Share
## https://sploitus.com/exploit?id=8073F6D6-4EDA-587A-B06A-B75301A82709
# FundFriends

A fundraising platform โ€” browse campaigns, create your own, and donate.
Originally a team capstone (2023: Shannen Lowe, Phan Ha Cristofer, James,
Sebastian Dutra); this is a 2026 solo revision that treats the original code
as a real PR to review: fixes live SQL injection and plaintext-password bugs,
replaces a forgeable client-readable session cookie with real cookie
authentication, and rebuilds the frontend on a current (2026) stack.

See [`ARCHITECTURE.md`](./ARCHITECTURE.md) for the full system design,
[`SECURITY.md`](./SECURITY.md) for the threat model and every vulnerability
found/fixed, and [`INTERVIEW_PITCH.md`](./INTERVIEW_PITCH.md) for the
talking points behind them.

## Stack

| Layer | Tech |
| --- | --- |
| Frontend | Next.js 14 (App Router) + TypeScript + Tailwind + hand-rolled shadcn-style components |
| Backend | ASP.NET Core 8 Web API + EF Core |
| Database | PostgreSQL (Npgsql) |
| Auth | Server-signed `HttpOnly` cookie auth (`Microsoft.AspNetCore.Identity` password hashing) |
| Tests | xUnit + `WebApplicationFactory` (API, EF-InMemory for most tests, Testcontainers/real Postgres for raw-ADO.NET paths), Vitest + React Testing Library (web) |
| Rate limiting | ASP.NET Core built-in `Microsoft.AspNetCore.RateLimiting` โ€” separate fixed-window policies for login/signup/donations |
| CI | GitHub Actions โ€” build/test both projects + dependency scanning (`dotnet list package --vulnerable`, `npm audit`) on every push/PR |

## Run locally

Requires a Postgres instance and the .NET 8 SDK/runtime + Node 18+.

```bash
# API โ€” from api/
dotnet user-secrets set "ConnectionStrings:localconnection" "Host=...;Database=...;Username=...;Password=..."
dotnet run

# Web โ€” from web/, in a separate terminal
npm install
cp .env.local.example .env.local   # point NEXT_PUBLIC_API_BASE at the API above
npm run dev
```

Frontend:  ยท API: see `api/Properties/launchSettings.json` for the assigned port.

## Tests

```bash
# API โ€” requires Docker running (Testcontainers starts a real Postgres
# for the donation-transaction tests; everything else uses EF InMemory)
cd api && dotnet test

# Web
cd web && npm run test
```

## Project layout

```text
.github/workflows/    CI: build/test both projects + dependency scanning
api/                  ASP.NET Core 8 Web API
  Controllers/         Login, Signup, Logout, Session, Fundraiser, Donations, AccountSettings, Users
  Data/                 EF Core DbContext
  Models/               Users, Fundraiser, Donations
  FundApp.Tests/        xUnit tests โ€” EF InMemory for most, Testcontainers/real
                         Postgres for the raw-ADO.NET donation transaction path
web/                  Next.js 14 App Router frontend
  app/                  One route per page (landing, login, signup, browse, fundraiser detail, donate, create, dashboard, settings)
  components/ui/        Hand-written Button/Card/Input/Progress/Badge primitives
  lib/                  Fetch wrapper + shared types
```