Cedric/XpenselyServer
1
0
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases 5 Wiki Activity

Compare commits

base: Cedric/XpenselyServer:9c91da9f30228ed3b519792089c0daa99b2cca4f
Branches Tags
Cedric/XpenselyServer:main Cedric/XpenselyServer:dev
Cedric/XpenselyServer:1.0.0 Cedric/XpenselyServer:0.1.3 Cedric/XpenselyServer:0.1.2 Cedric/XpenselyServer:0.1.1 Cedric/XpenselyServer:0.1.0
...
compare: Cedric/XpenselyServer:main
Branches Tags
Cedric/XpenselyServer:dev Cedric/XpenselyServer:main
Cedric/XpenselyServer:1.0.0 Cedric/XpenselyServer:0.1.3 Cedric/XpenselyServer:0.1.2 Cedric/XpenselyServer:0.1.1 Cedric/XpenselyServer:0.1.0

26 Commits
9c91da9f30 ... main

Author SHA1 Message Date
Cedric 0876eecf50 ci: improve dev pipeline with Dokploy webhook and Docker layer caching 2026-05-10 21:27:28 +02:00
Cedric 5549691d50 ci: test pipeline 2026-05-10 21:24:18 +02:00
Cedric 46c8df45d6 ci: test pipeline 2026-05-10 21:24:10 +02:00
Cedric 50d274f36a chore: resolve merge conflicts, keep Spring Boot 4.0.6 version 
Kept our version over remote (security hardening PR #12) for all conflicts:
- pom.xml: Spring Boot 4.0.6 vs 3.4.1, new test deps
- SecurityConfig: new csrf/package API for SB4
- GlobalExceptionHandler: full handler set with SLF4J logging
- AppUserController/ExpenseListController: clean delegation to GlobalExceptionHandler
- Test files: SB4 package paths, extra test coverage

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-10 20:29:49 +02:00
Cedric ba4f365f06 chore: merge feature/security-hardening into main 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-10 20:25:12 +02:00
Cedric a5e5824a44 docs: write recent changes section 2026-05-10 20:18:58 +02:00
Cedric 7189e4fb08 docs: write error handling section 2026-05-10 20:18:28 +02:00
Cedric 2782823c3d docs: write data models section 2026-05-10 20:17:55 +02:00
Cedric ddf64305a5 docs: write expense lists endpoint section 2026-05-10 20:17:22 +02:00
Cedric 2b84ed0de8 docs: write home and users endpoint sections 2026-05-10 20:14:22 +02:00
Cedric 18e740bb73 docs: write rate limiting section 2026-05-10 20:13:58 +02:00
Cedric 9b93cd97a6 docs: write authentication section 2026-05-09 23:56:14 +02:00
Cedric 8fb1820bc7 docs: write API overview section 2026-05-09 23:50:42 +02:00
Cedric 9c35bb8435 docs: scaffold API.md with section headings 2026-05-09 23:49:56 +02:00
Cedric 3d456f2f81 Bugfixes 2026-05-09 23:04:27 +02:00
Cedric b1324e3048 test: add jsonPath field assertions to create validation tests 2026-05-06 14:40:11 +02:00
Cedric 8b96433b1a feat: add CreateExpenseListRequest DTO with validation to POST /create endpoint 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-05 17:28:47 +02:00
Cedric 19c7e1915f security hardening (#12) 
Reviewed-on: #12
Co-authored-by: Cedric Hornberger <ceddi.hornberger@gmx.de>
Co-committed-by: Cedric Hornberger <ceddi.hornberger@gmx.de>
 2026-05-05 17:13:53 +02:00
Cedric f0de751da4 fix: centralise error handling in GlobalExceptionHandler, add SLF4J logging, remove HTTP 417 and e.printStackTrace() 
- Expand GlobalExceptionHandler with handlers for ResourceNotFoundException (404),
  UsernameAlreadyExistsException (409), ResponseStatusException (pass-through),
  RuntimeException (500), and generic Exception (500); add SLF4J logging
- Remove all bare try/catch blocks and e.printStackTrace() calls from
  ExpenseListController; add SLF4J logger field
- Add test: create_returns500_onUnexpectedServiceError

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-05 17:11:37 +02:00
Cedric 9b95741292 fix: add /docs/superpowers to .gitignore 2026-05-05 17:00:01 +02:00
Cedric 2bd229cc5e Remove docs from tracking 2026-05-05 16:59:35 +02:00
Cedric 797d482ebf fix: use ResourceNotFoundException for not-found cases in updateExpense, IllegalArgumentException for ownership mismatch in deleteCustomCategory 2026-05-05 16:55:01 +02:00
Cedric 906b60d264 fix: single-param JPQL queries, ResourceNotFoundException throughout ExpenseListService, remove addExpenseToList loop 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-05 16:40:31 +02:00
Cedric 68783cc892 fix: throw ResourceNotFoundException instead of returning null, replace full-table-scan list queries with JPQL 2026-05-05 15:20:46 +02:00
Cedric 229a6a8a43 docker-compose.yml aktualisiert 2026-03-04 15:16:11 +01:00
Cedric 76e878ff5c docker-compose.yml aktualisiert 2026-02-04 20:25:38 +01:00
20 changed files with 1195 additions and 1942 deletions
Expand all files Collapse all files
.gitea/workflows/build.yml
+30 -28
View File
@@ -12,43 +12,45 @@ jobs:
steps:
# 1. Checkout the code
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@v4
# 2. Set up Java and Maven
# 2. Set up Java and Maven (includes Maven, no separate install needed)
- name: Set up JDK (Eclipse Temurin)
uses: actions/setup-java@v3
uses: actions/setup-java@v4
with:
distribution: "temurin"
java-version: "17"
cache: maven
# 3. Verify Maven installation
- name: Install Maven
run: |
sudo apt-get update
sudo apt-get install -y maven
mvn -version
# 4. Build the Spring Boot application
# 3. Build the Spring Boot application
- name: Build Spring Boot Application
run: |
mvn clean package -DskipTests
run: mvn clean package -DskipTests
# 5. Set up Docker
- name: Set up Docker
run: |
docker --version
# 4. Set up Docker Buildx (enables layer caching)
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
# 6. Build the Docker image
- name: Build and Package Docker Image
run: |
docker build -t tea.zendric.de/cedric/xpensely-server:latest .
# 7. Docker login
# 5. Docker login
- name: Login to Docker Registry
uses: docker/login-action@v3
with:
registry: tea.zendric.de
username: ${{ secrets.TEAUSER }}
password: ${{ secrets.TEAPASSWORD }}
# 6. Build and push Docker image with layer caching
- name: Build and Push Docker Image
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: tea.zendric.de/cedric/xpensely-server:latest
cache-from: type=registry,ref=tea.zendric.de/cedric/xpensely-server:buildcache
cache-to: type=registry,ref=tea.zendric.de/cedric/xpensely-server:buildcache,mode=max
# 7. Trigger Dokploy to redeploy the dev server automatically
- name: Trigger Dokploy Redeploy
run: |
echo "${{ secrets.TEAPASSWORD }}" | docker login tea.zendric.de -u ${{ secrets.TEAUSER }} --password-stdin
# 8. Push Docker image
- name: Push the Docker Image to registry
run: |
docker push tea.zendric.de/cedric/xpensely-server:latest
curl -X POST "${{ secrets.DOKPLOY_WEBHOOK_URL }}" \
-H "Authorization: Bearer ${{ secrets.DOKPLOY_TOKEN }}" \
--fail
.gitignore
+1
View File
@@ -1,5 +1,6 @@
HELP.md
target/
/docs/superpowers
!.mvn/wrapper/maven-wrapper.jar
!**/src/main/**/target/
!**/src/test/**/target/
docs/API.md
+704
View File
@@ -0,0 +1,704 @@
# Xpensely Server — API Reference
> Last updated: 2026-05-09 · Branch: `feature/security-hardening`
## Table of Contents
1. [Overview](#1-overview)
2. [Authentication](#2-authentication)
3. [Rate Limiting](#3-rate-limiting)
4. [Endpoints](#4-endpoints)
- 4.1 [Home](#41-home)
- 4.2 [Users](#42-users)
- 4.3 [Expense Lists](#43-expense-lists)
5. [Data Models](#5-data-models)
6. [Error Handling](#6-error-handling)
7. [Recent Changes — `feature/security-hardening`](#7-recent-changes)
---
## 1. Overview
Xpensely Server is a Spring Boot REST API that manages shared expense lists for pairs of users. It uses Google OAuth2 JWT tokens for authentication. All protected endpoints require a valid Bearer token in the `Authorization` header.
**Base URL (local dev):** `http://localhost:8080`
**Content-Type:** `application/json` for all request and response bodies.
**Public endpoints (no auth required):**
| Method | Path | Description |
|--------|------|-------------|
| GET | `/` | Health check — returns `"Welcome"` |
| POST | `/api/users/createUser` | Register a new user |
| GET | `/api/users/byName` | Look up a user by username |
All other endpoints require authentication (see [Section 2](#2-authentication)).
## 2. Authentication
The server uses **OAuth2 Resource Server** authentication with **Google ID JWT tokens**.
### How it works
1. The client authenticates with Google and receives a Google ID JWT.
2. Every protected API request must include this token in the header:
```
Authorization: Bearer <google-id-jwt>
```
3. The server validates the JWT signature and extracts the `sub` claim (Google User ID).
4. The `sub` value is used to look up the registered `AppUser` in the database via `AuthenticatedUserResolver`.
5. If no `AppUser` exists for that Google ID, the request is rejected with **403 Forbidden**.
### Test profile
When the application runs under the `test` Spring profile (`-Dspring.profiles.active=test`), **all security is disabled** — every endpoint is accessible without a token. This is used for automated tests only.
### User registration flow
Before a user can call any protected endpoint they must first be registered:
1. Authenticate with Google to obtain a Google ID JWT.
2. Call `POST /api/users/createUser` with the JWT's `sub` value as `googleId` and a chosen `username`.
3. All subsequent protected calls use the same JWT — the server resolves the caller automatically.
## 3. Rate Limiting
All requests pass through a `RateLimitFilter` (implemented with **Bucket4j**).
| Setting | Value |
|---------|-------|
| Limit | 60 requests per minute |
| Window | Rolling 1-minute bucket |
| Key (authenticated) | JWT `sub` claim (Google User ID) |
| Key (unauthenticated) | `X-Forwarded-For` header, falling back to remote IP |
When the limit is exceeded the server responds with:
```
HTTP 429 Too Many Requests
```
No `Retry-After` header is currently returned. Clients should back off and retry after 60 seconds.
> **Note:** Rate limiting applies in the `!test` profile only. Tests run without rate limiting.
## 4. Endpoints
### 4.1 Home
#### `GET /`
Health check. No authentication required.
**Response:** `200 OK`
```
Welcome
```
---
### 4.2 Users
Base path: `/api/users`
---
#### `POST /api/users/createUser` — Register a user
**Auth required:** No
**Request body:**
```json
{
"username": "alice",
"googleId": "118400012345678901234"
}
```
| Field | Type | Constraints |
|-------|------|-------------|
| `username` | String | Required. 330 chars. Pattern: `^[a-zA-Z0-9_.\-]+$` |
| `googleId` | String | Required. Non-blank. Must match the JWT `sub` from Google. |
**Success response:** `200 OK` — returns the created [AppUser](#appuser) object.
**Error responses:**
| Status | Condition |
|--------|-----------|
| 400 | Validation failure (field errors returned as `{"fieldName": "message"}`) |
| 409 | `username` already taken |
---
#### `GET /api/users` — Get user by ID
**Auth required:** Yes
**Query params:**
| Param | Type | Required | Description |
|-------|------|----------|-------------|
| `id` | Long | Yes | Database ID of the user |
**Success response:** `200 OK` — returns [AppUser](#appuser).
**Error responses:**
| Status | Condition |
|--------|-----------|
| 404 | No user found for `id` |
---
#### `GET /api/users/byName` — Get user by username
**Auth required:** No
**Query params:**
| Param | Type | Required | Description |
|-------|------|----------|-------------|
| `username` | String | Yes | Exact username (case-sensitive) |
**Success response:** `200 OK` — returns [AppUser](#appuser).
**Error responses:**
| Status | Condition |
|--------|-----------|
| 404 | No user found for `username` |
---
#### `GET /api/users/byGoogleId` — Get user by Google ID
**Auth required:** Yes
**Query params:**
| Param | Type | Required | Description |
|-------|------|----------|-------------|
| `id` | String | Yes | Google `sub` claim |
**Success response:** `200 OK` — returns [AppUser](#appuser).
**Error responses:**
| Status | Condition |
|--------|-----------|
| 404 | No user found for that Google ID |
---
#### `DELETE /api/users` — Delete a user
**Auth required:** Yes
**Query params:**
| Param | Type | Required | Description |
|-------|------|----------|-------------|
| `id` | Long | Yes | Database ID of the user to delete |
**Success response:** `200 OK` — returns the deleted [AppUser](#appuser).
**Error responses:**
| Status | Condition |
|--------|-----------|
| 404 | No user found for `id` |
---
### 4.3 Expense Lists
Base path: `/api/expenselist`
All endpoints in this group require authentication. The authenticated caller is resolved from the JWT and used for ownership checks.
---
#### `GET /api/expenselist/mine` — Get caller's expense lists
Returns all expense lists where the caller is the owner **or** has been shared the list.
**Auth required:** Yes
**Request body:** None
**Success response:** `200 OK` — array of [ExpenseList](#expenselist).
```json
[
{
"id": 1,
"name": "Holiday Trip",
"inviteCode": null,
"owner": { "id": 1, "username": "alice" },
"sharedWith": null,
"expenses": [],
"customCategories": []
}
]
```
---
#### `GET /api/expenselist/byId` — Get expense list by ID
**Auth required:** Yes
**Query params:**
| Param | Type | Required | Description |
|-------|------|----------|-------------|
| `id` | Long | Yes | Expense list database ID |
The caller must be the owner or the shared user of the list.
**Success response:** `200 OK` — returns [ExpenseList](#expenselist).
**Error responses:**
| Status | Condition |
|--------|-----------|
| 403 | Caller is neither owner nor shared user |
| 404 | No list found for `id` |
---
#### `POST /api/expenselist/create` — Create an expense list
**Auth required:** Yes
**Request body:**
```json
{
"name": "Road Trip 2026"
}
```
| Field | Type | Constraints |
|-------|------|-------------|
| `name` | String | Required. Max 100 chars. |
The authenticated caller becomes the `owner` of the new list. The list is initialised with the default Xpensely standard categories.
**Success response:** `201 Created` — returns the created [ExpenseList](#expenselist).
**Error responses:**
| Status | Condition |
|--------|-----------|
| 400 | Validation failure |
---
#### `DELETE /api/expenselist/{id}` — Delete an expense list
**Auth required:** Yes
**Path params:**
| Param | Type | Description |
|-------|------|-------------|
| `id` | Long | Expense list database ID |
Only the **owner** may delete a list. Deleting a list cascades to all its expenses and custom categories.
**Success response:** `204 No Content`
**Error responses:**
| Status | Condition |
|--------|-----------|
| 403 | Caller is not the owner |
| 404 | No list found for `id` |
---
#### `POST /api/expenselist/{id}/add` — Add an expense to a list
**Auth required:** Yes
**Path params:**
| Param | Type | Description |
|-------|------|-------------|
| `id` | Long | Expense list database ID |
**Request body:**
```json
{
"title": "Dinner",
"owner": "alice",
"amount": 42.50,
"personalUseAmount": 21.25,
"otherPersonAmount": 21.25,
"date": "2026-05-09",
"category": "Food"
}
```
| Field | Type | Constraints |
|-------|------|-------------|
| `title` | String | Required. Max 100 chars. |
| `owner` | String | Required. Username of the person who paid. |
| `amount` | Double | Required. Min 0.01. |
| `personalUseAmount` | Double | Optional. Caller's share. |
| `otherPersonAmount` | Double | Optional. Other person's share. |
| `date` | String (ISO-8601) | Required. Format: `YYYY-MM-DD`. |
| `category` | String | Required. Non-blank category name. |
**Success response:** `200 OK` — returns the created [Expense](#expense).
**Error responses:**
| Status | Condition |
|--------|-----------|
| 400 | Validation failure |
| 403 | Caller is not a member (owner or sharedWith) of the list |
| 404 | List not found |
---
#### `PUT /api/expenselist/{id}/update` — Update an expense
**Auth required:** Yes
**Path params:**
| Param | Type | Description |
|-------|------|-------------|
| `id` | Long | Expense list database ID |
**Request body:**
```json
{
"id": 7,
"title": "Dinner (updated)",
"ownerName": "alice",
"amount": 50.00,
"personalUseAmount": 25.00,
"otherPersonAmount": 25.00,
"date": "2026-05-09",
"category": "Food"
}
```
| Field | Type | Constraints |
|-------|------|-------------|
| `id` | Long | Required. ID of the expense to update. |
| `title` | String | Required. Max 100 chars. |
| `ownerName` | String | Required. Username of the payer. |
| `amount` | Double | Required. Min 0.01. |
| `personalUseAmount` | Double | Optional. |
| `otherPersonAmount` | Double | Optional. |
| `date` | String (ISO-8601) | Required. `YYYY-MM-DD`. |
| `category` | String | Required. |
Caller must be a member of the list. Expense must belong to the specified list.
**Success response:** `200 OK` — returns the updated [Expense](#expense).
**Error responses:**
| Status | Condition |
|--------|-----------|
| 400 | Validation failure or expense does not belong to this list |
| 403 | Caller is not a member of the list |
| 404 | List or expense not found |
---
#### `DELETE /api/expenselist/{id}/delete` — Remove an expense from a list
**Auth required:** Yes
**Path params:**
| Param | Type | Description |
|-------|------|-------------|
| `id` | Long | Expense list database ID |
**Query params:**
| Param | Type | Required | Description |
|-------|------|----------|-------------|
| `expenseId` | Long | Yes | ID of the expense to remove |
Caller must be a member of the list.
**Success response:** `200 OK` — returns the deleted [Expense](#expense).
**Error responses:**
| Status | Condition |
|--------|-----------|
| 403 | Caller is not a member of the list |
| 404 | List or expense not found |
---
#### `POST /api/expenselist/{listId}/invite` — Generate an invite code
Generates (or refreshes) a 6-character uppercase invite code for the list, valid for **1 week**.
**Auth required:** Yes
**Path params:**
| Param | Type | Description |
|-------|------|-------------|
| `listId` | Long | Expense list database ID |
Caller must be the **owner** of the list.
**Success response:** `200 OK` — returns the invite code as a plain string.
```
AB3X7Q
```
**Error responses:**
| Status | Condition |
|--------|-----------|
| 403 | Caller is not the owner |
| 404 | List not found |
---
#### `POST /api/expenselist/accept-invite` — Accept an invite
Joins the caller to a shared expense list using an invite code.
**Auth required:** Yes
**Request body:**
```json
{
"inviteCode": "AB3X7Q"
}
```
| Field | Type | Constraints |
|-------|------|-------------|
| `inviteCode` | String | Required. Exactly 6 characters. |
**Success response:** `200 OK` — returns the [ExpenseList](#expenselist) the caller joined.
**Error responses:**
| Status | Condition |
|--------|-----------|
| 400 | Validation failure or invite code not found / expired |
| 403 | Caller is already the owner of this list |
---
## 5. Data Models
### AppUser
Returned by all `/api/users` endpoints. Sensitive fields (`googleId`, `createdAt`) are hidden from API responses via `@JsonIgnore`.
```json
{
"id": 1,
"username": "alice"
}
```
| Field | Type | Notes |
|-------|------|-------|
| `id` | Long | Auto-generated primary key |
| `username` | String | Unique. 330 chars. |
---
### ExpenseList
```json
{
"id": 1,
"name": "Road Trip",
"inviteCode": "AB3X7Q",
"owner": { "id": 1, "username": "alice" },
"sharedWith": { "id": 2, "username": "bob" },
"xpenselyStandardCategories": {
"id": 1,
"categories": [
{ "id": 1, "name": "Food", "colorCode": "#FF5733" }
]
},
"customCategories": [],
"expenses": []
}
```
| Field | Type | Notes |
|-------|------|-------|
| `id` | Long | Auto-generated primary key |
| `name` | String | Display name of the list |
| `inviteCode` | String \| null | 6-char code; `null` if not yet generated or expired |
| `owner` | AppUser | User who created the list |
| `sharedWith` | AppUser \| null | Second member of the list; `null` until an invite is accepted |
| `xpenselyStandardCategories` | XpenselyStandardCategories | Default category set assigned at creation |
| `customCategories` | XpenselyCustomCategory[] | User-defined categories, ordered A→Z |
| `expenses` | Expense[] | All expenses, ordered by date ASC then id ASC |
> `inviteCodeExpiration` is hidden from API responses (`@JsonIgnore`).
---
### Expense
```json
{
"id": 7,
"title": "Dinner",
"owner": { "id": 1, "username": "alice" },
"amount": 42.50,
"personalUseAmount": 21.25,
"otherPersonAmount": 21.25,
"category": "Food",
"date": "2026-05-09"
}
```
| Field | Type | Notes |
|-------|------|-------|
| `id` | Long | Auto-generated |
| `title` | String | Description of the expense |
| `owner` | AppUser | Who paid |
| `amount` | Double | Total amount. Min 0.01. |
| `personalUseAmount` | Double \| null | Caller's share |
| `otherPersonAmount` | Double \| null | Other member's share |
| `category` | String | Category name (free text — must match a category on the list) |
| `date` | String (ISO-8601) | `YYYY-MM-DD` |
> The `expenseList` back-reference is excluded via `@JsonBackReference` to prevent circular serialisation.
---
### XpenselyStandardCategories
A named group of standard categories assigned to every new expense list.
```json
{
"id": 1,
"categories": [
{ "id": 1, "name": "Food", "colorCode": "#FF5733" },
{ "id": 2, "name": "Transport", "colorCode": "#3498DB" }
]
}
```
---
### XpenselyCustomCategory
A user-defined category attached to a specific expense list.
```json
{
"id": 5,
"name": "Souvenirs",
"colorCode": "#9B59B6"
}
```
| Field | Type | Notes |
|-------|------|-------|
| `id` | Long | Auto-generated |
| `name` | String | Category label |
| `colorCode` | String | 7-char hex string e.g. `#RRGGBB` |
> The `expenseList` back-reference is excluded via `@JsonBackReference`.
## 6. Error Handling
All errors are returned as JSON. The `GlobalExceptionHandler` (`@RestControllerAdvice`) maps exceptions to HTTP status codes consistently across every endpoint.
### Error response format
Most errors:
```json
{
"error": "Human-readable message"
}
```
Validation errors (`400`):
```json
{
"username": "size must be between 3 and 30",
"googleId": "must not be blank"
}
```
### Status code reference
| HTTP Status | Condition | Source |
|-------------|-----------|--------|
| 400 Bad Request | Input validation failed (missing/invalid fields) | `MethodArgumentNotValidException` via `@Valid` |
| 400 Bad Request | Business rule violation (e.g. expense not in this list) | `IllegalArgumentException` |
| 403 Forbidden | User not registered in the system | `AuthenticatedUserResolver``ResponseStatusException(FORBIDDEN)` |
| 403 Forbidden | Ownership check failed (e.g. deleting someone else's list) | `ResponseStatusException(FORBIDDEN)` in controller |
| 404 Not Found | Entity does not exist (user, list, expense) | `ResourceNotFoundException` |
| 409 Conflict | Username already taken | `UsernameAlreadyExistsException` |
| 429 Too Many Requests | Rate limit exceeded | `RateLimitFilter` (returned directly, not via exception handler) |
| 500 Internal Server Error | Unexpected runtime or generic exception | `RuntimeException` / `Exception` — message is hidden from client |
## 7. Recent Changes — `feature/security-hardening`
This section summarises API-visible changes introduced on the `feature/security-hardening` branch (commits `3d456f2``b1324e3``8b96433``f0de751`). A developer or agent reading this document should be aware of these differences compared to the `main` branch.
---
### New: Centralised error handling (`GlobalExceptionHandler`)
**File:** `src/main/java/.../controller/GlobalExceptionHandler.java`
All error responses now follow the consistent JSON shape described in [Section 6](#6-error-handling). Previously, individual controllers returned ad-hoc responses, including HTTP 417 and raw stack trace output. Both have been removed. SLF4J logging has been added for server-side error visibility.
---
### New: `AuthenticatedUserResolver`
**File:** `src/main/java/.../security/AuthenticatedUserResolver.java`
A new component that extracts the Google ID from the JWT `sub` claim and resolves the corresponding `AppUser`. Injected into all protected controller methods. Returns `403 Forbidden` if the token is valid but the user has never called `POST /api/users/createUser`.
---
### New: `RateLimitFilter` — 60 req/min
**File:** `src/main/java/.../security/RateLimitFilter.java`
Rate limiting was not present on `main`. See [Section 3](#3-rate-limiting) for full details.
---
### New: `CreateExpenseListRequest` DTO with validation
**File:** `src/main/java/.../model/CreateExpenseListRequest.java`
`POST /api/expenselist/create` previously accepted a raw `ExpenseList` body. It now requires a `CreateExpenseListRequest` with a single validated `name` field (`@NotBlank`, `@Size(max=100)`). Clients must update their request body shape.
---
### Updated: Validation constraints tightened on existing DTOs
| DTO | Field | Change |
|-----|-------|--------|
| `AppUserCreateRequest` | `username` | Added `@Pattern(regexp="^[a-zA-Z0-9_.\-]+$")` — special characters (other than `_`, `.`, `-`) now rejected |
| `InviteRequest` | `inviteCode` | Added `@Size(min=6, max=6)` — non-6-char codes now rejected at binding |
| `ExpenseInput` | `amount` | Added `@DecimalMin("0.01")` — zero and negative amounts now rejected |
| `ExpenseChangeRequest` | `amount` | Added `@DecimalMin("0.01")` — zero and negative amounts now rejected |
---
### Updated: `SecurityConfig` — test-profile isolation
**File:** `src/main/java/.../security/SecurityConfig.java`
Two separate `SecurityFilterChain` beans now exist:
- `@Profile("test")` — all endpoints permitted, CSRF disabled (for automated tests only).
- `@Profile("!test")` — full JWT/OAuth2 enforcement (production behaviour).
Previously a single config was used for both, which made tests fragile.
---
### Fixed: `ExpenseListService` — JPQL and exception consistency
- Single `@Param` used in all JPQL queries (multi-param variant was broken).
- `ResourceNotFoundException` is now thrown consistently instead of returning `null` or a generic `RuntimeException`.
- `addExpenseToList` delegates directly to `ExpenseList.addExpense()` rather than looping.
---
### Fixed: `UserService` — null returns replaced with exceptions
All not-found paths in `UserService` now throw `ResourceNotFoundException` instead of returning `null`. Callers that previously needed to null-check responses will now receive a `404` response.
docs/superpowers/plans/2026-05-04-security-hardening.md
-1462
View File
File diff suppressed because it is too large Load Diff
docs/superpowers/specs/2026-05-04-security-hardening-design.md
-166
View File
@@ -1,166 +0,0 @@
# Security Hardening Design — XpenselyServer
**Date:** 2026-05-04
**Scope:** Input validation, authorization enforcement, rate limiting
---
## Problem Statement
The XpenselyServer has three security gaps:
1. **No input validation** — request bodies are accepted without any field constraints, allowing null fields, negative amounts, oversized strings, and malformed data to reach the database layer.
2. **Authorization bypass** — every endpoint trusts caller-supplied user IDs from query params or request bodies rather than the authenticated JWT. Any authenticated user can read or destroy another user's expense lists.
3. **No rate limiting** — no protection against brute-force or abuse of sensitive endpoints (invite generation, account creation, invite acceptance).
---
## Section 1 — Input Validation
### Dependency
Add `spring-boot-starter-validation` to `pom.xml`.
### Request Model Constraints
**`AppUserCreateRequest`**
- `username`: `@NotBlank @Size(min=3, max=30) @Pattern(regexp="^[a-zA-Z0-9_.-]+$")`
- `googleId`: `@NotBlank`
**`ExpenseInput`**
- `title`: `@NotBlank @Size(max=100)`
- `owner`: `@NotBlank`
- `amount`: `@NotNull @DecimalMin("0.01")`
- `date`: `@NotNull`
- `category`: `@NotBlank`
**`ExpenseChangeRequest`** — same constraints as `ExpenseInput` for the corresponding fields.
**`InviteRequest`**
- `inviteCode`: `@NotBlank @Size(min=6, max=6)`
- `userId` field removed (derived from JWT — see Section 2)
### Controller Changes
Add `@Valid` to every `@RequestBody` parameter in `AppUserController` and `ExpenseListController`.
### Error Handling
Add a `@ControllerAdvice` class `GlobalExceptionHandler` that:
- Catches `MethodArgumentNotValidException` → returns `400 Bad Request` with a map of `{ field: errorMessage }` pairs
- Catches `IllegalArgumentException` → returns `400 Bad Request` with the exception message
This replaces the current pattern of returning `500 INTERNAL_SERVER_ERROR` or `417 EXPECTATION_FAILED` for validation failures.
### Cleanup
Remove the stray `@Id` and `@GeneratedValue` JPA annotations from `ExpenseInput` — it is a DTO, not an entity.
---
## Section 2 — Authorization Model
### Core Principle
Stop trusting caller-supplied user IDs. Derive the authenticated user from the JWT on every request.
### New Component: `AuthenticatedUserResolver`
A `@Component` with a single method:
```java
AppUser resolveCurrentUser(Authentication auth)
```
- Extracts the `sub` claim (Google ID) from the JWT
- Calls `UserService.getUserByGoogleId(sub)` to return the `AppUser`
- Throws `ResponseStatusException(403)` if no user is found for the JWT subject
### Endpoint Changes
| Endpoint | Change |
|---|---|
| `GET /api/expenselist/all` | **Removed** — no legitimate non-admin use case |
| `GET /api/expenselist/byUser?userId=X` | **Replaced** by `GET /api/expenselist/mine` — returns lists for the JWT user, no param |
| `GET /api/expenselist/byUsername?username=X` | **Removed** — redundant with `/mine` |
| `GET /api/expenselist/byId?id=X` | **Guard added** — 403 if authenticated user is neither owner nor sharedWith |
| `DELETE /api/expenselist/{id}` | **Guard added** — 403 if authenticated user is not the owner |
| `POST /api/expenselist/{id}/add` | **Guard added** — 403 if authenticated user is not owner or sharedWith |
| `PUT /api/expenselist/{id}/update` | **Guard added** — 403 if authenticated user is not owner or sharedWith |
| `DELETE /api/expenselist/{id}/delete` | **Guard added** — 403 if authenticated user is not owner or sharedWith |
| `POST /api/expenselist/{listId}/invite` | **Guard added** — 403 if authenticated user is not the owner |
| `POST /api/expenselist/accept-invite` | **`userId` removed from body** — derived from JWT instead |
| `GET /api/users?id=X` | **Guard added** — 403 if id doesn't match JWT user's id |
| `GET /api/users/byGoogleId?id=X` | **Guard added** — 403 if id doesn't match JWT sub |
| `DELETE /api/users?id=X` | **Guard added** — 403 if id doesn't match JWT user's id |
### Ownership Check Helper
Each guard is implemented as a private method in its controller (23 lines):
```java
private void assertOwner(AppUser authenticated, ExpenseList list) {
if (!list.getOwner().getId().equals(authenticated.getId()))
throw new ResponseStatusException(HttpStatus.FORBIDDEN);
}
private void assertMember(AppUser authenticated, ExpenseList list) {
boolean isOwner = list.getOwner().getId().equals(authenticated.getId());
boolean isShared = list.getSharedWith() != null && list.getSharedWith().getId().equals(authenticated.getId());
if (!isOwner && !isShared)
throw new ResponseStatusException(HttpStatus.FORBIDDEN);
}
```
### Test Profile
The `@Profile("test")` security chain in `SecurityConfig` is untouched. Existing tests continue to work without authentication.
---
## Section 3 — Rate Limiting
### Dependency
Add `bucket4j-core` to `pom.xml`. In-memory storage — no external cache needed for single-instance deployment.
### Implementation
A `RateLimitFilter` extending `OncePerRequestFilter`, registered as a `@Component` with `@Profile("!test")`:
- **Key for authenticated requests:** JWT `sub` claim (per-user bucket)
- **Key for unauthenticated requests:** remote IP address (pre-auth fallback)
- Buckets stored in a `ConcurrentHashMap<String, Bucket>`
### Limits
| Endpoint pattern | Limit |
|---|---|
| All endpoints (default) | 60 requests / minute |
| `POST /api/expenselist/*/invite` | 5 requests / minute |
| `POST /api/expenselist/accept-invite` | 10 requests / minute |
| `POST /api/users/createUser` | 3 requests / minute |
Sensitive endpoints get their own per-user bucket independent of the general bucket.
### Response
When a bucket is exhausted: `429 Too Many Requests` with a `Retry-After: <seconds>` header indicating time until refill.
---
## Architecture Summary
```
Request
└── RateLimitFilter (per-user/IP buckets)
└── SecurityFilterChain (JWT validation)
└── Controller
├── @Valid on @RequestBody → GlobalExceptionHandler on failure
├── AuthenticatedUserResolver → AppUser from JWT sub
└── assertOwner / assertMember → 403 on violation
```
No new service layer is introduced. The authorization checks are lightweight and local to each controller method.
---
## Files Affected
| File | Change |
|---|---|
| `pom.xml` | Add `spring-boot-starter-validation`, `bucket4j-core` |
| `model/AppUserCreateRequest.java` | Add validation annotations |
| `model/ExpenseInput.java` | Add validation annotations, remove JPA annotations |
| `model/ExpenseChangeRequest.java` | Add validation annotations |
| `model/InviteRequest.java` | Add validation annotations, remove `userId` field |
| `controller/AppUserController.java` | Add `@Valid`, ownership guards, use `AuthenticatedUserResolver` |
| `controller/ExpenseListController.java` | Add `@Valid`, ownership guards, remove/rename endpoints, use `AuthenticatedUserResolver` |
| `security/AuthenticatedUserResolver.java` | **New** — resolves JWT sub to `AppUser` |
| `security/RateLimitFilter.java` | **New** — per-user/IP rate limiting |
| `controller/GlobalExceptionHandler.java` | **New** — structured 400/403 error responses |
pom.xml
+130 -119
View File
@@ -1,124 +1,135 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.4.1</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>de.zendric.app</groupId>
<artifactId>XpenselyServer</artifactId>
<version>1.0.0</version>
<name>XpenselyServer</name>
<description>XpenselyServer used to handle the Xpensely App</description>
<url/>
<licenses>
<license/>
</licenses>
<developers>
<developer/>
</developers>
<scm>
<connection/>
<developerConnection/>
<tag/>
<url/>
</scm>
<properties>
<java.version>21</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
</dependency>
<dependency>
<groupId>com.bucket4j</groupId>
<artifactId>bucket4j-core</artifactId>
<version>8.10.1</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<scope>runtime</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>4.0.6</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>de.zendric.app</groupId>
<artifactId>XpenselyServer</artifactId>
<version>1.0.0</version>
<name>XpenselyServer</name>
<description>XpenselyServer used to handle the Xpensely App</description>
<url/>
<licenses>
<license/>
</licenses>
<developers>
<developer/>
</developers>
<scm>
<connection/>
<developerConnection/>
<tag/>
<url/>
</scm>
<properties>
<java.version>21</java.version>
<lombok.version>1.18.46</lombok.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
</dependency>
<dependency>
<groupId>com.bucket4j</groupId>
<artifactId>bucket4j-core</artifactId>
<version>8.10.1</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<scope>runtime</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webmvc-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<annotationProcessorPaths>
<path>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</path>
</annotationProcessorPaths>
</configuration>
</plugin>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<excludes>
<exclude>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
</build>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<annotationProcessorPaths>
<path>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</path>
</annotationProcessorPaths>
</configuration>
</plugin>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<excludes>
<exclude>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
</build>
</project>
src/main/java/de/zendric/app/xpensely_server/controller/AppUserController.java
+3 -10
View File
@@ -9,7 +9,6 @@ import org.springframework.web.server.ResponseStatusException;
import de.zendric.app.xpensely_server.model.AppUser;
import de.zendric.app.xpensely_server.model.AppUserCreateRequest;
import de.zendric.app.xpensely_server.model.Exception.UsernameAlreadyExistsException;
import de.zendric.app.xpensely_server.security.AuthenticatedUserResolver;
import de.zendric.app.xpensely_server.services.UserService;
@@ -47,15 +46,9 @@ public class AppUserController {
@PostMapping("/createUser")
public ResponseEntity<AppUser> createUser(@RequestBody @Valid AppUserCreateRequest userRequest) {
try {
AppUser convertedUser = userRequest.convertToAppUser();
AppUser nUser = userService.createUser(convertedUser);
return new ResponseEntity<>(nUser, HttpStatus.CREATED);
} catch (UsernameAlreadyExistsException e) {
return new ResponseEntity<>(null, HttpStatus.CONFLICT);
} catch (Exception e) {
return new ResponseEntity<>(null, HttpStatus.BAD_REQUEST);
}
AppUser convertedUser = userRequest.convertToAppUser();
AppUser nUser = userService.createUser(convertedUser);
return new ResponseEntity<>(nUser, HttpStatus.CREATED);
}
@DeleteMapping
src/main/java/de/zendric/app/xpensely_server/controller/ExpenseListController.java
+28 -44
View File
@@ -5,6 +5,8 @@ import java.util.List;
import java.util.Optional;
import jakarta.validation.Valid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
@@ -21,6 +23,8 @@ import de.zendric.app.xpensely_server.services.UserService;
@RequestMapping("/api/expenselist")
public class ExpenseListController {
private static final Logger log = LoggerFactory.getLogger(ExpenseListController.class);
private final ExpenseListService expenseListService;
private final UserService userService;
private final CategoryService categoryService;
@@ -54,22 +58,18 @@ public class ExpenseListController {
}
@PostMapping("/create")
public ResponseEntity<ExpenseList> create(@RequestBody ExpenseList expenseList,
public ResponseEntity<ExpenseList> create(@RequestBody @Valid CreateExpenseListRequest request,
Authentication authentication) {
try {
AppUser authenticatedUser = authenticatedUserResolver.resolveCurrentUser(authentication);
expenseList.setOwner(authenticatedUser);
XpenselyStandardCategories standardCategories = categoryService.getDefaultCategories();
expenseList.setXpenselyStandardCategories(standardCategories);
expenseList.setSharedWith(null);
ExpenseList savedItem = expenseListService.createList(expenseList);
return new ResponseEntity<>(savedItem, HttpStatus.CREATED);
} catch (ResponseStatusException e) {
throw e;
} catch (Exception e) {
e.printStackTrace();
return new ResponseEntity<>(null, HttpStatus.EXPECTATION_FAILED);
}
AppUser authenticatedUser = authenticatedUserResolver.resolveCurrentUser(authentication);
ExpenseList expenseList = new ExpenseList();
expenseList.setName(request.getName());
expenseList.setOwner(authenticatedUser);
XpenselyStandardCategories standardCategories = categoryService.getDefaultCategories();
expenseList.setXpenselyStandardCategories(standardCategories);
expenseList.setSharedWith(null);
ExpenseList savedItem = expenseListService.createList(expenseList);
log.debug("Created expense list '{}' for user {}", savedItem.getName(), authenticatedUser.getId());
return new ResponseEntity<>(savedItem, HttpStatus.CREATED);
}
@DeleteMapping("{id}")
@@ -79,12 +79,8 @@ public class ExpenseListController {
if (listOpt.isEmpty())
return new ResponseEntity<>(HttpStatus.NOT_FOUND);
assertOwner(user, listOpt.get());
try {
expenseListService.deleteById(id);
return new ResponseEntity<>(HttpStatus.NO_CONTENT);
} catch (Exception e) {
return new ResponseEntity<>(HttpStatus.EXPECTATION_FAILED);
}
expenseListService.deleteById(id);
return new ResponseEntity<>(HttpStatus.NO_CONTENT);
}
@PostMapping("/{id}/add")
@@ -97,14 +93,10 @@ public class ExpenseListController {
if (listOpt.isEmpty())
return new ResponseEntity<>(HttpStatus.NOT_FOUND);
assertMember(user, listOpt.get());
try {
AppUser expenseOwner = userService.getUserByName(expenseInput.getOwner());
Expense expense = expenseInput.convertToExpense(expenseOwner.getId());
Expense addedExpense = expenseListService.addExpenseToList(expenseListId, expense);
return new ResponseEntity<>(addedExpense, HttpStatus.CREATED);
} catch (Exception e) {
return new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
}
AppUser expenseOwner = userService.getUserByName(expenseInput.getOwner());
Expense expense = expenseInput.convertToExpense(expenseOwner.getId());
Expense addedExpense = expenseListService.addExpenseToList(expenseListId, expense);
return new ResponseEntity<>(addedExpense, HttpStatus.CREATED);
}
@PutMapping("/{id}/update")
@@ -115,16 +107,12 @@ public class ExpenseListController {
AppUser user = authenticatedUserResolver.resolveCurrentUser(authentication);
Optional<ExpenseList> expenseListOpt = expenseListService.findById(expenseListId);
if (expenseListOpt.isEmpty())
return new ResponseEntity<>(null, HttpStatus.NOT_FOUND);
return new ResponseEntity<>(HttpStatus.NOT_FOUND);
assertMember(user, expenseListOpt.get());
try {
AppUser expenseOwner = userService.getUserByName(expenseChangeRequest.getOwnerName());
Expense expense = expenseChangeRequest.convertToExpense(expenseOwner.getId(), expenseListOpt.get());
Expense updatedExpense = expenseListService.updateExpense(expenseListId, expense);
return new ResponseEntity<>(updatedExpense, HttpStatus.OK);
} catch (Exception e) {
return new ResponseEntity<>(null, HttpStatus.BAD_REQUEST);
}
AppUser expenseOwner = userService.getUserByName(expenseChangeRequest.getOwnerName());
Expense expense = expenseChangeRequest.convertToExpense(expenseOwner.getId(), expenseListOpt.get());
Expense updatedExpense = expenseListService.updateExpense(expenseListId, expense);
return new ResponseEntity<>(updatedExpense, HttpStatus.OK);
}
@DeleteMapping("/{id}/delete")
@@ -137,12 +125,8 @@ public class ExpenseListController {
if (listOpt.isEmpty())
return new ResponseEntity<>(HttpStatus.NOT_FOUND);
assertMember(user, listOpt.get());
try {
expenseListService.deleteExpenseFromList(expenseListId, expenseId);
return new ResponseEntity<>(HttpStatus.NO_CONTENT);
} catch (Exception e) {
return new ResponseEntity<>(null, HttpStatus.EXPECTATION_FAILED);
}
expenseListService.deleteExpenseFromList(expenseListId, expenseId);
return new ResponseEntity<>(HttpStatus.NO_CONTENT);
}
@PostMapping("/{listId}/invite")
src/main/java/de/zendric/app/xpensely_server/controller/GlobalExceptionHandler.java
+39
View File
@@ -1,11 +1,16 @@
package de.zendric.app.xpensely_server.controller;
import de.zendric.app.xpensely_server.model.Exception.ResourceNotFoundException;
import de.zendric.app.xpensely_server.model.Exception.UsernameAlreadyExistsException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.validation.FieldError;
import org.springframework.web.bind.MethodArgumentNotValidException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;
import org.springframework.web.server.ResponseStatusException;
import java.util.HashMap;
import java.util.Map;
@@ -13,6 +18,8 @@ import java.util.Map;
@RestControllerAdvice
public class GlobalExceptionHandler {
private static final Logger log = LoggerFactory.getLogger(GlobalExceptionHandler.class);
@ExceptionHandler(MethodArgumentNotValidException.class)
public ResponseEntity<Map<String, String>> handleValidationErrors(MethodArgumentNotValidException ex) {
Map<String, String> errors = new HashMap<>();
@@ -27,4 +34,36 @@ public class GlobalExceptionHandler {
return ResponseEntity.status(HttpStatus.BAD_REQUEST)
.body(Map.of("error", ex.getMessage()));
}
@ExceptionHandler(ResourceNotFoundException.class)
public ResponseEntity<Map<String, String>> handleNotFound(ResourceNotFoundException ex) {
return ResponseEntity.status(HttpStatus.NOT_FOUND)
.body(Map.of("error", ex.getMessage()));
}
@ExceptionHandler(UsernameAlreadyExistsException.class)
public ResponseEntity<Map<String, String>> handleUsernameConflict(UsernameAlreadyExistsException ex) {
return ResponseEntity.status(HttpStatus.CONFLICT)
.body(Map.of("error", ex.getMessage()));
}
@ExceptionHandler(ResponseStatusException.class)
public ResponseEntity<Map<String, String>> handleResponseStatus(ResponseStatusException ex) {
return ResponseEntity.status(ex.getStatusCode())
.body(Map.of("error", ex.getReason() != null ? ex.getReason() : ex.getMessage()));
}
@ExceptionHandler(RuntimeException.class)
public ResponseEntity<Map<String, String>> handleRuntime(RuntimeException ex) {
log.error("Unhandled runtime exception", ex);
return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
.body(Map.of("error", "An unexpected error occurred"));
}
@ExceptionHandler(Exception.class)
public ResponseEntity<Map<String, String>> handleGeneric(Exception ex) {
log.error("Unhandled exception", ex);
return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
.body(Map.of("error", "An unexpected error occurred"));
}
}
src/main/java/de/zendric/app/xpensely_server/model/CreateExpenseListRequest.java
+17
View File
@@ -0,0 +1,17 @@
package de.zendric.app.xpensely_server.model;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.Size;
import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;
@Getter
@Setter
@NoArgsConstructor
public class CreateExpenseListRequest {
@NotBlank(message = "List name is required")
@Size(max = 100, message = "List name must not exceed 100 characters")
private String name;
}
src/main/java/de/zendric/app/xpensely_server/model/Exception/ResourceNotFoundException.java
+11
View File
@@ -0,0 +1,11 @@
package de.zendric.app.xpensely_server.model.Exception;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ResponseStatus;
@ResponseStatus(HttpStatus.NOT_FOUND)
public class ResourceNotFoundException extends RuntimeException {
public ResourceNotFoundException(String message) {
super(message);
}
}
src/main/java/de/zendric/app/xpensely_server/repo/ExpenseListRepository.java
+10 -1
View File
@@ -3,13 +3,22 @@ package de.zendric.app.xpensely_server.repo;
import java.util.List;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.stereotype.Repository;
import de.zendric.app.xpensely_server.model.ExpenseList;
@Repository
public interface ExpenseListRepository extends JpaRepository<ExpenseList, Long> {
List<ExpenseList> findByOwnerId(Long ownerId);
ExpenseList findByInviteCode(String inviteCode);
}
@Query("SELECT el FROM ExpenseList el WHERE el.owner.id = :userId OR el.sharedWith.id = :userId")
List<ExpenseList> findByOwnerIdOrSharedWithId(@Param("userId") Long userId);
@Query("SELECT el FROM ExpenseList el WHERE el.owner.username = :username OR el.sharedWith.username = :username")
List<ExpenseList> findByOwnerUsernameOrSharedWithUsername(@Param("username") String username);
}
src/main/java/de/zendric/app/xpensely_server/security/SecurityConfig.java
+3 -3
View File
@@ -6,7 +6,7 @@ import org.springframework.context.annotation.Profile;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter;
import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter;
import org.springframework.security.web.SecurityFilterChain;
@Configuration
@@ -18,7 +18,7 @@ public class SecurityConfig {
http
.authorizeHttpRequests(auth -> auth
.anyRequest().permitAll())
.csrf().disable();
.csrf(csrf -> csrf.disable());
return http.build();
}
@@ -33,7 +33,7 @@ public class SecurityConfig {
.jwt(Customizer.withDefaults()))
.oauth2Login(Customizer.withDefaults())
.addFilterAfter(new RateLimitFilter(), BearerTokenAuthenticationFilter.class)
.csrf().disable();
.csrf(csrf -> csrf.disable());
return http.build();
}
src/main/java/de/zendric/app/xpensely_server/services/ExpenseListService.java
+15 -78
View File
@@ -1,37 +1,29 @@
package de.zendric.app.xpensely_server.services;
import java.time.LocalDateTime;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.UUID;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import de.zendric.app.xpensely_server.model.AppUser;
import de.zendric.app.xpensely_server.model.Expense;
import de.zendric.app.xpensely_server.model.ExpenseList;
import de.zendric.app.xpensely_server.model.Exception.ResourceNotFoundException;
import de.zendric.app.xpensely_server.model.XpenselyCustomCategory;
import de.zendric.app.xpensely_server.repo.ExpenseListRepository;
import de.zendric.app.xpensely_server.repo.ExpenseRepository;
import de.zendric.app.xpensely_server.repo.XpenselyCustomCategoryRepository;
import jakarta.persistence.EntityManager;
@Service
@Transactional
public class ExpenseListService {
private ExpenseListRepository repository;
private final ExpenseListRepository repository;
private final ExpenseRepository expenseRepository;
private XpenselyCustomCategoryRepository customCategoryRepository;
private final XpenselyCustomCategoryRepository customCategoryRepository;
@Autowired
private EntityManager entityManager;
@Autowired
public ExpenseListService(ExpenseListRepository repository, ExpenseRepository expenseRepository,
XpenselyCustomCategoryRepository customCategoryRepository) {
this.repository = repository;
@@ -39,18 +31,10 @@ public class ExpenseListService {
this.customCategoryRepository = customCategoryRepository;
}
public List<ExpenseList> getAllLists() {
return repository.findAll();
}
public ExpenseList createList(ExpenseList list) {
return repository.save(list);
}
public void deleteList(Long id) {
repository.deleteById(id);
}
public void deleteById(Long id) {
repository.deleteById(id);
}
@@ -59,76 +43,29 @@ public class ExpenseListService {
return repository.findById(id);
}
public Iterable<ExpenseList> findAll() {
return repository.findAll();
}
public ExpenseList save(ExpenseList expenseList) {
return repository.save(expenseList);
}
public List<ExpenseList> findByUserId(Long id) {
List<ExpenseList> allLists = repository.findAll();
List<ExpenseList> userSpecificList = new ArrayList<>();
for (ExpenseList expenseList : allLists) {
AppUser sharedWith = expenseList.getSharedWith();
if (expenseList.getOwner().getId().equals(id)) {
userSpecificList.add(expenseList);
} else {
if (sharedWith != null && sharedWith.getId().equals(id)) {
userSpecificList.add(expenseList);
}
}
}
return userSpecificList;
return repository.findByOwnerIdOrSharedWithId(id);
}
public List<ExpenseList> findByUsername(String username) {
List<ExpenseList> allLists = repository.findAll();
List<ExpenseList> userSpecificList = new ArrayList<>();
for (ExpenseList expenseList : allLists) {
AppUser sharedWith = expenseList.getSharedWith();
if (expenseList.getOwner().getUsername().equals(username)) {
userSpecificList.add(expenseList);
} else {
if (sharedWith != null && sharedWith.getUsername().equals(username)) {
userSpecificList.add(expenseList);
}
}
}
return userSpecificList;
return repository.findByOwnerUsernameOrSharedWithUsername(username);
}
public Expense addExpenseToList(Long expenseListId, Expense expense) {
// find expenseList
ExpenseList expenseList = repository.findById(expenseListId)
.orElseThrow(() -> new RuntimeException("ExpenseList not found with id: " + expenseListId));
// get all added expenses
HashSet<Long> existingId = new HashSet<>();
for (Expense e : expenseList.getExpenses()) {
existingId.add(e.getId());
}
// add the new expense
.orElseThrow(() -> new ResourceNotFoundException("ExpenseList not found with id: " + expenseListId));
expenseList.addExpense(expense);
// save
repository.save(expenseList);
Expense newExpense = new Expense();
for (Expense e : expenseList.getExpenses()) {
if (!existingId.contains(e.getId())) {
newExpense = e;
break;
}
}
return newExpense;
return expense;
}
public void deleteExpenseFromList(Long expenseListId, Long expenseId) {
ExpenseList expenseList = repository.findById(expenseListId)
.orElseThrow(() -> new RuntimeException("ExpenseList not found with id: " + expenseListId));
.orElseThrow(() -> new ResourceNotFoundException("ExpenseList not found with id: " + expenseListId));
Expense expenseToRemove = null;
for (Expense expense : expenseList.getExpenses()) {
if (expense.getId().equals(expenseId)) {
@@ -139,14 +76,14 @@ public class ExpenseListService {
if (expenseToRemove != null) {
expenseList.removeExpense(expenseToRemove);
} else {
throw new RuntimeException("Expense not found with id: " + expenseId);
throw new ResourceNotFoundException("Expense not found with id: " + expenseId);
}
repository.save(expenseList);
}
public String generateInviteCode(Long listId) {
ExpenseList list = repository.findById(listId)
.orElseThrow(() -> new RuntimeException("List not found"));
.orElseThrow(() -> new ResourceNotFoundException("List not found"));
String inviteCode;
if (list.getInviteCode() == null || list.getInviteCodeExpiration().isBefore(LocalDateTime.now())) {
@@ -168,7 +105,7 @@ public class ExpenseListService {
public Expense updateExpense(Long expenseListId, Expense updatedExpense) {
ExpenseList expenseList = repository.findById(expenseListId)
.orElseThrow(() -> new IllegalArgumentException("ExpenseList not found"));
.orElseThrow(() -> new ResourceNotFoundException("ExpenseList not found with id: " + expenseListId));
if (!expenseList.getExpenses().stream()
.anyMatch(expense -> expense.getId().equals(updatedExpense.getId()))) {
@@ -176,7 +113,7 @@ public class ExpenseListService {
}
Expense existingExpense = expenseRepository.findById(updatedExpense.getId())
.orElseThrow(() -> new IllegalArgumentException("Expense not found"));
.orElseThrow(() -> new ResourceNotFoundException("Expense not found with id: " + updatedExpense.getId()));
existingExpense.setTitle(updatedExpense.getTitle());
existingExpense.setAmount(updatedExpense.getAmount());
existingExpense.setPersonalUseAmount(updatedExpense.getPersonalUseAmount());
@@ -191,7 +128,7 @@ public class ExpenseListService {
// TODO implement API for this
public XpenselyCustomCategory addCustomCategory(Long expenseListId, XpenselyCustomCategory customCategory) {
ExpenseList expenseList = repository.findById(expenseListId)
.orElseThrow(() -> new RuntimeException("Expense List not found"));
.orElseThrow(() -> new ResourceNotFoundException("Expense List not found"));
customCategory.setExpenseList(expenseList);
return customCategoryRepository.save(customCategory);
@@ -200,9 +137,9 @@ public class ExpenseListService {
// TODO implement API for this
public void deleteCustomCategory(Long expenseListId, Long categoryId) {
XpenselyCustomCategory category = customCategoryRepository.findById(categoryId)
.orElseThrow(() -> new RuntimeException("Custom Category not found"));
.orElseThrow(() -> new ResourceNotFoundException("Custom Category not found"));
if (!category.getExpenseList().getId().equals(expenseListId)) {
throw new RuntimeException("Category does not belong to the specified Expense List");
throw new IllegalArgumentException("Category does not belong to the specified Expense List");
}
customCategoryRepository.delete(category);
}
src/main/java/de/zendric/app/xpensely_server/services/UserService.java
+12 -24
View File
@@ -1,11 +1,11 @@
package de.zendric.app.xpensely_server.services;
import java.util.List;
import java.util.Optional;
import org.springframework.stereotype.Service;
import de.zendric.app.xpensely_server.model.AppUser;
import de.zendric.app.xpensely_server.model.Exception.ResourceNotFoundException;
import de.zendric.app.xpensely_server.model.Exception.UsernameAlreadyExistsException;
import de.zendric.app.xpensely_server.repo.UserRepository;
@@ -29,36 +29,24 @@ public class UserService {
}
public AppUser getUser(Long id) {
Optional<AppUser> user = userRepository.findById(id);
if (user.isPresent()) {
return user.get();
} else
return null;
return userRepository.findById(id)
.orElseThrow(() -> new ResourceNotFoundException("User not found with id: " + id));
}
public AppUser deleteUserById(Long id) {
Optional<AppUser> user = userRepository.findById(id);
if (user.isPresent()) {
userRepository.deleteById(id);
return user.get();
} else
return null;
AppUser user = userRepository.findById(id)
.orElseThrow(() -> new ResourceNotFoundException("User not found with id: " + id));
userRepository.deleteById(id);
return user;
}
public AppUser getUserByName(String username) {
Optional<AppUser> optUser = userRepository.findByUsername(username);
if (optUser.isPresent()) {
return optUser.get();
} else
return null;
return userRepository.findByUsername(username)
.orElseThrow(() -> new ResourceNotFoundException("User not found: " + username));
}
public AppUser getUserByGoogleId(String id) {
Optional<AppUser> optUser = userRepository.findByGoogleId(id);
if (optUser.isPresent()) {
return optUser.get();
} else
return null;
return userRepository.findByGoogleId(id)
.orElseThrow(() -> new ResourceNotFoundException("User not found with Google ID: " + id));
}
}
}
src/test/java/de/zendric/app/xpensely_Server/ExpenseListRepositoryTest.java
+1 -1
View File
@@ -4,7 +4,7 @@ import de.zendric.app.xpensely_server.model.ExpenseList;
import de.zendric.app.xpensely_server.repo.ExpenseListRepository;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
import org.springframework.boot.data.jpa.test.autoconfigure.DataJpaTest;
import java.util.Optional;
src/test/java/de/zendric/app/xpensely_Server/controller/AppUserControllerTest.java
+10 -3
View File
@@ -6,8 +6,11 @@ import de.zendric.app.xpensely_server.security.AuthenticatedUserResolver;
import de.zendric.app.xpensely_server.services.UserService;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.security.oauth2.client.autoconfigure.OAuth2ClientAutoConfiguration;
import org.springframework.boot.security.oauth2.client.autoconfigure.servlet.OAuth2ClientWebSecurityAutoConfiguration;
import org.springframework.boot.security.oauth2.server.resource.autoconfigure.servlet.OAuth2ResourceServerAutoConfiguration;
import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
import org.springframework.boot.webmvc.test.autoconfigure.WebMvcTest;
import org.springframework.http.MediaType;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.context.bean.override.mockito.MockitoBean;
@@ -18,7 +21,11 @@ import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
@WebMvcTest(AppUserController.class)
@WebMvcTest(value = AppUserController.class, excludeAutoConfiguration = {
OAuth2ClientAutoConfiguration.class,
OAuth2ClientWebSecurityAutoConfiguration.class,
OAuth2ResourceServerAutoConfiguration.class
})
@AutoConfigureMockMvc(addFilters = false)
@ActiveProfiles("test")
class AppUserControllerTest {
src/test/java/de/zendric/app/xpensely_Server/controller/ExpenseListControllerTest.java
+49 -3
View File
@@ -9,8 +9,11 @@ import de.zendric.app.xpensely_server.services.ExpenseListService;
import de.zendric.app.xpensely_server.services.UserService;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.security.oauth2.client.autoconfigure.OAuth2ClientAutoConfiguration;
import org.springframework.boot.security.oauth2.client.autoconfigure.servlet.OAuth2ClientWebSecurityAutoConfiguration;
import org.springframework.boot.security.oauth2.server.resource.autoconfigure.servlet.OAuth2ResourceServerAutoConfiguration;
import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
import org.springframework.boot.webmvc.test.autoconfigure.WebMvcTest;
import org.springframework.http.MediaType;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.context.bean.override.mockito.MockitoBean;
@@ -24,7 +27,11 @@ import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
@WebMvcTest(ExpenseListController.class)
@WebMvcTest(value = ExpenseListController.class, excludeAutoConfiguration = {
OAuth2ClientAutoConfiguration.class,
OAuth2ClientWebSecurityAutoConfiguration.class,
OAuth2ResourceServerAutoConfiguration.class
})
@AutoConfigureMockMvc(addFilters = false)
@ActiveProfiles("test")
class ExpenseListControllerTest {
@@ -132,4 +139,43 @@ class ExpenseListControllerTest {
mockMvc.perform(get("/api/expenselist/mine"))
.andExpect(status().isOk());
}
@Test
void create_returns500_onUnexpectedServiceError() throws Exception {
AppUser user = new AppUser();
user.setId(1L);
when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(user);
when(categoryService.getDefaultCategories()).thenThrow(new RuntimeException("db down"));
mockMvc.perform(post("/api/expenselist/create")
.contentType(MediaType.APPLICATION_JSON)
.content("{\"name\":\"Groceries\"}"))
.andExpect(status().isInternalServerError());
}
@Test
void create_returns400_whenNameIsBlank() throws Exception {
AppUser user = new AppUser();
user.setId(1L);
when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(user);
mockMvc.perform(post("/api/expenselist/create")
.contentType(MediaType.APPLICATION_JSON)
.content("{\"name\":\"\"}"))
.andExpect(status().isBadRequest())
.andExpect(jsonPath("$.name").exists());
}
@Test
void create_returns400_whenBodyIsEmpty() throws Exception {
AppUser user = new AppUser();
user.setId(1L);
when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(user);
mockMvc.perform(post("/api/expenselist/create")
.contentType(MediaType.APPLICATION_JSON)
.content("{}"))
.andExpect(status().isBadRequest())
.andExpect(jsonPath("$.name").exists());
}
}
src/test/java/de/zendric/app/xpensely_Server/services/ExpenseListServiceTest.java
+57
View File
@@ -0,0 +1,57 @@
package de.zendric.app.xpensely_Server.services;
import de.zendric.app.xpensely_server.model.AppUser;
import de.zendric.app.xpensely_server.model.ExpenseList;
import de.zendric.app.xpensely_server.repo.ExpenseListRepository;
import de.zendric.app.xpensely_server.repo.ExpenseRepository;
import de.zendric.app.xpensely_server.repo.XpenselyCustomCategoryRepository;
import de.zendric.app.xpensely_server.services.ExpenseListService;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import java.util.List;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import static org.mockito.Mockito.never;
@ExtendWith(MockitoExtension.class)
class ExpenseListServiceTest {
@Mock ExpenseListRepository repository;
@Mock ExpenseRepository expenseRepository;
@Mock XpenselyCustomCategoryRepository customCategoryRepository;
@InjectMocks
ExpenseListService service;
@Test
void findByUserId_usesRepositoryQuery_notFindAll() {
AppUser owner = new AppUser(); owner.setId(1L);
ExpenseList list = new ExpenseList(); list.setId(10L); list.setOwner(owner);
when(repository.findByOwnerIdOrSharedWithId(1L)).thenReturn(List.of(list));
List<ExpenseList> result = service.findByUserId(1L);
assertThat(result).hasSize(1);
verify(repository).findByOwnerIdOrSharedWithId(1L);
verify(repository, never()).findAll();
}
@Test
void findByUsername_usesRepositoryQuery_notFindAll() {
AppUser owner = new AppUser(); owner.setId(1L); owner.setUsername("alice");
ExpenseList list = new ExpenseList(); list.setId(10L); list.setOwner(owner);
when(repository.findByOwnerUsernameOrSharedWithUsername("alice")).thenReturn(List.of(list));
List<ExpenseList> result = service.findByUsername("alice");
assertThat(result).hasSize(1);
verify(repository).findByOwnerUsernameOrSharedWithUsername("alice");
verify(repository, never()).findAll();
}
}
src/test/java/de/zendric/app/xpensely_Server/services/UserServiceTest.java
+75
View File
@@ -0,0 +1,75 @@
package de.zendric.app.xpensely_Server.services;
import de.zendric.app.xpensely_server.model.AppUser;
import de.zendric.app.xpensely_server.model.Exception.ResourceNotFoundException;
import de.zendric.app.xpensely_server.repo.UserRepository;
import de.zendric.app.xpensely_server.services.UserService;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import java.util.Optional;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.mockito.Mockito.when;
@ExtendWith(MockitoExtension.class)
class UserServiceTest {
@Mock
UserRepository userRepository;
@InjectMocks
UserService userService;
@Test
void getUserByName_throwsResourceNotFound_whenUserMissing() {
when(userRepository.findByUsername("ghost")).thenReturn(Optional.empty());
assertThatThrownBy(() -> userService.getUserByName("ghost"))
.isInstanceOf(ResourceNotFoundException.class)
.hasMessageContaining("ghost");
}
@Test
void getUserByName_returnsUser_whenFound() {
AppUser user = new AppUser();
user.setId(1L);
user.setUsername("alice");
when(userRepository.findByUsername("alice")).thenReturn(Optional.of(user));
AppUser result = userService.getUserByName("alice");
assertThat(result.getUsername()).isEqualTo("alice");
}
@Test
void getUser_throwsResourceNotFound_whenIdMissing() {
when(userRepository.findById(99L)).thenReturn(Optional.empty());
assertThatThrownBy(() -> userService.getUser(99L))
.isInstanceOf(ResourceNotFoundException.class)
.hasMessageContaining("99");
}
@Test
void deleteUserById_throwsResourceNotFound_whenIdMissing() {
when(userRepository.findById(99L)).thenReturn(Optional.empty());
assertThatThrownBy(() -> userService.deleteUserById(99L))
.isInstanceOf(ResourceNotFoundException.class)
.hasMessageContaining("99");
}
@Test
void getUserByGoogleId_throwsResourceNotFound_whenMissing() {
when(userRepository.findByGoogleId("gid-404")).thenReturn(Optional.empty());
assertThatThrownBy(() -> userService.getUserByGoogleId("gid-404"))
.isInstanceOf(ResourceNotFoundException.class)
.hasMessageContaining("gid-404");
}
}