fix(api): add WorkspaceGuard to controllers and fix route ordering

2026-01-29 20:15:33 -06:00
parent 9977d9bcf4
commit 48abdbba8b
8 changed files with 216 additions and 541 deletions
--- a/apps/api/src/activity/activity.controller.ts
+++ b/apps/api/src/activity/activity.controller.ts
@@ -1,59 +1,44 @@
-import { Controller, Get, Query, Param, UseGuards, Request } from "@nestjs/common";
+import { 
+  Controller, 
+  Get, 
+  Query, 
+  Param, 
+  UseGuards,
+} from "@nestjs/common";
 import { ActivityService } from "./activity.service";
 import { EntityType } from "@prisma/client";
 import type { QueryActivityLogDto } from "./dto";
 import { AuthGuard } from "../auth/guards/auth.guard";
+import { WorkspaceGuard, PermissionGuard } from "../common/guards";
+import { Workspace, Permission, RequirePermission } from "../common/decorators";

-/**
- * Controller for activity log endpoints
- * All endpoints require authentication
- */
@Controller("activity")
-@UseGuards(AuthGuard)
+@UseGuards(AuthGuard, WorkspaceGuard, PermissionGuard)
 export class ActivityController {
  constructor(private readonly activityService: ActivityService) {}

-  /**
-   * GET /api/activity
-   * Get paginated activity logs with optional filters
-   * workspaceId is extracted from authenticated user context
-   */
  @Get()
-  async findAll(@Query() query: QueryActivityLogDto, @Request() req: any) {
-    // Extract workspaceId from authenticated user
-    const workspaceId = req.user?.workspaceId || query.workspaceId;
+  @RequirePermission(Permission.WORKSPACE_ANY)
+  async findAll(
+    @Query() query: QueryActivityLogDto,
+    @Workspace() workspaceId: string
+  ) {
    return this.activityService.findAll({ ...query, workspaceId });
  }

-  /**
-   * GET /api/activity/:id
-   * Get a single activity log by ID
-   * workspaceId is extracted from authenticated user context
-   */
  @Get(":id")
-  async findOne(@Param("id") id: string, @Request() req: any) {
-    const workspaceId = req.user?.workspaceId;
-    if (!workspaceId) {
-      throw new Error("User workspaceId not found");
-    }
+  @RequirePermission(Permission.WORKSPACE_ANY)
+  async findOne(@Param("id") id: string, @Workspace() workspaceId: string) {
    return this.activityService.findOne(id, workspaceId);
  }

-  /**
-   * GET /api/activity/audit/:entityType/:entityId
-   * Get audit trail for a specific entity
-   * workspaceId is extracted from authenticated user context
-   */
  @Get("audit/:entityType/:entityId")
+  @RequirePermission(Permission.WORKSPACE_ANY)
  async getAuditTrail(
-    @Request() req: any,
    @Param("entityType") entityType: EntityType,
-    @Param("entityId") entityId: string
+    @Param("entityId") entityId: string,
+    @Workspace() workspaceId: string
  ) {
-    const workspaceId = req.user?.workspaceId;
-    if (!workspaceId) {
-      throw new Error("User workspaceId not found");
-    }
    return this.activityService.getAuditTrail(workspaceId, entityType, entityId);
  }
 }