feat: protecting endpoint by roles

src/common/decorators/allowed-roles.decorator.ts

@@ -0,0 +1,5 @@
+import { SetMetadata } from '@nestjs/common';
+import { Roles } from '~/auth/enums';
+
+export const ROLE_METADATA_KEY = 'roles';
+export const AllowedRoles = (...roles: Roles[]) => SetMetadata(ROLE_METADATA_KEY, roles);

src/common/decorators/index.ts

@@ -1,2 +1,3 @@
+export * from './allowed-roles.decorator';
 export * from './public.decorator';
 export * from './user.decorator';

src/common/guards/access-token.guard.ts

@@ -6,7 +6,7 @@ import { IS_PUBLIC_KEY } from '../decorators';
 
 @Injectable()
 export class AccessTokenGuard extends AuthGuard('access-token') {
-  constructor(private reflector: Reflector) {
+  constructor(protected reflector: Reflector) {
     super();
   }
   canActivate(context: ExecutionContext): boolean | Promise<boolean> | Observable<boolean> {

src/common/guards/index.ts

@@ -1 +1,2 @@
 export * from './access-token.guard';
+export * from './roles-guard';

src/common/guards/roles-guard.ts

@@ -0,0 +1,28 @@
+import { ExecutionContext, Injectable } from '@nestjs/common';
+import { Roles } from '~/auth/enums';
+import { ROLE_METADATA_KEY } from '../decorators';
+import { AccessTokenGuard } from './access-token.guard';
+
+@Injectable()
+export class RolesGuard extends AccessTokenGuard {
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    await super.canActivate(context);
+
+    const request = context.switchToHttp().getRequest();
+    const user = request.user;
+
+    if (!user) {
+      return false;
+    }
+    const allowedRoles = this.reflector.getAllAndOverride<Roles[]>(ROLE_METADATA_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+
+    if (!allowedRoles) {
+      return true;
+    }
+
+    return allowedRoles.some((role) => user.roles.includes(role));
+  }
+}

src/customer/controllers/customer.controller.ts

@@ -1,8 +1,9 @@
 import { Body, Controller, Patch, UseGuards } from '@nestjs/common';
 import { ApiBearerAuth, ApiTags } from '@nestjs/swagger';
+import { Roles } from '~/auth/enums';
 import { IJwtPayload } from '~/auth/interfaces';
-import { AuthenticatedUser } from '~/common/decorators';
-import { AccessTokenGuard } from '~/common/guards';
+import { AllowedRoles, AuthenticatedUser } from '~/common/decorators';
+import { AccessTokenGuard, RolesGuard } from '~/common/guards';
 import { ResponseFactory } from '~/core/utils';
 import { UpdateCustomerRequestDto, UpdateNotificationsSettingsRequestDto } from '../dtos/request';
 import { CustomerResponseDto, NotificationSettingsResponseDto } from '../dtos/response';
@@ -11,11 +12,12 @@ import { CustomerService } from '../services';
 @Controller('customers')
 @ApiTags('Customers')
 @ApiBearerAuth()
-@UseGuards(AccessTokenGuard)
 export class CustomerController {
   constructor(private readonly customerService: CustomerService) {}
 
   @Patch('')
+  @UseGuards(RolesGuard)
+  @AllowedRoles(Roles.GUARDIAN)
   async updateCustomer(@AuthenticatedUser() { sub }: IJwtPayload, @Body() body: UpdateCustomerRequestDto) {
     const customer = await this.customerService.updateCustomer(sub, body);
 
@@ -23,6 +25,7 @@ export class CustomerController {
   }
 
   @Patch('settings/notifications')
+  @UseGuards(AccessTokenGuard)
   async updateNotificationSettings(
     @AuthenticatedUser() { sub }: IJwtPayload,
     @Body() body: UpdateNotificationsSettingsRequestDto,

src/junior/controllers/junior.controller.ts

@@ -1,8 +1,9 @@
 import { Body, Controller, Get, Param, Post, Query, UseGuards } from '@nestjs/common';
 import { ApiBearerAuth, ApiTags } from '@nestjs/swagger';
+import { Roles } from '~/auth/enums';
 import { IJwtPayload } from '~/auth/interfaces';
-import { AuthenticatedUser } from '~/common/decorators';
-import { AccessTokenGuard } from '~/common/guards';
+import { AllowedRoles, AuthenticatedUser } from '~/common/decorators';
+import { RolesGuard } from '~/common/guards';
 import { ApiDataPageResponse, ApiDataResponse } from '~/core/decorators';
 import { PageOptionsRequestDto } from '~/core/dtos';
 import { CustomParseUUIDPipe } from '~/core/pipes';
@@ -18,7 +19,8 @@ export class JuniorController {
   constructor(private readonly juniorService: JuniorService) {}
 
   @Post()
-  @UseGuards(AccessTokenGuard)
+  @UseGuards(RolesGuard)
+  @AllowedRoles(Roles.GUARDIAN)
   @ApiDataResponse(JuniorResponseDto)
   async createJunior(@Body() body: CreateJuniorRequestDto, @AuthenticatedUser() user: IJwtPayload) {
     const junior = await this.juniorService.createJuniors(body, user.sub);
@@ -27,7 +29,8 @@ export class JuniorController {
   }
 
   @Get()
-  @UseGuards(AccessTokenGuard)
+  @UseGuards(RolesGuard)
+  @AllowedRoles(Roles.GUARDIAN)
   @ApiDataPageResponse(JuniorResponseDto)
   async findJuniors(@AuthenticatedUser() user: IJwtPayload, @Query() pageOptions: PageOptionsRequestDto) {
     const [juniors, count] = await this.juniorService.findJuniorsByGuardianId(user.sub, pageOptions);
@@ -43,7 +46,8 @@ export class JuniorController {
   }
 
   @Get(':juniorId')
-  @UseGuards(AccessTokenGuard)
+  @UseGuards(RolesGuard)
+  @AllowedRoles(Roles.GUARDIAN)
   @ApiDataResponse(JuniorResponseDto)
   async findJuniorById(
     @AuthenticatedUser() user: IJwtPayload,
@@ -55,7 +59,8 @@ export class JuniorController {
   }
 
   @Post('set-theme')
-  @UseGuards(AccessTokenGuard)
+  @UseGuards(RolesGuard)
+  @AllowedRoles(Roles.JUNIOR)
   @ApiDataResponse(JuniorResponseDto)
   async setTheme(@Body() body: SetThemeRequestDto, @AuthenticatedUser() user: IJwtPayload) {
     const theme = await this.juniorService.setTheme(body, user.sub);