From 1484a7023cf022591f8c5ca100d37401a9e0c69f Mon Sep 17 00:00:00 2001
From: Jesse Brault
Date: Wed, 14 Aug 2024 09:29:11 -0500
Subject: [PATCH] Require principal for star mutations.
---
 .../api/recipe/RecipeController.java | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/main/java/app/mealsmadeeasy/api/recipe/RecipeController.java b/src/main/java/app/mealsmadeeasy/api/recipe/RecipeController.java
index 742308d..1fc017a 100644
--- a/src/main/java/app/mealsmadeeasy/api/recipe/RecipeController.java
+++ b/src/main/java/app/mealsmadeeasy/api/recipe/RecipeController.java
@@ -11,6 +11,7 @@ import org.springframework.data.domain.Pageable;
import org.springframework.data.domain.Slice;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.web.bind.annotation.*;
@@ -70,8 +71,11 @@ public class RecipeController {
public ResponseEntity addStar(
@PathVariable String username,
@PathVariable String slug,
- @AuthenticationPrincipal User principal
+ @Nullable @AuthenticationPrincipal User principal
) throws RecipeException {
+ if (principal == null) {
+ throw new AccessDeniedException("Must be logged in to star a recipe.");
+ }
return ResponseEntity.status(HttpStatus.CREATED).body(this.recipeStarService.create(username, slug, principal));
}
 
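Review bot: The unauthenticated-caller guard added to `addStar` is an imperative null check that every handler must remember to repeat; the framework-enforced form is `@PreAuthorize("isAuthenticated()")` on the handler (or an `authorizeHttpRequests` rule for the star routes), which runs before argument resolution and cannot be skipped when the next mutation endpoint is added, with the null check kept as defense in depth. Whether method security (`@EnableMethodSecurity`) is configured is not visible in this diff, so confirm it before relying on the annotation. Separately, the guard only establishes that a caller is logged in; whether `principal` is even allowed to see the `{username}/{slug}` recipe (a non-public one, say) is presumably left to `recipeStarService.create` — worth confirming. The handler's mapping annotation and the enclosing class start outside the hunk.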
@@ -79,8 +83,11 @@ public class RecipeController {
public ResponseEntity> getStar(
@PathVariable String username,
@PathVariable String slug,
- @AuthenticationPrincipal User principal
+ @Nullable @AuthenticationPrincipal User principal
) throws RecipeException {
+ if (principal == null) {
+ throw new AccessDeniedException("Must be logged in to get a recipe star.");
+ }
final @Nullable RecipeStar star = this.recipeStarService.find(username, slug, principal).orElse(null);
if (star != null) {
return ResponseEntity.ok(Map.of("isStarred", true, "star", star));
@@ -93,8 +100,11 @@ public class RecipeController {
public ResponseEntity removeStar(
@PathVariable String username,
@PathVariable String slug,
- @AuthenticationPrincipal User principal
+ @Nullable @AuthenticationPrincipal User principal
) throws RecipeException {
+ if (principal == null) {
+ throw new AccessDeniedException("Must be logged in to delete a recipe star.");
+ }
this.recipeStarService.delete(username, slug, principal);
return ResponseEntity.noContent().build();
}
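Review bot: The `principal == null` guard in `getStar` fires not only for anonymous callers but also whenever the current `Authentication`'s principal is not assignable to `User` — `@AuthenticationPrincipal` resolves such a type mismatch to `null` unless `errorOnInvalidType = true` is set — so a principal of another type (an OAuth2/JWT-backed user, for instance) would be denied with the misleading message "Must be logged in". If this application always binds a `User` principal, `@Nullable @AuthenticationPrincipal(errorOnInvalidType = true) User principal` makes a mismatch surface as a configuration error instead of a silent denial; whether that assumption holds is not visible here. `getStar`'s body continues past the hunk (the not-starred branch), and the same guard appears in the two neighbouring handlers, so one private `requirePrincipal(principal, "get a recipe star")` helper would keep the three checks and their messages in step.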
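Review bot: Throwing `AccessDeniedException` from `removeStar` only produces the intended 401 (anonymous caller routed to the `AuthenticationEntryPoint`) or 403 if the exception actually reaches Spring Security's `ExceptionTranslationFilter`; a catch-all `@ExceptionHandler(Exception.class)` or `@ControllerAdvice` in this project — not visible in the diff — would intercept it first and turn the denial into a 500 or a body echoing the message. Worth adding a test that an unauthenticated `DELETE` of the star route returns 401 and that `recipeStarService.delete` is never invoked, so the guard's contract is pinned rather than assumed. The mapping annotation on `removeStar` sits outside the hunk.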