feat: protecting endpoint by roles

src/common/decorators/allowed-roles.decorator.ts

@@ -0,0 +1,5 @@
+import { SetMetadata } from '@nestjs/common';
+import { Roles } from '~/auth/enums';
+
+export const ROLE_METADATA_KEY = 'roles';
+export const AllowedRoles = (...roles: Roles[]) => SetMetadata(ROLE_METADATA_KEY, roles);

src/common/decorators/index.ts

@@ -1,2 +1,3 @@
+export * from './allowed-roles.decorator';
 export * from './public.decorator';
 export * from './user.decorator';

src/common/guards/access-token.guard.ts

@@ -6,7 +6,7 @@ import { IS_PUBLIC_KEY } from '../decorators';
 
 @Injectable()
 export class AccessTokenGuard extends AuthGuard('access-token') {
-  constructor(private reflector: Reflector) {
+  constructor(protected reflector: Reflector) {
     super();
   }
   canActivate(context: ExecutionContext): boolean | Promise<boolean> | Observable<boolean> {

src/common/guards/index.ts

@@ -1 +1,2 @@
 export * from './access-token.guard';
+export * from './roles-guard';

src/common/guards/roles-guard.ts

@@ -0,0 +1,28 @@
+import { ExecutionContext, Injectable } from '@nestjs/common';
+import { Roles } from '~/auth/enums';
+import { ROLE_METADATA_KEY } from '../decorators';
+import { AccessTokenGuard } from './access-token.guard';
+
+@Injectable()
+export class RolesGuard extends AccessTokenGuard {
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    await super.canActivate(context);
+
+    const request = context.switchToHttp().getRequest();
+    const user = request.user;
+
+    if (!user) {
+      return false;
+    }
+    const allowedRoles = this.reflector.getAllAndOverride<Roles[]>(ROLE_METADATA_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+
+    if (!allowedRoles) {
+      return true;
+    }
+
+    return allowedRoles.some((role) => user.roles.includes(role));
+  }
+}