fix(api): add squad number mismatch guard and update README (#418)

nanotaboada · Copilot · claude · nanotaboada · commit 26d0de6d0d3a · 2026-03-17T23:02:51.000-03:00
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
Co-authored-by: Claude &lt;noreply@anthropic.com&gt;
diff --git a/README.md b/README.md
@@ -220,8 +220,8 @@ Interactive API documentation is available via Swagger UI at `https://localhost:
 - `GET /players/{id:Guid}` - Get player by ID (requires authentication)
 - `GET /players/squadNumber/{squadNumber:int}` - Get player by squad number
 - `POST /players` - Create new player
-- `PUT /players/squadNumber/{squadNumber}` - Update player
-- `DELETE /players/squadNumber/{squadNumber}` - Remove player
+- `PUT /players/squadNumber/{squadNumber:int}` - Update player
+- `DELETE /players/squadNumber/{squadNumber:int}` - Remove player
 - `GET /health` - Health check
 
 For complete endpoint documentation with request/response schemas, explore the [interactive Swagger UI](https://localhost:9000/swagger/index.html).
diff --git a/src/Dotnet.Samples.AspNetCore.WebApi/Controllers/PlayerController.cs b/src/Dotnet.Samples.AspNetCore.WebApi/Controllers/PlayerController.cs
@@ -188,11 +188,25 @@ [FromBody] PlayerRequestModel player
             logger.LogWarning("PUT /players/squadNumber/{SquadNumber} not found", squadNumber);
             return TypedResults.NotFound();
         }
+        if (player.SquadNumber != squadNumber)
+        {
+            logger.LogWarning(
+                "PutAsync squad number mismatch: route {SquadNumber} != body {PlayerSquadNumber}",
+                squadNumber,
+                player.SquadNumber
+            );
+            return TypedResults.BadRequest(
+                new
+                {
+                    Error = "Squad number in the route does not match squad number in the request body."
+                }
+            );
+        }
         await playerService.UpdateAsync(player);
         // Sanitize user-provided player data before logging to prevent log forging
-        var sanitizedPlayerString = player?
-            .ToString()?
-            .Replace(Environment.NewLine, string.Empty)
+        var sanitizedPlayerString = player
+            ?.ToString()
+            ?.Replace(Environment.NewLine, string.Empty)
             .Replace("\r", string.Empty)
             .Replace("\n", string.Empty);
         logger.LogInformation(
