Extract user resolution to ResolveUserFilter to remove PII from controller code

Nick Campanini · Nick Campanini · commit fda823d18ddb · 2026-03-15T21:22:51.000-04:00
diff --git a/src/SEBT.Portal.Api/Controllers/IdProofing/ChallengesController.cs b/src/SEBT.Portal.Api/Controllers/IdProofing/ChallengesController.cs
@@ -1,8 +1,6 @@
-using System.Security.Claims;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
-using SEBT.Portal.Api.Models;
-using SEBT.Portal.Core.Repositories;
+using SEBT.Portal.Api.Filters;
 using SEBT.Portal.Kernel;
 using SEBT.Portal.Kernel.AspNetCore;
 using SEBT.Portal.UseCases.IdProofing;
@@ -15,15 +13,15 @@ namespace SEBT.Portal.Api.Controllers.IdProofing;
 [ApiController]
 [Route("api/challenges")]
 [Authorize]
-public class ChallengesController(ILogger<ChallengesController> logger) : ControllerBase
+[ServiceFilter(typeof(ResolveUserFilter))]
+public class ChallengesController : ControllerBase
 {
     /// <summary>
     /// Starts a document verification challenge by generating a Socure DocV session token.
     /// Called when the user clicks "Continue" on the document verification interstitial.
     /// </summary>
     /// <param name="id">The challenge's public GUID.</param>
     /// <param name="handler">The command handler.</param>
-    /// <param name="userRepository">User repository for resolving user ID.</param>
     /// <param name="cancellationToken">Cancellation token.</param>
     /// <response code="200">DocV session created. Returns token and URL for the frontend SDK.</response>
     /// <response code="401">User is not authenticated.</response>
@@ -37,30 +35,14 @@ public class ChallengesController(ILogger<ChallengesController> logger) : Contro
     public async Task<IActionResult> Start(
         Guid id,
         [FromServices] ICommandHandler<StartChallengeCommand, StartChallengeResponse> handler,
-        [FromServices] IUserRepository userRepository,
         CancellationToken cancellationToken)
     {
-        var email = User.FindFirst(ClaimTypes.Email)?.Value
-            ?? User.FindFirst(ClaimTypes.NameIdentifier)?.Value
-            ?? User.Identity?.Name;
-
-        if (string.IsNullOrWhiteSpace(email))
-        {
-            logger.LogWarning("Challenge start request but email could not be extracted from claims");
-            return Unauthorized(new ErrorResponse("Unable to identify user from token."));
-        }
-
-        var user = await userRepository.GetUserByEmailAsync(email, cancellationToken);
-        if (user == null)
-        {
-            logger.LogWarning("Challenge start request but authenticated user not found in database");
-            return Unauthorized(new ErrorResponse("Unable to identify user from token."));
-        }
+        var userId = (int)HttpContext.Items[ResolveUserFilter.UserIdKey]!;
 
         var command = new StartChallengeCommand
         {
             ChallengeId = id,
-            UserId = user.Id
+            UserId = userId
         };
 
         var result = await handler.Handle(command, cancellationToken);
diff --git a/src/SEBT.Portal.Api/Controllers/IdProofing/IdProofingController.cs b/src/SEBT.Portal.Api/Controllers/IdProofing/IdProofingController.cs
@@ -1,9 +1,8 @@
-using System.Security.Claims;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using SEBT.Portal.Api.Filters;
 using SEBT.Portal.Api.Models;
 using SEBT.Portal.Api.Models.IdProofing;
-using SEBT.Portal.Core.Repositories;
 using SEBT.Portal.Kernel;
 using SEBT.Portal.Kernel.AspNetCore;
 using SEBT.Portal.UseCases.IdProofing;
@@ -17,7 +16,8 @@ namespace SEBT.Portal.Api.Controllers.IdProofing;
 [ApiController]
 [Route("api/id-proofing")]
 [Authorize]
-public class IdProofingController(ILogger<IdProofingController> logger) : ControllerBase
+[ServiceFilter(typeof(ResolveUserFilter))]
+public class IdProofingController : ControllerBase
 {
     /// <summary>
     /// Submits ID proofing data for risk assessment.
@@ -35,18 +35,13 @@ public class IdProofingController(ILogger<IdProofingController> logger) : Contro
     public async Task<IActionResult> Submit(
         [FromBody] SubmitIdProofingRequest request,
         [FromServices] ICommandHandler<SubmitIdProofingCommand, SubmitIdProofingResponse> handler,
-        [FromServices] IUserRepository userRepository,
         CancellationToken cancellationToken)
     {
-        var userId = await ResolveUserId(userRepository, cancellationToken);
-        if (userId == null)
-        {
-            return Unauthorized(new ErrorResponse("Unable to identify user from token."));
-        }
+        var userId = (int)HttpContext.Items[ResolveUserFilter.UserIdKey]!;
 
         var command = new SubmitIdProofingCommand
         {
-            UserId = userId.Value,
+            UserId = userId,
             DateOfBirth = $"{request.DateOfBirth.Year}-{request.DateOfBirth.Month.PadLeft(2, '0')}-{request.DateOfBirth.Day.PadLeft(2, '0')}",
             IdType = request.IdType,
             IdValue = request.IdValue
@@ -62,7 +57,6 @@ public async Task<IActionResult> Submit(
     /// </summary>
     /// <param name="challengeId">The challenge's public GUID.</param>
     /// <param name="handler">The query handler.</param>
-    /// <param name="userRepository">User repository for resolving user ID.</param>
     /// <param name="cancellationToken">Cancellation token.</param>
     /// <response code="200">Status retrieved.</response>
     /// <response code="401">User is not authenticated.</response>
@@ -74,47 +68,17 @@ public async Task<IActionResult> Submit(
     public async Task<IActionResult> GetStatus(
         [FromQuery] Guid challengeId,
         [FromServices] IQueryHandler<GetVerificationStatusQuery, VerificationStatusResponse> handler,
-        [FromServices] IUserRepository userRepository,
         CancellationToken cancellationToken)
     {
-        var userId = await ResolveUserId(userRepository, cancellationToken);
-        if (userId == null)
-        {
-            return Unauthorized(new ErrorResponse("Unable to identify user from token."));
-        }
+        var userId = (int)HttpContext.Items[ResolveUserFilter.UserIdKey]!;
 
         var query = new GetVerificationStatusQuery
         {
             ChallengeId = challengeId,
-            UserId = userId.Value
+            UserId = userId
         };
 
         var result = await handler.Handle(query, cancellationToken);
         return result.ToActionResult();
     }
-
-    /// <summary>
-    /// Resolves the authenticated user's numeric ID from their email claim.
-    /// </summary>
-    private async Task<int?> ResolveUserId(IUserRepository userRepository, CancellationToken cancellationToken)
-    {
-        var email = User.FindFirst(ClaimTypes.Email)?.Value
-            ?? User.FindFirst(ClaimTypes.NameIdentifier)?.Value
-            ?? User.Identity?.Name;
-
-        if (string.IsNullOrWhiteSpace(email))
-        {
-            logger.LogWarning("ID proofing request but email could not be extracted from claims");
-            return null;
-        }
-
-        var user = await userRepository.GetUserByEmailAsync(email, cancellationToken);
-        if (user == null)
-        {
-            logger.LogWarning("ID proofing request but authenticated user not found in database");
-            return null;
-        }
-
-        return user.Id;
-    }
 }
diff --git a/src/SEBT.Portal.Api/Filters/ResolveUserFilter.cs b/src/SEBT.Portal.Api/Filters/ResolveUserFilter.cs
@@ -0,0 +1,50 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Filters;
+using SEBT.Portal.Api.Models;
+using SEBT.Portal.Core.Repositories;
+
+namespace SEBT.Portal.Api.Filters;
+
+/// <summary>
+/// Action filter that resolves the authenticated user's numeric ID from their email claim
+/// and stashes it on HttpContext.Items. Controllers read the pre-resolved ID, keeping PII
+/// (email) out of controller code entirely.
+/// </summary>
+public class ResolveUserFilter(
+    IUserRepository userRepository,
+    ILogger<ResolveUserFilter> logger) : IAsyncActionFilter
+{
+    /// <summary>
+    /// The HttpContext.Items key where the resolved user ID is stored.
+    /// </summary>
+    public const string UserIdKey = "ResolvedUserId";
+
+    /// <inheritdoc />
+    public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
+    {
+        var email = context.HttpContext.User.FindFirst(ClaimTypes.Email)?.Value
+            ?? context.HttpContext.User.FindFirst(ClaimTypes.NameIdentifier)?.Value
+            ?? context.HttpContext.User.Identity?.Name;
+
+        if (string.IsNullOrWhiteSpace(email))
+        {
+            logger.LogWarning("Request to resolved-user endpoint but email could not be extracted from claims");
+            context.Result = new UnauthorizedObjectResult(
+                new ErrorResponse("Unable to identify user from token."));
+            return;
+        }
+
+        var user = await userRepository.GetUserByEmailAsync(email, context.HttpContext.RequestAborted);
+        if (user == null)
+        {
+            logger.LogWarning("Request to resolved-user endpoint but authenticated user not found in database");
+            context.Result = new UnauthorizedObjectResult(
+                new ErrorResponse("Unable to identify user from token."));
+            return;
+        }
+
+        context.HttpContext.Items[UserIdKey] = user.Id;
+        await next();
+    }
+}
diff --git a/src/SEBT.Portal.Api/Program.cs b/src/SEBT.Portal.Api/Program.cs
@@ -6,6 +6,7 @@
 using Microsoft.Extensions.Options;
 using Microsoft.IdentityModel.Tokens;
 using SEBT.Portal.Api.Composition;
+using SEBT.Portal.Api.Filters;
 using SEBT.Portal.Api.Models;
 using Serilog;
 using Microsoft.FeatureManagement;
@@ -102,6 +103,9 @@
 builder.Services.AddPortalInfrastructureRepositories(builder.Configuration);
 builder.Services.AddPortalInfrastructureAppSettings(builder.Configuration);
 
+// Action filters
+builder.Services.AddScoped<ResolveUserFilter>();
+
 // Register IDatabaseSeeder for development utilities (e.g., ClearSeededData script)
 builder.Services.AddScoped<IDatabaseSeeder>(sp =>
 {
diff --git a/test/SEBT.Portal.Tests/Unit/Filters/ResolveUserFilterTests.cs b/test/SEBT.Portal.Tests/Unit/Filters/ResolveUserFilterTests.cs
@@ -0,0 +1,123 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Abstractions;
+using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.AspNetCore.Routing;
+using Microsoft.Extensions.Logging.Abstractions;
+using NSubstitute;
+using SEBT.Portal.Api.Filters;
+using SEBT.Portal.Core.Models.Auth;
+using SEBT.Portal.Core.Repositories;
+
+namespace SEBT.Portal.Tests.Unit.Filters;
+
+public class ResolveUserFilterTests
+{
+    private readonly IUserRepository userRepository = Substitute.For<IUserRepository>();
+
+    private readonly NullLogger<ResolveUserFilter> logger =
+        NullLogger<ResolveUserFilter>.Instance;
+
+    private ResolveUserFilter CreateFilter() => new(userRepository, logger);
+
+    private static ActionExecutingContext CreateContext(ClaimsPrincipal? user = null)
+    {
+        var httpContext = new DefaultHttpContext();
+        if (user != null)
+        {
+            httpContext.User = user;
+        }
+
+        var actionContext = new ActionContext(
+            httpContext,
+            new RouteData(),
+            new ActionDescriptor());
+
+        return new ActionExecutingContext(
+            actionContext,
+            new List<IFilterMetadata>(),
+            new Dictionary<string, object?>(),
+            controller: null!);
+    }
+
+    private static ClaimsPrincipal CreateAuthenticatedUser(string email, string claimType = ClaimTypes.Email)
+    {
+        var claims = new List<Claim> { new(claimType, email) };
+        var identity = new ClaimsIdentity(claims, "Test");
+        return new ClaimsPrincipal(identity);
+    }
+
+    [Fact]
+    public async Task OnActionExecutionAsync_ShouldSetUserId_WhenEmailClaimResolvesToUser()
+    {
+        var filter = CreateFilter();
+        var user = new User { Id = 42, Email = "test@example.com" };
+        userRepository.GetUserByEmailAsync("test@example.com", Arg.Any<CancellationToken>())
+            .Returns(user);
+
+        var context = CreateContext(CreateAuthenticatedUser("test@example.com"));
+        var nextCalled = false;
+
+        await filter.OnActionExecutionAsync(context, () =>
+        {
+            nextCalled = true;
+            return Task.FromResult(new ActionExecutedContext(
+                context, new List<IFilterMetadata>(), controller: null!));
+        });
+
+        Assert.True(nextCalled);
+        Assert.Equal(42, context.HttpContext.Items[ResolveUserFilter.UserIdKey]);
+    }
+
+    [Fact]
+    public async Task OnActionExecutionAsync_ShouldReturn401_WhenNoEmailClaim()
+    {
+        var filter = CreateFilter();
+        var context = CreateContext(new ClaimsPrincipal(new ClaimsIdentity()));
+
+        await filter.OnActionExecutionAsync(context, () =>
+            throw new InvalidOperationException("Next should not be called"));
+
+        var result = Assert.IsType<UnauthorizedObjectResult>(context.Result);
+        Assert.NotNull(result);
+    }
+
+    [Fact]
+    public async Task OnActionExecutionAsync_ShouldReturn401_WhenUserNotFoundInDatabase()
+    {
+        var filter = CreateFilter();
+        userRepository.GetUserByEmailAsync("unknown@example.com", Arg.Any<CancellationToken>())
+            .Returns((User?)null);
+
+        var context = CreateContext(CreateAuthenticatedUser("unknown@example.com"));
+
+        await filter.OnActionExecutionAsync(context, () =>
+            throw new InvalidOperationException("Next should not be called"));
+
+        var result = Assert.IsType<UnauthorizedObjectResult>(context.Result);
+        Assert.NotNull(result);
+    }
+
+    [Fact]
+    public async Task OnActionExecutionAsync_ShouldFallBackToNameIdentifier_WhenEmailClaimMissing()
+    {
+        var filter = CreateFilter();
+        var user = new User { Id = 7, Email = "fallback@example.com" };
+        userRepository.GetUserByEmailAsync("fallback@example.com", Arg.Any<CancellationToken>())
+            .Returns(user);
+
+        var context = CreateContext(CreateAuthenticatedUser("fallback@example.com", ClaimTypes.NameIdentifier));
+
+        var nextCalled = false;
+        await filter.OnActionExecutionAsync(context, () =>
+        {
+            nextCalled = true;
+            return Task.FromResult(new ActionExecutedContext(
+                context, new List<IFilterMetadata>(), controller: null!));
+        });
+
+        Assert.True(nextCalled);
+        Assert.Equal(7, context.HttpContext.Items[ResolveUserFilter.UserIdKey]);
+    }
+}
