extract user from session in text controller

prevent payload from spoofing ownership by reading the user
from the request attribute set by auth middleware. respond 401
when unauthenticated.

app/Text/TextController.php

@@ -2,6 +2,7 @@
 
 namespace App\Text;
 
+use App\User\User;
 use App\Exceptions\BadRequestException;
 use App\Text\TextRepository;
 use App\Text\UseCases\CreateText;
@@ -52,10 +53,19 @@ class TextController
     ): Response {
         $data = $request->getParsedBody();
         $name = $data['name'] ?? null;
+        $user = $request->getAttribute('user');
+        if (!$user instanceof User) {
+            return $this->errorResponse(
+                $response,
+                401,
+                'unauthenticated'
+            );
+        }
 
         try {
             $text = $createTextUseCase->execute(new CreateTextRequest(
                 name: $name,
+                user: $user,
             ));
         } catch (BadRequestException $e) {
             $response->getBody()->write(json_encode(['error' => $e->getMessage()]));
@@ -68,4 +78,17 @@ class TextController
         ]));
         return $response->withHeader('Content-Type', 'application/json');
     }
+
+    private function errorResponse(
+        Response $response,
+        int $status,
+        string $message,
+    ): Response {
+        $response->getBody()->write(
+            json_encode(['error' => $message])
+        );
+
+        return $response->withStatus($status)
+            ->withHeader('Content-Type', 'application/json');
+    }
 }