From 1e9f0c53c140b70fab9d37a455440d576c4b8e50 Mon Sep 17 00:00:00 2001
From: Yaojia Wang
Date: Wed, 5 Nov 2025 14:23:38 +0100
Subject: [PATCH] fix(backend): Add [Authorize] attribute to Epic/Story/Task controllers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CRITICAL FIX: Added missing [Authorize] attribute to prevent unauthorized access.

Changes:
- EpicsController: Added [Authorize] attribute
- StoriesController: Added [Authorize] attribute
- TasksController: Added [Authorize] attribute
- All controllers now require JWT authentication

Security Impact:
- Before: Anonymous access allowed (HIGH RISK)
- After: JWT authentication required (SECURE)

This fixes 401 "Tenant ID not found in claims" errors that occurred when users tried to create Epics/Stories/Tasks without proper authentication.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 colaflow-api/src/ColaFlow.API/Controllers/EpicsController.cs | 2 ++
 colaflow-api/src/ColaFlow.API/Controllers/StoriesController.cs | 2 ++
 colaflow-api/src/ColaFlow.API/Controllers/TasksController.cs | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/colaflow-api/src/ColaFlow.API/Controllers/EpicsController.cs b/colaflow-api/src/ColaFlow.API/Controllers/EpicsController.cs
index 754b4e4..903c982 100644
--- a/colaflow-api/src/ColaFlow.API/Controllers/EpicsController.cs
+++ b/colaflow-api/src/ColaFlow.API/Controllers/EpicsController.cs
@@ -1,4 +1,5 @@
 using MediatR;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using ColaFlow.Modules.ProjectManagement.Application.DTOs;
 using ColaFlow.Modules.ProjectManagement.Application.Commands.CreateEpic;
@@ -13,6 +14,7 @@ namespace ColaFlow.API.Controllers;
 ///
 [ApiController]
 [Route("api/v1")]
+[Authorize]
 public class EpicsController(IMediator mediator) : ControllerBase
 {
     private readonly IMediator _mediator = mediator ?? throw new ArgumentNullException(nameof(mediator));
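Review bot: A bare `[Authorize]` on EpicsController enforces only the application's default authentication scheme and default policy, neither of which is visible in this patch, so the commit's claim that JWT is now required holds only if the startup code registers JWT bearer as the default scheme. If the API also registers a cookie, API-key or other scheme, pinning the intent on the controller, `[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]` (with `using Microsoft.AspNetCore.Authentication.JwtBearer;`), makes the protection independent of that configuration. The class body of EpicsController continues outside the hunk; any action there carrying `[AllowAnonymous]` still bypasses this attribute, so those actions should be checked as part of the same fix.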
diff --git a/colaflow-api/src/ColaFlow.API/Controllers/StoriesController.cs b/colaflow-api/src/ColaFlow.API/Controllers/StoriesController.cs
index 9757c98..e8627a0 100644
--- a/colaflow-api/src/ColaFlow.API/Controllers/StoriesController.cs
+++ b/colaflow-api/src/ColaFlow.API/Controllers/StoriesController.cs
@@ -1,4 +1,5 @@
 using MediatR;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using ColaFlow.Modules.ProjectManagement.Application.DTOs;
 using ColaFlow.Modules.ProjectManagement.Application.Commands.CreateStory;
@@ -16,6 +17,7 @@ namespace ColaFlow.API.Controllers;
 ///
 [ApiController]
 [Route("api/v1")]
+[Authorize]
 public class StoriesController(IMediator mediator) : ControllerBase
 {
     private readonly IMediator _mediator = mediator ?? throw new ArgumentNullException(nameof(mediator));
diff --git a/colaflow-api/src/ColaFlow.API/Controllers/TasksController.cs b/colaflow-api/src/ColaFlow.API/Controllers/TasksController.cs
index a98e803..4fb19e0 100644
--- a/colaflow-api/src/ColaFlow.API/Controllers/TasksController.cs
+++ b/colaflow-api/src/ColaFlow.API/Controllers/TasksController.cs
@@ -1,4 +1,5 @@
 using MediatR;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using ColaFlow.Modules.ProjectManagement.Application.DTOs;
 using ColaFlow.Modules.ProjectManagement.Application.Commands.CreateTask;
@@ -17,6 +18,7 @@ namespace ColaFlow.API.Controllers;
 ///
 [ApiController]
 [Route("api/v1")]
+[Authorize]
 public class TasksController(IMediator mediator) : ControllerBase
 {
     private readonly IMediator _mediator = mediator ?? throw new ArgumentNullException(nameof(mediator));
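Review bot: The class-level `[Authorize]` on StoriesController requires only an authenticated principal; it does not guarantee the tenant claim that the commit message says was missing, so a valid token issued without that claim will still reach the handler and fail with the same "Tenant ID not found in claims" error the commit describes. If the tenant claim is a hard requirement for every action here, a policy registered with `AddPolicy` whose builder calls `RequireClaim` on the tenant claim type the JWT handler emits (not shown in this patch), applied as `[Authorize(Policy = …)]`, rejects such tokens at the pipeline instead of inside the handler. The body of StoriesController continues past the hunk, so actions marked `[AllowAnonymous]` there would remain open and are not covered by this review.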
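Review bot: Nothing in this patch demonstrates that an anonymous request to TasksController is now rejected, and a class-level attribute is easy to lose or override in a later edit, so a regression test is the missing piece. An integration test built on `WebApplicationFactory<TEntryPoint>` that posts to the task-creation route without an `Authorization` header and asserts `HttpStatusCode.Unauthorized` would pin the behaviour the commit message claims. Since three controllers shared the same omission, a follow-up worth considering is a global fallback, `options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();` inside `AddAuthorization`, which makes authenticated access the default and `[AllowAnonymous]` the explicit exception; that change belongs in the startup code, which is outside this patch.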