2026-05-05 17:13:54 +02:00
23 changed files with 916 additions and 260 deletions
@@ -1,5 +1,6 @@
 HELP.md
 target/
 /docs/superpowers
 !.mvn/wrapper/maven-wrapper.jar
 !**/src/main/**/target/
 !**/src/test/**/target/
@@ -27,7 +27,7 @@
 		<url/>
 	</scm>
 	<properties>
-		<java.version>17</java.version>
+		<java.version>21</java.version>
 	</properties>
 	<dependencies>
 		<dependency>
@@ -38,6 +38,15 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-security</artifactId>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-validation</artifactId>
 		</dependency>
 		<dependency>
 			<groupId>com.bucket4j</groupId>
 			<artifactId>bucket4j-core</artifactId>
 			<version>8.10.1</version>
 		</dependency>
 		<dependency>
        	<groupId>org.springframework.boot</groupId>
        	<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
@@ -71,6 +80,11 @@
 			<artifactId>spring-boot-starter-test</artifactId>
 			<scope>test</scope>
 		</dependency>
 		<dependency>
 			<groupId>com.h2database</groupId>
 			<artifactId>h2</artifactId>
 			<scope>test</scope>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-test</artifactId>
@@ -1,35 +1,35 @@
 package de.zendric.app.xpensely_server.controller;
-import org.springframework.beans.factory.annotation.Autowired;
+import jakarta.validation.Valid;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.DeleteMapping;
+import org.springframework.security.core.Authentication;
-import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.*;
-import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.server.ResponseStatusException;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 import de.zendric.app.xpensely_server.model.AppUser;
 import de.zendric.app.xpensely_server.model.AppUserCreateRequest;
 import de.zendric.app.xpensely_server.model.Exception.UsernameAlreadyExistsException;
 import de.zendric.app.xpensely_server.security.AuthenticatedUserResolver;
 import de.zendric.app.xpensely_server.services.UserService;
@RestController
@RequestMapping("/api/users")
 public class AppUserController {
-    private UserService userService;
+    private final UserService userService;
    private final AuthenticatedUserResolver authenticatedUserResolver;
-    @Autowired
+    public AppUserController(UserService userService, AuthenticatedUserResolver authenticatedUserResolver) {
    public AppUserController(UserService userService) {
        this.userService = userService;
        this.authenticatedUserResolver = authenticatedUserResolver;
    }
    @GetMapping
-    public AppUser getUser(@RequestParam Long id) {
+    public ResponseEntity<AppUser> getUser(@RequestParam Long id, Authentication authentication) {
-        return userService.getUser(id);
+        AppUser self = authenticatedUserResolver.resolveCurrentUser(authentication);
        assertSelf(self, id);
        return ResponseEntity.ok(userService.getUser(id));
    }
    @GetMapping("/byName")
@@ -38,23 +38,17 @@ public class AppUserController {
    }
    @GetMapping("/byGoogleId")
-    public ResponseEntity<AppUser> getUserByGoogleId(@RequestParam String id) {
+    public ResponseEntity<AppUser> getUserByGoogleId(@RequestParam String id, Authentication authentication) {
-        try {
+        AppUser self = authenticatedUserResolver.resolveCurrentUser(authentication);
-            AppUser userByGoogleId = userService.getUserByGoogleId(id);
+        if (!self.getGoogleId().equals(id))
-            return new ResponseEntity<>(userByGoogleId, HttpStatus.OK);
+            throw new ResponseStatusException(HttpStatus.FORBIDDEN);
-
+        return ResponseEntity.ok(self);
        } catch (IllegalArgumentException e) {
            return new ResponseEntity<>(null, HttpStatus.BAD_REQUEST);
        } catch (Exception e) {
            return new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
        }
    }
    @PostMapping("/createUser")
-    public ResponseEntity<AppUser> createUser(@RequestBody AppUserCreateRequest userRequest) {
+    public ResponseEntity<AppUser> createUser(@RequestBody @Valid AppUserCreateRequest userRequest) {
        try {
            AppUser convertedUser = userRequest.convertToAppUser();
            AppUser nUser = userService.createUser(convertedUser);
            return new ResponseEntity<>(nUser, HttpStatus.CREATED);
        } catch (UsernameAlreadyExistsException e) {
@@ -62,12 +56,18 @@ public class AppUserController {
        } catch (Exception e) {
            return new ResponseEntity<>(null, HttpStatus.BAD_REQUEST);
        }
    }
    @DeleteMapping
-    public String deleteUser(@RequestParam Long id) {
+    public ResponseEntity<String> deleteUser(@RequestParam Long id, Authentication authentication) {
        AppUser self = authenticatedUserResolver.resolveCurrentUser(authentication);
        assertSelf(self, id);
        AppUser user = userService.deleteUserById(id);
-        return "User deleted : " + user.getUsername();
+        return ResponseEntity.ok("User deleted: " + user.getUsername());
    }
    private void assertSelf(AppUser authenticated, Long requestedId) {
        if (!authenticated.getId().equals(requestedId))
            throw new ResponseStatusException(HttpStatus.FORBIDDEN);
    }
 }
@@ -1,125 +1,71 @@
 package de.zendric.app.xpensely_server.controller;
 import java.time.LocalDateTime;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
-import org.springframework.beans.factory.annotation.Autowired;
+import jakarta.validation.Valid;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.DeleteMapping;
+import org.springframework.security.core.Authentication;
-import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.*;
-import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.server.ResponseStatusException;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
-import de.zendric.app.xpensely_server.model.AppUser;
+import de.zendric.app.xpensely_server.model.*;
-import de.zendric.app.xpensely_server.model.Expense;
+import de.zendric.app.xpensely_server.security.AuthenticatedUserResolver;
 import de.zendric.app.xpensely_server.model.ExpenseChangeRequest;
 import de.zendric.app.xpensely_server.model.ExpenseInput;
 import de.zendric.app.xpensely_server.model.ExpenseList;
 import de.zendric.app.xpensely_server.model.InviteRequest;
 import de.zendric.app.xpensely_server.model.XpenselyStandardCategories;
 import de.zendric.app.xpensely_server.services.CategoryService;
 import de.zendric.app.xpensely_server.services.ExpenseListService;
 import de.zendric.app.xpensely_server.services.UserService;
@RestController
@RequestMapping("/api/expenselist")
-class ExpenseListController {
+public class ExpenseListController {
-    private ExpenseListService expenseListService;
+    private final ExpenseListService expenseListService;
-    private UserService userService;
+    private final UserService userService;
-    private CategoryService categoryService;
+    private final CategoryService categoryService;
    private final AuthenticatedUserResolver authenticatedUserResolver;
    @Autowired
    public ExpenseListController(ExpenseListService expenseListService, UserService userService,
-            CategoryService categoryService) {
+            CategoryService categoryService, AuthenticatedUserResolver authenticatedUserResolver) {
        this.expenseListService = expenseListService;
        this.userService = userService;
        this.categoryService = categoryService;
        this.authenticatedUserResolver = authenticatedUserResolver;
    }
-    @GetMapping("/all")
+    @GetMapping("/mine")
-    public ResponseEntity<List<ExpenseList>> getAll() {
+    public ResponseEntity<List<ExpenseList>> getMine(Authentication authentication) {
-        try {
+        AppUser user = authenticatedUserResolver.resolveCurrentUser(authentication);
-            List<ExpenseList> items = new ArrayList<>();
+        List<ExpenseList> items = expenseListService.findByUserId(user.getId());
-
+        if (items.isEmpty())
-            expenseListService.findAll().forEach(items::add);
+            return new ResponseEntity<>(HttpStatus.NO_CONTENT);
-
+        return new ResponseEntity<>(items, HttpStatus.OK);
            if (items.isEmpty())
                return new ResponseEntity<>(HttpStatus.NO_CONTENT);
            return new ResponseEntity<>(items, HttpStatus.OK);
        } catch (Exception e) {
            return new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
        }
    }
    @GetMapping("/byUser")
    public ResponseEntity<List<ExpenseList>> getByUser(@RequestParam Long userId) {
        try {
            List<ExpenseList> items = expenseListService.findByUserId(userId);
            if (items.isEmpty())
                return new ResponseEntity<>(HttpStatus.NO_CONTENT);
            return new ResponseEntity<>(items, HttpStatus.OK);
        } catch (Exception e) {
            return new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
        }
    }
    @GetMapping("/byUsername")
    public ResponseEntity<List<ExpenseList>> getByUser(@RequestParam String username) {
        try {
            List<ExpenseList> items = expenseListService.findByUsername(username);
            if (items.isEmpty())
                return new ResponseEntity<>(HttpStatus.NO_CONTENT);
            return new ResponseEntity<>(items, HttpStatus.OK);
        } catch (Exception e) {
            return new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
        }
    }
    @GetMapping("/byId")
-    public ResponseEntity<ExpenseList> getById(@RequestParam Long id) {
+    public ResponseEntity<ExpenseList> getById(@RequestParam Long id, Authentication authentication) {
        AppUser user = authenticatedUserResolver.resolveCurrentUser(authentication);
        Optional<ExpenseList> existingItemOptional = expenseListService.findById(id);
-
+        if (existingItemOptional.isEmpty())
        if (existingItemOptional.isPresent()) {
            return new ResponseEntity<>(existingItemOptional.get(), HttpStatus.OK);
        } else {
            return new ResponseEntity<>(HttpStatus.NOT_FOUND);
-        }
+        assertMember(user, existingItemOptional.get());
        return new ResponseEntity<>(existingItemOptional.get(), HttpStatus.OK);
    }
    @PostMapping("/create")
-    // TODO add handling of categories by using DTO
+    public ResponseEntity<ExpenseList> create(@RequestBody ExpenseList expenseList,
-    public ResponseEntity<ExpenseList> create(@RequestBody ExpenseList expenseList) {
+            Authentication authentication) {
        try {
-            if (expenseList.getOwner() != null) {
+            AppUser authenticatedUser = authenticatedUserResolver.resolveCurrentUser(authentication);
-                AppUser existingOwner = userService.getUser(expenseList.getOwner().getId());
+            expenseList.setOwner(authenticatedUser);
-                if (existingOwner == null) {
+            XpenselyStandardCategories standardCategories = categoryService.getDefaultCategories();
-                    throw new IllegalArgumentException("Owner does not exist.");
+            expenseList.setXpenselyStandardCategories(standardCategories);
                }
                expenseList.setOwner(existingOwner);
                XpenselyStandardCategories standardCategories = categoryService.getDefaultCategories();
                expenseList.setXpenselyStandardCategories(standardCategories);
            } else {
                throw new IllegalArgumentException("Owner is required.");
            }
            expenseList.setSharedWith(null);
            ExpenseList savedItem = expenseListService.createList(expenseList);
            return new ResponseEntity<>(savedItem, HttpStatus.CREATED);
        } catch (ResponseStatusException e) {
            throw e;
        } catch (Exception e) {
            e.printStackTrace();
            return new ResponseEntity<>(null, HttpStatus.EXPECTATION_FAILED);
@@ -127,7 +73,12 @@ class ExpenseListController {
    }
    @DeleteMapping("{id}")
-    public ResponseEntity<HttpStatus> delete(@PathVariable("id") Long id) {
+    public ResponseEntity<HttpStatus> delete(@PathVariable("id") Long id, Authentication authentication) {
        AppUser user = authenticatedUserResolver.resolveCurrentUser(authentication);
        Optional<ExpenseList> listOpt = expenseListService.findById(id);
        if (listOpt.isEmpty())
            return new ResponseEntity<>(HttpStatus.NOT_FOUND);
        assertOwner(user, listOpt.get());
        try {
            expenseListService.deleteById(id);
            return new ResponseEntity<>(HttpStatus.NO_CONTENT);
@@ -139,11 +90,16 @@ class ExpenseListController {
    @PostMapping("/{id}/add")
    public ResponseEntity<Expense> addExpenseToList(
            @PathVariable("id") Long expenseListId,
-            @RequestBody ExpenseInput expenseInput) {
+            @RequestBody @Valid ExpenseInput expenseInput,
            Authentication authentication) {
        AppUser user = authenticatedUserResolver.resolveCurrentUser(authentication);
        Optional<ExpenseList> listOpt = expenseListService.findById(expenseListId);
        if (listOpt.isEmpty())
            return new ResponseEntity<>(HttpStatus.NOT_FOUND);
        assertMember(user, listOpt.get());
        try {
            AppUser expenseOwner = userService.getUserByName(expenseInput.getOwner());
            Expense expense = expenseInput.convertToExpense(expenseOwner.getId());
            Expense addedExpense = expenseListService.addExpenseToList(expenseListId, expense);
            return new ResponseEntity<>(addedExpense, HttpStatus.CREATED);
        } catch (Exception e) {
@@ -154,18 +110,18 @@ class ExpenseListController {
    @PutMapping("/{id}/update")
    public ResponseEntity<Expense> updateExpenseInList(
            @PathVariable("id") Long expenseListId,
-            @RequestBody ExpenseChangeRequest expenseChangeRequest) {
+            @RequestBody @Valid ExpenseChangeRequest expenseChangeRequest,
            Authentication authentication) {
        AppUser user = authenticatedUserResolver.resolveCurrentUser(authentication);
        Optional<ExpenseList> expenseListOpt = expenseListService.findById(expenseListId);
        if (expenseListOpt.isEmpty())
            return new ResponseEntity<>(null, HttpStatus.NOT_FOUND);
        assertMember(user, expenseListOpt.get());
        try {
            AppUser expenseOwner = userService.getUserByName(expenseChangeRequest.getOwnerName());
-            Optional<ExpenseList> expenseList = expenseListService.findById(expenseListId);
+            Expense expense = expenseChangeRequest.convertToExpense(expenseOwner.getId(), expenseListOpt.get());
-            if (expenseList.isPresent()) {
+            Expense updatedExpense = expenseListService.updateExpense(expenseListId, expense);
-                Expense expense = expenseChangeRequest.convertToExpense(expenseOwner.getId(), expenseList.get());
+            return new ResponseEntity<>(updatedExpense, HttpStatus.OK);
                Expense addedExpense = expenseListService.updateExpense(expenseListId, expense);
                return new ResponseEntity<>(addedExpense, HttpStatus.CREATED);
            }
            return new ResponseEntity<>(null, HttpStatus.BAD_REQUEST);
        } catch (Exception e) {
            return new ResponseEntity<>(null, HttpStatus.BAD_REQUEST);
        }
@@ -174,7 +130,13 @@ class ExpenseListController {
    @DeleteMapping("/{id}/delete")
    public ResponseEntity<Expense> deleteExpenseFromList(
            @PathVariable("id") Long expenseListId,
-            @RequestParam("expenseId") Long expenseId) {
+            @RequestParam("expenseId") Long expenseId,
            Authentication authentication) {
        AppUser user = authenticatedUserResolver.resolveCurrentUser(authentication);
        Optional<ExpenseList> listOpt = expenseListService.findById(expenseListId);
        if (listOpt.isEmpty())
            return new ResponseEntity<>(HttpStatus.NOT_FOUND);
        assertMember(user, listOpt.get());
        try {
            expenseListService.deleteExpenseFromList(expenseListId, expenseId);
            return new ResponseEntity<>(HttpStatus.NO_CONTENT);
@@ -184,13 +146,20 @@ class ExpenseListController {
    }
    @PostMapping("/{listId}/invite")
-    public ResponseEntity<String> generateInvite(@PathVariable Long listId) {
+    public ResponseEntity<String> generateInvite(@PathVariable Long listId, Authentication authentication) {
        AppUser user = authenticatedUserResolver.resolveCurrentUser(authentication);
        Optional<ExpenseList> listOpt = expenseListService.findById(listId);
        if (listOpt.isEmpty())
            return new ResponseEntity<>(HttpStatus.NOT_FOUND);
        assertOwner(user, listOpt.get());
        String inviteCode = expenseListService.generateInviteCode(listId);
        return ResponseEntity.ok(inviteCode);
    }
    @PostMapping("/accept-invite")
-    public ResponseEntity<?> acceptInvite(@RequestBody InviteRequest inviteRequest) {
+    public ResponseEntity<?> acceptInvite(@RequestBody @Valid InviteRequest inviteRequest,
            Authentication authentication) {
        AppUser authenticatedUser = authenticatedUserResolver.resolveCurrentUser(authentication);
        ExpenseList list = expenseListService.findByInviteCode(inviteRequest.getInviteCode());
        if (list == null || list.getInviteCodeExpiration() == null ||
@@ -200,21 +169,24 @@ class ExpenseListController {
        if (list.getSharedWith() != null) {
            return ResponseEntity.status(HttpStatus.IM_USED).body("List has already been shared");
        }
-        if (list.getOwner().getId() == inviteRequest.getUserId()) {
+        if (list.getOwner().getId().equals(authenticatedUser.getId())) {
-            return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("You cant join your own List");
+            return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("You cannot join your own list");
        }
        AppUser user = null;
        try {
            user = userService.getUser(inviteRequest.getUserId());
        } catch (Exception e) {
            throw new RuntimeException("User not found");
        }
        if (user != null) {
            list.setSharedWith(user);
            expenseListService.save(list);
        } else {
            throw new RuntimeException("User not found");
        }
        list.setSharedWith(authenticatedUser);
        expenseListService.save(list);
        return ResponseEntity.ok("User added to the list");
    }
    private void assertOwner(AppUser authenticated, ExpenseList list) {
        if (!list.getOwner().getId().equals(authenticated.getId()))
            throw new ResponseStatusException(HttpStatus.FORBIDDEN);
    }
    private void assertMember(AppUser authenticated, ExpenseList list) {
        boolean isOwner = list.getOwner().getId().equals(authenticated.getId());
        boolean isShared = list.getSharedWith() != null
                && list.getSharedWith().getId().equals(authenticated.getId());
        if (!isOwner && !isShared)
            throw new ResponseStatusException(HttpStatus.FORBIDDEN);
    }
 }
@@ -0,0 +1,30 @@
 package de.zendric.app.xpensely_server.controller;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.validation.FieldError;
 import org.springframework.web.bind.MethodArgumentNotValidException;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RestControllerAdvice;
 import java.util.HashMap;
 import java.util.Map;
@RestControllerAdvice
 public class GlobalExceptionHandler {
    @ExceptionHandler(MethodArgumentNotValidException.class)
    public ResponseEntity<Map<String, String>> handleValidationErrors(MethodArgumentNotValidException ex) {
        Map<String, String> errors = new HashMap<>();
        for (FieldError fieldError : ex.getBindingResult().getFieldErrors()) {
            errors.put(fieldError.getField(), fieldError.getDefaultMessage());
        }
        return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(errors);
    }
    @ExceptionHandler(IllegalArgumentException.class)
    public ResponseEntity<Map<String, String>> handleIllegalArgument(IllegalArgumentException ex) {
        return ResponseEntity.status(HttpStatus.BAD_REQUEST)
                .body(Map.of("error", ex.getMessage()));
    }
 }
@@ -1,21 +1,25 @@
 package de.zendric.app.xpensely_server.model;
-import jakarta.persistence.Column;
+import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.Pattern;
 import jakarta.validation.constraints.Size;
 import lombok.Data;
@Data
 public class AppUserCreateRequest {
-    @Column(name = "username", nullable = false, unique = true)
+    @NotBlank(message = "Username is required")
    @Size(min = 3, max = 30, message = "Username must be between 3 and 30 characters")
    @Pattern(regexp = "^[a-zA-Z0-9_.\\-]+$", message = "Username may only contain letters, digits, underscores, dots, and hyphens")
    private String username;
    @NotBlank(message = "Google ID is required")
    private String googleId;
    public AppUser convertToAppUser() {
        AppUser appUser = new AppUser();
        appUser.setGoogleId(googleId);
        appUser.setUsername(username);
        return appUser;
    }
 }
@@ -0,0 +1,11 @@
 package de.zendric.app.xpensely_server.model.Exception;
 import org.springframework.http.HttpStatus;
 import org.springframework.web.bind.annotation.ResponseStatus;
@ResponseStatus(HttpStatus.NOT_FOUND)
 public class ResourceNotFoundException extends RuntimeException {
    public ResourceNotFoundException(String message) {
        super(message);
    }
 }
@@ -2,6 +2,10 @@ package de.zendric.app.xpensely_server.model;
 import java.time.LocalDate;
 import jakarta.validation.constraints.DecimalMin;
 import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.NotNull;
 import jakarta.validation.constraints.Size;
 import lombok.AllArgsConstructor;
 import lombok.Data;
 import lombok.NoArgsConstructor;
@@ -12,12 +16,25 @@ import lombok.NoArgsConstructor;
 public class ExpenseChangeRequest {
    private Long id;
    @NotBlank(message = "Title is required")
    @Size(max = 100, message = "Title must not exceed 100 characters")
    private String title;
    @NotBlank(message = "Owner name is required")
    private String ownerName;
    @NotNull(message = "Amount is required")
    @DecimalMin(value = "0.01", message = "Amount must be greater than zero")
    private Double amount;
    private Double personalUseAmount;
    private Double otherPersonAmount;
    @NotNull(message = "Date is required")
    private LocalDate date;
    @NotBlank(message = "Category is required")
    private String category;
    public Expense convertToExpense(Long userId, ExpenseList expenseList) {
@@ -2,9 +2,10 @@ package de.zendric.app.xpensely_server.model;
 import java.time.LocalDate;
-import jakarta.persistence.GeneratedValue;
+import jakarta.validation.constraints.DecimalMin;
-import jakarta.persistence.GenerationType;
+import jakarta.validation.constraints.NotBlank;
-import jakarta.persistence.Id;
+import jakarta.validation.constraints.NotNull;
 import jakarta.validation.constraints.Size;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
@@ -16,19 +17,26 @@ import lombok.Setter;
@NoArgsConstructor
 public class ExpenseInput {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;
    @NotBlank(message = "Title is required")
    @Size(max = 100, message = "Title must not exceed 100 characters")
    private String title;
    @NotBlank(message = "Owner is required")
    private String owner;
    @NotNull(message = "Amount is required")
    @DecimalMin(value = "0.01", message = "Amount must be greater than zero")
    private Double amount;
    private Double personalUseAmount;
    private Double otherPersonAmount;
    @NotNull(message = "Date is required")
    private LocalDate date;
    @NotBlank(message = "Category is required")
    private String category;
    private ExpenseList expenseList;
@@ -1,5 +1,7 @@
 package de.zendric.app.xpensely_server.model;
 import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.Size;
 import lombok.AllArgsConstructor;
 import lombok.Data;
 import lombok.NoArgsConstructor;
@@ -8,6 +10,8 @@ import lombok.NoArgsConstructor;
@AllArgsConstructor
@NoArgsConstructor
 public class InviteRequest {
    @NotBlank(message = "Invite code is required")
    @Size(min = 6, max = 6, message = "Invite code must be exactly 6 characters")
    private String inviteCode;
    private Long userId;
 }
@@ -3,13 +3,22 @@ package de.zendric.app.xpensely_server.repo;
 import java.util.List;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.data.jpa.repository.Query;
 import org.springframework.data.repository.query.Param;
 import org.springframework.stereotype.Repository;
 import de.zendric.app.xpensely_server.model.ExpenseList;
@Repository
 public interface ExpenseListRepository extends JpaRepository<ExpenseList, Long> {
    List<ExpenseList> findByOwnerId(Long ownerId);
    ExpenseList findByInviteCode(String inviteCode);
    @Query("SELECT el FROM ExpenseList el WHERE el.owner.id = :userId OR el.sharedWith.id = :userId")
    List<ExpenseList> findByOwnerIdOrSharedWithId(@Param("userId") Long userId);
    @Query("SELECT el FROM ExpenseList el WHERE el.owner.username = :username OR el.sharedWith.username = :username")
    List<ExpenseList> findByOwnerUsernameOrSharedWithUsername(@Param("username") String username);
 }
@@ -0,0 +1,36 @@
 package de.zendric.app.xpensely_server.security;
 import de.zendric.app.xpensely_server.model.AppUser;
 import de.zendric.app.xpensely_server.services.UserService;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.stereotype.Component;
 import org.springframework.web.server.ResponseStatusException;
@Component
 public class AuthenticatedUserResolver {
    private final UserService userService;
    public AuthenticatedUserResolver(UserService userService) {
        this.userService = userService;
    }
    public AppUser resolveCurrentUser(Authentication authentication) {
        if (authentication == null) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "Not authenticated");
        }
        Jwt jwt = (Jwt) authentication.getPrincipal();
        String googleId = jwt.getSubject();
        try {
            AppUser user = userService.getUserByGoogleId(googleId);
            if (user == null) {
                throw new ResponseStatusException(HttpStatus.FORBIDDEN, "User not registered");
            }
            return user;
        } catch (IllegalArgumentException e) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "User not registered");
        }
    }
 }
@@ -0,0 +1,61 @@
 package de.zendric.app.xpensely_server.security;
 import io.github.bucket4j.Bandwidth;
 import io.github.bucket4j.Bucket;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.web.filter.OncePerRequestFilter;
 import java.io.IOException;
 import java.time.Duration;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 public class RateLimitFilter extends OncePerRequestFilter {
    private static final int REQUESTS_PER_MINUTE = 60;
    private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();
    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        String key = resolveKey(request);
        Bucket bucket = buckets.computeIfAbsent(key, k -> newBucket());
        if (bucket.tryConsume(1)) {
            filterChain.doFilter(request, response);
        } else {
            response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());
            response.getWriter().write("Rate limit exceeded");
        }
    }
    private String resolveKey(HttpServletRequest request) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null && auth.getPrincipal() instanceof Jwt jwt) {
            return "user:" + jwt.getSubject();
        }
        String ip = request.getHeader("X-Forwarded-For");
        if (ip != null && !ip.isBlank()) {
            return "ip:" + ip.split(",")[0].trim();
        }
        return "ip:" + request.getRemoteAddr();
    }
    private Bucket newBucket() {
        return Bucket.builder()
                .addLimit(Bandwidth.builder()
                        .capacity(REQUESTS_PER_MINUTE)
                        .refillGreedy(REQUESTS_PER_MINUTE, Duration.ofMinutes(1))
                        .build())
                .build();
    }
 }
@@ -6,6 +6,7 @@ import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter;
 import org.springframework.security.web.SecurityFilterChain;
@Configuration
@@ -31,6 +32,7 @@ public class SecurityConfig {
                                .oauth2ResourceServer(oauth2 -> oauth2
                                                .jwt(Customizer.withDefaults()))
                                .oauth2Login(Customizer.withDefaults())
                                .addFilterAfter(new RateLimitFilter(), BearerTokenAuthenticationFilter.class)
                                .csrf().disable();
                return http.build();
@@ -1,37 +1,29 @@
 package de.zendric.app.xpensely_server.services;
 import java.time.LocalDateTime;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Optional;
 import java.util.UUID;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 import de.zendric.app.xpensely_server.model.AppUser;
 import de.zendric.app.xpensely_server.model.Expense;
 import de.zendric.app.xpensely_server.model.ExpenseList;
 import de.zendric.app.xpensely_server.model.Exception.ResourceNotFoundException;
 import de.zendric.app.xpensely_server.model.XpenselyCustomCategory;
 import de.zendric.app.xpensely_server.repo.ExpenseListRepository;
 import de.zendric.app.xpensely_server.repo.ExpenseRepository;
 import de.zendric.app.xpensely_server.repo.XpenselyCustomCategoryRepository;
 import jakarta.persistence.EntityManager;
@Service
@Transactional
 public class ExpenseListService {
-    private ExpenseListRepository repository;
+    private final ExpenseListRepository repository;
    private final ExpenseRepository expenseRepository;
-    private XpenselyCustomCategoryRepository customCategoryRepository;
+    private final XpenselyCustomCategoryRepository customCategoryRepository;
    @Autowired
    private EntityManager entityManager;
    @Autowired
    public ExpenseListService(ExpenseListRepository repository, ExpenseRepository expenseRepository,
            XpenselyCustomCategoryRepository customCategoryRepository) {
        this.repository = repository;
@@ -68,67 +60,24 @@ public class ExpenseListService {
    }
    public List<ExpenseList> findByUserId(Long id) {
-        List<ExpenseList> allLists = repository.findAll();
+        return repository.findByOwnerIdOrSharedWithId(id);
        List<ExpenseList> userSpecificList = new ArrayList<>();
        for (ExpenseList expenseList : allLists) {
            AppUser sharedWith = expenseList.getSharedWith();
            if (expenseList.getOwner().getId().equals(id)) {
                userSpecificList.add(expenseList);
            } else {
                if (sharedWith != null && sharedWith.getId().equals(id)) {
                    userSpecificList.add(expenseList);
                }
            }
        }
        return userSpecificList;
    }
    public List<ExpenseList> findByUsername(String username) {
-        List<ExpenseList> allLists = repository.findAll();
+        return repository.findByOwnerUsernameOrSharedWithUsername(username);
        List<ExpenseList> userSpecificList = new ArrayList<>();
        for (ExpenseList expenseList : allLists) {
            AppUser sharedWith = expenseList.getSharedWith();
            if (expenseList.getOwner().getUsername().equals(username)) {
                userSpecificList.add(expenseList);
            } else {
                if (sharedWith != null && sharedWith.getUsername().equals(username)) {
                    userSpecificList.add(expenseList);
                }
            }
        }
        return userSpecificList;
    }
    public Expense addExpenseToList(Long expenseListId, Expense expense) {
        // find expenseList
        ExpenseList expenseList = repository.findById(expenseListId)
-                .orElseThrow(() -> new RuntimeException("ExpenseList not found with id: " + expenseListId));
+                .orElseThrow(() -> new ResourceNotFoundException("ExpenseList not found with id: " + expenseListId));
        // get all added expenses
        HashSet<Long> existingId = new HashSet<>();
        for (Expense e : expenseList.getExpenses()) {
            existingId.add(e.getId());
        }
        // add the new expense
        expenseList.addExpense(expense);
        // save
        repository.save(expenseList);
-
+        return expense;
        Expense newExpense = new Expense();
        for (Expense e : expenseList.getExpenses()) {
            if (!existingId.contains(e.getId())) {
                newExpense = e;
                break;
            }
        }
        return newExpense;
    }
    public void deleteExpenseFromList(Long expenseListId, Long expenseId) {
        ExpenseList expenseList = repository.findById(expenseListId)
-                .orElseThrow(() -> new RuntimeException("ExpenseList not found with id: " + expenseListId));
+                .orElseThrow(() -> new ResourceNotFoundException("ExpenseList not found with id: " + expenseListId));
        Expense expenseToRemove = null;
        for (Expense expense : expenseList.getExpenses()) {
            if (expense.getId().equals(expenseId)) {
@@ -139,14 +88,14 @@ public class ExpenseListService {
        if (expenseToRemove != null) {
            expenseList.removeExpense(expenseToRemove);
        } else {
-            throw new RuntimeException("Expense not found with id: " + expenseId);
+            throw new ResourceNotFoundException("Expense not found with id: " + expenseId);
        }
        repository.save(expenseList);
    }
    public String generateInviteCode(Long listId) {
        ExpenseList list = repository.findById(listId)
-                .orElseThrow(() -> new RuntimeException("List not found"));
+                .orElseThrow(() -> new ResourceNotFoundException("List not found"));
        String inviteCode;
        if (list.getInviteCode() == null || list.getInviteCodeExpiration().isBefore(LocalDateTime.now())) {
@@ -168,7 +117,7 @@ public class ExpenseListService {
    public Expense updateExpense(Long expenseListId, Expense updatedExpense) {
        ExpenseList expenseList = repository.findById(expenseListId)
-                .orElseThrow(() -> new IllegalArgumentException("ExpenseList not found"));
+                .orElseThrow(() -> new ResourceNotFoundException("ExpenseList not found with id: " + expenseListId));
        if (!expenseList.getExpenses().stream()
                .anyMatch(expense -> expense.getId().equals(updatedExpense.getId()))) {
@@ -176,7 +125,7 @@ public class ExpenseListService {
        }
        Expense existingExpense = expenseRepository.findById(updatedExpense.getId())
-                .orElseThrow(() -> new IllegalArgumentException("Expense not found"));
+                .orElseThrow(() -> new ResourceNotFoundException("Expense not found with id: " + updatedExpense.getId()));
        existingExpense.setTitle(updatedExpense.getTitle());
        existingExpense.setAmount(updatedExpense.getAmount());
        existingExpense.setPersonalUseAmount(updatedExpense.getPersonalUseAmount());
@@ -191,7 +140,7 @@ public class ExpenseListService {
    // TODO implement API for this
    public XpenselyCustomCategory addCustomCategory(Long expenseListId, XpenselyCustomCategory customCategory) {
        ExpenseList expenseList = repository.findById(expenseListId)
-                .orElseThrow(() -> new RuntimeException("Expense List not found"));
+                .orElseThrow(() -> new ResourceNotFoundException("Expense List not found"));
        customCategory.setExpenseList(expenseList);
        return customCategoryRepository.save(customCategory);
@@ -200,9 +149,9 @@ public class ExpenseListService {
    // TODO implement API for this
    public void deleteCustomCategory(Long expenseListId, Long categoryId) {
        XpenselyCustomCategory category = customCategoryRepository.findById(categoryId)
-                .orElseThrow(() -> new RuntimeException("Custom Category not found"));
+                .orElseThrow(() -> new ResourceNotFoundException("Custom Category not found"));
        if (!category.getExpenseList().getId().equals(expenseListId)) {
-            throw new RuntimeException("Category does not belong to the specified Expense List");
+            throw new IllegalArgumentException("Category does not belong to the specified Expense List");
        }
        customCategoryRepository.delete(category);
    }
@@ -1,11 +1,11 @@
 package de.zendric.app.xpensely_server.services;
 import java.util.List;
 import java.util.Optional;
 import org.springframework.stereotype.Service;
 import de.zendric.app.xpensely_server.model.AppUser;
 import de.zendric.app.xpensely_server.model.Exception.ResourceNotFoundException;
 import de.zendric.app.xpensely_server.model.Exception.UsernameAlreadyExistsException;
 import de.zendric.app.xpensely_server.repo.UserRepository;
@@ -29,36 +29,24 @@ public class UserService {
    }
    public AppUser getUser(Long id) {
-        Optional<AppUser> user = userRepository.findById(id);
+        return userRepository.findById(id)
-        if (user.isPresent()) {
+                .orElseThrow(() -> new ResourceNotFoundException("User not found with id: " + id));
            return user.get();
        } else
            return null;
    }
    public AppUser deleteUserById(Long id) {
-        Optional<AppUser> user = userRepository.findById(id);
+        AppUser user = userRepository.findById(id)
-        if (user.isPresent()) {
+                .orElseThrow(() -> new ResourceNotFoundException("User not found with id: " + id));
-            userRepository.deleteById(id);
+        userRepository.deleteById(id);
-            return user.get();
+        return user;
        } else
            return null;
    }
    public AppUser getUserByName(String username) {
-        Optional<AppUser> optUser = userRepository.findByUsername(username);
+        return userRepository.findByUsername(username)
-        if (optUser.isPresent()) {
+                .orElseThrow(() -> new ResourceNotFoundException("User not found: " + username));
            return optUser.get();
        } else
            return null;
    }
    public AppUser getUserByGoogleId(String id) {
-        Optional<AppUser> optUser = userRepository.findByGoogleId(id);
+        return userRepository.findByGoogleId(id)
-        if (optUser.isPresent()) {
+                .orElseThrow(() -> new ResourceNotFoundException("User not found with Google ID: " + id));
            return optUser.get();
        } else
            return null;
    }
 }
@@ -1,26 +1,47 @@
 package de.zendric.app.xpensely_Server;
-import java.util.Optional;
+import de.zendric.app.xpensely_server.model.ExpenseList;
-
+import de.zendric.app.xpensely_server.repo.ExpenseListRepository;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
-import de.zendric.app.xpensely_server.model.ExpenseList;
+import java.util.Optional;
-import de.zendric.app.xpensely_server.repo.ExpenseListRepository;
+
 import static org.junit.jupiter.api.Assertions.*;
@DataJpaTest
 class ExpenseListRepositoryTest {
-        @Autowired
+    @Autowired
-        private ExpenseListRepository expenseListRepository;
+    private ExpenseListRepository expenseListRepository;
-        @Test
+    @Test
-        void testFindExpenseListById() {
+    void saveAndFindById_returnsExpenseList() {
-                // Assuming an ExpenseList with id = 1 exists in your test DB.
+        ExpenseList list = new ExpenseList();
-                Optional<ExpenseList> optionalExpenseList = expenseListRepository.findById(1L);
+        list.setName("Groceries");
        ExpenseList saved = expenseListRepository.save(list);
-                ExpenseList expenseList = optionalExpenseList.get();
+        Optional<ExpenseList> found = expenseListRepository.findById(saved.getId());
-                System.out.println("ExpenseList name: " + expenseList.getName());
+
-        }
+        assertTrue(found.isPresent());
        assertEquals("Groceries", found.get().getName());
    }
    @Test
    void findById_nonExistentId_returnsEmpty() {
        Optional<ExpenseList> found = expenseListRepository.findById(999L);
        assertTrue(found.isEmpty());
    }
    @Test
    void delete_removesFromRepository() {
        ExpenseList list = new ExpenseList();
        list.setName("To Delete");
        ExpenseList saved = expenseListRepository.save(list);
        expenseListRepository.deleteById(saved.getId());
        assertTrue(expenseListRepository.findById(saved.getId()).isEmpty());
    }
 }
@@ -0,0 +1,95 @@
 package de.zendric.app.xpensely_Server.controller;
 import de.zendric.app.xpensely_server.controller.AppUserController;
 import de.zendric.app.xpensely_server.model.AppUser;
 import de.zendric.app.xpensely_server.security.AuthenticatedUserResolver;
 import de.zendric.app.xpensely_server.services.UserService;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.bean.override.mockito.MockitoBean;
 import org.springframework.test.web.servlet.MockMvc;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
@WebMvcTest(AppUserController.class)
@AutoConfigureMockMvc(addFilters = false)
@ActiveProfiles("test")
 class AppUserControllerTest {
    @Autowired MockMvc mockMvc;
    @MockitoBean UserService userService;
    @MockitoBean AuthenticatedUserResolver authenticatedUserResolver;
    @Test
    void createUser_blankUsername_returns400WithFieldError() throws Exception {
        mockMvc.perform(post("/api/users/createUser")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"username\":\"\",\"googleId\":\"gid123\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.username").exists());
    }
    @Test
    void createUser_invalidUsernamePattern_returns400() throws Exception {
        mockMvc.perform(post("/api/users/createUser")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"username\":\"hello world!\",\"googleId\":\"gid123\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.username").exists());
    }
    @Test
    void createUser_usernameTooShort_returns400() throws Exception {
        mockMvc.perform(post("/api/users/createUser")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"username\":\"ab\",\"googleId\":\"gid123\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.username").exists());
    }
    @Test
    void createUser_blankGoogleId_returns400() throws Exception {
        mockMvc.perform(post("/api/users/createUser")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"username\":\"validuser\",\"googleId\":\"\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.googleId").exists());
    }
    // --- Authorization tests ---
    @Test
    void getUser_differentUser_returns403() throws Exception {
        AppUser self = new AppUser(); self.setId(1L);
        when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(self);
        mockMvc.perform(get("/api/users").param("id", "99"))
                .andExpect(status().isForbidden());
    }
    @Test
    void getUser_sameUser_returns200() throws Exception {
        AppUser self = new AppUser(); self.setId(1L);
        when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(self);
        when(userService.getUser(1L)).thenReturn(self);
        mockMvc.perform(get("/api/users").param("id", "1"))
                .andExpect(status().isOk());
    }
    @Test
    void deleteUser_differentUser_returns403() throws Exception {
        AppUser self = new AppUser(); self.setId(1L);
        when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(self);
        mockMvc.perform(delete("/api/users").param("id", "99"))
                .andExpect(status().isForbidden());
    }
 }
@@ -0,0 +1,135 @@
 package de.zendric.app.xpensely_Server.controller;
 import de.zendric.app.xpensely_server.controller.ExpenseListController;
 import de.zendric.app.xpensely_server.model.AppUser;
 import de.zendric.app.xpensely_server.model.ExpenseList;
 import de.zendric.app.xpensely_server.security.AuthenticatedUserResolver;
 import de.zendric.app.xpensely_server.services.CategoryService;
 import de.zendric.app.xpensely_server.services.ExpenseListService;
 import de.zendric.app.xpensely_server.services.UserService;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.bean.override.mockito.MockitoBean;
 import org.springframework.test.web.servlet.MockMvc;
 import java.util.List;
 import java.util.Optional;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
@WebMvcTest(ExpenseListController.class)
@AutoConfigureMockMvc(addFilters = false)
@ActiveProfiles("test")
 class ExpenseListControllerTest {
    @Autowired MockMvc mockMvc;
    @MockitoBean ExpenseListService expenseListService;
    @MockitoBean UserService userService;
    @MockitoBean CategoryService categoryService;
    @MockitoBean AuthenticatedUserResolver authenticatedUserResolver;
    // --- Validation tests ---
    @Test
    void addExpense_blankTitle_returns400() throws Exception {
        mockMvc.perform(post("/api/expenselist/1/add")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"title\":\"\",\"owner\":\"alice\",\"amount\":10.0,\"date\":\"2026-05-04\",\"category\":\"Food\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.title").exists());
    }
    @Test
    void addExpense_negativeAmount_returns400() throws Exception {
        mockMvc.perform(post("/api/expenselist/1/add")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"title\":\"Lunch\",\"owner\":\"alice\",\"amount\":-5.0,\"date\":\"2026-05-04\",\"category\":\"Food\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.amount").exists());
    }
    @Test
    void addExpense_nullDate_returns400() throws Exception {
        mockMvc.perform(post("/api/expenselist/1/add")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"title\":\"Lunch\",\"owner\":\"alice\",\"amount\":10.0,\"category\":\"Food\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.date").exists());
    }
    @Test
    void acceptInvite_blankCode_returns400() throws Exception {
        mockMvc.perform(post("/api/expenselist/accept-invite")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"inviteCode\":\"\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.inviteCode").exists());
    }
    @Test
    void acceptInvite_wrongCodeLength_returns400() throws Exception {
        mockMvc.perform(post("/api/expenselist/accept-invite")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"inviteCode\":\"ABC\"}"))
                .andExpect(status().isBadRequest())
                .andExpect(jsonPath("$.inviteCode").exists());
    }
    // --- Authorization tests ---
    @Test
    void getById_authenticatedUserNotMember_returns403() throws Exception {
        AppUser owner = new AppUser(); owner.setId(1L);
        AppUser requester = new AppUser(); requester.setId(2L);
        ExpenseList list = new ExpenseList(); list.setId(1L); list.setOwner(owner);
        when(expenseListService.findById(1L)).thenReturn(Optional.of(list));
        when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(requester);
        mockMvc.perform(get("/api/expenselist/byId").param("id", "1"))
                .andExpect(status().isForbidden());
    }
    @Test
    void getById_authenticatedUserIsOwner_returns200() throws Exception {
        AppUser owner = new AppUser(); owner.setId(1L);
        ExpenseList list = new ExpenseList(); list.setId(1L); list.setOwner(owner);
        when(expenseListService.findById(1L)).thenReturn(Optional.of(list));
        when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(owner);
        mockMvc.perform(get("/api/expenselist/byId").param("id", "1"))
                .andExpect(status().isOk());
    }
    @Test
    void deleteList_nonOwner_returns403() throws Exception {
        AppUser owner = new AppUser(); owner.setId(1L);
        AppUser nonOwner = new AppUser(); nonOwner.setId(2L);
        ExpenseList list = new ExpenseList(); list.setId(5L); list.setOwner(owner);
        when(expenseListService.findById(5L)).thenReturn(Optional.of(list));
        when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(nonOwner);
        mockMvc.perform(delete("/api/expenselist/5"))
                .andExpect(status().isForbidden());
    }
    @Test
    void getMine_returnsCurrentUserLists() throws Exception {
        AppUser user = new AppUser(); user.setId(3L);
        when(authenticatedUserResolver.resolveCurrentUser(any())).thenReturn(user);
        when(expenseListService.findByUserId(3L)).thenReturn(List.of(new ExpenseList()));
        mockMvc.perform(get("/api/expenselist/mine"))
                .andExpect(status().isOk());
    }
 }
@@ -0,0 +1,78 @@
 package de.zendric.app.xpensely_Server.security;
 import de.zendric.app.xpensely_server.model.AppUser;
 import de.zendric.app.xpensely_server.security.AuthenticatedUserResolver;
 import de.zendric.app.xpensely_server.services.UserService;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.web.server.ResponseStatusException;
 import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.Mockito.*;
 class AuthenticatedUserResolverTest {
    UserService userService;
    AuthenticatedUserResolver resolver;
    @BeforeEach
    void setUp() {
        userService = mock(UserService.class);
        resolver = new AuthenticatedUserResolver(userService);
    }
    @Test
    void resolveCurrentUser_validJwt_returnsAppUser() {
        Jwt jwt = Jwt.withTokenValue("token")
                .header("alg", "RS256")
                .subject("google-id-123")
                .build();
        JwtAuthenticationToken auth = new JwtAuthenticationToken(jwt);
        AppUser user = new AppUser();
        user.setId(1L);
        user.setGoogleId("google-id-123");
        when(userService.getUserByGoogleId("google-id-123")).thenReturn(user);
        AppUser result = resolver.resolveCurrentUser(auth);
        assertEquals(user, result);
    }
    @Test
    void resolveCurrentUser_userNotFound_throws403() {
        Jwt jwt = Jwt.withTokenValue("token")
                .header("alg", "RS256")
                .subject("unknown-id")
                .build();
        JwtAuthenticationToken auth = new JwtAuthenticationToken(jwt);
        when(userService.getUserByGoogleId("unknown-id")).thenReturn(null);
        ResponseStatusException ex = assertThrows(ResponseStatusException.class,
                () -> resolver.resolveCurrentUser(auth));
        assertEquals(HttpStatus.FORBIDDEN, ex.getStatusCode());
    }
    @Test
    void resolveCurrentUser_userServiceThrows_throws403() {
        Jwt jwt = Jwt.withTokenValue("token")
                .header("alg", "RS256")
                .subject("gone-id")
                .build();
        JwtAuthenticationToken auth = new JwtAuthenticationToken(jwt);
        when(userService.getUserByGoogleId("gone-id")).thenThrow(new IllegalArgumentException("not found"));
        ResponseStatusException ex = assertThrows(ResponseStatusException.class,
                () -> resolver.resolveCurrentUser(auth));
        assertEquals(HttpStatus.FORBIDDEN, ex.getStatusCode());
    }
    @Test
    void resolveCurrentUser_nullAuthentication_throws403() {
        ResponseStatusException ex = assertThrows(ResponseStatusException.class,
                () -> resolver.resolveCurrentUser(null));
        assertEquals(HttpStatus.FORBIDDEN, ex.getStatusCode());
    }
 }
@@ -0,0 +1,89 @@
 package de.zendric.app.xpensely_Server.security;
 import de.zendric.app.xpensely_server.security.RateLimitFilter;
 import jakarta.servlet.FilterChain;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.mockito.Mockito.*;
 class RateLimitFilterTest {
    RateLimitFilter filter;
    FilterChain chain;
    @BeforeEach
    void setUp() {
        filter = new RateLimitFilter();
        chain = mock(FilterChain.class);
    }
    @Test
    void allowsRequestUnderLimit() throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setRemoteAddr("1.2.3.4");
        MockHttpServletResponse response = new MockHttpServletResponse();
        filter.doFilter(request, response, chain);
        verify(chain, times(1)).doFilter(request, response);
        assertEquals(200, response.getStatus());
    }
    @Test
    void blocksRequestOverLimit() throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setRemoteAddr("5.6.7.8");
        for (int i = 0; i < 60; i++) {
            filter.doFilter(request, new MockHttpServletResponse(), chain);
        }
        MockHttpServletResponse blockedResponse = new MockHttpServletResponse();
        filter.doFilter(request, blockedResponse, chain);
        assertEquals(429, blockedResponse.getStatus());
        verify(chain, times(60)).doFilter(eq(request), any());
    }
    @Test
    void differentIpsBucketedSeparately() throws Exception {
        MockHttpServletRequest req1 = new MockHttpServletRequest();
        req1.setRemoteAddr("10.0.0.1");
        MockHttpServletRequest req2 = new MockHttpServletRequest();
        req2.setRemoteAddr("10.0.0.2");
        for (int i = 0; i < 60; i++) {
            filter.doFilter(req1, new MockHttpServletResponse(), chain);
        }
        MockHttpServletResponse response2 = new MockHttpServletResponse();
        filter.doFilter(req2, response2, chain);
        assertEquals(200, response2.getStatus());
    }
    @Test
    void prefersXForwardedForHeader() throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setRemoteAddr("192.168.1.1");
        request.addHeader("X-Forwarded-For", "203.0.113.5, 10.0.0.1");
        for (int i = 0; i < 60; i++) {
            filter.doFilter(request, new MockHttpServletResponse(), chain);
        }
        MockHttpServletResponse blocked = new MockHttpServletResponse();
        filter.doFilter(request, blocked, chain);
        assertEquals(429, blocked.getStatus());
        MockHttpServletRequest directRequest = new MockHttpServletRequest();
        directRequest.setRemoteAddr("192.168.1.1");
        MockHttpServletResponse directResponse = new MockHttpServletResponse();
        filter.doFilter(directRequest, directResponse, chain);
        assertEquals(200, directResponse.getStatus());
    }
 }
@@ -0,0 +1,57 @@
 package de.zendric.app.xpensely_Server.services;
 import de.zendric.app.xpensely_server.model.AppUser;
 import de.zendric.app.xpensely_server.model.ExpenseList;
 import de.zendric.app.xpensely_server.repo.ExpenseListRepository;
 import de.zendric.app.xpensely_server.repo.ExpenseRepository;
 import de.zendric.app.xpensely_server.repo.XpenselyCustomCategoryRepository;
 import de.zendric.app.xpensely_server.services.ExpenseListService;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
 import java.util.List;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 import static org.mockito.Mockito.never;
@ExtendWith(MockitoExtension.class)
 class ExpenseListServiceTest {
    @Mock ExpenseListRepository repository;
    @Mock ExpenseRepository expenseRepository;
    @Mock XpenselyCustomCategoryRepository customCategoryRepository;
    @InjectMocks
    ExpenseListService service;
    @Test
    void findByUserId_usesRepositoryQuery_notFindAll() {
        AppUser owner = new AppUser(); owner.setId(1L);
        ExpenseList list = new ExpenseList(); list.setId(10L); list.setOwner(owner);
        when(repository.findByOwnerIdOrSharedWithId(1L)).thenReturn(List.of(list));
        List<ExpenseList> result = service.findByUserId(1L);
        assertThat(result).hasSize(1);
        verify(repository).findByOwnerIdOrSharedWithId(1L);
        verify(repository, never()).findAll();
    }
    @Test
    void findByUsername_usesRepositoryQuery_notFindAll() {
        AppUser owner = new AppUser(); owner.setId(1L); owner.setUsername("alice");
        ExpenseList list = new ExpenseList(); list.setId(10L); list.setOwner(owner);
        when(repository.findByOwnerUsernameOrSharedWithUsername("alice")).thenReturn(List.of(list));
        List<ExpenseList> result = service.findByUsername("alice");
        assertThat(result).hasSize(1);
        verify(repository).findByOwnerUsernameOrSharedWithUsername("alice");
        verify(repository, never()).findAll();
    }
 }
@@ -0,0 +1,75 @@
 package de.zendric.app.xpensely_Server.services;
 import de.zendric.app.xpensely_server.model.AppUser;
 import de.zendric.app.xpensely_server.model.Exception.ResourceNotFoundException;
 import de.zendric.app.xpensely_server.repo.UserRepository;
 import de.zendric.app.xpensely_server.services.UserService;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
 import java.util.Optional;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.mockito.Mockito.when;
@ExtendWith(MockitoExtension.class)
 class UserServiceTest {
    @Mock
    UserRepository userRepository;
    @InjectMocks
    UserService userService;
    @Test
    void getUserByName_throwsResourceNotFound_whenUserMissing() {
        when(userRepository.findByUsername("ghost")).thenReturn(Optional.empty());
        assertThatThrownBy(() -> userService.getUserByName("ghost"))
                .isInstanceOf(ResourceNotFoundException.class)
                .hasMessageContaining("ghost");
    }
    @Test
    void getUserByName_returnsUser_whenFound() {
        AppUser user = new AppUser();
        user.setId(1L);
        user.setUsername("alice");
        when(userRepository.findByUsername("alice")).thenReturn(Optional.of(user));
        AppUser result = userService.getUserByName("alice");
        assertThat(result.getUsername()).isEqualTo("alice");
    }
    @Test
    void getUser_throwsResourceNotFound_whenIdMissing() {
        when(userRepository.findById(99L)).thenReturn(Optional.empty());
        assertThatThrownBy(() -> userService.getUser(99L))
                .isInstanceOf(ResourceNotFoundException.class)
                .hasMessageContaining("99");
    }
    @Test
    void deleteUserById_throwsResourceNotFound_whenIdMissing() {
        when(userRepository.findById(99L)).thenReturn(Optional.empty());
        assertThatThrownBy(() -> userService.deleteUserById(99L))
                .isInstanceOf(ResourceNotFoundException.class)
                .hasMessageContaining("99");
    }
    @Test
    void getUserByGoogleId_throwsResourceNotFound_whenMissing() {
        when(userRepository.findByGoogleId("gid-404")).thenReturn(Optional.empty());
        assertThatThrownBy(() -> userService.getUserByGoogleId("gid-404"))
                .isInstanceOf(ResourceNotFoundException.class)
                .hasMessageContaining("gid-404");
    }
 }