From bac832380636b6771d00ded30270897346e0e91a Mon Sep 17 00:00:00 2001
From: Yisroel Baum
Date: Sat, 2 May 2026 21:27:36 +0300
Subject: [PATCH] extract user from session in text controller
prevent payload from spoofing ownership by reading the user from the request attribute set by auth middleware. respond 401 when unauthenticated.
---
 app/Text/TextController.php | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/app/Text/TextController.php b/app/Text/TextController.php
index 3834f32..14230e1 100644
--- a/app/Text/TextController.php
+++ b/app/Text/TextController.php
@@ -2,6 +2,7 @@
 namespace App\Text;
+use App\User\User;
 use App\Exceptions\BadRequestException;
 use App\Text\TextRepository;
 use App\Text\UseCases\CreateText;
@@ -52,10 +53,19 @@ class TextController
     ): Response {
         $data = $request->getParsedBody();
         $name = $data['name'] ?? null;
+        $user = $request->getAttribute('user');
+        if (!$user instanceof User) {
+            return $this->errorResponse(
+                $response,
+                401,
+                'unauthenticated'
+            );
+        }
         try {
             $text = $createTextUseCase->execute(new CreateTextRequest(
                 name: $name,
+                user: $user,
             ));
         } catch (BadRequestException $e) {
             $response->getBody()->write(json_encode(['error' => $e->getMessage()]));
@@ -68,4 +78,17 @@ class TextController
         ]));
         return $response->withHeader('Content-Type', 'application/json');
     }
+
+    private function errorResponse(
+        Response $response,
+        int $status,
+        string $message,
+    ): Response {
+        $response->getBody()->write(
+            json_encode(['error' => $message])
+        );
+
+        return $response->withStatus($status)
+            ->withHeader('Content-Type', 'application/json');
+    }
 }
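Review bot: `use App\User\User;` is inserted above `App\Exceptions\BadRequestException`, which breaks the alphabetical order the three surrounding imports keep. Moving it below `use App\Text\UseCases\CreateText;` keeps the block sorted; the rest of the import block lies outside this hunk, so check there is no later `App\User` line it should sit next to.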
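Review bot: The catch block on the hunk's last line still builds its error body inline with a bare `json_encode`, while the new 401 branch above it goes through the errorResponse helper; routing both through the helper keeps the error shape and Content-Type handling in one place, e.g. `return $this->errorResponse($response, <status the catch currently returns>, $e->getMessage());`, but the status and return of that catch sit outside the hunk, so confirm them before changing it. The `'user'` attribute key is a bare string that has to match whatever the auth middleware writes; a shared constant (for instance `User::REQUEST_ATTRIBUTE`, name constructed) referenced from both sides would stop the two from drifting, since a mismatch here fails closed and turns every request into a 401. A one-line why-comment above the lookup would preserve the intent the commit message states: `// Ownership comes from the authenticated principal the auth middleware stored on the request, never from the parsed body.` The method's signature and the end of the catch block lie outside this hunk.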
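Review bot: `json_encode` in errorResponse runs without `JSON_THROW_ON_ERROR`, so an unencodable `$message` (for example an exception message that echoes request input which is not valid UTF-8) makes it return `false`, and passing that to `write()` then either raises a TypeError (if `Response` is PSR-7 and strict_types is on) or writes an empty body, yielding a JSON error response with no JSON in it. Pass the flag so the failure is explicit rather than silent: `json_encode(['error' => $message], JSON_THROW_ON_ERROR)`. A short docblock would also help a reader: describe the helper as writing a `{"error": ...}` body and returning the response with the given status and a JSON Content-Type, with `@throws \JsonException` once the flag is added.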