Index: ChapterX.Application/Auth/LoginRequest.cs
===================================================================
--- ChapterX.Application/Auth/LoginRequest.cs	(revision d300631ac3354730c3b03cb7b160974af50e7894)
+++ ChapterX.Application/Auth/LoginRequest.cs	(revision 0b502c2664f4d6c64626f3394b4f1dc540e0aa9b)
@@ -1,6 +1,10 @@
 using MediatR;
+using System.ComponentModel.DataAnnotations;
 
 namespace ChapterX.Application.Auth
 {
-    public record LoginRequest(string Email, string Password) : IRequest<LoginResponse>;
+    public record LoginRequest(
+        [Required][EmailAddress][MaxLength(200)] string Email,
+        [Required][MaxLength(128)] string Password
+    ) : IRequest<LoginResponse>;
 }
Index: ChapterX.Application/Auth/RegisterRequest.cs
===================================================================
--- ChapterX.Application/Auth/RegisterRequest.cs	(revision d300631ac3354730c3b03cb7b160974af50e7894)
+++ ChapterX.Application/Auth/RegisterRequest.cs	(revision 0b502c2664f4d6c64626f3394b4f1dc540e0aa9b)
@@ -1,6 +1,13 @@
 using MediatR;
+using System.ComponentModel.DataAnnotations;
 
 namespace ChapterX.Application.Auth
 {
-    public record RegisterRequest(string Username, string Email, string Name, string Surname, string Password) : IRequest<RegisterResponse>;
+    public record RegisterRequest(
+        [Required][MaxLength(50)] string Username,
+        [Required][EmailAddress][MaxLength(200)] string Email,
+        [Required][MaxLength(100)] string Name,
+        [Required][MaxLength(100)] string Surname,
+        [Required][MinLength(8)][MaxLength(128)] string Password
+    ) : IRequest<RegisterResponse>;
 }
Index: ChapterX.Application/Chapter/Commands/AddRequest.cs
===================================================================
--- ChapterX.Application/Chapter/Commands/AddRequest.cs	(revision d300631ac3354730c3b03cb7b160974af50e7894)
+++ ChapterX.Application/Chapter/Commands/AddRequest.cs	(revision 0b502c2664f4d6c64626f3394b4f1dc540e0aa9b)
@@ -1,11 +1,12 @@
 using MediatR;
+using System.ComponentModel.DataAnnotations;
 
 namespace ChapterX.Application.Chapter.Commands
 {
     public record AddRequest(
-        int Number,
-        string Name,
-        string Title,
-        string Content,
+        [Range(1, int.MaxValue)] int Number,
+        [Required][MaxLength(200)] string Name,
+        [Required][MaxLength(300)] string Title,
+        [Required] string Content,
         int StoryId
     ) : IRequest<AddResponse>;
Index: ChapterX.Application/Chapter/Commands/DeleteHandler.cs
===================================================================
--- ChapterX.Application/Chapter/Commands/DeleteHandler.cs	(revision d300631ac3354730c3b03cb7b160974af50e7894)
+++ ChapterX.Application/Chapter/Commands/DeleteHandler.cs	(revision 0b502c2664f4d6c64626f3394b4f1dc540e0aa9b)
@@ -18,7 +18,10 @@
         public async Task<DeleteResponse> Handle(DeleteRequest request, CancellationToken cancellationToken)
         {
-            var chapter = await _chapterRepository.GetByIdAsync(request.Id, cancellationToken);
+            var chapter = await _chapterRepository.GetByIdWithStoryAsync(request.Id, cancellationToken);
             if (chapter is null)
                 return new DeleteResponse(false);
+
+            if (chapter.Story.UserId != request.CallerId)
+                throw new UnauthorizedAccessException("You do not own this chapter.");
 
             await _chapterRepository.DeleteAsync(chapter, cancellationToken);
Index: ChapterX.Application/Chapter/Commands/DeleteRequest.cs
===================================================================
--- ChapterX.Application/Chapter/Commands/DeleteRequest.cs	(revision d300631ac3354730c3b03cb7b160974af50e7894)
+++ ChapterX.Application/Chapter/Commands/DeleteRequest.cs	(revision 0b502c2664f4d6c64626f3394b4f1dc540e0aa9b)
@@ -3,4 +3,4 @@
 namespace ChapterX.Application.Chapter.Commands
 {
-    public record DeleteRequest(int Id) : IRequest<DeleteResponse>;
+    public record DeleteRequest(int Id, int CallerId) : IRequest<DeleteResponse>;
 }
Index: ChapterX.Application/Chapter/Commands/UpdateHandler.cs
===================================================================
--- ChapterX.Application/Chapter/Commands/UpdateHandler.cs	(revision d300631ac3354730c3b03cb7b160974af50e7894)
+++ ChapterX.Application/Chapter/Commands/UpdateHandler.cs	(revision 0b502c2664f4d6c64626f3394b4f1dc540e0aa9b)
@@ -18,7 +18,10 @@
         public async Task<UpdateResponse> Handle(UpdateRequest request, CancellationToken cancellationToken)
         {
-            var chapter = await _chapterRepository.GetByIdAsync(request.Id, cancellationToken);
+            var chapter = await _chapterRepository.GetByIdWithStoryAsync(request.Id, cancellationToken);
             if (chapter is null)
                 return new UpdateResponse(false);
+
+            if (chapter.Story.UserId != request.CallerId)
+                throw new UnauthorizedAccessException("You do not own this chapter.");
 
             chapter.Number = request.Number;
Index: ChapterX.Application/Chapter/Commands/UpdateRequest.cs
===================================================================
--- ChapterX.Application/Chapter/Commands/UpdateRequest.cs	(revision d300631ac3354730c3b03cb7b160974af50e7894)
+++ ChapterX.Application/Chapter/Commands/UpdateRequest.cs	(revision 0b502c2664f4d6c64626f3394b4f1dc540e0aa9b)
@@ -9,5 +9,6 @@
         string Title,
         string Content,
-        int? WordCount
+        int? WordCount,
+        int CallerId = 0
     ) : IRequest<UpdateResponse>;
 }
Index: ChapterX.Application/Comment/Commands/AddRequest.cs
===================================================================
--- ChapterX.Application/Comment/Commands/AddRequest.cs	(revision d300631ac3354730c3b03cb7b160974af50e7894)
+++ ChapterX.Application/Comment/Commands/AddRequest.cs	(revision 0b502c2664f4d6c64626f3394b4f1dc540e0aa9b)
@@ -1,6 +1,11 @@
 using MediatR;
+using System.ComponentModel.DataAnnotations;
 
 namespace ChapterX.Application.Comment.Commands
 {
-    public record AddRequest(string Content, int UserId, int StoryId) : IRequest<AddResponse>;
+    public record AddRequest(
+        [Required][MaxLength(2000)] string Content,
+        int UserId,
+        int StoryId
+    ) : IRequest<AddResponse>;
 }
Index: ChapterX.Application/Comment/Commands/DeleteHandler.cs
===================================================================
--- ChapterX.Application/Comment/Commands/DeleteHandler.cs	(revision d300631ac3354730c3b03cb7b160974af50e7894)
+++ ChapterX.Application/Comment/Commands/DeleteHandler.cs	(revision 0b502c2664f4d6c64626f3394b4f1dc540e0aa9b)
@@ -22,4 +22,7 @@
                 return new DeleteResponse(false);
 
+            if (comment.UserId != request.CallerId)
+                throw new UnauthorizedAccessException("You do not own this comment.");
+
             await _commentRepository.DeleteAsync(comment, cancellationToken);
 
Index: ChapterX.Application/Comment/Commands/DeleteRequest.cs
===================================================================
--- ChapterX.Application/Comment/Commands/DeleteRequest.cs	(revision d300631ac3354730c3b03cb7b160974af50e7894)
+++ ChapterX.Application/Comment/Commands/DeleteRequest.cs	(revision 0b502c2664f4d6c64626f3394b4f1dc540e0aa9b)
@@ -3,4 +3,4 @@
 namespace ChapterX.Application.Comment.Commands
 {
-    public record DeleteRequest(int Id) : IRequest<DeleteResponse>;
+    public record DeleteRequest(int Id, int CallerId) : IRequest<DeleteResponse>;
 }
Index: ChapterX.Application/Comment/Commands/UpdateHandler.cs
===================================================================
--- ChapterX.Application/Comment/Commands/UpdateHandler.cs	(revision d300631ac3354730c3b03cb7b160974af50e7894)
+++ ChapterX.Application/Comment/Commands/UpdateHandler.cs	(revision 0b502c2664f4d6c64626f3394b4f1dc540e0aa9b)
@@ -22,4 +22,7 @@
                 return new UpdateResponse(false);
 
+            if (comment.UserId != request.CallerId)
+                throw new UnauthorizedAccessException("You do not own this comment.");
+
             comment.Content = request.Content;
             comment.UpdatedAt = DateTime.UtcNow;
Index: ChapterX.Application/Comment/Commands/UpdateRequest.cs
===================================================================
--- ChapterX.Application/Comment/Commands/UpdateRequest.cs	(revision d300631ac3354730c3b03cb7b160974af50e7894)
+++ ChapterX.Application/Comment/Commands/UpdateRequest.cs	(revision 0b502c2664f4d6c64626f3394b4f1dc540e0aa9b)
@@ -3,4 +3,4 @@
 namespace ChapterX.Application.Comment.Commands
 {
-    public record UpdateRequest(int Id, string Content) : IRequest<UpdateResponse>;
+    public record UpdateRequest(int Id, string Content, int CallerId = 0) : IRequest<UpdateResponse>;
 }
Index: ChapterX.Application/Story/Commands/AddRequest.cs
===================================================================
--- ChapterX.Application/Story/Commands/AddRequest.cs	(revision d300631ac3354730c3b03cb7b160974af50e7894)
+++ ChapterX.Application/Story/Commands/AddRequest.cs	(revision 0b502c2664f4d6c64626f3394b4f1dc540e0aa9b)
@@ -1,6 +1,14 @@
 using MediatR;
+using System.ComponentModel.DataAnnotations;
 
 namespace ChapterX.Application.Story.Commands
 {
-    public record AddRequest(bool MatureContent, string ShortDescription, string? Image, string Content, int UserId, List<string> Genres) : IRequest<AddResponse>;
+    public record AddRequest(
+        bool MatureContent,
+        [Required][MaxLength(500)] string ShortDescription,
+        [MaxLength(2048)] string? Image,
+        [Required] string Content,
+        int UserId,
+        List<string> Genres
+    ) : IRequest<AddResponse>;
 }
Index: ChapterX.Application/Story/Commands/DeleteHandler.cs
===================================================================
--- ChapterX.Application/Story/Commands/DeleteHandler.cs	(revision d300631ac3354730c3b03cb7b160974af50e7894)
+++ ChapterX.Application/Story/Commands/DeleteHandler.cs	(revision 0b502c2664f4d6c64626f3394b4f1dc540e0aa9b)
@@ -22,4 +22,7 @@
                 return new DeleteResponse(false);
 
+            if (story.UserId != request.CallerId)
+                throw new UnauthorizedAccessException("You do not own this story.");
+
             await _storyRepository.DeleteAsync(story, cancellationToken);
 
Index: ChapterX.Application/Story/Commands/DeleteRequest.cs
===================================================================
--- ChapterX.Application/Story/Commands/DeleteRequest.cs	(revision d300631ac3354730c3b03cb7b160974af50e7894)
+++ ChapterX.Application/Story/Commands/DeleteRequest.cs	(revision 0b502c2664f4d6c64626f3394b4f1dc540e0aa9b)
@@ -3,4 +3,4 @@
 namespace ChapterX.Application.Story.Commands
 {
-    public record DeleteRequest(int Id) : IRequest<DeleteResponse>;
+    public record DeleteRequest(int Id, int CallerId) : IRequest<DeleteResponse>;
 }
Index: ChapterX.Application/Story/Commands/UpdateHandler.cs
===================================================================
--- ChapterX.Application/Story/Commands/UpdateHandler.cs	(revision d300631ac3354730c3b03cb7b160974af50e7894)
+++ ChapterX.Application/Story/Commands/UpdateHandler.cs	(revision 0b502c2664f4d6c64626f3394b4f1dc540e0aa9b)
@@ -22,4 +22,7 @@
                 return new UpdateResponse(false);
 
+            if (story.UserId != request.CallerId)
+                throw new UnauthorizedAccessException("You do not own this story.");
+
             story.MatureContent = request.MatureContent;
             story.ShortDescription = request.ShortDescription;
Index: ChapterX.Application/Story/Commands/UpdateRequest.cs
===================================================================
--- ChapterX.Application/Story/Commands/UpdateRequest.cs	(revision d300631ac3354730c3b03cb7b160974af50e7894)
+++ ChapterX.Application/Story/Commands/UpdateRequest.cs	(revision 0b502c2664f4d6c64626f3394b4f1dc540e0aa9b)
@@ -3,4 +3,4 @@
 namespace ChapterX.Application.Story.Commands
 {
-    public record UpdateRequest(int Id, bool MatureContent, string ShortDescription, string? Image, string Content) : IRequest<UpdateResponse>;
+    public record UpdateRequest(int Id, bool MatureContent, string ShortDescription, string? Image, string Content, int CallerId = 0) : IRequest<UpdateResponse>;
 }
