Implemented get followers endpoint

PatrickMatthiesen · Apr 4, 2023 · 2618563 · 2618563
1 parent 94dce3e
commit 2618563
Show file tree

Hide file tree

Showing 6 changed files with 70 additions and 14 deletions.
diff --git a/MiniTwit/MiniTwit/Client/Pages/MyTimeline.razor b/MiniTwit/MiniTwit/Client/Pages/MyTimeline.razor
@@ -13,18 +13,29 @@
 </ContentDisplay>
 
 @code {
- private List<MessageDTO> _messages;
-
- private string _error;
-
- protected override async Task OnInitializedAsync() {
- var userId = await _authStateProvider.GetUserIdAsync();
- var result = await _http.GetAsync($"api/User/{userId}/mytimeline");
- if (!result.IsSuccessStatusCode)
- {
- _error = "Something went wrong loading the timeline";
- return;
- }
- _messages = await result.Content.ReadFromJsonAsync<List<MessageDTO>>();
+ private List<MessageDTO> _messages;
+
+ private List<UserDTO> _followers;
+
+ private string _error;
+
+ protected override async Task OnInitializedAsync() {
+ var userId = await _authStateProvider.GetUserIdAsync();
+ var result = await _http.GetAsync($"api/User/{userId}/mytimeline");
+ var followers = await _http.GetAsync($"api/User/{userId}/get-followers");
+ if (!result.IsSuccessStatusCode)
+ {
+ _error = "Something went wrong loading the timeline";
+ return;
+ }
+ if (!followers.IsSuccessStatusCode) 
+ {
+ _error = "Something went wrong loading users followers";
+ return;
+ }
+ _messages = await result.Content.ReadFromJsonAsync<List<MessageDTO>>();
+ _followers = await followers.Content.ReadFromJsonAsync<List<UserDTO>>();
  }
+
+
 }
diff --git a/MiniTwit/MiniTwit/Infrastructure/Repositories/UserRepository.cs b/MiniTwit/MiniTwit/Infrastructure/Repositories/UserRepository.cs
@@ -136,11 +136,17 @@ public async Task<List<UserDTO>> ReadFollowsAsync(string Id) {
 
  var returnList = new List<UserDTO>();
 
+ if (entity == null)
+ {
+ throw new Exception($"User with Id {Id} not found.");
+ }
+
  foreach (var f in entity.Follows)
  {
+ Console.WriteLine(f.UserName + ", " + f.Email);
  returnList.Add(new UserDTO(f.Id, f.UserName, f.Email));
  }
-
+ 
  return returnList;
  }
 

diff --git a/MiniTwit/MiniTwit/Server/Controllers/UserController.cs b/MiniTwit/MiniTwit/Server/Controllers/UserController.cs
@@ -46,4 +46,11 @@ public async Task<ActionResult<List<MessageDTO>>> GetMyTimeline(string userId)
  {
  return await _repository.ReadMyTimelineAsync(userId);
  }
+
+ [HttpGet("{userId}/get-followers")]
+ public async Task<ActionResult<List<UserDTO>>> GetUsersFollowers(string userId)
+ {
+ return await _repository.ReadFollowsAsyncQuery(userId);
+ }
+
 }
diff --git a/MiniTwit/MiniTwit/Shared/IRepositories/IUserRepository.cs b/MiniTwit/MiniTwit/Shared/IRepositories/IUserRepository.cs
@@ -9,6 +9,7 @@ public interface IUserRepository
  Task<(Response Response, UserDTO)> FindAsync(string userId);
  Task<Response> UpdateAsync(UserUpdateDTO user);
  Task<List<UserDTO>> ReadFollowsAsync(string Id);
+ Task<List<UserDTO>> ReadFollowsAsyncQuery(string Id);
  Task<Response> UnFollowAsync(string Id_own, string Id_target);
  Task<Response> Follow(string Id_own, string Id_target);
  Task<List<MessageDTO>> ReadMessagesFromUserNameAsync(string userName);

diff --git a/MiniTwit/Tests/ATTACK_Scan.md b/MiniTwit/Tests/ATTACK_Scan.md
@@ -0,0 +1,31 @@
+# Penetration Test ZAP (Zed Attack Proxy)
+
+## Vulnerabilities
+
+1. No Anti-CSRF tokens were found in a HTML submission form
+> - A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim.
+> - Solution: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
+> - https://blog.insiderattack.net/anti-csrf-tokens-to-prevent-cross-site-request-forgery-csrf-79b9d7a5c079
+
+2. Passive (90022 - Application Error Disclosure)
+> - This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application.
+> - Solution: Review the source code of this page. Implement a custom error page!
+
+3. Content Security Policy (CSP) Header Not Set
+> - Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
+> - Solution: Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.
+> - https://content-security-policy.com/examples/nginx/
+
+4. Hidden File Found
+> - A sensitive file was identified as accessible or available. This may leak administrative, configuration, or credential information which can be leveraged by a malicious individual to further attack the system or conduct social engineering efforts.
+> - Screenshot found in our index.html exposes Client/wwwroot/service-worker ![](./resources/Vulnearability4.jpg)
+
+5. Vulnerable JS Library
+> - jQuery Validation Plugin v1.17.0 is vulnurable. 
+> - URL: http://souffle.nu/Identity/lib/jquery-validation/dist/jquery.validate.js 
+> - Solution: Please upgrade to the latest version of jquery-validation.
+
+6. XSLT Injection might be possible.
+> - Injection using XSL transformations may be possible, and may allow an attacker to read system information, read and write files, or execute arbitrary code.
+> - Solution: Sanitize and analyze every user input coming from any client-side
+> - Article: https://blog.pentesteracademy.com/xslt-injections-for-dummies-a0cfbe0c42f5 
diff --git a/MiniTwit/Tests/resources/Vulnearability4.jpg b/MiniTwit/Tests/resources/Vulnearability4.jpg