Fixed security issues in services

Author: folathecoder

Controllers/AuthController.cs

@@ -20,7 +20,7 @@ public AuthController(UserService userService, AuthService authService)
     _userService = userService;
     _authService = authService;
   }
-  
+
 
   [HttpPost("register")]
   [ProducesResponseType(typeof(SignInResponseDto), 201)]
@@ -40,8 +40,8 @@ public async Task<IActionResult> Register(SignInRegisterDto regDto)
         token = _authService.GenerateToken(user),
       };
       return Ok(res);
-    } 
-    
+    }
+
     var newUser = new User
     {
       userName = regDto.userName,

Controllers/CategoryController.cs

@@ -13,73 +13,73 @@ namespace MARKETPLACEAPI.Controllers;
 [Route("api/categories/[controller]")]
 public class CategoryController : ControllerBase
 {
-    private readonly CategoryService _categoryService;
+  private readonly CategoryService _categoryService;
 
-    public CategoryController(CategoryService categoryService) =>
-        _categoryService = categoryService;
+  public CategoryController(CategoryService categoryService) =>
+      _categoryService = categoryService;
 
-    [HttpGet]
-    public async Task<List<Category>> Get() =>
-        await _categoryService.GetAsync();
+  [HttpGet]
+  public async Task<List<Category>> Get() =>
+      await _categoryService.GetAsync();
 
-    [HttpGet("{id:length(24)}")]
-    public async Task<ActionResult<Category>> Get(string id, [FromHeader] string userId)
-    {
-        var category = await _categoryService.GetAsync(id);
-
-        if (category is null)
-        {
-            return NotFound();
-        }
+  [HttpGet("{id:length(24)}")]
+  public async Task<ActionResult<Category>> Get(string id, [FromHeader] string userId)
+  {
+    var category = await _categoryService.GetAsync(id);
 
-        return category;
+    if (category is null)
+    {
+      return NotFound();
     }
 
-    [HttpPost]
+    return category;
+  }
 
-    public async Task<IActionResult> Post(CategoryCreateDto newCategory)
-    {
-        var category = new Category
-        {
-            categoryName = newCategory.categoryName,
-            categoryDescription = newCategory.categoryDescription,
-        };
-        await _categoryService.CreateAsync(category);
-
-        return CreatedAtAction(nameof(Get), new { id = category.categoryId }, category);
-    }
+  [HttpPost]
 
-    [HttpPatch("{id:length(24)}")]
-    public async Task<IActionResult> Update(string id, CategoryUpdateDto updatedCategory)
+  public async Task<IActionResult> Post(CategoryCreateDto newCategory)
+  {
+    var category = new Category
     {
-        var category = await _categoryService.GetAsync(id);
-
-        if (category is null)
-        {
-            return NotFound();
-        }
+      categoryName = newCategory.categoryName,
+      categoryDescription = newCategory.categoryDescription,
+    };
+    await _categoryService.CreateAsync(category);
 
-        category.categoryName = updatedCategory.categoryName;
-        category.categoryDescription = updatedCategory.categoryDescription;
-        category.updatedAt = DateTime.UtcNow;
+    return CreatedAtAction(nameof(Get), new { id = category.categoryId }, category);
+  }
 
-        await _categoryService.UpdateAsync(id, category);
+  [HttpPatch("{id:length(24)}")]
+  public async Task<IActionResult> Update(string id, CategoryUpdateDto updatedCategory)
+  {
+    var category = await _categoryService.GetAsync(id);
 
-        return NoContent();
+    if (category is null)
+    {
+      return NotFound();
     }
 
-    [HttpDelete("{id:length(24)}")]
-    public async Task<IActionResult> Delete(string id)
-    {
-        var category = await _categoryService.GetAsync(id);
+    category.categoryName = updatedCategory.categoryName;
+    category.categoryDescription = updatedCategory.categoryDescription;
+    category.updatedAt = DateTime.UtcNow;
+
+    await _categoryService.UpdateAsync(id, category);
 
-        if (category is null)
-        {
-            return NotFound();
-        }
+    return NoContent();
+  }
 
-        await _categoryService.RemoveAsync(id);
+  [HttpDelete("{id:length(24)}")]
+  public async Task<IActionResult> Delete(string id)
+  {
+    var category = await _categoryService.GetAsync(id);
 
-        return NoContent();
+    if (category is null)
+    {
+      return NotFound();
     }
+
+    await _categoryService.RemoveAsync(id);
+
+    return NoContent();
+  }
 }

Controllers/NftController.cs

@@ -13,40 +13,41 @@ namespace MARKETPLACEAPI.Controllers;
 [Route("api/user/[controller]")]
 public class NftController : ControllerBase
 {
-    private readonly NftService _nftService;
-    private readonly CategoryService _categoryService;
-
-    public NftController(NftService nftService, CategoryService categoryService) {
-        _nftService = nftService;
-        _categoryService = categoryService;
+  private readonly NftService _nftService;
+  private readonly CategoryService _categoryService;
+
+  public NftController(NftService nftService, CategoryService categoryService)
+  {
+    _nftService = nftService;
+    _categoryService = categoryService;
+  }
+
+  [HttpGet]
+  public async Task<List<Nft>> Get() =>
+      await _nftService.GetAsync();
+
+  [HttpGet("{id:length(24)}")]
+  public async Task<ActionResult<NftDto>> Get(string id)
+  {
+    var nft = await _nftService.GetAsync(id);
+    if (nft is null)
+    {
+      return NotFound();
     }
 
-    [HttpGet]
-    public async Task<List<Nft>> Get() =>
-        await _nftService.GetAsync();
-
-    [HttpGet("{id:length(24)}")]
-    public async Task<ActionResult<NftDto>> Get(string id)
+    var nftDto = new NftDto
     {
-        var nft = await _nftService.GetAsync(id);
-        if (nft is null)
-        {
-            return NotFound();
-        }
-
-        var nftDto = new NftDto
-        {
-           nft = nft,
-           category = await _categoryService.GetAsync(nft.categoryId),
-        };
-        
-        return nftDto;
-    }
+      nft = nft,
+      category = await _categoryService.GetAsync(nft.categoryId),
+    };
+
+    return nftDto;
+  }
 
-    [HttpPost]
-    public async Task<IActionResult> Post(NftCreateDto newNft)
-    {   
-        var userId = HttpContext.Request.Headers["userId"].ToString();
+  [HttpPost]
+  public async Task<IActionResult> Post(NftCreateDto newNft)
+  {
+    var userId = HttpContext.Request.Headers["userId"].ToString();
 
     var nft = new Nft
     {
@@ -57,63 +58,63 @@ public async Task<IActionResult> Post(NftCreateDto newNft)
       creatorId = userId,
       categoryId = newNft.categoryId
     };
-    
+
     await _nftService.CreateAsync(nft);
 
-        return CreatedAtAction(nameof(Get), new { id = nft.nftId }, nft);
-    }
+    return CreatedAtAction(nameof(Get), new { id = nft.nftId }, nft);
+  }
+
+  [HttpPatch("{id:length(24)}")]
+  public async Task<IActionResult> Update(string id, NftUpdateDto updatedNft)
+  {
+    var nft = await _nftService.GetAsync(id);
 
-    [HttpPatch("{id:length(24)}")]
-    public async Task<IActionResult> Update(string id, NftUpdateDto updatedNft)
+    if (nft is null)
     {
-        var nft = await _nftService.GetAsync(id);
+      return NotFound();
+    }
 
-        if (nft is null)
-        {
-            return NotFound();
-        }
+    nft.nftName = updatedNft.nftName ?? nft.nftName;
+    nft.nftDescription = updatedNft.nftDescription ?? nft.nftDescription;
+    nft.price = updatedNft.price ?? nft.price;
+    nft.updatedAt = DateTime.UtcNow;
 
-        nft.nftName = updatedNft.nftName ?? nft.nftName;
-        nft.nftDescription = updatedNft.nftDescription ?? nft.nftDescription;
-        nft.price = updatedNft.price ?? nft.price;
-        nft.updatedAt = DateTime.UtcNow;
 
+    await _nftService.UpdateAsync(id, nft);
 
-        await _nftService.UpdateAsync(id, nft);
+    return NoContent();
+  }
 
-        return NoContent();
-    }
+  [HttpDelete("{id:length(24)}")]
+  public async Task<IActionResult> Delete(string id)
+  {
+    var nft = await _nftService.GetAsync(id);
 
-    [HttpDelete("{id:length(24)}")]
-    public async Task<IActionResult> Delete(string id)
+    if (nft is null)
     {
-        var nft = await _nftService.GetAsync(id);
-
-        if (nft is null)
-        {
-            return NotFound();
-        }
+      return NotFound();
+    }
 
-        await _nftService.RemoveAsync(id);
+    await _nftService.RemoveAsync(id);
 
-        return NoContent();
-    }
+    return NoContent();
+  }
 
-    [HttpGet("creator")]
-    public async Task<List<Nft>> GetNftsByCreatorId([FromQuery] string creatorId) =>
-        await _nftService.GetNftsByCreatorId(creatorId);
+  [HttpGet("creator")]
+  public async Task<List<Nft>> GetNftsByCreatorId([FromQuery] string creatorId) =>
+      await _nftService.GetNftsByCreatorId(creatorId);
 
-    [HttpGet("owner")]
-    public async Task<List<Nft>> GetNftsByOwnerId([FromQuery] string ownerId) =>
-        await _nftService.GetNftsByOwnerId(ownerId);
+  [HttpGet("owner")]
+  public async Task<List<Nft>> GetNftsByOwnerId([FromQuery] string ownerId) =>
+      await _nftService.GetNftsByOwnerId(ownerId);
 
-    [HttpGet("with-price-filter")]
-    public async Task<List<Nft>> GetNftWithPriceFilter( 
-    [FromQuery] double? priceMax, [FromQuery] double?
-     priceMin, [FromQuery] bool? ascending = true) =>
-        await _nftService.GetNftWithPriceFilter(priceMax, priceMin, ascending);
+  [HttpGet("with-price-filter")]
+  public async Task<List<Nft>> GetNftWithPriceFilter(
+  [FromQuery] double? priceMax, [FromQuery] double?
+   priceMin, [FromQuery] bool? ascending = true) =>
+      await _nftService.GetNftWithPriceFilter(priceMax, priceMin, ascending);
 
-    [HttpGet("search")]
-    public async Task<List<Nft>> SearchByNftName([FromQuery] string nftName, [FromQuery] bool ascending = true) =>
-        await _nftService.SearchByNftName(nftName, ascending);
+  [HttpGet("search")]
+  public async Task<List<Nft>> SearchByNftName([FromQuery] string nftName, [FromQuery] bool ascending = true) =>
+      await _nftService.SearchByNftName(nftName, ascending);
 }