## https://sploitus.com/exploit?id=8073F6D6-4EDA-587A-B06A-B75301A82709
# FundFriends
A fundraising platform โ browse campaigns, create your own, and donate.
Originally a team capstone (2023: Shannen Lowe, Phan Ha Cristofer, James,
Sebastian Dutra); this is a 2026 solo revision that treats the original code
as a real PR to review: fixes live SQL injection and plaintext-password bugs,
replaces a forgeable client-readable session cookie with real cookie
authentication, and rebuilds the frontend on a current (2026) stack.
See [`ARCHITECTURE.md`](./ARCHITECTURE.md) for the full system design,
[`SECURITY.md`](./SECURITY.md) for the threat model and every vulnerability
found/fixed, and [`INTERVIEW_PITCH.md`](./INTERVIEW_PITCH.md) for the
talking points behind them.
## Stack
| Layer | Tech |
| --- | --- |
| Frontend | Next.js 14 (App Router) + TypeScript + Tailwind + hand-rolled shadcn-style components |
| Backend | ASP.NET Core 8 Web API + EF Core |
| Database | PostgreSQL (Npgsql) |
| Auth | Server-signed `HttpOnly` cookie auth (`Microsoft.AspNetCore.Identity` password hashing) |
| Tests | xUnit + `WebApplicationFactory` (API, EF-InMemory for most tests, Testcontainers/real Postgres for raw-ADO.NET paths), Vitest + React Testing Library (web) |
| Rate limiting | ASP.NET Core built-in `Microsoft.AspNetCore.RateLimiting` โ separate fixed-window policies for login/signup/donations |
| CI | GitHub Actions โ build/test both projects + dependency scanning (`dotnet list package --vulnerable`, `npm audit`) on every push/PR |
## Run locally
Requires a Postgres instance and the .NET 8 SDK/runtime + Node 18+.
```bash
# API โ from api/
dotnet user-secrets set "ConnectionStrings:localconnection" "Host=...;Database=...;Username=...;Password=..."
dotnet run
# Web โ from web/, in a separate terminal
npm install
cp .env.local.example .env.local # point NEXT_PUBLIC_API_BASE at the API above
npm run dev
```
Frontend: ยท API: see `api/Properties/launchSettings.json` for the assigned port.
## Tests
```bash
# API โ requires Docker running (Testcontainers starts a real Postgres
# for the donation-transaction tests; everything else uses EF InMemory)
cd api && dotnet test
# Web
cd web && npm run test
```
## Project layout
```text
.github/workflows/ CI: build/test both projects + dependency scanning
api/ ASP.NET Core 8 Web API
Controllers/ Login, Signup, Logout, Session, Fundraiser, Donations, AccountSettings, Users
Data/ EF Core DbContext
Models/ Users, Fundraiser, Donations
FundApp.Tests/ xUnit tests โ EF InMemory for most, Testcontainers/real
Postgres for the raw-ADO.NET donation transaction path
web/ Next.js 14 App Router frontend
app/ One route per page (landing, login, signup, browse, fundraiser detail, donate, create, dashboard, settings)
components/ui/ Hand-written Button/Card/Input/Progress/Badge primitives
lib/ Fetch wrapper + shared types
```