mirror of
https://github.com/azaion/missions.git
synced 2026-06-21 18:51:07 +00:00
7025f4d075
Updated JWT authentication to use configuration values instead of hardcoded secrets, improving security and flexibility. Enhanced CORS policy to conditionally allow origins based on configuration settings, with logging for permissive defaults. Updated README to reflect project renaming and clarify service context.
72 lines
3.2 KiB
Markdown
# Module: `Azaion.Missions.Controllers.VehiclesController`

**File**: `Controllers/VehiclesController.cs`

> **NOTE (forward-looking)**: post-rename. Today's source is `Controllers/AircraftsController.cs` mounted at `[Route("aircrafts")]`. Renames and route changes are tracked under Jira AZ-EPIC children B6 (domain rename) and B8 (HTTP route prefix rename).

## Purpose

REST surface for the `vehicles` resource. Thin HTTP wrapper over `VehicleService` -- every action delegates 1:1 to the service with no extra logic.

## Public Interface

| HTTP | Route | Action | Body / Query | Returns |
|------|-------|--------|--------------|---------|
| `POST` | `/vehicles` | `Create` | body: `CreateVehicleRequest` | `201 Created` + `Location: /vehicles/{id}`, body: `Vehicle` |
| `PUT` | `/vehicles/{id:guid}` | `Update` | body: `UpdateVehicleRequest` | `200 OK`, body: `Vehicle` |
| `DELETE` | `/vehicles/{id:guid}` | `Delete` | -- | `204 No Content` |
| `GET` | `/vehicles` | `GetAll` | query: `GetVehiclesQuery` (`Name?`, `IsDefault?`) | `200 OK`, body: `List<Vehicle>` (no pagination) |
| `GET` | `/vehicles/{id:guid}` | `Get` | -- | `200 OK`, body: `Vehicle` |
| `PATCH` | `/vehicles/{id:guid}/default` | `SetDefault` | body: `SetDefaultRequest` | `204 No Content` |

Class-level attributes:

- `[ApiController]` -- automatic 400 for model-binding/validation failures (note: the request types carry no validation attributes, so this rarely triggers).
- `[Route("vehicles")]` -- base path.
- `[Authorize(Policy = "FL")]` -- every action requires the `FL` JWT permission claim.

## Internal Logic

Each action is a one-liner: await the service, return `Created`/`Ok`/`NoContent`.

`Create` returns the persisted entity (including the server-generated `Id`).

`Update`, `Get`, `GetAll` return entities directly (no DTO mapping -- the entity IS the response shape).

## Dependencies

- `Azaion.Missions.Services.VehicleService` (constructor-injected)
- `Azaion.Missions.DTOs` (request/query types)
- ASP.NET Core MVC: `ControllerBase`, `[ApiController]`, `[Route]`, `[Authorize]`, route-binding attributes.

## Consumers

- HTTP clients (frontend, other services, Swagger UI, integration tests).

## Data Models

Returns the `Vehicle` entity directly on the wire -- fields are serialized as PascalCase properties (`System.Text.Json` default; no camelCase configuration is set in `Program.cs`).

## Configuration

None directly.

## External Integrations

None directly -- the service does the DB work.

## Security

- Every action is gated by `Policy = "FL"` (JWT claim `permissions = FL`).
- No anti-CSRF protection (REST API with JWT auth -- typical, and safe as long as the token travels in the `Authorization` header rather than in a cookie the browser attaches automatically).
- No rate limiting at this layer.
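
Added example (not the project's own `Program.cs`, which is not on this page) of how the `FL` policy that the `[Authorize(Policy = "FL")]` attribute resolves to would be registered next to the JWT bearer setup, with the signing key, issuer and audience read from configuration; the `Jwt:Issuer`, `Jwt:Audience` and `Jwt:Key` keys and the single-action controller are assumptions.

```csharp
// Added example, not the project's Program.cs. Assumes configuration keys Jwt:Issuer,
// Jwt:Audience and Jwt:Key, and a JWT carrying a "permissions" claim (value "FL").
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
var jwt = builder.Configuration.GetSection("Jwt");
// Fail fast instead of silently validating against an empty or hardcoded key.
var key = jwt["Key"] ?? throw new InvalidOperationException("Jwt:Key is not configured");

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = jwt["Issuer"],
        ValidateAudience = true,
        ValidAudience = jwt["Audience"],
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key)),
    });

builder.Services.AddAuthorization(o =>
    // The name must match the attribute exactly; an unregistered policy name is rejected
    // with InvalidOperationException rather than letting the request through.
    // Missing/invalid token -> 401 from the bearer handler; valid token without
    // permissions=FL -> 403 from this policy, before the action body runs.
    o.AddPolicy("FL", p => p.RequireAuthenticatedUser().RequireClaim("permissions", "FL")));

builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();   // order matters: authenticate before authorize
app.UseAuthorization();
app.MapControllers();
app.Run();

// Minimal stand-in for the controller described above (assumed shape, one action).
[ApiController]
[Route("vehicles")]
[Authorize(Policy = "FL")]
public class VehiclesController : ControllerBase
{
    [HttpGet("{id:guid}")]
    public IActionResult Get(Guid id) => Ok(new { Id = id });
}
```

Because the policy is evaluated by the authorization middleware, none of the controller's delegating one-liners run for a caller lacking the claim, which is what makes the thin-wrapper design safe to keep.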

## Tests

None present.

## Notes / Smells

1. **Entity leakage on the wire** -- controllers return `Vehicle` entities. For `Vehicle` there are no associations, so no over-fetch happens. (Compare to `MissionsController`, which returns `Mission` -- that DOES have `Vehicle` and `List<Waypoint>` associations; lazy-load behavior depends on LinqToDB defaults.)
2. **No explicit HEAD / OPTIONS handlers** -- relies on framework defaults.
3. **`PATCH` for `SetDefault`** is semantically a partial update -- appropriate. Body is a tiny `{ IsDefault: bool }` dedicated DTO.
4. **`Created` body includes the entity** -- consistent with REST best practice (avoids a follow-up GET).