.oauth2.client.registration.google.client-id=${GOOGLE_CLIENT_ID}
 spring.security.oauth2.client.registration.google.client-secret=${GOOGLE_CLIENT_SECRET}
 spring.security.oauth2.resourceserver.jwt.issuer-uri=https://accounts.google.com
 # PostgreSQL Configuration
@@ -1,26 +1,47 @@
 package de.zendric.app.xpensely_Server;
 import java.util.Optional;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
 import de.zendric.app.xpensely_server.model.ExpenseList;
 import de.zendric.app.xpensely_server.repo.ExpenseListRepository;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.data.jpa.test.autoconfigure.DataJpaTest;
 import java.util.Optional;
 import static org.junit.jupiter.api.Assertions.*;
@DataJpaTest
 class ExpenseListRepositoryTest {
-        @Autowired
+    @Autowired
-        private ExpenseListRepository expenseListRepository;
+    private ExpenseListRepository expenseListRepository;
-        @Test
+    @Test
-        void testFindExpenseListById() {
+    void saveAndFindById_returnsExpenseList() {
-                // Assuming an ExpenseList with id = 1 exists in your test DB.
+        ExpenseList list = new ExpenseList();
-                Optional<ExpenseList> optionalExpenseList = expenseListRepository.findById(1L);
+        list.setName("Groceries");
        ExpenseList saved = expenseListRepository.save(list);
-                ExpenseList expenseList = optionalExpenseList.get();
+        Optional<ExpenseList> found = expenseListRepository.findById(saved.getId());
-                System.out.println("ExpenseList name: " + expenseList.getName());
+
-        }
+        assertTrue(found.isPresent());
        assertEquals("Groceries", found.get().getName());
    }
    @Test
    void findById_nonExistentId_returnsEmpty() {
        Optional<ExpenseList> found = expenseListRepository.findById(999L);
        assertTrue(found.isEmpty());
    }
    @Test
    void delete_removesFromRepository() {
        ExpenseList list = new ExpenseList();
        list.setName("To Delete");
        ExpenseList saved = expenseListRepository.save(list);
        expenseListRepository.deleteById(saved.getId());
        assertTrue(expenseListRepository.findById(saved.getId()).isEmpty());
    }
 }
@@ -0,0 +1,102 @@
 package de.zendric.app.xpensely_Server.controller;
 import de.zendric.app.xpensely_server.controller.AppUserController;
 import de.zendric.app.xpensely_server.model.AppUser;
 import de.zendric.app.xpensely_server.security.AuthenticatedUserResolver;
 import de.zendric.app.xpensely_server.services.UserService;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.security.oauth2.client.autoconfigure.OAuth2ClientAutoConfiguration;
 import org.springframework.boot.security.oauth2.client.autoconfigure.servlet.OAuth2ClientWebSecurityAutoConfiguration;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.servlet.OAuth2ResourceServerAutoConfiguration;
 import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
 import org.springframework.boot.webmvc.test.autoconfigure.WebMvcTest;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.bean.override.mockito.MockitoBean;
 import org.springframework.test.web.servlet.MockMvc;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
@WebMvcTest(value = AppUserController.class, excludeAutoConfiguration = {
        OAuth2ClientAutoConfiguration.class,
        OAuth2ClientWebSecurityAutoConfiguration.class,
        OAuth2ResourceServerAutoConfiguration.class
 })
@AutoConfigureMockMvc(addFilters = false)
@ActiveProfiles("test")
 class AppUserControllerTest {
    @Autowired MockMvc mockMvc;
    @MockitoBean UserService userService;
    @MockitoBean AuthenticatedUserResolver authenticatedUserResolver;
    @Test
    void createUser_blankUsername_returns400WithFieldError() throws Exception {
        mockMvc.perform(post("/api/users/createUser")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"username\":\"\",\"googleId\":\"gid123\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.username").exists());
    }
    @Test
    void createUser_invalidUsernamePattern_returns400() throws Exception {
        mockMvc.perform(post("/api/users/createUser")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"username\":\"hello world!\",\"googleId\":\"gid123\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.username").exists());
    }
    @Test
    void createUser_usernameTooShort_returns400() throws Exception {
        mockMvc.perform(post("/api/users/createUser")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"username\":\"ab\",\"googleId\":\"gid123\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.username").exists());
    }
    @Test
    void createUser_blankGoogleId_returns400() throws Exception {
        mockMvc.perform(post("/api/users/createUser")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"username\":\"validuser\",\"googleId\":\"\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.googleId").exists());
    }
    // --- Authorization tests ---
    @Test
    void getUser_differentUser_returns403() throws Exception {
        AppUser self = new AppUser(); self.setId(1L);
        when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(self);
        mockMvc.perform(get("/api/users").param("id", "99"))
                .andExpect(status().isForbidden());
    }
    @Test
    void getUser_sameUser_returns200() throws Exception {
        AppUser self = new AppUser(); self.setId(1L);
        when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(self);
        when(userService.getUser(1L)).thenReturn(self);
        mockMvc.perform(get("/api/users").param("id", "1"))
                .andExpect(status().isOk());
    }
    @Test
    void deleteUser_differentUser_returns403() throws Exception {
        AppUser self = new AppUser(); self.setId(1L);
        when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(self);
        mockMvc.perform(delete("/api/users").param("id", "99"))
                .andExpect(status().isForbidden());
    }
 }
@@ -0,0 +1,181 @@
 package de.zendric.app.xpensely_Server.controller;
 import de.zendric.app.xpensely_server.controller.ExpenseListController;
 import de.zendric.app.xpensely_server.model.AppUser;
 import de.zendric.app.xpensely_server.model.ExpenseList;
 import de.zendric.app.xpensely_server.security.AuthenticatedUserResolver;
 import de.zendric.app.xpensely_server.services.CategoryService;
 import de.zendric.app.xpensely_server.services.ExpenseListService;
 import de.zendric.app.xpensely_server.services.UserService;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.security.oauth2.client.autoconfigure.OAuth2ClientAutoConfiguration;
 import org.springframework.boot.security.oauth2.client.autoconfigure.servlet.OAuth2ClientWebSecurityAutoConfiguration;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.servlet.OAuth2ResourceServerAutoConfiguration;
 import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
 import org.springframework.boot.webmvc.test.autoconfigure.WebMvcTest;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.bean.override.mockito.MockitoBean;
 import org.springframework.test.web.servlet.MockMvc;
 import java.util.List;
 import java.util.Optional;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
@WebMvcTest(value = ExpenseListController.class, excludeAutoConfiguration = {
        OAuth2ClientAutoConfiguration.class,
        OAuth2ClientWebSecurityAutoConfiguration.class,
        OAuth2ResourceServerAutoConfiguration.class
 })
@AutoConfigureMockMvc(addFilters = false)
@ActiveProfiles("test")
 class ExpenseListControllerTest {
    @Autowired MockMvc mockMvc;
    @MockitoBean ExpenseListService expenseListService;
    @MockitoBean UserService userService;
    @MockitoBean CategoryService categoryService;
    @MockitoBean AuthenticatedUserResolver authenticatedUserResolver;
    // --- Validation tests ---
    @Test
    void addExpense_blankTitle_returns400() throws Exception {
        mockMvc.perform(post("/api/expenselist/1/add")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"title\":\"\",\"owner\":\"alice\",\"amount\":10.0,\"date\":\"2026-05-04\",\"category\":\"Food\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.title").exists());
    }
    @Test
    void addExpense_negativeAmount_returns400() throws Exception {
        mockMvc.perform(post("/api/expenselist/1/add")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"title\":\"Lunch\",\"owner\":\"alice\",\"amount\":-5.0,\"date\":\"2026-05-04\",\"category\":\"Food\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.amount").exists());
    }
    @Test
    void addExpense_nullDate_returns400() throws Exception {
        mockMvc.perform(post("/api/expenselist/1/add")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"title\":\"Lunch\",\"owner\":\"alice\",\"amount\":10.0,\"category\":\"Food\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.date").exists());
    }
    @Test
    void acceptInvite_blankCode_returns400() throws Exception {
        mockMvc.perform(post("/api/expenselist/accept-invite")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"inviteCode\":\"\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.inviteCode").exists());
    }
    @Test
    void acceptInvite_wrongCodeLength_returns400() throws Exception {
        mockMvc.perform(post("/api/expenselist/accept-invite")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"inviteCode\":\"ABC\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.inviteCode").exists());
    }
    // --- Authorization tests ---
    @Test
    void getById_authenticatedUserNotMember_returns403() throws Exception {
        AppUser owner = new AppUser(); owner.setId(1L);
        AppUser requester = new AppUser(); requester.setId(2L);
        ExpenseList list = new ExpenseList(); list.setId(1L); list.setOwner(owner);
        when(expenseListService.findById(1L)).thenReturn(Optional.of(list));
        when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(requester);
        mockMvc.perform(get("/api/expenselist/byId").param("id", "1"))
                .andExpect(status().isForbidden());
    }
    @Test
    void getById_authenticatedUserIsOwner_returns200() throws Exception {
        AppUser owner = new AppUser(); owner.setId(1L);
        ExpenseList list = new ExpenseList(); list.setId(1L); list.setOwner(owner);
        when(expenseListService.findById(1L)).thenReturn(Optional.of(list));
        when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(owner);
        mockMvc.perform(get("/api/expenselist/byId").param("id", "1"))
                .andExpect(status().isOk());
    }
    @Test
    void deleteList_nonOwner_returns403() throws Exception {
        AppUser owner = new AppUser(); owner.setId(1L);
        AppUser nonOwner = new AppUser(); nonOwner.setId(2L);
        ExpenseList list = new ExpenseList(); list.setId(5L); list.setOwner(owner);
        when(expenseListService.findById(5L)).thenReturn(Optional.of(list));
        when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(nonOwner);
        mockMvc.perform(delete("/api/expenselist/5"))
                .andExpect(status().isForbidden());
    }
    @Test
    void getMine_returnsCurrentUserLists() throws Exception {
        AppUser user = new AppUser(); user.setId(3L);
        when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(user);
        when(expenseListService.findByUserId(3L)).thenReturn(List.of(new ExpenseList()));
        mockMvc.perform(get("/api/expenselist/mine"))
                .andExpect(status().isOk());
    }
    @Test
    void create_returns500_onUnexpectedServiceError() throws Exception {
        AppUser user = new AppUser();
        user.setId(1L);
        when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(user);
        when(categoryService.getDefaultCategories()).thenThrow(new RuntimeException("db down"));
        mockMvc.perform(post("/api/expenselist/create")
                        .contentType(MediaType.APPLICATION_JSON)
                        .content("{\"name\":\"Groceries\"}"))
                .andExpect(status().isInternalServerError());
    }
    @Test
    void create_returns400_whenNameIsBlank() throws Exception {
        AppUser user = new AppUser();
        user.setId(1L);
        when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(user);
        mockMvc.perform(post("/api/expenselist/create")
                        .contentType(MediaType.APPLICATION_JSON)
                        .content("{\"name\":\"\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.name").exists());
    }
    @Test
    void create_returns400_whenBodyIsEmpty() throws Exception {
        AppUser user = new AppUser();
        user.setId(1L);
        when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(user);
        mockMvc.perform(post("/api/expenselist/create")
                        .contentType(MediaType.APPLICATION_JSON)
                        .content("{}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.name").exists());
    }
 }
@@ -0,0 +1,78 @@
 package de.zendric.app.xpensely_Server.security;
 import de.zendric.app.xpensely_server.model.AppUser;
 import de.zendric.app.xpensely_server.security.AuthenticatedUserResolver;
 import de.zendric.app.xpensely_server.services.UserService;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.web.server.ResponseStatusException;
 import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.Mockito.*;
 class AuthenticatedUserResolverTest {
    UserService userService;
    AuthenticatedUserResolver resolver;
    @BeforeEach
    void setUp() {
        userService = mock(UserService.class);
        resolver = new AuthenticatedUserResolver(userService);
    }
    @Test
    void resolveCurrentUser_validJwt_returnsAppUser() {
        Jwt jwt = Jwt.withTokenValue("token")
                .header("alg", "RS256")
                .subject("google-id-123")
                .build();
        JwtAuthenticationToken auth = new JwtAuthenticationToken(jwt);
        AppUser user = new AppUser();
        user.setId(1L);
        user.setGoogleId("google-id-123");
        when(userService.getUserByGoogleId("google-id-123")).thenReturn(user);
        AppUser result = resolver.resolveCurrentUser(auth);
        assertEquals(user, result);
    }
    @Test
    void resolveCurrentUser_userNotFound_throws403() {
        Jwt jwt = Jwt.withTokenValue("token")
                .header("alg", "RS256")
                .subject("unknown-id")
                .build();
        JwtAuthenticationToken auth = new JwtAuthenticationToken(jwt);
        when(userService.getUserByGoogleId("unknown-id")).thenReturn(null);
        ResponseStatusException ex = assertThrows(ResponseStatusException.class,
                () -> resolver.resolveCurrentUser(auth));
        assertEquals(HttpStatus.FORBIDDEN, ex.getStatusCode());
    }
    @Test
    void resolveCurrentUser_userServiceThrows_throws403() {
        Jwt jwt = Jwt.withTokenValue("token")
                .header("alg", "RS256")
                .subject("gone-id")
                .build();
        JwtAuthenticationToken auth = new JwtAuthenticationToken(jwt);
        when(userService.getUserByGoogleId("gone-id")).thenThrow(new IllegalArgumentException("not found"));
        ResponseStatusException ex = assertThrows(ResponseStatusException.class,
                () -> resolver.resolveCurrentUser(auth));
        assertEquals(HttpStatus.FORBIDDEN, ex.getStatusCode());
    }
    @Test
    void resolveCurrentUser_nullAuthentication_throws403() {
        ResponseStatusException ex = assertThrows(ResponseStatusException.class,
                () -> resolver.resolveCurrentUser(null));
        assertEquals(HttpStatus.FORBIDDEN, ex.getStatusCode());
    }
 }
@@ -0,0 +1,89 @@
 package de.zendric.app.xpensely_Server.security;
 import de.zendric.app.xpensely_server.security.RateLimitFilter;
 import jakarta.servlet.FilterChain;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.mockito.Mockito.*;
 class RateLimitFilterTest {
    RateLimitFilter filter;
    FilterChain chain;
    @BeforeEach
    void setUp() {
        filter = new RateLimitFilter();
        chain = mock(FilterChain.class);
    }
    @Test
    void allowsRequestUnderLimit() throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setRemoteAddr("1.2.3.4");
        MockHttpServletResponse response = new MockHttpServletResponse();
        filter.doFilter(request, response, chain);
        verify(chain, times(1)).doFilter(request, response);
        assertEquals(200, response.getStatus());
    }
    @Test
    void blocksRequestOverLimit() throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setRemoteAddr("5.6.7.8");
        for (int i = 0; i < 60; i++) {
            filter.doFilter(request, new MockHttpServletResponse(), chain);
        }
        MockHttpServletResponse blockedResponse = new MockHttpServletResponse();
        filter.doFilter(request, blockedResponse, chain);
        assertEquals(429, blockedResponse.getStatus());
        verify(chain, times(60)).doFilter(eq(request), any());
    }
    @Test
    void differentIpsBucketedSeparately() throws Exception {
        MockHttpServletRequest req1 = new MockHttpServletRequest();
        req1.setRemoteAddr("10.0.0.1");
        MockHttpServletRequest req2 = new MockHttpServletRequest();
        req2.setRemoteAddr("10.0.0.2");
        for (int i = 0; i < 60; i++) {
            filter.doFilter(req1, new MockHttpServletResponse(), chain);
        }
        MockHttpServletResponse response2 = new MockHttpServletResponse();
        filter.doFilter(req2, response2, chain);
        assertEquals(200, response2.getStatus());
    }
    @Test
    void prefersXForwardedForHeader() throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setRemoteAddr("192.168.1.1");
        request.addHeader("X-Forwarded-For", "203.0.113.5, 10.0.0.1");
        for (int i = 0; i < 60; i++) {
            filter.doFilter(request, new MockHttpServletResponse(), chain);
        }
        MockHttpServletResponse blocked = new MockHttpServletResponse();
        filter.doFilter(request, blocked, chain);
        assertEquals(429, blocked.getStatus());
        MockHttpServletRequest directRequest = new MockHttpServletRequest();
        directRequest.setRemoteAddr("192.168.1.1");
        MockHttpServletResponse directResponse = new MockHttpServletResponse();
        filter.doFilter(directRequest, directResponse, chain);
        assertEquals(200, directResponse.getStatus());
    }
 }
@@ -0,0 +1,57 @@
 package de.zendric.app.xpensely_Server.services;
 import de.zendric.app.xpensely_server.model.AppUser;
 import de.zendric.app.xpensely_server.model.ExpenseList;
 import de.zendric.app.xpensely_server.repo.ExpenseListRepository;
 import de.zendric.app.xpensely_server.repo.ExpenseRepository;
 import de.zendric.app.xpensely_server.repo.XpenselyCustomCategoryRepository;
 import de.zendric.app.xpensely_server.services.ExpenseListService;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
 import java.util.List;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 import static org.mockito.Mockito.never;
@ExtendWith(MockitoExtension.class)
 class ExpenseListServiceTest {
    @Mock ExpenseListRepository repository;
    @Mock ExpenseRepository expenseRepository;
    @Mock XpenselyCustomCategoryRepository customCategoryRepository;
    @InjectMocks
    ExpenseListService service;
    @Test
    void findByUserId_usesRepositoryQuery_notFindAll() {
        AppUser owner = new AppUser(); owner.setId(1L);
        ExpenseList list = new ExpenseList(); list.setId(10L); list.setOwner(owner);
        when(repository.findByOwnerIdOrSharedWithId(1L)).thenReturn(List.of(list));
        List<ExpenseList> result = service.findByUserId(1L);
        assertThat(result).hasSize(1);
        verify(repository).findByOwnerIdOrSharedWithId(1L);
        verify(repository, never()).findAll();
    }
    @Test
    void findByUsername_usesRepositoryQuery_notFindAll() {
        AppUser owner = new AppUser(); owner.setId(1L); owner.setUsername("alice");
        ExpenseList list = new ExpenseList(); list.setId(10L); list.setOwner(owner);
        when(repository.findByOwnerUsernameOrSharedWithUsername("alice")).thenReturn(List.of(list));
        List<ExpenseList> result = service.findByUsername("alice");
        assertThat(result).hasSize(1);
        verify(repository).findByOwnerUsernameOrSharedWithUsername("alice");
        verify(repository, never()).findAll();
    }
 }
@@ -0,0 +1,75 @@
 package de.zendric.app.xpensely_Server.services;
 import de.zendric.app.xpensely_server.model.AppUser;
 import de.zendric.app.xpensely_server.model.Exception.ResourceNotFoundException;
 import de.zendric.app.xpensely_server.repo.UserRepository;
 import de.zendric.app.xpensely_server.services.UserService;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
 import java.util.Optional;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.mockito.Mockito.when;
@ExtendWith(MockitoExtension.class)
 class UserServiceTest {
    @Mock
    UserRepository userRepository;
    @InjectMocks
    UserService userService;
    @Test
    void getUserByName_throwsResourceNotFound_whenUserMissing() {
        when(userRepository.findByUsername("ghost")).thenReturn(Optional.empty());
        assertThatThrownBy(() -> userService.getUserByName("ghost"))
                .isInstanceOf(ResourceNotFoundException.class)
                .hasMessageContaining("ghost");
    }
    @Test
    void getUserByName_returnsUser_whenFound() {
        AppUser user = new AppUser();
        user.setId(1L);
        user.setUsername("alice");
        when(userRepository.findByUsername("alice")).thenReturn(Optional.of(user));
        AppUser result = userService.getUserByName("alice");
        assertThat(result.getUsername()).isEqualTo("alice");
    }
    @Test
    void getUser_throwsResourceNotFound_whenIdMissing() {
        when(userRepository.findById(99L)).thenReturn(Optional.empty());
        assertThatThrownBy(() -> userService.getUser(99L))
                .isInstanceOf(ResourceNotFoundException.class)
                .hasMessageContaining("99");
    }
    @Test
    void deleteUserById_throwsResourceNotFound_whenIdMissing() {
        when(userRepository.findById(99L)).thenReturn(Optional.empty());
        assertThatThrownBy(() -> userService.deleteUserById(99L))
                .isInstanceOf(ResourceNotFoundException.class)
                .hasMessageContaining("99");
    }
    @Test
    void getUserByGoogleId_throwsResourceNotFound_whenMissing() {
        when(userRepository.findByGoogleId("gid-404")).thenReturn(Optional.empty());
        assertThatThrownBy(() -> userService.getUserByGoogleId("gid-404"))
                .isInstanceOf(ResourceNotFoundException.class)
                .hasMessageContaining("gid-404");
    }
 }
Author	SHA1	Message	Date
Cedric	7ad72119a8	fix secrets no longer needed Build and Deploy Spring Boot Server / build (push) Successful in 1m13s Details	2026-05-14 23:46:40 +02:00
Cedric	f7f2bf5768	ci: switch to compose.deploy to force fresh image pull Build and Deploy Spring Boot Server / build (push) Successful in 1m12s Details	2026-05-12 23:57:45 +02:00
Cedric	28df2a66ca	fix: always pull latest image on redeploy Build and Deploy Spring Boot Server / build (push) Successful in 1m21s Details	2026-05-12 23:25:07 +02:00
Cedric	29f26a8a18	feat: add /api/version endpoint returning build time and version Build and Deploy Spring Boot Server / build (push) Successful in 1m25s Details	2026-05-12 23:08:37 +02:00
Cedric	a3fa59f347	ci: test full pipeline end-to-end Build and Deploy Spring Boot Server / build (push) Successful in 1m12s Details	2026-05-12 20:34:42 +02:00
Cedric	2880934644	ci: test full pipeline end-to-end Build and Deploy Spring Boot Server / build (push) Successful in 1m10s Details	2026-05-10 23:43:13 +02:00
Cedric	b42980200d	ci: trigger Dokploy redeploy via API after image push Build and Deploy Spring Boot Server / build (push) Failing after 1m48s Details	2026-05-10 23:38:07 +02:00
Cedric	8381cdbffa	ci: test full pipeline Build and Deploy Spring Boot Server / build (push) Successful in 1m20s Details	2026-05-10 22:59:53 +02:00
Cedric	5cab2fed3b	ci: test Dokploy webhook Build and Deploy Spring Boot Server / build (push) Successful in 1m13s Details	2026-05-10 22:36:44 +02:00
Cedric	417eef7042	ci: fix Dokploy webhook, token is in URL not Authorization header Build and Deploy Spring Boot Server / build (push) Failing after 1m11s Details	2026-05-10 22:29:40 +02:00
Cedric	ed5543ce61	ci: fix Java 21 in dockerfile, add Docker Hub login to avoid rate limits Build and Deploy Spring Boot Server / build (push) Failing after 1m23s Details	2026-05-10 22:22:06 +02:00
Cedric	40b8f45de8	ci: test with Java 21 runner image Build and Deploy Spring Boot Server / build (push) Failing after 1m2s Details	2026-05-10 22:15:16 +02:00
Cedric	b221d07b48	ci: use ubuntu-java17 runner image, remove setup-java step Build and Deploy Spring Boot Server / build (push) Failing after 2m22s Details	2026-05-10 22:08:23 +02:00
Cedric	0e63b6e4e6	ci: fix mvnw executable permission Build and Deploy Spring Boot Server / build (push) Has been cancelled Details	2026-05-10 22:07:30 +02:00
Cedric	4a04c85fe8	ci: use Maven wrapper instead of mvn to fix command not found on Gitea runner Build and Deploy Spring Boot Server / build (push) Failing after 4m43s Details	2026-05-10 21:40:25 +02:00
Cedric	b8e2c9114d	chore: merge main into dev, keep clean docker-compose from main Build and Deploy Spring Boot Server / build (push) Failing after 9m2s Details	2026-05-10 21:29:11 +02:00
Cedric	0876eecf50	ci: improve dev pipeline with Dokploy webhook and Docker layer caching	2026-05-10 21:27:28 +02:00
Cedric	5549691d50	ci: test pipeline	2026-05-10 21:24:18 +02:00
Cedric	46c8df45d6	ci: test pipeline	2026-05-10 21:24:10 +02:00
Cedric	50d274f36a	chore: resolve merge conflicts, keep Spring Boot 4.0.6 version Kept our version over remote (security hardening PR #12) for all conflicts: - pom.xml: Spring Boot 4.0.6 vs 3.4.1, new test deps - SecurityConfig: new csrf/package API for SB4 - GlobalExceptionHandler: full handler set with SLF4J logging - AppUserController/ExpenseListController: clean delegation to GlobalExceptionHandler - Test files: SB4 package paths, extra test coverage Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-10 20:29:49 +02:00
Cedric	ba4f365f06	chore: merge feature/security-hardening into main Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-10 20:25:12 +02:00
Cedric	a5e5824a44	docs: write recent changes section	2026-05-10 20:18:58 +02:00
Cedric	7189e4fb08	docs: write error handling section	2026-05-10 20:18:28 +02:00
Cedric	2782823c3d	docs: write data models section	2026-05-10 20:17:55 +02:00
Cedric	ddf64305a5	docs: write expense lists endpoint section	2026-05-10 20:17:22 +02:00
Cedric	2b84ed0de8	docs: write home and users endpoint sections	2026-05-10 20:14:22 +02:00
Cedric	18e740bb73	docs: write rate limiting section	2026-05-10 20:13:58 +02:00
Cedric	9b93cd97a6	docs: write authentication section	2026-05-09 23:56:14 +02:00
Cedric	8fb1820bc7	docs: write API overview section	2026-05-09 23:50:42 +02:00
Cedric	9c35bb8435	docs: scaffold API.md with section headings	2026-05-09 23:49:56 +02:00
Cedric	3d456f2f81	Bugfixes	2026-05-09 23:04:27 +02:00
Cedric	b1324e3048	test: add jsonPath field assertions to create validation tests	2026-05-06 14:40:11 +02:00
Cedric	8b96433b1a	feat: add CreateExpenseListRequest DTO with validation to POST /create endpoint Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-05 17:28:47 +02:00
Cedric	19c7e1915f	security hardening (#12 ) Reviewed-on: #12 Co-authored-by: Cedric Hornberger <ceddi.hornberger@gmx.de> Co-committed-by: Cedric Hornberger <ceddi.hornberger@gmx.de>	2026-05-05 17:13:53 +02:00
Cedric	f0de751da4	fix: centralise error handling in GlobalExceptionHandler, add SLF4J logging, remove HTTP 417 and e.printStackTrace() - Expand GlobalExceptionHandler with handlers for ResourceNotFoundException (404), UsernameAlreadyExistsException (409), ResponseStatusException (pass-through), RuntimeException (500), and generic Exception (500); add SLF4J logging - Remove all bare try/catch blocks and e.printStackTrace() calls from ExpenseListController; add SLF4J logger field - Add test: create_returns500_onUnexpectedServiceError Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-05 17:11:37 +02:00
Cedric	9b95741292	fix: add /docs/superpowers to .gitignore	2026-05-05 17:00:01 +02:00
Cedric	2bd229cc5e	Remove docs from tracking	2026-05-05 16:59:35 +02:00
Cedric	797d482ebf	fix: use ResourceNotFoundException for not-found cases in updateExpense, IllegalArgumentException for ownership mismatch in deleteCustomCategory	2026-05-05 16:55:01 +02:00
Cedric	906b60d264	fix: single-param JPQL queries, ResourceNotFoundException throughout ExpenseListService, remove addExpenseToList loop Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-05 16:40:31 +02:00
Cedric	68783cc892	fix: throw ResourceNotFoundException instead of returning null, replace full-table-scan list queries with JPQL	2026-05-05 15:20:46 +02:00
Cedric	9c91da9f30	test: fix ExpenseListRepositoryTest with H2 and proper save-then-find pattern Added H2 as a test-scoped dependency so @DataJpaTest has an embedded database. Rewrote the test to save an entity and assert on the returned ID rather than assuming a record exists at ID=1. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-05 11:23:51 +02:00
Cedric	024b3880e7	security: add per-user/IP rate limiting via Bucket4j RateLimitFilter (OncePerRequestFilter) enforces 60 req/min per authenticated Google ID or client IP, using Bucket4j in-memory token buckets. Filter is registered after BearerTokenAuthenticationFilter in the production security chain. Added 4 unit tests covering allow, block, per-IP isolation, and X-Forwarded-For preference. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-05 11:19:42 +02:00
Cedric	457efab452	security: enforce JWT-based authorization on AppUserController Added AuthenticatedUserResolver injection and assertSelf guard to getUser, getUserByGoogleId, and deleteUser endpoints. createUser remains open for registration. Added 7 controller tests covering validation failures and 403 enforcement. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-05 11:13:05 +02:00
Cedric	95688e5111	test: add unit tests for AuthenticatedUserResolver	2026-05-05 10:03:35 +02:00
Cedric	bb2a4d70b2	feat: add ExpenseListController validation and authorization tests	2026-05-04 22:46:29 +02:00
Cedric	a948bca2fc	feat: add GlobalExceptionHandler, @Valid to user creation, AuthenticatedUserResolver stub, and rewrite ExpenseListController with authorization	2026-05-04 22:44:37 +02:00
Cedric	3bea06fead	feat: add Bean Validation annotations to request models	2026-05-04 22:36:20 +02:00
Cedric	b7db35defe	build: add spring-boot-starter-validation and bucket4j-core	2026-05-04 22:34:10 +02:00
Cedric	efe84942ff	docs: add security hardening implementation plan 8-task TDD plan covering input validation, JWT-based authorization enforcement, and Bucket4j rate limiting. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-04 22:22:54 +02:00
Cedric	e3b8917bfc	docs: add security hardening design spec Covers input validation, JWT-based authorization enforcement, and per-user rate limiting via Bucket4j. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-04 21:58:20 +02:00
Cedric	229a6a8a43	docker-compose.yml aktualisiert	2026-03-04 15:16:11 +01:00
Cedric	76e878ff5c	docker-compose.yml aktualisiert	2026-02-04 20:25:38 +01:00
Cedric	477a5c3c70	dockerfile aktualisiert	2026-02-04 15:31:16 +01:00
Cedric	7bac694357	docker-compose.yml aktualisiert	2026-02-04 15:29:55 +01:00
Cedric	f8407db3ac	docker-compose.yml aktualisiert	2026-02-04 15:27:51 +01:00
Cedric	374d91f0c9	dockerfile aktualisiert	2026-02-04 15:18:40 +01:00
Cedric	8f17e8d8a8	dockerfile aktualisiert	2026-02-04 15:15:53 +01:00
Cedric	8c8eccb35e	dockerfile aktualisiert	2026-02-04 15:13:23 +01:00
Cedric	3656ccc941	dockerfile aktualisiert	2026-02-04 15:07:41 +01:00
Cedric	e9851ffea4	dockerfile update	2026-02-04 15:05:44 +01:00
Cedric	38b5e0f740	Merge pull request 'Vps update' (#11 ) from Vps-new-infrastructure into main Reviewed-on: #11	2026-02-04 14:56:13 +01:00
Cedric	2ba7f8d5da	Vps update	2026-02-04 14:55:25 +01:00
Cedric	b46464cd32	Merge pull request 'dev' (#8 ) from dev into main Build and Deploy Versioned Spring Boot Server / build (push) Successful in 10m4s Details Reviewed-on: #8	2025-05-10 16:13:59 -07:00
`@@ -1,4 +1,4 @@`
	`FROM openjdk:17-jdk-slim`	`FROM eclipse-temurin:21-jdk`

	`COPY ./target/*.jar app.jar`	`COPY ./target/*.jar app.jar`