Merge pull request #182 from akargi/feat/RBAC

Feat:  Global API Response Formatter & Role-Based Access Control (RBAC)

Author: RUKAYAT-CODER

src/auth/strategies/jwt.strategy.ts

@@ -6,7 +6,7 @@ import { ConfigService } from '@nestjs/config';
 export interface JwtPayload {
   sub: string;
   email: string;
-  role: string;
+  roles: string[];
 }
 
 @Injectable()
@@ -23,7 +23,7 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
     return {
       userId: payload.sub,
       email: payload.email,
-      role: payload.role,
+      roles: payload.roles || [],
     };
   }
 }

src/common/decorators/roles.decorator.ts

@@ -25,4 +25,4 @@ export const ROLES_KEY = 'roles';
  * \@Delete('posts/:id')
  * deletePost() {}
  */
-export const Roles = (...roles: Role[]) => SetMetadata(ROLES_KEY, roles);
+export const Roles = (...roles: string[]) => SetMetadata(ROLES_KEY, roles);

src/common/guards/roles.guard.spec.ts

@@ -0,0 +1,64 @@
+import { RolesGuard } from '../guards/roles.guard';
+import { Roles } from '../decorators/roles.decorator';
+
+describe('RolesGuard', () => {
+  let guard: RolesGuard;
+  let reflector: any;
+
+  beforeEach(() => {
+    reflector = {
+      getAllAndOverride: jest.fn(),
+    };
+    guard = new RolesGuard(reflector);
+  });
+
+  it('should allow access if no roles are required', () => {
+    reflector.getAllAndOverride.mockReturnValue(undefined);
+    const context = {
+      getHandler: () => {},
+      getClass: () => {},
+      switchToHttp: () => ({ getRequest: () => ({ user: { roles: ['admin'] } }) }),
+    };
+    expect(guard.canActivate(context as any)).toBe(true);
+  });
+
+  it('should deny access if user has no roles', () => {
+    reflector.getAllAndOverride.mockReturnValue(['admin']);
+    const context = {
+      getHandler: () => {},
+      getClass: () => {},
+      switchToHttp: () => ({ getRequest: () => ({ user: {} }) }),
+    };
+    expect(guard.canActivate(context as any)).toBe(false);
+  });
+
+  it('should allow access if user has required role', () => {
+    reflector.getAllAndOverride.mockReturnValue(['admin']);
+    const context = {
+      getHandler: () => {},
+      getClass: () => {},
+      switchToHttp: () => ({ getRequest: () => ({ user: { roles: ['admin', 'moderator'] } }) }),
+    };
+    expect(guard.canActivate(context as any)).toBe(true);
+  });
+
+  it('should deny access if user does not have required role', () => {
+    reflector.getAllAndOverride.mockReturnValue(['admin']);
+    const context = {
+      getHandler: () => {},
+      getClass: () => {},
+      switchToHttp: () => ({ getRequest: () => ({ user: { roles: ['user'] } }) }),
+    };
+    expect(guard.canActivate(context as any)).toBe(false);
+  });
+
+  it('should support multiple roles per endpoint', () => {
+    reflector.getAllAndOverride.mockReturnValue(['admin', 'moderator']);
+    const context = {
+      getHandler: () => {},
+      getClass: () => {},
+      switchToHttp: () => ({ getRequest: () => ({ user: { roles: ['moderator'] } }) }),
+    };
+    expect(guard.canActivate(context as any)).toBe(true);
+  });
+});

src/common/guards/roles.guard.ts

@@ -2,75 +2,28 @@ import {
   Injectable,
   CanActivate,
   ExecutionContext,
-  ForbiddenException,
-  Logger,
-  UnauthorizedException,
 } from '@nestjs/common';
 import { Reflector } from '@nestjs/core';
-import { Request } from 'express';
-import { Role, ROLES_KEY } from '../decorators/roles.decorator';
+import { ROLES_KEY } from '../decorators/roles.decorator';
 
-interface JwtUser {
-  id: string | number;
-  email?: string;
-  role: Role;
-}
-
-/**
- * #158 – RolesGuard
- *
- * Must be used together with an AuthGuard that populates `request.user`
- * from a validated JWT. The guard:
- *
- *  1. Skips routes that have no @Roles() decorator (public by default).
- *  2. Rejects unauthenticated requests with 401.
- *  3. Rejects authenticated requests whose role is not in the allowed list with 403.
- *
- * Registration (choose one):
- *   - Globally:  app.useGlobalGuards(new RolesGuard(reflector))  in main.ts
- *   - Per-module: providers: [RolesGuard]  and add @UseGuards(JwtAuthGuard, RolesGuard)
- */
 @Injectable()
 export class RolesGuard implements CanActivate {
-  private readonly logger = new Logger(RolesGuard.name);
-
-  constructor(private readonly reflector: Reflector) {}
+  constructor(private reflector: Reflector) {}
 
   canActivate(context: ExecutionContext): boolean {
-    // Collect roles from the handler first, then fall back to the controller level
-    const requiredRoles = this.reflector.getAllAndOverride<Role[]>(ROLES_KEY, [
+    const requiredRoles = this.reflector.getAllAndOverride<string[]>(ROLES_KEY, [
       context.getHandler(),
       context.getClass(),
     ]);
-
-    // No @Roles() decorator → route is unrestricted at the role level
     if (!requiredRoles || requiredRoles.length === 0) {
       return true;
     }
-
-    const request = context.switchToHttp().getRequest<Request & { user?: JwtUser }>();
+    const request = context.switchToHttp().getRequest();
     const user = request.user;
-
-    if (!user) {
-      throw new UnauthorizedException(
-        'Authentication is required to access this resource.',
-      );
+    if (!user || !user.roles) {
+      return false;
     }
-
-    const hasRole = requiredRoles.includes(user.role);
-
-    if (!hasRole) {
-      this.logger.warn(
-        `Access denied: user ${user.id} (role="${user.role}") attempted to access ` +
-          `[${context.getClass().name}::${context.getHandler().name}] ` +
-          `which requires role(s): [${requiredRoles.join(', ')}]`,
-      );
-      throw new ForbiddenException(
-        `You do not have permission to perform this action. ` +
-          `Required role(s): ${requiredRoles.join(' or ')}.`,
-      );
-    }
-
-    return true;
+    // Support multiple roles per endpoint
+    return requiredRoles.some(role => user.roles.includes(role));
   }
 }