softwarehuset/books
2
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions
books/backend/Books.Api/Controllers/BankingController.cs
Nicolaj Hartmann 709d0a4739 Audit v2: fix security, data integrity, compliance, bugs, encoding, UX 
Backend Security & Data Integrity:
- Block negative debit/credit amounts that bypass balance validation
- Require document date at posting (was optional, bypassing fiscal year checks)
- Fix event sourcing anti-pattern: timestamps now stored in events, not UtcNow in Apply
- Add [Authorize] to BankingController OAuth callback
- Add company access check on attachment downloads
- Validate CVR in CompanyAggregate.Create and CompanyAggregate.Update
- Require company CVR for invoice creation (Momsloven §52)
- Delete leftover WeatherForecastController
- Fix duplicate migration number 007 (renamed to 007b)
- Remove dead code in VatCalculationService (identical if/else branches)

Accounting Compliance:
- Add missing VAT accounts to StandardDanishAccounts (5610, 5611, 5620)
- Populate SAF-T TaxInformation on transaction lines (was always null)
- Add AuditFileCountry and TaxRegistrationNumber to SAF-T header

Critical Frontend Bugs:
- Fix Dashboard <a href> causing full page reloads (now uses React Router Link)
- Wire Kassekladde filters to actual data (account, status, date range)
- Pre-populate form when editing existing Kassekladde drafts
- Add detail drawer for "Vis detaljer" action (was just a toast)
- Toggle advanced filters with "Flere filtre" button
- CloseFiscalYearWizard now actually posts closing entries via mutations
- "Create next year" checkbox now creates the next fiscal year

Danish Character Encoding (~50 fixes):
- Fix ø/æ/å across Momsindberetning, DocumentUploadModal, Bankafstemning,
  Kontooversigt, CloseFiscalYearWizard, vatCodes, periodStore, periods,
  accounting, types/periods

Dead Buttons & UX:
- Disable Momsindberetning PDF/Export buttons with tooltips
- FiscalYearSelector "Administrer" now navigates to Settings
- Settings bank tab now uses real BankConnectionsTab component
- Bankafstemning save button disabled with development tooltip
- Replace hardcoded account options with real API data (Bankafstemning, Fakturaer)
- Header help button shows info message, notification bell shows popover

Consistency & Quality:
- Remove 7 console.log statements from production code
- Adopt PageHeader on 6 remaining pages (Kreditnotaer, Settings, Admin, etc.)
- Standardize loading states to Skeleton pattern (5 pages)
- Replace deprecated bodyStyle prop on Ant Design Cards
- Standardize date format to DD-MM-YYYY
- Fix sidebar width mismatch in designTokens
- Fix Kontooversigt breadcrumb pointing to non-existent route

Accessibility:
- Add aria-label to sidebar navigation
- Add +/- prefix to AmountText for color-blind users
- Fix CompanySwitcher permanent skeleton when no companies

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-06 00:18:19 +01:00

111 lines
4.2 KiB
C#
Raw Blame History

using Books.Api.Banking;
using Books.Api.Commands.BankConnections;
using Books.Api.Domain.BankConnections;
using EventFlow;
using EventFlow.Aggregates.ExecutionResults;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
namespace Books.Api.Controllers;
[ApiController]
[Route("api/banking")]
[Authorize]
public class BankingController : ControllerBase
{
private readonly ICommandBus _commandBus;
private readonly IEnableBankingClient _bankingClient;
private readonly ILogger<BankingController> _logger;
private readonly IConfiguration _configuration;
public BankingController(
ICommandBus commandBus,
IEnableBankingClient bankingClient,
ILogger<BankingController> logger,
IConfiguration configuration)
{
_commandBus = commandBus;
_bankingClient = bankingClient;
_logger = logger;
_configuration = configuration;
}
/// <summary>
/// OAuth callback from Enable Banking after user authorizes bank connection.
/// </summary>
[HttpGet("callback")]
public async Task<IActionResult> Callback(
[FromQuery] string? code,
[FromQuery] string? state,
[FromQuery] string? error,
[FromQuery] string? error_description,
CancellationToken ct)
{
var frontendBaseUrl = _configuration["Frontend:BaseUrl"] ?? "http://localhost:3000";
var redirectUrl = $"{frontendBaseUrl}/indstillinger?tab=bankAccounts";
// Handle error from bank
if (!string.IsNullOrEmpty(error))
{
_logger.LogWarning("Bank authorization failed: {Error} - {Description}", error, error_description);
return Redirect($"{redirectUrl}&error={Uri.EscapeDataString(error_description ?? error)}");
}
// Validate required parameters
if (string.IsNullOrEmpty(code) || string.IsNullOrEmpty(state))
{
_logger.LogWarning("Missing code or state in callback");
return Redirect($"{redirectUrl}&error=missing_parameters");
}
try
{
// TODO: Add proper CSRF/state validation. Currently the state parameter
// is used as the connection ID, but it should also include a CSRF token
// that is validated against the user session to prevent cross-site request
// forgery attacks on the OAuth callback.
// State contains the connection ID (set during StartBankConnection)
var connectionId = state;
// Get PSU headers from HttpContext (required by Enable Banking API)
var psuIpAddress = HttpContext.Connection.RemoteIpAddress?.ToString();
var psuUserAgent = Request.Headers.UserAgent.ToString();
// Exchange authorization code for session
var session = await _bankingClient.CreateSessionAsync(code, psuIpAddress, psuUserAgent, ct);
_logger.LogInformation(
"Bank session created: {SessionId}, Bank: {Bank}, Accounts: {AccountCount}",
session.SessionId,
session.AspspName,
session.Accounts.Count);
// Complete the bank connection
var command = new EstablishBankConnectionCommand(
BankConnectionId.With(connectionId),
session.SessionId,
session.ValidUntil,
session.Accounts.Select(a => new BankAccountInfo(
a.AccountId,
a.Iban,
a.Currency,
a.AccountName)).ToList());
var result = await _commandBus.PublishAsync(command, ct);
if (result is FailedExecutionResult failed)
{
_logger.LogError("Failed to complete bank connection: {Errors}", string.Join(", ", failed.Errors));
return Redirect($"{redirectUrl}&error=completion_failed");
}
_logger.LogInformation("Bank connection {ConnectionId} completed successfully", connectionId);
return Redirect($"{redirectUrl}&success=true");
}
catch (Exception ex)
{
_logger.LogError(ex, "Error completing bank connection");
return Redirect($"{redirectUrl}&error=internal_error");
}
}
}
Reference in a new issue View git blame Copy permalink