ChrisChen/ROLAC
1
0
Fork 0
Code Issues 66 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(expense): resolve current user id from 'sub' JWT claim

Browse Source 
Live verification revealed the JWT carries the user id in the 'sub' claim
(NameClaimType=sub, MapInboundClaims=false), so ClaimTypes.NameIdentifier is
null at runtime. This caused ExpensesController.GetMine/GetById to throw
NullReferenceException (500) on the '!.Value', and made the services fall back
to 'system' — silently defeating the self-ownership guard. Resolve via
NameIdentifier (unit tests) then 'sub' (real tokens). Adds a regression test.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Chris Chen
2026-05-29 19:08:21 -07:00
parent 95008788f3
commit e1f99158aa
4 changed files with 45 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
API/ROLAC.API/Services/MonthlyStatementService.cs
+4 -1
View File
@@ -12,8 +12,11 @@ public class MonthlyStatementService : IMonthlyStatementService
private readonly IHttpContextAccessor _http;
public MonthlyStatementService(AppDbContext db, IHttpContextAccessor http) { _db = db; _http = http; }
// See ExpenseService: the user id lives in the "sub" claim at runtime; NameIdentifier is for tests.
private string CurrentUserId =>
_http.HttpContext?.User.FindFirstValue(ClaimTypes.NameIdentifier) ?? "system";
_http.HttpContext?.User.FindFirstValue(ClaimTypes.NameIdentifier)
?? _http.HttpContext?.User.FindFirstValue("sub")
?? "system";
public async Task<List<MonthlyStatementDto>> GetAllAsync(int? year)
{