Add role and permission guard decorators to some existing routes

CHANGELOG.md

@@ -30,6 +30,8 @@ Another example [here](https://co-pilot.dev/changelog)
 -   Update changelog ([#104](https://github.com/chingu-x/chingu-dashboard-be/pull/104))
 -   Update test.yml to run e2e tests on pull requests to the main branch [#105](https://github.com/chingu-x/chingu-dashboard-be/pull/105)
 -   Update email templates to use domain in environment variables [#110](https://github.com/chingu-x/chingu-dashboard-be/pull/110)
+-   Add role and permission guard to some existing routes (features, forms, ideations, teams) [#112](https://github.com/chingu-x/chingu-dashboard-be/pull/112)
+
 
 ### Fixed
 

src/auth/guards/permissions.guard.ts

@@ -27,15 +27,17 @@ export class PermissionsGuard implements CanActivate {
         const { user, params } = context.switchToHttp().getRequest();
 
         if (requiredPermissions.includes(AppPermissions.OWN_TEAM)) {
+            // Admin can bypass this
             if (user.roles.includes(AppRoles.Admin)) return true;
             if (!params.teamId) {
                 throw new InternalServerErrorException(
                     "This permission guard requires :teamId param",
                 );
             }
-            const canAccess = user.voyageTeams?.includes(
-                parseInt(params?.teamId),
-            );
+
+            const canAccess = user.voyageTeams
+                ?.map((t) => t.teamId)
+                ?.includes(parseInt(params?.teamId));
 
             if (!canAccess) {
                 throw new ForbiddenException(

src/auth/strategies/at.strategy.ts

@@ -30,11 +30,17 @@ export class AtStrategy extends PassportStrategy(Strategy, "jwt-at") {
     async validate(payload: any) {
         const userInDb = await this.usersService.getUserRolesById(payload.sub);
 
+        // Note: Update global/types/CustomRequest when updating this
         return {
             userId: payload.sub,
             email: payload.email,
             roles: userInDb.roles,
-            voyageTeams: userInDb.voyageTeamMembers.map((t) => t.voyageTeamId),
+            voyageTeams: userInDb.voyageTeamMembers.map((t) => {
+                return {
+                    teamId: t.voyageTeamId,
+                    memberId: t.id,
+                };
+            }),
         };
     }
 }

src/features/features.controller.ts

@@ -34,6 +34,9 @@ import {
     ExtendedFeaturesResponse,
     FeatureResponse,
 } from "./features.response";
+import { AppPermissions } from "../auth/auth.permissions";
+import { Permissions } from "../global/decorators/permissions.decorator";
+import { CustomRequest } from "../global/types/CustomRequest";
 
 @Controller()
 @ApiTags("Voyage - Features")
@@ -42,7 +45,7 @@ export class FeaturesController {
 
     @ApiOperation({
         summary:
-            "Adds a new feature for a team given a teamId (int) and that the user is logged in.",
+            "[Permission: own_team] Adds a new feature for a team given a teamId (int) and that the user is logged in.",
     })
     @ApiResponse({
         status: HttpStatus.NOT_FOUND,
@@ -51,19 +54,24 @@ export class FeaturesController {
     })
     @ApiResponse({
         status: HttpStatus.UNAUTHORIZED,
-        description:
-            "Invalid uuid or teamID. User is not authorized to perform this action.",
+        description: "User is not authorized to perform this action.",
         type: UnauthorizedErrorResponse,
     })
+    @ApiResponse({
+        status: HttpStatus.BAD_REQUEST,
+        description: "Invalid teamId",
+        type: BadRequestErrorResponse,
+    })
     @ApiResponse({
         status: HttpStatus.CREATED,
         description: "Successfully created a new feature.",
         type: FeatureResponse,
     })
+    @Permissions(AppPermissions.OWN_TEAM)
     @Post("/:teamId/features")
     @ApiCreatedResponse({ type: Feature })
     async createFeature(
-        @Request() req,
+        @Request() req: CustomRequest,
         @Param("teamId", ParseIntPipe) teamId: number,
         @Body() createFeatureDto: CreateFeatureDto,
     ) {
@@ -75,7 +83,8 @@ export class FeaturesController {
     }
 
     @ApiOperation({
-        summary: "Gets all feature category options.",
+        summary:
+            "Gets all feature category options. e.g. Must have, should have, nice to have",
     })
     @ApiResponse({
         status: HttpStatus.OK,
@@ -89,11 +98,13 @@ export class FeaturesController {
     }
 
     @ApiOperation({
-        summary: "Gets one feature given a featureId (int).",
+        summary:
+            "[Permission: own_team] Gets all features for a team given a teamId (int).",
     })
     @ApiResponse({
         status: HttpStatus.OK,
-        description: "Successfully found feature.",
+        description: "Successfully got all features for project.",
+        isArray: true,
         type: ExtendedFeaturesResponse,
     })
     @ApiResponse({
@@ -104,21 +115,22 @@ export class FeaturesController {
     })
     @ApiResponse({
         status: HttpStatus.NOT_FOUND,
-        description: "Feature with given ID does not exist.",
+        description:
+            "Could not find features for project. Team with given ID does not exist.",
         type: NotFoundErrorResponse,
     })
-    @Get("/features/:featureId")
-    findOneFeature(@Param("featureId", ParseIntPipe) featureId: number) {
-        return this.featuresService.findOneFeature(featureId);
+    @Permissions(AppPermissions.OWN_TEAM)
+    @Get("/:teamId/features")
+    findAllFeatures(@Param("teamId", ParseIntPipe) teamId: number) {
+        return this.featuresService.findAllFeatures(teamId);
     }
 
     @ApiOperation({
-        summary: "Gets all features for a team given a teamId (int).",
+        summary: "Gets one feature given a featureId (int).",
     })
     @ApiResponse({
         status: HttpStatus.OK,
-        description: "Successfully got all features for project.",
-        isArray: true,
+        description: "Successfully found feature.",
         type: ExtendedFeaturesResponse,
     })
     @ApiResponse({
@@ -129,16 +141,12 @@ export class FeaturesController {
     })
     @ApiResponse({
         status: HttpStatus.NOT_FOUND,
-        description:
-            "Could not find features for project. Team with given ID does not exist.",
+        description: "Feature with given ID does not exist.",
         type: NotFoundErrorResponse,
     })
-    @Get("/:teamId/features")
-    findAllFeatures(
-        @Request() req,
-        @Param("teamId", ParseIntPipe) teamId: number,
-    ) {
-        return this.featuresService.findAllFeatures(req, teamId);
+    @Get("/features/:featureId")
+    findOneFeature(@Param("featureId", ParseIntPipe) featureId: number) {
+        return this.featuresService.findOneFeature(featureId);
     }
 
     @ApiOperation({

src/features/features.service.ts

@@ -23,12 +23,6 @@ export class FeaturesService {
     ) {
         const { featureCategoryId, description } = createFeatureDto;
 
-        const teamMember =
-            await this.globalService.validateLoggedInAndTeamMember(
-                teamId,
-                req.user.userId,
-            );
-
         const validCategory = await this.prisma.featureCategory.findFirst({
             where: {
                 id: featureCategoryId,
@@ -58,7 +52,10 @@ export class FeaturesService {
 
             const newFeature = await this.prisma.projectFeature.create({
                 data: {
-                    teamMemberId: teamMember.id,
+                    teamMemberId: this.globalService.getVoyageTeamMemberId(
+                        req,
+                        teamId,
+                    ),
                     featureCategoryId,
                     description,
                     order: newOrder,
@@ -80,11 +77,13 @@ export class FeaturesService {
         }
     }
 
-    async findOneFeature(featureId: number) {
+    async findAllFeatures(teamId: number) {
         try {
-            const projectFeature = await this.prisma.projectFeature.findFirst({
+            const allTeamFeatures = await this.prisma.projectFeature.findMany({
                 where: {
-                    id: featureId,
+                    addedBy: {
+                        voyageTeamId: teamId,
+                    },
                 },
                 select: {
                     id: true,
@@ -112,32 +111,26 @@ export class FeaturesService {
                         },
                     },
                 },
+                orderBy: [{ category: { id: "asc" } }, { order: "asc" }],
             });
 
-            if (!projectFeature) {
+            if (!allTeamFeatures) {
                 throw new NotFoundException(
-                    `FeatureId (id: ${featureId}) does not exist.`,
+                    `TeamId (id: ${teamId}) does not exist.`,
                 );
             }
 
-            return projectFeature;
+            return allTeamFeatures;
         } catch (e) {
             throw e;
         }
     }
 
-    async findAllFeatures(req, teamId: number) {
-        await this.globalService.validateLoggedInAndTeamMember(
-            teamId,
-            req.user.userId,
-        );
-
+    async findOneFeature(featureId: number) {
         try {
-            const allTeamFeatures = await this.prisma.projectFeature.findMany({
+            const projectFeature = await this.prisma.projectFeature.findFirst({
                 where: {
-                    addedBy: {
-                        voyageTeamId: teamId,
-                    },
+                    id: featureId,
                 },
                 select: {
                     id: true,
@@ -165,16 +158,15 @@ export class FeaturesService {
                         },
                     },
                 },
-                orderBy: [{ category: { id: "asc" } }, { order: "asc" }],
             });
 
-            if (!allTeamFeatures) {
+            if (!projectFeature) {
                 throw new NotFoundException(
-                    `TeamId (id: ${teamId}) does not exist.`,
+                    `FeatureId (id: ${featureId}) does not exist.`,
                 );
             }
 
-            return allTeamFeatures;
+            return projectFeature;
         } catch (e) {
             throw e;
         }
@@ -335,7 +327,7 @@ export class FeaturesService {
                 },
             });
         }
-        const newCategoryFeaturesList = await this.findAllFeatures(req, teamId);
+        const newCategoryFeaturesList = await this.findAllFeatures(teamId);
         return newCategoryFeaturesList;
     }
 

src/forms/forms.controller.ts

@@ -8,7 +8,14 @@ import {
 import { FormsService } from "./forms.service";
 import { ApiOperation, ApiParam, ApiResponse, ApiTags } from "@nestjs/swagger";
 import { FormResponse } from "./forms.response";
-import { NotFoundErrorResponse } from "../global/responses/errors";
+import {
+    ForbiddenErrorResponse,
+    NotFoundErrorResponse,
+    UnauthorizedErrorResponse,
+} from "../global/responses/errors";
+
+import { AppRoles } from "../auth/auth.roles";
+import { Roles } from "../global/decorators/roles.decorator";
 
 @Controller("forms")
 @ApiTags("Forms")
@@ -17,7 +24,7 @@ export class FormsController {
 
     @Get()
     @ApiOperation({
-        summary: "gets all forms from the database",
+        summary: "[Roles: admin] gets all forms from the database",
         description:
             "Returns all forms details with questions. <br>" +
             "This is currently for development purpose, or admin in future",
@@ -28,6 +35,17 @@ export class FormsController {
         type: FormResponse,
         isArray: true,
     })
+    @ApiResponse({
+        status: HttpStatus.UNAUTHORIZED,
+        description: "unauthorized access - not logged in",
+        type: UnauthorizedErrorResponse,
+    })
+    @ApiResponse({
+        status: HttpStatus.FORBIDDEN,
+        description: "forbidden - user does not have the required permission",
+        type: ForbiddenErrorResponse,
+    })
+    @Roles(AppRoles.Admin)
     getAllForms() {
         return this.formsService.getAllForms();
     }
@@ -45,6 +63,11 @@ export class FormsController {
             "Successfully gets the form (with a given formId) from the database",
         type: FormResponse,
     })
+    @ApiResponse({
+        status: HttpStatus.UNAUTHORIZED,
+        description: "unauthorized access - not logged in",
+        type: UnauthorizedErrorResponse,
+    })
     @ApiResponse({
         status: HttpStatus.NOT_FOUND,
         description: "Invalid Form ID (FormId does not exist).",

src/global/global.service.ts

@@ -1,11 +1,17 @@
-import { Injectable, UnauthorizedException } from "@nestjs/common";
+import {
+    BadRequestException,
+    Injectable,
+    UnauthorizedException,
+} from "@nestjs/common";
 import { PrismaService } from "../prisma/prisma.service";
+import { CustomRequest } from "./types/CustomRequest";
 
 @Injectable()
 export class GlobalService {
     constructor(private prisma: PrismaService) {}
 
     //verifies user is logged in by using uuid from cookie and teamId to pull a teamMember.
+    // TODO: remove as it's replaced by permission guard
     public async validateLoggedInAndTeamMember(teamId: number, uuid: any) {
         const teamMember = await this.prisma.voyageTeamMember.findFirst({
             where: {
@@ -26,4 +32,14 @@ export class GlobalService {
         }
         return teamMember;
     }
+
+    public getVoyageTeamMemberId(req: CustomRequest, teamId: number) {
+        const teamMemberId = req.user.voyageTeams.find(
+            (t) => t.teamId == teamId,
+        )?.memberId;
+        if (!teamMemberId) {
+            throw new BadRequestException(`Invalid Team Id (id: ${teamId}).`);
+        }
+        return teamMemberId;
+    }
 }

src/global/types/CustomRequest.ts

@@ -0,0 +1,13 @@
+type VoyageTeam = {
+    teamId: number;
+    memberId: number;
+};
+
+export interface CustomRequest extends Request {
+    user: {
+        userId: string;
+        email: string;
+        roles: string[];
+        voyageTeams: VoyageTeam[];
+    };
+}