Type
Security / Backend
Problem
Several API flows currently trust client-provided identity or lack ownership checks. This creates security risks around authentication, event management, and group membership.
Scope
Fix the following issues:
- Google auth trusts
googleId, email, and name from the request body.
- Events do not have an owner, so update/delete authorization cannot be enforced.
- Group member endpoints allow arbitrary member add/remove operations.
- Group controller accepts
X-User-Email and falls back to admin@email.com.
- Group creation says
eventId is optional, but schema requires event_id.
Acceptance Criteria
POST /auth/google accepts a Google ID token, not raw identity fields.
- Google token verification checks:
- Signature
- Issuer
- Audience
- Expiry
email_verified
- User identity is derived only from verified token claims.
- Event entity has an owner/creator user reference.
- Event creation uses the authenticated user as owner.
- Event update/delete is allowed only for the event owner or admin.
- Group member add/remove operations are restricted to group admin, with self-leave handled separately if needed.
X-User-Email fallback is removed from group flows.
- No fallback to
admin@email.com exists.
- Product decision is made for independent groups:
- Either make
eventId required in the API
- Or make
event_groups.event_id nullable in JPA and Liquibase
- Regression tests cover:
- Fake Google login
- Event ownership
- Group member permissions
- Group creation rules
- Full test suite passes.
Suggested Implementation Order
- Replace Google auth request DTO with
idToken.
- Add Google token verifier service/config.
- Remove
X-User-Email and fallback identity behavior.
- Add event owner field and Liquibase migration.
- Enforce owner-or-admin event update/delete.
- Restrict group member mutation endpoints.
- Resolve independent group schema/API mismatch.
- Add regression tests.
Type
Security / Backend
Problem
Several API flows currently trust client-provided identity or lack ownership checks. This creates security risks around authentication, event management, and group membership.
Scope
Fix the following issues:
googleId,email, andnamefrom the request body.X-User-Emailand falls back toadmin@email.com.eventIdis optional, but schema requiresevent_id.Acceptance Criteria
POST /auth/googleaccepts a Google ID token, not raw identity fields.email_verifiedX-User-Emailfallback is removed from group flows.admin@email.comexists.eventIdrequired in the APIevent_groups.event_idnullable in JPA and LiquibaseSuggested Implementation Order
idToken.X-User-Emailand fallback identity behavior.