softwarehuset/books
2
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions
books/backend/Books.Api/GraphQL/Mutations/BooksMutation.cs
Nicolaj Hartmann 8e05171b66 Full product audit: fix security, compliance, UX, and wire broken features 
Security (Phase 1):
- Add authentication middleware on /graphql endpoint
- Filter company queries by user access (prevent IDOR)
- Add role-based authorization on mutations (owner/accountant)
- Reduce API key cache TTL from 24h to 5 minutes
- Hide exception details in production GraphQL errors
- Fix RBAC in frontend companyStore (was hardcoded)

Wiring broken features (Phase 2):
- Wire Kassekladde submit/void/copy to GraphQL mutations
- Wire Kontooversigt account creation to createAccount mutation
- Wire Settings save to updateCompany mutation
- Wire CreateFiscalYearModal and CloseFiscalYearWizard to mutations
- Replace Momsindberetning mock data with real useVatReport query
- Remove Dashboard hardcoded percentages and fake VAT deadline
- Fix Kreditnotaer invoice selector to use real data
- Fix mutation retry from 1 to 0 (prevent duplicate operations)

Accounting compliance (Phase 3):
- Add balanced entry validation (debit==credit) in JournalEntryDraftAggregate
- Add fiscal year boundary enforcement (status, date range checks)
- Add PostedAt timestamp to posted events (Bogføringsloven §7)
- Add account number uniqueness check within company
- Add fiscal year overlap and gap checks
- Add sequential invoice auto-numbering
- Fix InvoiceLine VAT rate to use canonical VatCodes
- Fix SAF-T account type mapping (financial → Expense)
- Add DraftLine validation (cannot have both debit and credit > 0)

UX improvements (Phase 4):
- Fix Danish character encoding across 15+ files (ø, æ, å)
- Deploy DemoDataDisclaimer on pages with mock/incomplete data
- Adopt PageHeader component universally across all pages
- Standardize active/inactive filtering to Switch pattern
- Fix dead buttons in Header (Help, Notifications)
- Remove hardcoded mock data from Settings
- Fix Sidebar controlled state and Kontooversigt navigation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-05 21:35:26 +01:00

102 lines
4.3 KiB
C#
Raw Blame History

using System.Security.Claims;
using Books.Api.Authorization;
using Books.Api.Commands.Companies;
using Books.Api.Commands.UserAccess;
using Books.Api.Domain.Companies;
using Books.Api.Domain.UserAccess;
using Books.Api.EventFlow.Repositories;
using Books.Api.GraphQL.InputTypes;
using Books.Api.GraphQL.Types;
using EventFlow;
using GraphQL;
using GraphQL.Types;
namespace Books.Api.GraphQL.Mutations;
public class BooksMutation : ObjectGraphType
{
public BooksMutation()
{
Name = "Mutation";
Description = "Root mutation for the Books API";
// createCompany(input: CreateCompanyInput!): CompanyType
Field<CompanyType>("createCompany")
.Description("Create a new company")
.Argument<NonNullGraphType<CreateCompanyInputType>>("input", "The company data")
.ResolveAsync(async ctx =>
{
var input = ctx.GetArgument<CreateCompanyInput>("input");
var commandBus = ctx.RequestServices!.GetRequiredService<ICommandBus>();
var repository = ctx.RequestServices!.GetRequiredService<ICompanyRepository>();
var companyId = CompanyId.New;
var command = new CreateCompanyCommand(
companyId,
input.Name,
input.Cvr,
input.Address,
input.PostalCode,
input.City,
input.Country ?? "DK",
input.FiscalYearStartMonth ?? 1,
input.Currency ?? "DKK",
input.VatRegistered ?? false,
input.VatPeriodFrequency);
await commandBus.PublishAsync(command, ctx.CancellationToken);
// Grant the creating user owner access to the new company
var httpContext = ctx.RequestServices!.GetRequiredService<IHttpContextAccessor>().HttpContext;
var userId = httpContext?.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
if (userId != null)
{
var accessId = UserCompanyAccessId.FromUserAndCompany(userId, companyId.Value);
var grantCmd = new GrantUserCompanyAccessCommand(
accessId, userId, companyId.Value, CompanyRole.Owner, userId);
await commandBus.PublishAsync(grantCmd, ctx.CancellationToken);
}
// Return the created company (eventually consistent)
return await repository.GetByIdAsync(companyId.Value, ctx.CancellationToken);
});
// updateCompany(id: ID!, input: UpdateCompanyInput!): CompanyType
Field<CompanyType>("updateCompany")
.Description("Update an existing company")
.Argument<NonNullGraphType<IdGraphType>>("id", "The company ID")
.Argument<NonNullGraphType<UpdateCompanyInputType>>("input", "The updated company data")
.ResolveAsync(async ctx =>
{
var id = ctx.GetArgument<string>("id");
// Require Owner or Accountant role to update a company
var accessService = ctx.RequestServices!.GetRequiredService<ICompanyAccessService>();
await accessService.RequireAccessAsync(id, CompanyRole.Accountant, ctx.CancellationToken);
var input = ctx.GetArgument<UpdateCompanyInput>("input");
var commandBus = ctx.RequestServices!.GetRequiredService<ICommandBus>();
var repository = ctx.RequestServices!.GetRequiredService<ICompanyRepository>();
var companyId = CompanyId.With(id);
var command = new UpdateCompanyCommand(
companyId,
input.Name,
input.Cvr,
input.Address,
input.PostalCode,
input.City,
input.Country ?? "DK",
input.FiscalYearStartMonth ?? 1,
input.Currency ?? "DKK",
input.VatRegistered ?? false,
input.VatPeriodFrequency);
await commandBus.PublishAsync(command, ctx.CancellationToken);
return await repository.GetByIdAsync(companyId.Value, ctx.CancellationToken);
});
}
}
Reference in a new issue View git blame Copy permalink