feat: Enhance document ownership checks in IDocumentStore and InMemoryDocumentStore, update DocumentsController to validate ownership, and add unit tests for ownership scenarios

NikaNats · NikaNats · commit 65ed0b2676f7 · 2026-03-19T22:00:35.000+04:00
diff --git a/src/Sentinel.Application/Common/Abstractions/IDocumentStore.cs b/src/Sentinel.Application/Common/Abstractions/IDocumentStore.cs
@@ -5,7 +5,7 @@ namespace Sentinel.Application.Common.Abstractions;
 public interface IDocumentStore
 {
     Task<IReadOnlyCollection<DocumentDto>> ListAsync(string ownerSub, CancellationToken cancellationToken);
-    Task<DocumentDto?> GetByIdAsync(Guid id, CancellationToken cancellationToken);
+    Task<DocumentDto?> GetByIdAsync(Guid id, string ownerSub, CancellationToken cancellationToken);
     Task<DocumentDto> CreateAsync(string ownerSub, CreateDocumentRequest request, CancellationToken cancellationToken);
     Task<DocumentDto?> UpdateAsync(Guid id, string ownerSub, UpdateDocumentRequest request, CancellationToken cancellationToken);
     Task<bool> DeleteAsync(Guid id, string ownerSub, CancellationToken cancellationToken);
diff --git a/src/Sentinel.Infrastructure/Cache/InMemoryDocumentStore.cs b/src/Sentinel.Infrastructure/Cache/InMemoryDocumentStore.cs
@@ -21,10 +21,17 @@ public Task<IReadOnlyCollection<DocumentDto>> ListAsync(string ownerSub, Cancell
         return Task.FromResult<IReadOnlyCollection<DocumentDto>>(results);
     }
 
-    public Task<DocumentDto?> GetByIdAsync(Guid id, CancellationToken cancellationToken)
+    public Task<DocumentDto?> GetByIdAsync(Guid id, string ownerSub, CancellationToken cancellationToken)
     {
         cancellationToken.ThrowIfCancellationRequested();
-        return Task.FromResult(documents.TryGetValue(id, out var state) ? Map(state) : null);
+
+        if (!documents.TryGetValue(id, out var state)
+            || !string.Equals(state.OwnerSub, ownerSub, StringComparison.Ordinal))
+        {
+            return Task.FromResult<DocumentDto?>(null);
+        }
+
+        return Task.FromResult<DocumentDto?>(Map(state));
     }
 
     public Task<DocumentDto> CreateAsync(string ownerSub, CreateDocumentRequest request, CancellationToken cancellationToken)
@@ -47,6 +54,7 @@ public Task<DocumentDto> CreateAsync(string ownerSub, CreateDocumentRequest requ
     public Task<DocumentDto?> UpdateAsync(Guid id, string ownerSub, UpdateDocumentRequest request, CancellationToken cancellationToken)
     {
         cancellationToken.ThrowIfCancellationRequested();
+        var spinWait = new SpinWait();
 
         while (documents.TryGetValue(id, out var current))
         {
@@ -66,6 +74,8 @@ public Task<DocumentDto> CreateAsync(string ownerSub, CreateDocumentRequest requ
             {
                 return Task.FromResult<DocumentDto?>(Map(updated));
             }
+
+            spinWait.SpinOnce();
         }
 
         return Task.FromResult<DocumentDto?>(null);
diff --git a/src/Sentinel.Infrastructure/Cache/SessionBlacklistCache.cs b/src/Sentinel.Infrastructure/Cache/SessionBlacklistCache.cs
@@ -1,22 +1,20 @@
-using Microsoft.Extensions.Caching.Distributed;
 using Sentinel.Application.Common.Abstractions;
+using StackExchange.Redis;
 
 namespace Sentinel.Infrastructure.Cache;
 
-public sealed class SessionBlacklistCache(IDistributedCache cache, ILogger<SessionBlacklistCache> logger) : ISessionBlacklistCache
+public sealed class SessionBlacklistCache(IConnectionMultiplexer redis, ILogger<SessionBlacklistCache> logger) : ISessionBlacklistCache
 {
+    private readonly IDatabase db = redis.GetDatabase();
     private static string GetKey(string sessionId) => $"blacklist:sid:{sessionId}";
 
     public async Task BlacklistSessionAsync(string sessionId, TimeSpan ttl, CancellationToken ct)
     {
+        ct.ThrowIfCancellationRequested();
+
         try
         {
-            var options = new DistributedCacheEntryOptions
-            {
-                AbsoluteExpirationRelativeToNow = ttl
-            };
-
-            await cache.SetAsync(GetKey(sessionId), [], options, ct);
+            await db.StringSetAsync(GetKey(sessionId), RedisValue.EmptyString, ttl, When.Always, CommandFlags.None);
             logger.LogInformation("Session {SessionId} blacklisted for {TtlSeconds} seconds.", sessionId, ttl.TotalSeconds);
         }
         catch (Exception ex)
@@ -28,10 +26,11 @@ public async Task BlacklistSessionAsync(string sessionId, TimeSpan ttl, Cancella
 
     public async ValueTask<bool> IsSessionBlacklistedAsync(string sessionId, CancellationToken ct)
     {
+        ct.ThrowIfCancellationRequested();
+
         try
         {
-            var value = await cache.GetAsync(GetKey(sessionId), ct);
-            return value is not null;
+            return await db.KeyExistsAsync(GetKey(sessionId), CommandFlags.None);
         }
         catch (Exception ex)
         {
diff --git a/src/Sentinel.Presentation/Controllers/DocumentsController.cs b/src/Sentinel.Presentation/Controllers/DocumentsController.cs
@@ -11,14 +11,16 @@ namespace Sentinel.Controllers;
 [Route("v1/documents")]
 public sealed class DocumentsController(IDocumentStore documentStore, ILogger<DocumentsController> logger) : ControllerBase
 {
+    private string? CurrentSub => User.FindFirst("sub")?.Value;
+
     [HttpGet]
     [Authorize(Policy = Policies.DocumentsRead)]
     [ProducesResponseType(StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status401Unauthorized)]
     [ProducesResponseType(StatusCodes.Status403Forbidden)]
     public async Task<IActionResult> ListDocuments(CancellationToken cancellationToken)
     {
-        var subject = User.FindFirst("sub")?.Value;
+        var subject = CurrentSub;
         if (string.IsNullOrWhiteSpace(subject))
         {
             return Unauthorized();
@@ -36,14 +38,14 @@ public async Task<IActionResult> ListDocuments(CancellationToken cancellationTok
     [ProducesResponseType(StatusCodes.Status403Forbidden)]
     public async Task<IActionResult> GetDocument(Guid id, CancellationToken cancellationToken)
     {
-        var subject = User.FindFirst("sub")?.Value;
+        var subject = CurrentSub;
         if (string.IsNullOrWhiteSpace(subject))
         {
             return Unauthorized();
         }
 
-        var document = await documentStore.GetByIdAsync(id, cancellationToken);
-        if (document is null || !string.Equals(document.OwnerSub, subject, StringComparison.Ordinal))
+        var document = await documentStore.GetByIdAsync(id, subject, cancellationToken);
+        if (document is null)
         {
             return NotFound();
         }
@@ -61,7 +63,7 @@ public async Task<IActionResult> GetDocument(Guid id, CancellationToken cancella
     [ProducesResponseType(StatusCodes.Status409Conflict)]
     public async Task<IActionResult> CreateDocument([FromBody] CreateDocumentRequest request, CancellationToken cancellationToken)
     {
-        var subject = User.FindFirst("sub")?.Value;
+        var subject = CurrentSub;
         if (string.IsNullOrWhiteSpace(subject))
         {
             return Unauthorized();
@@ -87,7 +89,7 @@ public async Task<IActionResult> CreateDocument([FromBody] CreateDocumentRequest
     [ProducesResponseType(StatusCodes.Status409Conflict)]
     public async Task<IActionResult> UpdateDocument(Guid id, [FromBody] UpdateDocumentRequest request, CancellationToken cancellationToken)
     {
-        var subject = User.FindFirst("sub")?.Value;
+        var subject = CurrentSub;
         if (string.IsNullOrWhiteSpace(subject))
         {
             return Unauthorized();
@@ -104,7 +106,6 @@ public async Task<IActionResult> UpdateDocument(Guid id, [FromBody] UpdateDocume
 
     [HttpDelete("{id}")]
     [Authorize(Policy = Policies.DocumentsWrite)]
-    [RequireIdempotency]
     [RequireMtlsBinding]
     [ProducesResponseType(StatusCodes.Status204NoContent)]
     [ProducesResponseType(StatusCodes.Status401Unauthorized)]
@@ -113,7 +114,7 @@ public async Task<IActionResult> UpdateDocument(Guid id, [FromBody] UpdateDocume
     [ProducesResponseType(StatusCodes.Status409Conflict)]
     public async Task<IActionResult> DeleteDocument(Guid id, CancellationToken cancellationToken)
     {
-        var subject = User.FindFirst("sub")?.Value;
+        var subject = CurrentSub;
         if (string.IsNullOrWhiteSpace(subject))
         {
             return Unauthorized();
diff --git a/src/Sentinel.Presentation/Controllers/ProfileController.cs b/src/Sentinel.Presentation/Controllers/ProfileController.cs
@@ -21,9 +21,18 @@ public IActionResult GetProfile()
         var displayName = User.FindFirstValue("name") ?? string.Empty;
 
         var rolesClaim = User.FindFirst("realm_access.roles")?.Value;
-        var roles = string.IsNullOrWhiteSpace(rolesClaim)
-            ? []
-            : JsonSerializer.Deserialize<string[]>(rolesClaim) ?? [];
+        var roles = Array.Empty<string>();
+        if (!string.IsNullOrWhiteSpace(rolesClaim))
+        {
+            try
+            {
+                roles = JsonSerializer.Deserialize<string[]>(rolesClaim) ?? [];
+            }
+            catch (JsonException)
+            {
+                roles = [];
+            }
+        }
 
         if (string.IsNullOrWhiteSpace(sub))
         {
diff --git a/src/Sentinel.Presentation/DependencyInjection/ApiServiceCollectionExtensions.cs b/src/Sentinel.Presentation/DependencyInjection/ApiServiceCollectionExtensions.cs
@@ -92,10 +92,10 @@ public static WebApplication UseApiLayer(this WebApplication app)
         app.UseRouting();
 
         app.UseAuthentication();
-        app.UseRateLimiter();
         app.UseMiddleware<DpopValidationMiddleware>();
         app.UseMiddleware<MtlsBindingMiddleware>();
         app.UseMiddleware<AcrValidationMiddleware>();
+        app.UseRateLimiter();
         app.UseAuthorization();
 
         app.MapPrometheusScrapingEndpoint();
diff --git a/src/Sentinel.Presentation/Middleware/DpopValidationMiddleware.cs b/src/Sentinel.Presentation/Middleware/DpopValidationMiddleware.cs
@@ -46,6 +46,7 @@ public async Task InvokeAsync(HttpContext context)
         }
 
         var token = authHeader["DPoP ".Length..].Trim();
+        // RFC 9449 section 4.2: htu excludes query string and fragment.
         var requestUrl = $"{context.Request.Scheme}://{context.Request.Host}{context.Request.Path}";
 
         var thumbprint = TryExtractProofThumbprint(dpopProof);
diff --git a/src/Sentinel.Presentation/Middleware/Filters/RequireIdempotencyAttribute.cs b/src/Sentinel.Presentation/Middleware/Filters/RequireIdempotencyAttribute.cs
@@ -1,6 +1,7 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Microsoft.AspNetCore.Mvc.Infrastructure;
+using Microsoft.Extensions.Logging.Abstractions;
 using StackExchange.Redis;
 
 namespace Sentinel.Middleware.Filters;
@@ -26,20 +27,43 @@ public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionE
         }
 
         var idempotencyKey = keyValues.ToString();
+        var logger = context.HttpContext.RequestServices.GetService<ILogger<RequireIdempotencyAttribute>>()
+            ?? NullLogger<RequireIdempotencyAttribute>.Instance;
         var redis = context.HttpContext.RequestServices.GetRequiredService<IConnectionMultiplexer>();
         var db = redis.GetDatabase();
         var sub = context.HttpContext.User.FindFirst("sub")?.Value ?? "anonymous";
         var redisKey = $"idempotency:{sub}:{idempotencyKey}";
 
-        bool lockAcquired = await db.StringSetAsync(
-            redisKey,
-            "IN_PROGRESS",
-            TimeSpan.FromMinutes(5),
-            When.NotExists);
+        bool lockAcquired;
+        try
+        {
+            lockAcquired = await db.StringSetAsync(
+                redisKey,
+                "IN_PROGRESS",
+                TimeSpan.FromMinutes(5),
+                When.NotExists);
+        }
+        catch (RedisException ex)
+        {
+            logger.LogCritical(ex, "Redis unavailable during idempotency check.");
+            context.Result = BuildUnavailableResult();
+            return;
+        }
 
         if (!lockAcquired)
         {
-            var currentState = await db.StringGetAsync(redisKey);
+            RedisValue currentState;
+            try
+            {
+                currentState = await db.StringGetAsync(redisKey);
+            }
+            catch (RedisException ex)
+            {
+                logger.LogCritical(ex, "Redis unavailable during idempotency state read.");
+                context.Result = BuildUnavailableResult();
+                return;
+            }
+
             if (string.Equals(currentState.ToString(), "COMPLETED", StringComparison.Ordinal))
             {
                 context.Result = new NoContentResult();
@@ -62,20 +86,57 @@ public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionE
 
             if (executedContext.Exception is null && IsSuccessfulResult(executedContext.Result))
             {
-                await db.StringSetAsync(redisKey, "COMPLETED", TimeSpan.FromHours(24), When.Always);
+                try
+                {
+                    await db.StringSetAsync(redisKey, "COMPLETED", TimeSpan.FromHours(24), When.Always);
+                }
+                catch (RedisException ex)
+                {
+                    logger.LogCritical(ex, "Redis unavailable while marking idempotency request as completed.");
+                    executedContext.Result = BuildUnavailableResult();
+                }
             }
             else
             {
-                await db.KeyDeleteAsync(redisKey);
+                try
+                {
+                    await db.KeyDeleteAsync(redisKey);
+                }
+                catch (RedisException ex)
+                {
+                    logger.LogCritical(ex, "Redis unavailable while releasing idempotency lock after unsuccessful request.");
+                    executedContext.Result = BuildUnavailableResult();
+                }
             }
         }
         catch
         {
-            await db.KeyDeleteAsync(redisKey);
+            try
+            {
+                await db.KeyDeleteAsync(redisKey);
+            }
+            catch (RedisException ex)
+            {
+                logger.LogCritical(ex, "Redis unavailable while releasing idempotency lock after exception.");
+            }
+
             throw;
         }
     }
 
+    private static ObjectResult BuildUnavailableResult()
+    {
+        return new ObjectResult(new ProblemDetails
+        {
+            Type = "/errors/idempotency-unavailable",
+            Title = "Idempotency service unavailable",
+            Status = StatusCodes.Status503ServiceUnavailable
+        })
+        {
+            StatusCode = StatusCodes.Status503ServiceUnavailable
+        };
+    }
+
     private static bool IsSuccessfulResult(IActionResult? result)
     {
         if (result is IStatusCodeActionResult statusCodeResult)
diff --git a/tests/Sentinel.Tests/Integration/SecurityScenarioTests.cs b/tests/Sentinel.Tests/Integration/SecurityScenarioTests.cs
@@ -184,23 +184,23 @@ public async Task S11_MissingScope_Returns403()
     [Fact]
     public async Task S07_RateLimitExceeded_Returns429()
     {
-        using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
-        var jwk = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(new ECDsaSecurityKey(ecdsa));
-        var jwkObject = new Dictionary<string, string>
-        {
-            ["crv"] = jwk.Crv!,
-            ["kty"] = jwk.Kty!,
-            ["x"] = jwk.X!,
-            ["y"] = jwk.Y!
-        };
-        var jkt = ComputeEcThumbprint(jwkObject);
-
         var successCount = 0;
         var rateLimitedCount = 0;
         var requestUrl = new Uri(client.BaseAddress!, "/v1/profile").ToString();
 
-        var tasks = Enumerable.Range(0, 105).Select(async _ =>
+        var tasks = Enumerable.Range(0, 160).Select(async _ =>
         {
+            using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
+            var jwk = JsonWebKeyConverter.ConvertFromECDsaSecurityKey(new ECDsaSecurityKey(ecdsa));
+            var jwkObject = new Dictionary<string, string>
+            {
+                ["crv"] = jwk.Crv!,
+                ["kty"] = jwk.Kty!,
+                ["x"] = jwk.X!,
+                ["y"] = jwk.Y!
+            };
+
+            var jkt = ComputeEcThumbprint(jwkObject);
             var accessToken = TestTokenIssuer.MintAccessToken(jkt);
             using var request = CreateSignedRequest(ecdsa, jwkObject, accessToken, HttpMethod.Get, requestUrl);
             var response = await client.SendAsync(request, TestContext.Current.CancellationToken);
diff --git a/tests/Sentinel.Tests/Security/RateLimitingBypassAttemptsTests.cs b/tests/Sentinel.Tests/Security/RateLimitingBypassAttemptsTests.cs
diff --git a/tests/Sentinel.Tests/Unit/DocumentsControllerOwnershipTests.cs b/tests/Sentinel.Tests/Unit/DocumentsControllerOwnershipTests.cs
diff --git a/tests/Sentinel.Tests/Unit/InMemoryDocumentStoreOwnershipTests.cs b/tests/Sentinel.Tests/Unit/InMemoryDocumentStoreOwnershipTests.cs
diff --git a/tests/Sentinel.Tests/Unit/SessionBlacklistCacheTests.cs b/tests/Sentinel.Tests/Unit/SessionBlacklistCacheTests.cs

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ namespace Sentinel.Application.Common.Abstractions;`
`5`	`5`	`public interface IDocumentStore`
`6`	`6`	`{`
`7`	`7`	`Task<IReadOnlyCollection<DocumentDto>> ListAsync(string ownerSub, CancellationToken cancellationToken);`
`8`		`- Task<DocumentDto?> GetByIdAsync(Guid id, CancellationToken cancellationToken);`
	`8`	`+ Task<DocumentDto?> GetByIdAsync(Guid id, string ownerSub, CancellationToken cancellationToken);`
`9`	`9`	`Task<DocumentDto> CreateAsync(string ownerSub, CreateDocumentRequest request, CancellationToken cancellationToken);`
`10`	`10`	`Task<DocumentDto?> UpdateAsync(Guid id, string ownerSub, UpdateDocumentRequest request, CancellationToken cancellationToken);`
`11`	`11`	`Task<bool> DeleteAsync(Guid id, string ownerSub, CancellationToken cancellationToken);`
Original file line number	Diff line number	Diff line change
`@@ -21,10 +21,17 @@ public Task<IReadOnlyCollection<DocumentDto>> ListAsync(string ownerSub, Cancell`
`21`	`21`	`return Task.FromResult<IReadOnlyCollection<DocumentDto>>(results);`
`22`	`22`	`}`
`23`	`23`
`24`		`- public Task<DocumentDto?> GetByIdAsync(Guid id, CancellationToken cancellationToken)`
	`24`	`+ public Task<DocumentDto?> GetByIdAsync(Guid id, string ownerSub, CancellationToken cancellationToken)`
`25`	`25`	`{`
`26`	`26`	`cancellationToken.ThrowIfCancellationRequested();`
`27`		`- return Task.FromResult(documents.TryGetValue(id, out var state) ? Map(state) : null);`
	`27`	`+`
	`28`	`+ if (!documents.TryGetValue(id, out var state)`
	`29`	`+ \|\| !string.Equals(state.OwnerSub, ownerSub, StringComparison.Ordinal))`
	`30`	`+ {`
	`31`	`+ return Task.FromResult<DocumentDto?>(null);`
	`32`	`+ }`
	`33`	`+`
	`34`	`+ return Task.FromResult<DocumentDto?>(Map(state));`
`28`	`35`	`}`
`29`	`36`
`30`	`37`	`public Task<DocumentDto> CreateAsync(string ownerSub, CreateDocumentRequest request, CancellationToken cancellationToken)`
`@@ -47,6 +54,7 @@ public Task<DocumentDto> CreateAsync(string ownerSub, CreateDocumentRequest requ`
`47`	`54`	`public Task<DocumentDto?> UpdateAsync(Guid id, string ownerSub, UpdateDocumentRequest request, CancellationToken cancellationToken)`
`48`	`55`	`{`
`49`	`56`	`cancellationToken.ThrowIfCancellationRequested();`
	`57`	`+ var spinWait = new SpinWait();`
`50`	`58`
`51`	`59`	`while (documents.TryGetValue(id, out var current))`
`52`	`60`	`{`
`@@ -66,6 +74,8 @@ public Task<DocumentDto> CreateAsync(string ownerSub, CreateDocumentRequest requ`
`66`	`74`	`{`
`67`	`75`	`return Task.FromResult<DocumentDto?>(Map(updated));`
`68`	`76`	`}`
	`77`	`+`
	`78`	`+ spinWait.SpinOnce();`
`69`	`79`	`}`
`70`	`80`
`71`	`81`	`return Task.FromResult<DocumentDto?>(null);`
Original file line number	Diff line number	Diff line change
`@@ -1,22 +1,20 @@`
`1`		`-using Microsoft.Extensions.Caching.Distributed;`
`2`	`1`	`using Sentinel.Application.Common.Abstractions;`
	`2`	`+using StackExchange.Redis;`
`3`	`3`
`4`	`4`	`namespace Sentinel.Infrastructure.Cache;`
`5`	`5`
`6`		`-public sealed class SessionBlacklistCache(IDistributedCache cache, ILogger<SessionBlacklistCache> logger) : ISessionBlacklistCache`
	`6`	`+public sealed class SessionBlacklistCache(IConnectionMultiplexer redis, ILogger<SessionBlacklistCache> logger) : ISessionBlacklistCache`
`7`	`7`	`{`
	`8`	`+ private readonly IDatabase db = redis.GetDatabase();`
`8`	`9`	`private static string GetKey(string sessionId) => $"blacklist:sid:{sessionId}";`
`9`	`10`
`10`	`11`	`public async Task BlacklistSessionAsync(string sessionId, TimeSpan ttl, CancellationToken ct)`
`11`	`12`	`{`
	`13`	`+ ct.ThrowIfCancellationRequested();`
	`14`	`+`
`12`	`15`	`try`
`13`	`16`	`{`
`14`		`- var options = new DistributedCacheEntryOptions`
`15`		`- {`
`16`		`- AbsoluteExpirationRelativeToNow = ttl`
`17`		`- };`
`18`		`-`
`19`		`- await cache.SetAsync(GetKey(sessionId), [], options, ct);`
	`17`	`+ await db.StringSetAsync(GetKey(sessionId), RedisValue.EmptyString, ttl, When.Always, CommandFlags.None);`
`20`	`18`	`logger.LogInformation("Session {SessionId} blacklisted for {TtlSeconds} seconds.", sessionId, ttl.TotalSeconds);`
`21`	`19`	`}`
`22`	`20`	`catch (Exception ex)`
`@@ -28,10 +26,11 @@ public async Task BlacklistSessionAsync(string sessionId, TimeSpan ttl, Cancella`
`28`	`26`
`29`	`27`	`public async ValueTask<bool> IsSessionBlacklistedAsync(string sessionId, CancellationToken ct)`
`30`	`28`	`{`
	`29`	`+ ct.ThrowIfCancellationRequested();`
	`30`	`+`
`31`	`31`	`try`
`32`	`32`	`{`
`33`		`- var value = await cache.GetAsync(GetKey(sessionId), ct);`
`34`		`- return value is not null;`
	`33`	`+ return await db.KeyExistsAsync(GetKey(sessionId), CommandFlags.None);`
`35`	`34`	`}`
`36`	`35`	`catch (Exception ex)`
`37`	`36`	`{`
Original file line number	Diff line number	Diff line change
`@@ -11,14 +11,16 @@ namespace Sentinel.Controllers;`
`11`	`11`	`[Route("v1/documents")]`
`12`	`12`	`public sealed class DocumentsController(IDocumentStore documentStore, ILogger<DocumentsController> logger) : ControllerBase`
`13`	`13`	`{`
	`14`	`+ private string? CurrentSub => User.FindFirst("sub")?.Value;`
	`15`	`+`
`14`	`16`	`[HttpGet]`
`15`	`17`	`[Authorize(Policy = Policies.DocumentsRead)]`
`16`	`18`	`[ProducesResponseType(StatusCodes.Status200OK)]`
`17`	`19`	`[ProducesResponseType(StatusCodes.Status401Unauthorized)]`
`18`	`20`	`[ProducesResponseType(StatusCodes.Status403Forbidden)]`
`19`	`21`	`public async Task<IActionResult> ListDocuments(CancellationToken cancellationToken)`
`20`	`22`	`{`
`21`		`- var subject = User.FindFirst("sub")?.Value;`
	`23`	`+ var subject = CurrentSub;`
`22`	`24`	`if (string.IsNullOrWhiteSpace(subject))`
`23`	`25`	`{`
`24`	`26`	`return Unauthorized();`
`@@ -36,14 +38,14 @@ public async Task<IActionResult> ListDocuments(CancellationToken cancellationTok`
`36`	`38`	`[ProducesResponseType(StatusCodes.Status403Forbidden)]`
`37`	`39`	`public async Task<IActionResult> GetDocument(Guid id, CancellationToken cancellationToken)`
`38`	`40`	`{`
`39`		`- var subject = User.FindFirst("sub")?.Value;`
	`41`	`+ var subject = CurrentSub;`
`40`	`42`	`if (string.IsNullOrWhiteSpace(subject))`
`41`	`43`	`{`
`42`	`44`	`return Unauthorized();`
`43`	`45`	`}`
`44`	`46`
`45`		`- var document = await documentStore.GetByIdAsync(id, cancellationToken);`
`46`		`- if (document is null \|\| !string.Equals(document.OwnerSub, subject, StringComparison.Ordinal))`
	`47`	`+ var document = await documentStore.GetByIdAsync(id, subject, cancellationToken);`
	`48`	`+ if (document is null)`
`47`	`49`	`{`
`48`	`50`	`return NotFound();`
`49`	`51`	`}`
`@@ -61,7 +63,7 @@ public async Task<IActionResult> GetDocument(Guid id, CancellationToken cancella`
`61`	`63`	`[ProducesResponseType(StatusCodes.Status409Conflict)]`
`62`	`64`	`public async Task<IActionResult> CreateDocument([FromBody] CreateDocumentRequest request, CancellationToken cancellationToken)`
`63`	`65`	`{`
`64`		`- var subject = User.FindFirst("sub")?.Value;`
	`66`	`+ var subject = CurrentSub;`
`65`	`67`	`if (string.IsNullOrWhiteSpace(subject))`
`66`	`68`	`{`
`67`	`69`	`return Unauthorized();`
`@@ -87,7 +89,7 @@ public async Task<IActionResult> CreateDocument([FromBody] CreateDocumentRequest`
`87`	`89`	`[ProducesResponseType(StatusCodes.Status409Conflict)]`
`88`	`90`	`public async Task<IActionResult> UpdateDocument(Guid id, [FromBody] UpdateDocumentRequest request, CancellationToken cancellationToken)`
`89`	`91`	`{`
`90`		`- var subject = User.FindFirst("sub")?.Value;`
	`92`	`+ var subject = CurrentSub;`
`91`	`93`	`if (string.IsNullOrWhiteSpace(subject))`
`92`	`94`	`{`
`93`	`95`	`return Unauthorized();`
`@@ -104,7 +106,6 @@ public async Task<IActionResult> UpdateDocument(Guid id, [FromBody] UpdateDocume`
`104`	`106`
`105`	`107`	`[HttpDelete("{id}")]`
`106`	`108`	`[Authorize(Policy = Policies.DocumentsWrite)]`
`107`		`- [RequireIdempotency]`
`108`	`109`	`[RequireMtlsBinding]`
`109`	`110`	`[ProducesResponseType(StatusCodes.Status204NoContent)]`
`110`	`111`	`[ProducesResponseType(StatusCodes.Status401Unauthorized)]`
`@@ -113,7 +114,7 @@ public async Task<IActionResult> UpdateDocument(Guid id, [FromBody] UpdateDocume`
`113`	`114`	`[ProducesResponseType(StatusCodes.Status409Conflict)]`
`114`	`115`	`public async Task<IActionResult> DeleteDocument(Guid id, CancellationToken cancellationToken)`
`115`	`116`	`{`
`116`		`- var subject = User.FindFirst("sub")?.Value;`
	`117`	`+ var subject = CurrentSub;`
`117`	`118`	`if (string.IsNullOrWhiteSpace(subject))`
`118`	`119`	`{`
`119`	`120`	`return Unauthorized();`
Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@ public async Task InvokeAsync(HttpContext context)`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`var token = authHeader["DPoP ".Length..].Trim();`
	`49`	`+ // RFC 9449 section 4.2: htu excludes query string and fragment.`
`49`	`50`	`var requestUrl = $"{context.Request.Scheme}://{context.Request.Host}{context.Request.Path}";`
`50`	`51`
`51`	`52`	`var thumbprint = TryExtractProofThumbprint(dpopProof);`