[FIX] Update Endpoints (#1896)

* fix(api): update response and docs for policy & risks endpoints

* fix(api): add API key auth support with userId parameter for comments API

* fix(api): add API key auth support with userId parameter for transfer-ownership and task/attachments endpoints

* fix(api): move userId to request body for comment deletion endpoint

* fix(api): don't expose sensitive fields of user model from /risks endpoint

* fix(api): update error description of transfer-ownership api

---------

Co-authored-by: chasprowebdev <[email protected]>
Co-authored-by: Mariano Fuentes <[email protected]>

Author: 3 people

apps/api/src/attachments/upload-attachment.dto.ts

@@ -69,4 +69,15 @@ export class UploadAttachmentDto {
   @IsString()
   @MaxLength(500)
   description?: string;
+
+  @ApiProperty({
+    description:
+      'User ID of the user uploading the attachment (required for API key auth, ignored for JWT auth)',
+    example: 'usr_abc123def456',
+    required: false,
+  })
+  @IsOptional()
+  @IsString()
+  @IsNotEmpty()
+  userId?: string;
 }

apps/api/src/comments/comments.controller.ts

@@ -5,15 +5,14 @@ import {
   Controller,
   Delete,
   Get,
-  HttpCode,
-  HttpStatus,
   Param,
   Post,
   Put,
   Query,
   UseGuards,
 } from '@nestjs/common';
 import {
+  ApiBody,
   ApiHeader,
   ApiOperation,
   ApiParam,
@@ -28,6 +27,7 @@ import type { AuthContext as AuthContextType } from '../auth/types';
 import { CommentsService } from './comments.service';
 import { CommentResponseDto } from './dto/comment-responses.dto';
 import { CreateCommentDto } from './dto/create-comment.dto';
+import { DeleteCommentDto } from './dto/delete-comment.dto';
 import { UpdateCommentDto } from './dto/update-comment.dto';
 
 @ApiTags('Comments')
@@ -92,13 +92,28 @@ export class CommentsController {
     @AuthContext() authContext: AuthContextType,
     @Body() createCommentDto: CreateCommentDto,
   ): Promise<CommentResponseDto> {
-    if (!authContext.userId) {
-      throw new BadRequestException('User ID is required');
+    // For API key auth, userId must be provided in the request body
+    // For JWT auth, userId comes from the authenticated session
+    let userId: string;
+    if (authContext.isApiKey) {
+      // For API key auth, userId must be provided in the DTO
+      if (!createCommentDto.userId) {
+        throw new BadRequestException(
+          'User ID is required when using API key authentication. Provide userId in the request body.',
+        );
+      }
+      userId = createCommentDto.userId;
+    } else {
+      // For JWT auth, use the authenticated user's ID
+      if (!authContext.userId) {
+        throw new BadRequestException('User ID is required');
+      }
+      userId = authContext.userId;
     }
 
     return await this.commentsService.createComment(
       organizationId,
-      authContext.userId,
+      userId,
       createCommentDto,
     );
   }
@@ -124,14 +139,29 @@ export class CommentsController {
     @Param('commentId') commentId: string,
     @Body() updateCommentDto: UpdateCommentDto,
   ): Promise<CommentResponseDto> {
-    if (!authContext.userId) {
-      throw new BadRequestException('User ID is required');
+    // For API key auth, userId must be provided in the request body
+    // For JWT auth, userId comes from the authenticated session
+    let userId: string;
+    if (authContext.isApiKey) {
+      // For API key auth, userId must be provided in the DTO
+      if (!updateCommentDto.userId) {
+        throw new BadRequestException(
+          'User ID is required when using API key authentication. Provide userId in the request body.',
+        );
+      }
+      userId = updateCommentDto.userId;
+    } else {
+      // For JWT auth, use the authenticated user's ID
+      if (!authContext.userId) {
+        throw new BadRequestException('User ID is required');
+      }
+      userId = authContext.userId;
     }
 
     return await this.commentsService.updateComment(
       organizationId,
       commentId,
-      authContext.userId,
+      userId,
       updateCommentDto.content,
     );
   }
@@ -146,6 +176,20 @@ export class CommentsController {
     description: 'Unique comment identifier',
     example: 'cmt_abc123def456',
   })
+  @ApiBody({
+    description: 'Delete comment request body',
+    schema: {
+      type: 'object',
+      properties: {
+        userId: {
+          type: 'string',
+          description:
+            'User ID of the comment author (required for API key auth, ignored for JWT auth)',
+          example: 'usr_abc123def456',
+        },
+      },
+    },
+  })
   @ApiResponse({
     status: 200,
     description: 'Comment deleted successfully',
@@ -198,15 +242,31 @@ export class CommentsController {
     @OrganizationId() organizationId: string,
     @AuthContext() authContext: AuthContextType,
     @Param('commentId') commentId: string,
+    @Body() deleteDto: DeleteCommentDto,
   ): Promise<{ success: boolean; deletedCommentId: string; message: string }> {
-    if (!authContext.userId) {
-      throw new BadRequestException('User ID is required');
+    // For API key auth, userId must be provided in the request body
+    // For JWT auth, userId comes from the authenticated session
+    let userId: string;
+    if (authContext.isApiKey) {
+      // For API key auth, userId must be provided in the request body
+      if (!deleteDto.userId) {
+        throw new BadRequestException(
+          'User ID is required when using API key authentication. Provide userId in the request body.',
+        );
+      }
+      userId = deleteDto.userId;
+    } else {
+      // For JWT auth, use the authenticated user's ID
+      if (!authContext.userId) {
+        throw new BadRequestException('User ID is required');
+      }
+      userId = authContext.userId;
     }
 
     await this.commentsService.deleteComment(
       organizationId,
       commentId,
-      authContext.userId,
+      userId,
     );
 
     return {

apps/api/src/comments/dto/create-comment.dto.ts

@@ -49,4 +49,15 @@ export class CreateCommentDto {
   @ValidateNested({ each: true })
   @Type(() => UploadAttachmentDto)
   attachments?: UploadAttachmentDto[];
+
+  @ApiProperty({
+    description:
+      'User ID of the comment author (required for API key auth, ignored for JWT auth)',
+    example: 'usr_abc123def456',
+    required: false,
+  })
+  @IsOptional()
+  @IsString()
+  @IsNotEmpty()
+  userId?: string;
 }

apps/api/src/comments/dto/delete-comment.dto.ts

@@ -0,0 +1,15 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsNotEmpty, IsOptional, IsString } from 'class-validator';
+
+export class DeleteCommentDto {
+  @ApiProperty({
+    description:
+      'User ID of the comment author (required for API key auth, ignored for JWT auth)',
+    example: 'usr_abc123def456',
+    required: false,
+  })
+  @IsOptional()
+  @IsString()
+  @IsNotEmpty()
+  userId?: string;
+}

apps/api/src/comments/dto/update-comment.dto.ts

@@ -1,5 +1,5 @@
 import { ApiProperty } from '@nestjs/swagger';
-import { IsNotEmpty, IsString, MaxLength } from 'class-validator';
+import { IsNotEmpty, IsOptional, IsString, MaxLength } from 'class-validator';
 
 export class UpdateCommentDto {
   @ApiProperty({
@@ -11,4 +11,15 @@ export class UpdateCommentDto {
   @IsNotEmpty()
   @MaxLength(2000)
   content: string;
+
+  @ApiProperty({
+    description:
+      'User ID of the comment author (required for API key auth, ignored for JWT auth)',
+    example: 'usr_abc123def456',
+    required: false,
+  })
+  @IsOptional()
+  @IsString()
+  @IsNotEmpty()
+  userId?: string;
 }

apps/api/src/organization/dto/transfer-ownership.dto.ts

@@ -1,5 +1,10 @@
 export interface TransferOwnershipDto {
   newOwnerId: string;
+  /**
+   * User ID of the current owner initiating the transfer
+   * Required for API key auth, ignored for JWT auth
+   */
+  userId?: string;
 }
 
 export interface TransferOwnershipResponseDto {

apps/api/src/organization/organization.controller.ts

@@ -119,25 +119,40 @@ export class OrganizationController {
     @AuthContext() authContext: AuthContextType,
     @Body() transferData: TransferOwnershipDto,
   ) {
-    if (!authContext.userId) {
-      throw new BadRequestException(
-        'User ID is required for this operation. This endpoint requires session authentication.',
-      );
+    // For API key auth, userId must be provided in the request body
+    // For JWT auth, userId comes from the authenticated session
+    let userId: string;
+    if (authContext.isApiKey) {
+      // For API key auth, userId must be provided in the DTO
+      if (!transferData.userId) {
+        throw new BadRequestException(
+          'User ID is required when using API key authentication. Provide userId in the request body.',
+        );
+      }
+      userId = transferData.userId;
+    } else {
+      // For JWT auth, use the authenticated user's ID
+      if (!authContext.userId) {
+        throw new BadRequestException(
+          'User ID is required for this operation. This endpoint requires session authentication.',
+        );
+      }
+      userId = authContext.userId;
     }
 
     const result = await this.organizationService.transferOwnership(
       organizationId,
-      authContext.userId,
+      userId,
       transferData.newOwnerId,
     );
 
     return {
       ...result,
       authType: authContext.authType,
-      // Include user context for session auth (helpful for debugging)
+      // Include user context (helpful for debugging)
       authenticatedUser: {
-        id: authContext.userId,
-        email: authContext.userEmail,
+        id: userId,
+        ...(authContext.userEmail && { email: authContext.userEmail }),
       },
     };
   }

apps/api/src/organization/schemas/organization-api-bodies.ts

@@ -71,6 +71,12 @@ export const TRANSFER_OWNERSHIP_BODY: ApiBodyOptions = {
         description: 'Member ID of the new owner',
         example: 'mem_xyz789',
       },
+      userId: {
+        type: 'string',
+        description:
+          'User ID of the current owner initiating the transfer (required for API key auth, ignored for JWT auth)',
+        example: 'usr_abc123def456',
+      },
     },
     additionalProperties: false,
   },

apps/api/src/policies/schemas/get-all-policies.responses.ts

@@ -7,24 +7,78 @@ export const GET_ALL_POLICIES_RESPONSES: Record<string, ApiResponseOptions> = {
     content: {
       'application/json': {
         schema: {
-          type: 'array',
-          items: { $ref: '#/components/schemas/PolicyResponseDto' },
+          type: 'object',
+          properties: {
+            data: {
+              type: 'array',
+              items: { $ref: '#/components/schemas/PolicyResponseDto' },
+              description: 'Array of policies',
+            },
+            authType: {
+              type: 'string',
+              enum: ['api-key', 'session'],
+              description: 'How the request was authenticated',
+            },
+            authenticatedUser: {
+              type: 'object',
+              description: 'Authenticated user information (only present for session auth)',
+              properties: {
+                id: {
+                  type: 'string',
+                  description: 'User ID',
+                  example: 'usr_abc123def456',
+                },
+                email: {
+                  type: 'string',
+                  description: 'User email',
+                  example: '[email protected]',
+                },
+              },
+            },
+          },
+          required: ['data', 'authType'],
         },
-        example: [
-          {
-            id: 'pol_abc123def456',
-            name: 'Data Privacy Policy',
-            status: 'draft',
-            content: [
-              { type: 'paragraph', content: [{ type: 'text', text: '...' }] },
-            ],
-            isRequiredToSign: true,
-            signedBy: [],
-            createdAt: '2024-01-01T00:00:00.000Z',
-            updatedAt: '2024-01-15T00:00:00.000Z',
-            organizationId: 'org_abc123def456',
+        example: {
+          data: [
+            {
+              id: 'pol_abc123def456',
+              name: 'Data Privacy Policy',
+              description: 'This policy outlines how we handle and protect personal data',
+              status: 'draft',
+              content: [
+                {
+                  type: 'paragraph',
+                  attrs: { textAlign: null },
+                  content: [
+                    {
+                      type: 'text',
+                      text: 'This policy outlines our commitment to protecting personal data.',
+                    },
+                  ],
+                },
+              ],
+              frequency: 'yearly',
+              department: 'IT',
+              isRequiredToSign: true,
+              signedBy: [],
+              reviewDate: '2024-12-31T00:00:00.000Z',
+              isArchived: false,
+              createdAt: '2024-01-01T00:00:00.000Z',
+              updatedAt: '2024-01-15T00:00:00.000Z',
+              lastArchivedAt: null,
+              lastPublishedAt: '2024-01-10T00:00:00.000Z',
+              organizationId: 'org_abc123def456',
+              assigneeId: 'usr_abc123def456',
+              approverId: 'usr_xyz789abc123',
+              policyTemplateId: null,
+            },
+          ],
+          authType: 'session',
+          authenticatedUser: {
+            id: 'usr_abc123def456',
+            email: '[email protected]',
           },
-        ],
+        },
       },
     },
   },