Add user to filter the request

Author: GuidoBR

backend/src/reports/reports.controller.ts

@@ -1,4 +1,4 @@
-import { Controller, Get, Patch, Param, Body, Query, ValidationPipe } from '@nestjs/common';
+import { Controller, Get, Patch, Param, Body, Query, ValidationPipe, Req } from '@nestjs/common';
 import {
   ApiTags,
   ApiOperation,
@@ -11,6 +11,7 @@ import { ReportsService } from './reports.service';
 import { Report } from './models/report.model';
 import { GetReportsQueryDto } from './dto/get-reports.dto';
 import { UpdateReportStatusDto } from './dto/update-report-status.dto';
+import { Request } from 'express';
 
 @ApiTags('reports')
 @Controller('reports')
@@ -25,8 +26,9 @@ export class ReportsController {
     type: [Report],
   })
   @Get()
-  async findAll(): Promise<Report[]> {
-    return this.reportsService.findAll();
+  async findAll(@Req() request: Request): Promise<Report[]> {
+    const userId = this.extractUserId(request);
+    return this.reportsService.findAll(userId);
   }
 
   @ApiOperation({ summary: 'Get latest reports' })
@@ -41,14 +43,18 @@ export class ReportsController {
     description: 'Maximum number of reports to return',
   })
   @Get('latest')
-  async findLatest(@Query(ValidationPipe) queryDto: GetReportsQueryDto): Promise<Report[]> {
-    return this.reportsService.findLatest(queryDto);
+  async findLatest(
+    @Query(ValidationPipe) queryDto: GetReportsQueryDto,
+    @Req() request: Request,
+  ): Promise<Report[]> {
+    const userId = this.extractUserId(request);
+    return this.reportsService.findLatest(queryDto, userId);
   }
 
   @ApiOperation({ summary: 'GET report' })
   @ApiResponse({
     status: 200,
-    description: 'Report status updated successfully',
+    description: 'Report details',
     type: Report,
   })
   @ApiResponse({
@@ -60,8 +66,9 @@ export class ReportsController {
     description: 'Report ID',
   })
   @Get(':id')
-  async getReport(@Param('id') id: string): Promise<Report> {
-    return this.reportsService.findOne(id);
+  async getReport(@Param('id') id: string, @Req() request: Request): Promise<Report> {
+    const userId = this.extractUserId(request);
+    return this.reportsService.findOne(id, userId);
   }
 
   @ApiOperation({ summary: 'Update report status' })
@@ -82,7 +89,21 @@ export class ReportsController {
   async updateStatus(
     @Param('id') id: string,
     @Body(ValidationPipe) updateDto: UpdateReportStatusDto,
+    @Req() request: Request,
   ): Promise<Report> {
-    return this.reportsService.updateStatus(id, updateDto);
+    const userId = this.extractUserId(request);
+    return this.reportsService.updateStatus(id, updateDto, userId);
+  }
+
+  private extractUserId(request: Request): string {
+    console.log(request);
+    // The user object is attached to the request by the AuthGuard
+    const user = request.user as any;
+
+    if (!user || !user.sub) {
+      throw new Error('User ID not found in token');
+    }
+
+    return user.sub;
   }
 }

backend/src/reports/reports.service.ts

@@ -3,6 +3,7 @@ import {
   NotFoundException,
   InternalServerErrorException,
   Logger,
+  ForbiddenException,
 } from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
 import {
@@ -46,16 +47,26 @@ export class ReportsService {
     this.tableName = this.configService.get<string>('DYNAMODB_REPORTS_TABLE', 'reports');
   }
 
-  async findAll(): Promise<Report[]> {
-    const command = new ScanCommand({
-      TableName: this.tableName,
-    });
+  async findAll(userId: string): Promise<Report[]> {
+    if (!userId) {
+      throw new ForbiddenException('User ID is required');
+    }
 
     try {
+      // If the table has a GSI for userId, use QueryCommand instead
+      const command = new ScanCommand({
+        TableName: this.tableName,
+        FilterExpression: 'userId = :userId',
+        ExpressionAttributeValues: marshall({
+          ':userId': userId,
+        }),
+      });
+
       const response = await this.dynamoClient.send(command);
       return (response.Items || []).map(item => unmarshall(item) as Report);
     } catch (error: unknown) {
-      this.logger.error(`Error fetching all reports: ${this.formatError(error)}`);
+      this.logger.error(`Error fetching reports for user ${userId}:`);
+      this.logger.error(error);
 
       if (error instanceof DynamoDBServiceException) {
         if (error.name === 'UnrecognizedClientException') {
@@ -73,19 +84,30 @@ export class ReportsService {
     }
   }
 
-  async findLatest(queryDto: GetReportsQueryDto): Promise<Report[]> {
-    this.logger.log(`Running findLatest with params: ${JSON.stringify(queryDto)}`);
+  async findLatest(queryDto: GetReportsQueryDto, userId: string): Promise<Report[]> {
+    this.logger.log(
+      `Running findLatest with params: ${JSON.stringify(queryDto)} for user ${userId}`,
+    );
+
+    if (!userId) {
+      throw new ForbiddenException('User ID is required');
+    }
 
     // Convert limit to a number to avoid serialization errors
     const limit =
       typeof queryDto.limit === 'string' ? parseInt(queryDto.limit, 10) : queryDto.limit || 10;
 
-    const command = new ScanCommand({
-      TableName: this.tableName,
-      Limit: limit,
-    });
-
     try {
+      // If the table has a GSI for userId, use QueryCommand instead
+      const command = new ScanCommand({
+        TableName: this.tableName,
+        FilterExpression: 'userId = :userId',
+        ExpressionAttributeValues: marshall({
+          ':userId': userId,
+        }),
+        Limit: limit * 5, // Fetch more items since we'll filter by userId
+      });
+
       const response = await this.dynamoClient.send(command);
       const reports = (response.Items || []).map(item => unmarshall(item) as Report);
 
@@ -94,7 +116,8 @@ export class ReportsService {
         .sort((a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime())
         .slice(0, limit);
     } catch (error: unknown) {
-      this.logger.error(`Error fetching latest reports: ${this.formatError(error)}`);
+      this.logger.error(`Error fetching latest reports for user ${userId}:`);
+      this.logger.error(error);
 
       if (error instanceof DynamoDBServiceException) {
         if (error.name === 'ResourceNotFoundException') {
@@ -108,11 +131,15 @@ export class ReportsService {
     }
   }
 
-  async findOne(id: string): Promise<Report> {
+  async findOne(id: string, userId: string): Promise<Report> {
     if (!id) {
       throw new NotFoundException('Report ID is required');
     }
 
+    if (!userId) {
+      throw new ForbiddenException('User ID is required');
+    }
+
     const command = new GetItemCommand({
       TableName: this.tableName,
       Key: marshall({ id }),
@@ -125,13 +152,21 @@ export class ReportsService {
         throw new NotFoundException(`Report with ID ${id} not found`);
       }
 
-      return unmarshall(response.Item) as Report;
+      const report = unmarshall(response.Item) as Report;
+
+      // Verify the report belongs to the user
+      if (report.userId !== userId) {
+        throw new ForbiddenException('You do not have permission to access this report');
+      }
+
+      return report;
     } catch (error: unknown) {
       if (error instanceof NotFoundException) {
         throw error;
       }
 
-      this.logger.error(`Error fetching report with ID ${id}: ${this.formatError(error)}`);
+      this.logger.error(`Error fetching report with ID ${id}:`);
+      this.logger.error(error);
 
       if (error instanceof DynamoDBServiceException) {
         if (error.name === 'ResourceNotFoundException') {
@@ -145,7 +180,11 @@ export class ReportsService {
     }
   }
 
-  async updateStatus(id: string, updateDto: UpdateReportStatusDto): Promise<Report> {
+  async updateStatus(
+    id: string,
+    updateDto: UpdateReportStatusDto,
+    userId: string,
+  ): Promise<Report> {
     if (!id) {
       throw new NotFoundException('Report ID is required');
     }
@@ -154,20 +193,26 @@ export class ReportsService {
       throw new InternalServerErrorException('Status is required for update');
     }
 
+    if (!userId) {
+      throw new ForbiddenException('User ID is required');
+    }
+
     try {
-      // First check if the report exists
-      const existingReport = await this.findOne(id);
+      // First check if the report exists and belongs to the user
+      const existingReport = await this.findOne(id, userId);
 
       const command = new UpdateItemCommand({
         TableName: this.tableName,
         Key: marshall({ id }),
         UpdateExpression: 'SET #status = :status, updatedAt = :updatedAt',
+        ConditionExpression: 'userId = :userId', // Ensure the report belongs to the user
         ExpressionAttributeNames: {
           '#status': 'status',
         },
         ExpressionAttributeValues: marshall({
           ':status': updateDto.status,
           ':updatedAt': new Date().toISOString(),
+          ':userId': userId,
         }),
         ReturnValues: 'ALL_NEW',
       });
@@ -189,26 +234,20 @@ export class ReportsService {
         throw error;
       }
 
-      this.logger.error(`Error updating report status for ID ${id}: ${this.formatError(error)}`);
+      this.logger.error(`Error updating report status for ID ${id}:`);
+      this.logger.error(error);
 
       if (error instanceof DynamoDBServiceException) {
         if (error.name === 'ConditionalCheckFailedException') {
-          throw new NotFoundException(`Report with ID ${id} not found`);
+          throw new ForbiddenException('You do not have permission to update this report');
         } else if (error.name === 'ResourceNotFoundException') {
           throw new InternalServerErrorException(
             `Table "${this.tableName}" not found. Please check your database configuration.`,
           );
         }
       }
 
-      throw new InternalServerErrorException(`Failed to update status for report with ID ${id}`);
-    }
-  }
-
-  private formatError(error: unknown): string {
-    if (error instanceof Error) {
-      return `${error.name}: ${error.message}`;
+      throw new InternalServerErrorException(`Failed to update report status for ID ${id}`);
     }
-    return JSON.stringify(error, null, 2);
   }
 }