fix(api): incorrect user permissions extraction

akdasa · akdasa · commit fc769d28632e · 2025-03-17T18:03:39.000Z
diff --git a/modules/services/api/src/auth/decorators/authentication.decorator.ts b/modules/services/api/src/auth/decorators/authentication.decorator.ts
@@ -4,7 +4,6 @@ import { UserAuthentication, VidyaRequest } from '@vidya/api/auth/utils';
 export const Authentication = createParamDecorator(
   (data, ctx: ExecutionContext) => {
     const request = ctx.switchToHttp().getRequest<VidyaRequest>();
-    const accessToken = request.accessToken;
-    return new UserAuthentication(accessToken);
+    return new UserAuthentication(request.accessToken);
   },
 );
diff --git a/modules/services/api/src/auth/guards/authenticated-user.guard.ts b/modules/services/api/src/auth/guards/authenticated-user.guard.ts
@@ -48,12 +48,15 @@ export class AuthenticatedUserGuard implements CanActivate {
         throw new UnauthorizedException();
       }
 
-      // Attach the user id and permissions to the request object
-      request.userId = accessToken.sub;
-      request.accessToken = accessToken;
-      request.userPermissions = accessToken.permissions
+      // Create final access token object with user permissions
+      // (if not already present in the token)
+      const userPermissions = accessToken.permissions
         ? accessToken.permissions
         : await this.usersService.getUserPermissions(accessToken.sub);
+      request.accessToken = {
+        ...accessToken,
+        permissions: userPermissions,
+      };
     } catch {
       throw new UnauthorizedException();
     }
diff --git a/modules/services/api/src/auth/utils/request.ts b/modules/services/api/src/auth/utils/request.ts
@@ -3,6 +3,4 @@ import { Request } from 'express';
 
 export type VidyaRequest = Request & {
   accessToken: AccessToken;
-  userPermissions: UserPermission[];
-  userId: string;
 };
diff --git a/modules/services/api/src/auth/utils/user-permissions.util.ts b/modules/services/api/src/auth/utils/user-permissions.util.ts
@@ -32,14 +32,21 @@ export class UserAuthentication {
 }
 
 export class AuthenticatedUserPermissions {
-  constructor(private readonly _permissions: protocol.UserPermission[]) {}
+  constructor(private readonly _userPermissions: protocol.UserPermission[]) {}
 
+  /**
+   * Get list of scopes that user has permission for
+   * @param requiredPermissions Permissions required to perform an action
+   * @returns List of scopes that user has permission for
+   */
   public getScopes(
-    permissions: domain.PermissionKey[],
+    requiredPermissions: domain.PermissionKey[],
   ): { schoolId: string }[] {
-    return this._permissions
+    return this._userPermissions
       .filter((p) =>
-        permissions.every((permission) => p.p.includes(permission)),
+        requiredPermissions.every(
+          (permission) => p.p.includes(permission) || p.p.includes('*'),
+        ),
       )
       .map((p) => ({ schoolId: p.sid }));
   }
diff --git a/modules/services/database/index.ts b/modules/services/database/index.ts
@@ -0,0 +1 @@
+export * from './main'
