fix: allow only query my own data (#126)

* fix: allow access only my own data

Signed-off-by: Matheus Cruz <[email protected]>

* fix: fix compilation

Signed-off-by: Matheus Cruz <[email protected]>

---------

Signed-off-by: Matheus Cruz <[email protected]>

Author: mcruzdev

site/index.html

@@ -100,8 +100,8 @@ <h2 class="text-3xl font-bold mb-6">Timeless is Open Source</h2>
     <h2 class="text-3xl font-bold mb-6">Start Using Timeless Today</h2>
     <p class="text-lg mb-8 max-w-2xl mx-auto">Your financial Life organized forever. No effort required.</p>
     <a href="#"
-      class="bg-white text-blue-600 px-6 py-3 rounded-xl text-lg font-semibold hover:bg-gray-200 transition">Join the
-      Waitlist</a>
+      class="bg-white text-blue-600 px-6 py-3 rounded-xl text-lg font-semibold hover:bg-gray-200 transition">Register
+      Now</a>
   </section>
 
   <!-- Footer -->

timeless-api/src/main/java/dev/matheuscruz/domain/RecordRepository.java

@@ -1,13 +1,18 @@
 package dev.matheuscruz.domain;
 
 import io.quarkus.hibernate.orm.panache.PanacheRepository;
+import io.quarkus.logging.Log;
+import io.quarkus.panache.common.Parameters;
 import jakarta.enterprise.context.ApplicationScoped;
 import java.util.List;
 
 @ApplicationScoped
 public class RecordRepository implements PanacheRepository<Record> {
 
-    public List<AmountAndTypeOnly> getRecordsWithAmountAndTypeOnly() {
-        return find("select r.amount, r.transaction from Record as r").project(AmountAndTypeOnly.class).list();
+    public List<AmountAndTypeOnly> getRecordsWithAmountAndTypeOnlyByUser(String userId) {
+        Log.info("Getting balance for user ID: " + userId);
+        return find("select r.amount, r.transaction from Record as r where userId = :userId",
+                Parameters.with("userId", userId)).project(AmountAndTypeOnly.class).list();
     }
+
 }

timeless-api/src/main/java/dev/matheuscruz/infra/ai/TextAiService.java

@@ -1,6 +1,7 @@
 package dev.matheuscruz.infra.ai;
 
 import dev.langchain4j.service.UserMessage;
+import dev.langchain4j.service.V;
 import dev.matheuscruz.infra.ai.data.AllRecognizedOperations;
 import dev.matheuscruz.infra.ai.tools.GetBalanceTool;
 import io.quarkiverse.langchain4j.RegisterAiService;
@@ -10,9 +11,12 @@ public interface TextAiService {
 
     @UserMessage("""
             You are a smart financial assistant capable of performing two types of operations based on the user's message:
+
             1. Extracting financial transaction data.
             2. Responding with the user's current account balance using available tools.
 
+            The user ID is {{userId}}.
+
             Your task is to analyze the content between the --- delimiters and return a JSON object in the following format:
 
             {
@@ -80,6 +84,6 @@ public interface TextAiService {
             {message}
             ---
             """)
-    AllRecognizedOperations handleMessage(String message);
+    AllRecognizedOperations handleMessage(String message, @V("userId") String userId);
 
 }

timeless-api/src/main/java/dev/matheuscruz/infra/ai/tools/GetBalanceTool.java

@@ -17,9 +17,9 @@ public GetBalanceTool(RecordRepository recordRepository) {
         this.recordRepository = recordRepository;
     }
 
-    @Tool(value = "get account balance")
-    public BigDecimal getBalance() {
-        List<AmountAndTypeOnly> list = this.recordRepository.getRecordsWithAmountAndTypeOnly();
+    @Tool(value = "get account balance for a user")
+    public BigDecimal getBalance(String userId) {
+        List<AmountAndTypeOnly> list = this.recordRepository.getRecordsWithAmountAndTypeOnlyByUser(userId);
         return list.stream()
                 .map(record -> record.getTransaction().equals(Transactions.OUT)
                         ? record.getAmount().multiply(new BigDecimal(-1))

timeless-api/src/main/java/dev/matheuscruz/infra/queue/SQS.java

@@ -77,7 +77,8 @@ private void processMessage(String body, String receiptHandle) {
 
     private void handleUserMessage(User user, IncomingMessage message, String receiptHandle) {
         try {
-            AllRecognizedOperations allRecognizedOperations = aiService.handleMessage(message.messageBody());
+            AllRecognizedOperations allRecognizedOperations = aiService.handleMessage(message.messageBody(),
+                    user.getId());
 
             for (RecognizedOperation recognizedOperation : allRecognizedOperations.all()) {
                 switch (recognizedOperation.operation()) {

timeless-api/src/main/java/dev/matheuscruz/presentation/MessageResource.java

@@ -1,6 +1,5 @@
 package dev.matheuscruz.presentation;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
 import dev.langchain4j.data.image.Image;
 import dev.matheuscruz.domain.Record;
 import dev.matheuscruz.domain.RecordRepository;
@@ -11,9 +10,10 @@
 import dev.matheuscruz.infra.ai.data.AiOperations;
 import dev.matheuscruz.infra.ai.data.RecognizedOperation;
 import dev.matheuscruz.infra.ai.data.RecognizedTransaction;
+import dev.matheuscruz.presentation.data.ImageRequest;
+import dev.matheuscruz.presentation.data.MessageRequest;
 import io.quarkus.narayana.jta.QuarkusTransaction;
 import jakarta.validation.Valid;
-import jakarta.validation.constraints.NotBlank;
 import jakarta.ws.rs.Consumes;
 import jakarta.ws.rs.NotFoundException;
 import jakarta.ws.rs.POST;
@@ -25,16 +25,24 @@
 import java.util.function.Predicate;
 import java.util.stream.Stream;
 
+/**
+ * We allow only whatsapp clients to send messages to this endpoint.
+ * <p>
+ * While we do not have everything implemented in an asynchronous way without the communication between whatsapp app and
+ * our backend, we will block this endpoint to only whatsapp IP.
+ * <p>
+ * It is a block on network level, configured in the infrastructure layer.
+ */
 @Path("/api/messages")
 public class MessageResource {
 
-    private final UserRepository userRepository;
-    private final TextAiService aiService;
-    private final ImageAiService imageAiService;
-    private final RecordRepository recordRepository;
+    final UserRepository userRepository;
+    final TextAiService aiService;
+    final ImageAiService imageAiService;
+    final RecordRepository recordRepository;
 
     public MessageResource(TextAiService aiService, ImageAiService imageAiService, RecordRepository recordRepository,
-            ObjectMapper mapper, UserRepository userRepository) {
+            UserRepository userRepository) {
         this.aiService = aiService;
         this.imageAiService = imageAiService;
         this.recordRepository = recordRepository;
@@ -76,15 +84,15 @@ public Response image(@Valid ImageRequest req) {
     }
 
     private Response handleMessage(User user, String message) {
-        List<RecognizedOperation> response = aiService.handleMessage(message).all();
+        List<RecognizedOperation> response = aiService.handleMessage(message, user.getId()).all();
         return processOnlyAddTransaction(user, response);
     }
 
     private Response processOnlyAddTransaction(User user, List<RecognizedOperation> messages) {
 
         List<RecognizedTransaction> onlyAddTransaction = messages.stream()
                 .filter(message -> AiOperations.ADD_TRANSACTION.equals(message.operation()))
-                .map(recognizedOperation -> recognizedOperation.recognizedTransaction()).toList();
+                .map(RecognizedOperation::recognizedTransaction).toList();
 
         handleTransactions(onlyAddTransaction, user);
 
@@ -101,10 +109,4 @@ private void handleTransactions(List<RecognizedTransaction> transactions, User u
             recordRepository.persist(recordStream);
         });
     }
-
-    public record MessageRequest(@NotBlank String from, @NotBlank String message) {
-    }
-
-    public record ImageRequest(@NotBlank String from, @NotBlank String base64, String text, @NotBlank String mimeType) {
-    }
 }

timeless-api/src/main/java/dev/matheuscruz/presentation/RecordResource.java

@@ -1,15 +1,20 @@
 package dev.matheuscruz.presentation;
 
-import dev.matheuscruz.domain.*;
+import dev.matheuscruz.domain.AmountAndTypeOnly;
 import dev.matheuscruz.domain.Record;
+import dev.matheuscruz.domain.RecordRepository;
+import dev.matheuscruz.domain.Transactions;
+import dev.matheuscruz.domain.User;
+import dev.matheuscruz.domain.UserRepository;
+import dev.matheuscruz.presentation.data.CreateRecordRequest;
+import dev.matheuscruz.presentation.data.PageRecord;
+import dev.matheuscruz.presentation.data.RecordItemResponse;
 import io.quarkus.narayana.jta.QuarkusTransaction;
 import io.quarkus.panache.common.Page;
 import io.quarkus.panache.common.Parameters;
-import jakarta.transaction.Transactional;
+import io.quarkus.security.Authenticated;
+import jakarta.enterprise.context.RequestScoped;
 import jakarta.validation.Valid;
-import jakarta.validation.constraints.NotBlank;
-import jakarta.validation.constraints.NotNull;
-import jakarta.validation.constraints.PositiveOrZero;
 import jakarta.ws.rs.DELETE;
 import jakarta.ws.rs.ForbiddenException;
 import jakarta.ws.rs.GET;
@@ -19,22 +24,26 @@
 import jakarta.ws.rs.core.Response;
 import java.math.BigDecimal;
 import java.net.URI;
-import java.time.Instant;
-import java.time.LocalDateTime;
 import java.time.ZoneId;
-import java.time.ZoneOffset;
 import java.time.format.DateTimeFormatter;
 import java.util.List;
 import java.util.Optional;
+import org.eclipse.microprofile.jwt.Claim;
+import org.eclipse.microprofile.jwt.Claims;
 import org.jboss.resteasy.reactive.RestQuery;
 
+@RequestScoped
 @Path("/api/records")
+@Authenticated
 public class RecordResource {
 
+    static DateTimeFormatter formatter = DateTimeFormatter.ofPattern("dd/MM/yyyy");
+
+    @Claim(standard = Claims.upn)
+    String upn;
+
     RecordRepository recordRepository;
     UserRepository userRepository;
-    static DateTimeFormatter formatter = DateTimeFormatter.ofPattern("dd/MM/yyyy");
-    static Instant INSTANT_2025 = LocalDateTime.of(2025, 1, 1, 0, 0, 0).toInstant(ZoneOffset.UTC);
 
     public RecordResource(RecordRepository recordRepository, UserRepository userRepository) {
         this.recordRepository = recordRepository;
@@ -43,9 +52,9 @@ public RecordResource(RecordRepository recordRepository, UserRepository userRepo
 
     @DELETE
     @Path("/{id}")
-    @Transactional
     public Response delete(@PathParam("id") Long id) {
-        recordRepository.deleteById(id);
+        QuarkusTransaction.requiringNew().run(() -> recordRepository.delete("id = :id AND userId = :userId",
+                Parameters.with("id", id).and("userId", upn)));
         return Response.status(Response.Status.NO_CONTENT).build();
     }
 
@@ -56,8 +65,11 @@ public Response createRecord(@Valid CreateRecordRequest req) {
         Record record = new Record.Builder().userId(user.getId()).amount(req.amount()).description(req.description())
                 .transaction(req.transaction()).category(req.category()).build();
 
-        QuarkusTransaction.requiringNew().run(() -> this.recordRepository.persist(record));
+        if (!user.getId().equals(upn)) {
+            return Response.status(Response.Status.FORBIDDEN).build();
+        }
 
+        QuarkusTransaction.requiringNew().run(() -> this.recordRepository.persist(record));
         return Response.created(URI.create("/api/records/" + record.getId())).build();
     }
 
@@ -67,40 +79,29 @@ public Response getRecords(@RestQuery("page") String p, @RestQuery("limit") Stri
         int page = Integer.parseInt(Optional.of(p).orElse("0"));
         int limit = Integer.parseInt(Optional.of(l).orElse("10"));
 
-        long totalRecords = recordRepository.count();
+        // TODO: https://github.com/mcruzdev/timeless/issues/125
+        long totalRecords = recordRepository.count("userId = :userId", Parameters.with("userId", upn));
 
-        List<RecordItemResponse> output = recordRepository.findAll().page(Page.of(page, limit)).list().stream()
-                .map(record -> {
+        // pagination
+        List<RecordItemResponse> output = recordRepository.find("userId = :userId", Parameters.with("userId", upn))
+                .page(Page.of(page, limit)).list().stream().map(record -> {
                     String format = record.getCreatedAt().atZone(ZoneId.of("America/Sao_Paulo")).toLocalDate()
                             .format(formatter);
                     return new RecordItemResponse(record.getId(), record.getAmount(), record.getDescription(),
                             record.getTransaction().name(), format, record.getCategory().name());
                 }).toList();
 
-        List<Record> list = recordRepository.find("createdAt >= :instant AND createdAt <= :now",
-                Parameters.with("instant", INSTANT_2025).and("now", Instant.now())).list();
-
-        Optional<BigDecimal> totalExpenses = list.stream()
-                .filter(item -> item.getTransaction().equals(Transactions.OUT)).map(Record::getAmount)
+        // calculate total expenses and total in
+        List<AmountAndTypeOnly> amountAndType = recordRepository.getRecordsWithAmountAndTypeOnlyByUser(upn);
+        Optional<BigDecimal> totalExpenses = amountAndType.stream()
+                .filter(item -> item.getTransaction().equals(Transactions.OUT)).map(AmountAndTypeOnly::getAmount)
                 .reduce(BigDecimal::add);
 
-        Optional<BigDecimal> totalIn = list.stream().filter(item -> item.getTransaction().equals(Transactions.IN))
-                .map(Record::getAmount).reduce(BigDecimal::add);
+        Optional<BigDecimal> totalIn = amountAndType.stream()
+                .filter(item -> item.getTransaction().equals(Transactions.IN)).map(AmountAndTypeOnly::getAmount)
+                .reduce(BigDecimal::add);
 
-        return Response.ok(new PagedRecord(output, totalRecords, totalExpenses.orElse(BigDecimal.ZERO),
+        return Response.ok(new PageRecord(output, totalRecords, totalExpenses.orElse(BigDecimal.ZERO),
                 totalIn.orElse(BigDecimal.ZERO))).build();
     }
-
-    public record PagedRecord(List<RecordItemResponse> items, Long totalRecords, BigDecimal totalExpenses,
-            BigDecimal totalIn) {
-    }
-
-    public record RecordItemResponse(Long id, BigDecimal amount, String description, String transaction,
-            String createdAt, String category) {
-    }
-
-    public record CreateRecordRequest(@PositiveOrZero BigDecimal amount, @NotBlank String description,
-            @NotNull Transactions transaction, @NotBlank String from, @NotNull Categories category) {
-    }
-
 }

timeless-api/src/main/java/dev/matheuscruz/presentation/SignInResource.java

@@ -4,12 +4,12 @@
 import dev.matheuscruz.domain.UserRepository;
 import dev.matheuscruz.infra.security.BCryptAdapter;
 import dev.matheuscruz.infra.security.Groups;
+import dev.matheuscruz.presentation.data.SignInRequest;
+import dev.matheuscruz.presentation.data.SignInResponse;
 import io.quarkus.panache.common.Parameters;
 import io.smallrye.jwt.build.Jwt;
+import jakarta.annotation.security.PermitAll;
 import jakarta.validation.Valid;
-import jakarta.validation.constraints.Email;
-import jakarta.validation.constraints.NotBlank;
-import jakarta.validation.constraints.Size;
 import jakarta.ws.rs.ForbiddenException;
 import jakarta.ws.rs.POST;
 import jakarta.ws.rs.Path;
@@ -18,6 +18,7 @@
 import java.util.Set;
 
 @Path("/api/sign-in")
+@PermitAll
 public class SignInResource {
 
     UserRepository userRepository;
@@ -44,9 +45,4 @@ public Response signIn(@Valid SignInRequest req) {
         return Response.ok(new SignInResponse(token, user.getId(), user.fullName(), req.email())).build();
     }
 
-    public record SignInRequest(@Email String email, @NotBlank @Size(min = 8, max = 32) String password) {
-    }
-
-    public record SignInResponse(String token, String id, String name, String email) {
-    }
 }

timeless-api/src/main/java/dev/matheuscruz/presentation/SignUpResource.java

@@ -4,9 +4,10 @@
 import dev.matheuscruz.domain.UserRepository;
 import dev.matheuscruz.infra.security.AESAdapter;
 import dev.matheuscruz.infra.security.BCryptAdapter;
-import dev.matheuscruz.presentation.data.Problem;
+import dev.matheuscruz.presentation.data.ProblemResponse;
 import io.quarkus.logging.Log;
 import io.quarkus.narayana.jta.QuarkusTransaction;
+import jakarta.annotation.security.PermitAll;
 import jakarta.validation.Valid;
 import jakarta.validation.constraints.Email;
 import jakarta.validation.constraints.NotBlank;
@@ -16,6 +17,7 @@
 import jakarta.ws.rs.core.Response;
 
 @Path("/api/sign-up")
+@PermitAll
 public class SignUpResource {
 
     UserRepository userRepository;
@@ -33,7 +35,7 @@ public Response signUp(@Valid SignUpRequest req) {
         boolean exists = this.userRepository.existsByEmail(req.email());
         if (exists) {
             return Response.status(Response.Status.CONFLICT)
-                    .entity(new Problem("Este nome de usuário já foi usado. Tente outro.")).build();
+                    .entity(new ProblemResponse("Este nome de usuário já foi usado. Tente outro.")).build();
         }
 
         User user = User.create(req.email(), BCryptAdapter.encrypt(req.password()), req.firstName(), req.lastName(),