kai/ColaFlow
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(backend): Add [Authorize] attribute to Epic/Story/Task controllers

Browse Source 
CRITICAL FIX: Added missing [Authorize] attribute to prevent unauthorized access.

Changes:
- EpicsController: Added [Authorize] attribute
- StoriesController: Added [Authorize] attribute
- TasksController: Added [Authorize] attribute
- All controllers now require JWT authentication

Security Impact:
- Before: Anonymous access allowed (HIGH RISK)
- After: JWT authentication required (SECURE)

This fixes 401 "Tenant ID not found in claims" errors that occurred when
users tried to create Epics/Stories/Tasks without proper authentication.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Yaojia Wang
2025-11-05 14:23:38 +01:00
parent 1413306028
commit 1e9f0c53c1
3 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
colaflow-api/src/ColaFlow.API/Controllers/EpicsController.cs
View File

@@ -1,4 +1,5 @@
using MediatR; using MediatR;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc;
using ColaFlow.Modules.ProjectManagement.Application.DTOs; using ColaFlow.Modules.ProjectManagement.Application.DTOs;
using ColaFlow.Modules.ProjectManagement.Application.Commands.CreateEpic; using ColaFlow.Modules.ProjectManagement.Application.Commands.CreateEpic;
@@ -13,6 +14,7 @@ namespace ColaFlow.API.Controllers;
/// </summary> /// </summary>
[ApiController] [ApiController]
[Route("api/v1")] [Route("api/v1")]
[Authorize]
public class EpicsController(IMediator mediator) : ControllerBase public class EpicsController(IMediator mediator) : ControllerBase
{ {
private readonly IMediator _mediator = mediator ?? throw new ArgumentNullException(nameof(mediator)); private readonly IMediator _mediator = mediator ?? throw new ArgumentNullException(nameof(mediator));

2
colaflow-api/src/ColaFlow.API/Controllers/StoriesController.cs
View File

@@ -1,4 +1,5 @@
using MediatR; using MediatR;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc;
using ColaFlow.Modules.ProjectManagement.Application.DTOs; using ColaFlow.Modules.ProjectManagement.Application.DTOs;
using ColaFlow.Modules.ProjectManagement.Application.Commands.CreateStory; using ColaFlow.Modules.ProjectManagement.Application.Commands.CreateStory;
@@ -16,6 +17,7 @@ namespace ColaFlow.API.Controllers;
/// </summary> /// </summary>
[ApiController] [ApiController]
[Route("api/v1")] [Route("api/v1")]
[Authorize]
public class StoriesController(IMediator mediator) : ControllerBase public class StoriesController(IMediator mediator) : ControllerBase
{ {
private readonly IMediator _mediator = mediator ?? throw new ArgumentNullException(nameof(mediator)); private readonly IMediator _mediator = mediator ?? throw new ArgumentNullException(nameof(mediator));

2
colaflow-api/src/ColaFlow.API/Controllers/TasksController.cs
View File

@@ -1,4 +1,5 @@
using MediatR; using MediatR;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc;
using ColaFlow.Modules.ProjectManagement.Application.DTOs; using ColaFlow.Modules.ProjectManagement.Application.DTOs;
using ColaFlow.Modules.ProjectManagement.Application.Commands.CreateTask; using ColaFlow.Modules.ProjectManagement.Application.Commands.CreateTask;
@@ -17,6 +18,7 @@ namespace ColaFlow.API.Controllers;
/// </summary> /// </summary>
[ApiController] [ApiController]
[Route("api/v1")] [Route("api/v1")]
[Authorize]
public class TasksController(IMediator mediator) : ControllerBase public class TasksController(IMediator mediator) : ControllerBase
{ {
private readonly IMediator _mediator = mediator ?? throw new ArgumentNullException(nameof(mediator)); private readonly IMediator _mediator = mediator ?? throw new ArgumentNullException(nameof(mediator));