Add authorization, input validation, and fix N+1 queries in Dashboard APIs (#93)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: PhantomDave <34485699+PhantomDave@users.noreply.github.com>

Author: Copilot

PhantomDave.BankTracking.Api/Services/DashboardService.cs

@@ -20,20 +20,11 @@ public async Task<IEnumerable<Dashboard>> GetAllDashboardsAsync()
     {
         var dashboards = await _unitOfWork.Dashboards
             .Query()
+            .Include(d => d.Widgets)
             .AsNoTracking()
             .OrderBy(d => d.Id)
             .ToListAsync();
 
-        foreach (var dashboard in dashboards)
-        {
-            var widgets = await _unitOfWork.DashboardWidgets
-                .Query()
-                .Where(w => w.DashboardId == dashboard.Id)
-                .OrderBy(w => w.Id)
-                .ToListAsync();
-            dashboard.Widgets = widgets.ToList();
-        }
-
         return dashboards;
     }
 

PhantomDave.BankTracking.Api/Types/Mutations/DashboardMutations.cs

@@ -1,4 +1,5 @@
 using HotChocolate;
+using HotChocolate.Authorization;
 using HotChocolate.Types;
 using PhantomDave.BankTracking.Api.Types.Inputs;
 using PhantomDave.BankTracking.Api.Types.ObjectTypes;
@@ -18,17 +19,28 @@ private static string TruncateName(string? name)
         return trimmed.Length > MaxDashboardNameLength ? trimmed[..MaxDashboardNameLength] : trimmed;
     }
 
+    [Authorize]
     public async Task<DashboardType> CreateDashboard(
         [Service] IUnitOfWork unitOfWork,
         [Service] IHttpContextAccessor httpContextAccessor,
         CreateDashboardInput input)
     {
         var accountId = httpContextAccessor.GetAccountIdFromContext();
 
+        var trimmedName = TruncateName(input.Name);
+        if (string.IsNullOrEmpty(trimmedName))
+        {
+            throw new GraphQLException(
+                ErrorBuilder.New()
+                    .SetMessage("Dashboard name cannot be empty.")
+                    .SetCode("BAD_USER_INPUT")
+                    .Build());
+        }
+
         var dashboard = new Dashboard
         {
             AccountId = accountId,
-            Name = TruncateName(input.Name)
+            Name = trimmedName
         };
 
         await unitOfWork.Dashboards.AddAsync(dashboard);
@@ -37,6 +49,7 @@ public async Task<DashboardType> CreateDashboard(
         return DashboardType.FromDashboard(dashboard);
     }
 
+    [Authorize]
     public async Task<DashboardType> UpdateDashboard(
         [Service] IUnitOfWork unitOfWork,
         [Service] IHttpContextAccessor httpContextAccessor,
@@ -59,11 +72,13 @@ public async Task<DashboardType> UpdateDashboard(
             dashboard.Name = TruncateName(input.Name);
         }
 
+        await unitOfWork.Dashboards.UpdateAsync(dashboard);
         await unitOfWork.SaveChangesAsync();
 
         return DashboardType.FromDashboard(dashboard);
     }
 
+    [Authorize]
     public async Task<bool> DeleteDashboard(
         [Service] IUnitOfWork unitOfWork,
         [Service] IHttpContextAccessor httpContextAccessor,

PhantomDave.BankTracking.Api/Types/Mutations/DashboardWidgetMutations.cs

@@ -1,4 +1,5 @@
 using HotChocolate;
+using HotChocolate.Authorization;
 using HotChocolate.Types;
 using PhantomDave.BankTracking.Api.Types.Inputs;
 using PhantomDave.BankTracking.Api.Types.ObjectTypes;
@@ -10,6 +11,7 @@ namespace PhantomDave.BankTracking.Api.Types.Mutations;
 [ExtendObjectType(OperationTypeNames.Mutation)]
 public class DashboardWidgetMutations
 {
+    [Authorize]
     public async Task<DashboardWidgetType> AddWidget(
         [Service] IUnitOfWork unitOfWork,
         [Service] IHttpContextAccessor httpContextAccessor,
@@ -52,6 +54,7 @@ public async Task<DashboardWidgetType> AddWidget(
         return DashboardWidgetType.FromDashboardWidget(widget);
     }
 
+    [Authorize]
     public async Task<DashboardWidgetType> UpdateWidget(
         [Service] IUnitOfWork unitOfWork,
         [Service] IHttpContextAccessor httpContextAccessor,
@@ -128,6 +131,7 @@ public async Task<DashboardWidgetType> UpdateWidget(
         return DashboardWidgetType.FromDashboardWidget(widget);
     }
 
+    [Authorize]
     public async Task<bool> RemoveWidget(
         [Service] IUnitOfWork unitOfWork,
         [Service] IHttpContextAccessor httpContextAccessor,

PhantomDave.BankTracking.Api/Types/Queries/DashboardQueries.cs

@@ -19,20 +19,11 @@ public async Task<IEnumerable<DashboardType>> GetDashboards(
 
         var dashboards = await unitOfWork.Dashboards
             .Query()
+            .Include(d => d.Widgets)
             .Where(d => d.AccountId == accountId)
             .OrderBy(d => d.Id)
             .ToListAsync();
 
-        foreach (var dashboard in dashboards)
-        {
-            var widgets = await unitOfWork.DashboardWidgets
-                .Query()
-                .Where(w => w.DashboardId == dashboard.Id)
-                .OrderBy(w => w.Id)
-                .ToListAsync();
-            dashboard.Widgets = widgets.ToList();
-        }
-
         return dashboards.Select(DashboardType.FromDashboard);
     }
 
@@ -44,19 +35,16 @@ public async Task<IEnumerable<DashboardType>> GetDashboards(
     {
         var accountId = httpContextAccessor.GetAccountIdFromContext();
 
-        var dashboard = await unitOfWork.Dashboards.GetByIdAsync(id);
+        var dashboard = await unitOfWork.Dashboards
+            .Query()
+            .Include(d => d.Widgets)
+            .FirstOrDefaultAsync(d => d.Id == id);
+
         if (dashboard is null || dashboard.AccountId != accountId)
         {
             return null;
         }
 
-        var widgets = await unitOfWork.DashboardWidgets
-            .Query()
-            .Where(w => w.DashboardId == dashboard.Id)
-            .OrderBy(w => w.Id)
-            .ToListAsync();
-        dashboard.Widgets = widgets.ToList();
-
         return DashboardType.FromDashboard(dashboard);
     }
 }

frontend/src/app/models/dashboards/gridster-item.ts

@@ -14,5 +14,4 @@ export interface Widget extends GridsterItem {
 export enum WidgetType {
   CurrentBalance,
   NetGraph,
-  Placeholder,
 }

frontend/src/app/widgets/widget-net-graph/widget-net-graph.component.spec.ts

@@ -1,16 +1,14 @@
-/* tslint:disable:no-unused-variable */
-import { async, ComponentFixture, TestBed } from '@angular/core/testing';
-import { DebugElement } from '@angular/core';
+import { ComponentFixture, TestBed, waitForAsync } from '@angular/core/testing';
 
 import { WidgetNetGraphComponent } from './widget-net-graph.component';
 
 describe('WidgetNetGraphComponent', () => {
   let component: WidgetNetGraphComponent;
   let fixture: ComponentFixture<WidgetNetGraphComponent>;
 
-  beforeEach(async(() => {
+  beforeEach(waitForAsync(() => {
     TestBed.configureTestingModule({
-      declarations: [ WidgetNetGraphComponent ]
+      imports: [ WidgetNetGraphComponent ]
     })
     .compileComponents();
   }));