Add all backend domain, commands, repositories, and tests
This commit includes all previously untracked backend files:
Domain:
- Accounts, Attachments, BankConnections, Customers
- FiscalYears, Invoices, JournalEntryDrafts
- Orders, Products, UserAccess
Commands & Handlers:
- Full CQRS command structure for all domains
Repositories:
- PostgreSQL repositories for all read models
- Bank transaction and ledger repositories
GraphQL:
- Input types, scalars, and types for all entities
- Mutations and queries
Infrastructure:
- Banking integration (Enable Banking client)
- File storage, Invoicing, Reporting, SAF-T export
- Database migrations (003-029)
Tests:
- Integration tests for GraphQL endpoints
- Domain tests
- Invoicing and reporting tests
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-30 22:19:42 +01:00
|
|
|
using Books.Api.Banking;
|
|
|
|
|
using Books.Api.Commands.BankConnections;
|
|
|
|
|
using Books.Api.Domain.BankConnections;
|
|
|
|
|
using EventFlow;
|
|
|
|
|
using EventFlow.Aggregates.ExecutionResults;
|
Audit v2: fix security, data integrity, compliance, bugs, encoding, UX
Backend Security & Data Integrity:
- Block negative debit/credit amounts that bypass balance validation
- Require document date at posting (was optional, bypassing fiscal year checks)
- Fix event sourcing anti-pattern: timestamps now stored in events, not UtcNow in Apply
- Add [Authorize] to BankingController OAuth callback
- Add company access check on attachment downloads
- Validate CVR in CompanyAggregate.Create and CompanyAggregate.Update
- Require company CVR for invoice creation (Momsloven §52)
- Delete leftover WeatherForecastController
- Fix duplicate migration number 007 (renamed to 007b)
- Remove dead code in VatCalculationService (identical if/else branches)
Accounting Compliance:
- Add missing VAT accounts to StandardDanishAccounts (5610, 5611, 5620)
- Populate SAF-T TaxInformation on transaction lines (was always null)
- Add AuditFileCountry and TaxRegistrationNumber to SAF-T header
Critical Frontend Bugs:
- Fix Dashboard <a href> causing full page reloads (now uses React Router Link)
- Wire Kassekladde filters to actual data (account, status, date range)
- Pre-populate form when editing existing Kassekladde drafts
- Add detail drawer for "Vis detaljer" action (was just a toast)
- Toggle advanced filters with "Flere filtre" button
- CloseFiscalYearWizard now actually posts closing entries via mutations
- "Create next year" checkbox now creates the next fiscal year
Danish Character Encoding (~50 fixes):
- Fix ø/æ/å across Momsindberetning, DocumentUploadModal, Bankafstemning,
Kontooversigt, CloseFiscalYearWizard, vatCodes, periodStore, periods,
accounting, types/periods
Dead Buttons & UX:
- Disable Momsindberetning PDF/Export buttons with tooltips
- FiscalYearSelector "Administrer" now navigates to Settings
- Settings bank tab now uses real BankConnectionsTab component
- Bankafstemning save button disabled with development tooltip
- Replace hardcoded account options with real API data (Bankafstemning, Fakturaer)
- Header help button shows info message, notification bell shows popover
Consistency & Quality:
- Remove 7 console.log statements from production code
- Adopt PageHeader on 6 remaining pages (Kreditnotaer, Settings, Admin, etc.)
- Standardize loading states to Skeleton pattern (5 pages)
- Replace deprecated bodyStyle prop on Ant Design Cards
- Standardize date format to DD-MM-YYYY
- Fix sidebar width mismatch in designTokens
- Fix Kontooversigt breadcrumb pointing to non-existent route
Accessibility:
- Add aria-label to sidebar navigation
- Add +/- prefix to AmountText for color-blind users
- Fix CompanySwitcher permanent skeleton when no companies
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-06 00:18:19 +01:00
|
|
|
using Microsoft.AspNetCore.Authorization;
|
Add all backend domain, commands, repositories, and tests
This commit includes all previously untracked backend files:
Domain:
- Accounts, Attachments, BankConnections, Customers
- FiscalYears, Invoices, JournalEntryDrafts
- Orders, Products, UserAccess
Commands & Handlers:
- Full CQRS command structure for all domains
Repositories:
- PostgreSQL repositories for all read models
- Bank transaction and ledger repositories
GraphQL:
- Input types, scalars, and types for all entities
- Mutations and queries
Infrastructure:
- Banking integration (Enable Banking client)
- File storage, Invoicing, Reporting, SAF-T export
- Database migrations (003-029)
Tests:
- Integration tests for GraphQL endpoints
- Domain tests
- Invoicing and reporting tests
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-30 22:19:42 +01:00
|
|
|
using Microsoft.AspNetCore.Mvc;
|
|
|
|
|
|
|
|
|
|
namespace Books.Api.Controllers;
|
|
|
|
|
|
|
|
|
|
[ApiController]
|
|
|
|
|
[Route("api/banking")]
|
Audit v2: fix security, data integrity, compliance, bugs, encoding, UX
Backend Security & Data Integrity:
- Block negative debit/credit amounts that bypass balance validation
- Require document date at posting (was optional, bypassing fiscal year checks)
- Fix event sourcing anti-pattern: timestamps now stored in events, not UtcNow in Apply
- Add [Authorize] to BankingController OAuth callback
- Add company access check on attachment downloads
- Validate CVR in CompanyAggregate.Create and CompanyAggregate.Update
- Require company CVR for invoice creation (Momsloven §52)
- Delete leftover WeatherForecastController
- Fix duplicate migration number 007 (renamed to 007b)
- Remove dead code in VatCalculationService (identical if/else branches)
Accounting Compliance:
- Add missing VAT accounts to StandardDanishAccounts (5610, 5611, 5620)
- Populate SAF-T TaxInformation on transaction lines (was always null)
- Add AuditFileCountry and TaxRegistrationNumber to SAF-T header
Critical Frontend Bugs:
- Fix Dashboard <a href> causing full page reloads (now uses React Router Link)
- Wire Kassekladde filters to actual data (account, status, date range)
- Pre-populate form when editing existing Kassekladde drafts
- Add detail drawer for "Vis detaljer" action (was just a toast)
- Toggle advanced filters with "Flere filtre" button
- CloseFiscalYearWizard now actually posts closing entries via mutations
- "Create next year" checkbox now creates the next fiscal year
Danish Character Encoding (~50 fixes):
- Fix ø/æ/å across Momsindberetning, DocumentUploadModal, Bankafstemning,
Kontooversigt, CloseFiscalYearWizard, vatCodes, periodStore, periods,
accounting, types/periods
Dead Buttons & UX:
- Disable Momsindberetning PDF/Export buttons with tooltips
- FiscalYearSelector "Administrer" now navigates to Settings
- Settings bank tab now uses real BankConnectionsTab component
- Bankafstemning save button disabled with development tooltip
- Replace hardcoded account options with real API data (Bankafstemning, Fakturaer)
- Header help button shows info message, notification bell shows popover
Consistency & Quality:
- Remove 7 console.log statements from production code
- Adopt PageHeader on 6 remaining pages (Kreditnotaer, Settings, Admin, etc.)
- Standardize loading states to Skeleton pattern (5 pages)
- Replace deprecated bodyStyle prop on Ant Design Cards
- Standardize date format to DD-MM-YYYY
- Fix sidebar width mismatch in designTokens
- Fix Kontooversigt breadcrumb pointing to non-existent route
Accessibility:
- Add aria-label to sidebar navigation
- Add +/- prefix to AmountText for color-blind users
- Fix CompanySwitcher permanent skeleton when no companies
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-06 00:18:19 +01:00
|
|
|
[Authorize]
|
Add all backend domain, commands, repositories, and tests
This commit includes all previously untracked backend files:
Domain:
- Accounts, Attachments, BankConnections, Customers
- FiscalYears, Invoices, JournalEntryDrafts
- Orders, Products, UserAccess
Commands & Handlers:
- Full CQRS command structure for all domains
Repositories:
- PostgreSQL repositories for all read models
- Bank transaction and ledger repositories
GraphQL:
- Input types, scalars, and types for all entities
- Mutations and queries
Infrastructure:
- Banking integration (Enable Banking client)
- File storage, Invoicing, Reporting, SAF-T export
- Database migrations (003-029)
Tests:
- Integration tests for GraphQL endpoints
- Domain tests
- Invoicing and reporting tests
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-30 22:19:42 +01:00
|
|
|
public class BankingController : ControllerBase
|
|
|
|
|
{
|
|
|
|
|
private readonly ICommandBus _commandBus;
|
|
|
|
|
private readonly IEnableBankingClient _bankingClient;
|
|
|
|
|
private readonly ILogger<BankingController> _logger;
|
|
|
|
|
private readonly IConfiguration _configuration;
|
|
|
|
|
|
|
|
|
|
public BankingController(
|
|
|
|
|
ICommandBus commandBus,
|
|
|
|
|
IEnableBankingClient bankingClient,
|
|
|
|
|
ILogger<BankingController> logger,
|
|
|
|
|
IConfiguration configuration)
|
|
|
|
|
{
|
|
|
|
|
_commandBus = commandBus;
|
|
|
|
|
_bankingClient = bankingClient;
|
|
|
|
|
_logger = logger;
|
|
|
|
|
_configuration = configuration;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// <summary>
|
|
|
|
|
/// OAuth callback from Enable Banking after user authorizes bank connection.
|
|
|
|
|
/// </summary>
|
|
|
|
|
[HttpGet("callback")]
|
|
|
|
|
public async Task<IActionResult> Callback(
|
|
|
|
|
[FromQuery] string? code,
|
|
|
|
|
[FromQuery] string? state,
|
|
|
|
|
[FromQuery] string? error,
|
|
|
|
|
[FromQuery] string? error_description,
|
|
|
|
|
CancellationToken ct)
|
|
|
|
|
{
|
|
|
|
|
var frontendBaseUrl = _configuration["Frontend:BaseUrl"] ?? "http://localhost:3000";
|
|
|
|
|
var redirectUrl = $"{frontendBaseUrl}/indstillinger?tab=bankAccounts";
|
|
|
|
|
|
|
|
|
|
// Handle error from bank
|
|
|
|
|
if (!string.IsNullOrEmpty(error))
|
|
|
|
|
{
|
|
|
|
|
_logger.LogWarning("Bank authorization failed: {Error} - {Description}", error, error_description);
|
|
|
|
|
return Redirect($"{redirectUrl}&error={Uri.EscapeDataString(error_description ?? error)}");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Validate required parameters
|
|
|
|
|
if (string.IsNullOrEmpty(code) || string.IsNullOrEmpty(state))
|
|
|
|
|
{
|
|
|
|
|
_logger.LogWarning("Missing code or state in callback");
|
|
|
|
|
return Redirect($"{redirectUrl}&error=missing_parameters");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
try
|
|
|
|
|
{
|
2026-02-05 21:35:26 +01:00
|
|
|
// TODO: Add proper CSRF/state validation. Currently the state parameter
|
|
|
|
|
// is used as the connection ID, but it should also include a CSRF token
|
|
|
|
|
// that is validated against the user session to prevent cross-site request
|
|
|
|
|
// forgery attacks on the OAuth callback.
|
Add all backend domain, commands, repositories, and tests
This commit includes all previously untracked backend files:
Domain:
- Accounts, Attachments, BankConnections, Customers
- FiscalYears, Invoices, JournalEntryDrafts
- Orders, Products, UserAccess
Commands & Handlers:
- Full CQRS command structure for all domains
Repositories:
- PostgreSQL repositories for all read models
- Bank transaction and ledger repositories
GraphQL:
- Input types, scalars, and types for all entities
- Mutations and queries
Infrastructure:
- Banking integration (Enable Banking client)
- File storage, Invoicing, Reporting, SAF-T export
- Database migrations (003-029)
Tests:
- Integration tests for GraphQL endpoints
- Domain tests
- Invoicing and reporting tests
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-30 22:19:42 +01:00
|
|
|
// State contains the connection ID (set during StartBankConnection)
|
|
|
|
|
var connectionId = state;
|
|
|
|
|
|
|
|
|
|
// Get PSU headers from HttpContext (required by Enable Banking API)
|
|
|
|
|
var psuIpAddress = HttpContext.Connection.RemoteIpAddress?.ToString();
|
|
|
|
|
var psuUserAgent = Request.Headers.UserAgent.ToString();
|
|
|
|
|
|
|
|
|
|
// Exchange authorization code for session
|
|
|
|
|
var session = await _bankingClient.CreateSessionAsync(code, psuIpAddress, psuUserAgent, ct);
|
|
|
|
|
|
|
|
|
|
_logger.LogInformation(
|
|
|
|
|
"Bank session created: {SessionId}, Bank: {Bank}, Accounts: {AccountCount}",
|
|
|
|
|
session.SessionId,
|
|
|
|
|
session.AspspName,
|
|
|
|
|
session.Accounts.Count);
|
|
|
|
|
|
|
|
|
|
// Complete the bank connection
|
|
|
|
|
var command = new EstablishBankConnectionCommand(
|
|
|
|
|
BankConnectionId.With(connectionId),
|
|
|
|
|
session.SessionId,
|
|
|
|
|
session.ValidUntil,
|
|
|
|
|
session.Accounts.Select(a => new BankAccountInfo(
|
|
|
|
|
a.AccountId,
|
|
|
|
|
a.Iban,
|
|
|
|
|
a.Currency,
|
|
|
|
|
a.AccountName)).ToList());
|
|
|
|
|
|
|
|
|
|
var result = await _commandBus.PublishAsync(command, ct);
|
|
|
|
|
|
|
|
|
|
if (result is FailedExecutionResult failed)
|
|
|
|
|
{
|
|
|
|
|
_logger.LogError("Failed to complete bank connection: {Errors}", string.Join(", ", failed.Errors));
|
|
|
|
|
return Redirect($"{redirectUrl}&error=completion_failed");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_logger.LogInformation("Bank connection {ConnectionId} completed successfully", connectionId);
|
|
|
|
|
return Redirect($"{redirectUrl}&success=true");
|
|
|
|
|
}
|
|
|
|
|
catch (Exception ex)
|
|
|
|
|
{
|
|
|
|
|
_logger.LogError(ex, "Error completing bank connection");
|
|
|
|
|
return Redirect($"{redirectUrl}&error=internal_error");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|