fix(api): add WorkspaceGuard to controllers and fix route ordering

apps/api/src/domains/domains.controller.ts

@@ -8,97 +8,62 @@ import {
   Param,
   Query,
   UseGuards,
-  Request,
-  UnauthorizedException,
 } from "@nestjs/common";
 import { DomainsService } from "./domains.service";
 import { CreateDomainDto, UpdateDomainDto, QueryDomainsDto } from "./dto";
 import { AuthGuard } from "../auth/guards/auth.guard";
+import { WorkspaceGuard, PermissionGuard } from "../common/guards";
+import { Workspace, Permission, RequirePermission } from "../common/decorators";
+import { CurrentUser } from "../auth/decorators/current-user.decorator";
 
-/**
- * Controller for domain endpoints
- * All endpoints require authentication
- */
 @Controller("domains")
-@UseGuards(AuthGuard)
+@UseGuards(AuthGuard, WorkspaceGuard, PermissionGuard)
 export class DomainsController {
   constructor(private readonly domainsService: DomainsService) {}
 
-  /**
-   * POST /api/domains
-   * Create a new domain
-   */
   @Post()
-  async create(@Body() createDomainDto: CreateDomainDto, @Request() req: any) {
-    const workspaceId = req.user?.workspaceId;
-    const userId = req.user?.id;
-
-    if (!workspaceId || !userId) {
-      throw new UnauthorizedException("Authentication required");
-    }
-
-    return this.domainsService.create(workspaceId, userId, createDomainDto);
+  @RequirePermission(Permission.WORKSPACE_MEMBER)
+  async create(
+    @Body() createDomainDto: CreateDomainDto,
+    @Workspace() workspaceId: string,
+    @CurrentUser() user: any
+  ) {
+    return this.domainsService.create(workspaceId, user.id, createDomainDto);
   }
 
-  /**
-   * GET /api/domains
-   * Get paginated domains with optional filters
-   */
   @Get()
-  async findAll(@Query() query: QueryDomainsDto, @Request() req: any) {
-    const workspaceId = req.user?.workspaceId;
-    if (!workspaceId) {
-      throw new UnauthorizedException("Authentication required");
-    }
+  @RequirePermission(Permission.WORKSPACE_ANY)
+  async findAll(
+    @Query() query: QueryDomainsDto,
+    @Workspace() workspaceId: string
+  ) {
     return this.domainsService.findAll({ ...query, workspaceId });
   }
 
-  /**
-   * GET /api/domains/:id
-   * Get a single domain by ID
-   */
   @Get(":id")
-  async findOne(@Param("id") id: string, @Request() req: any) {
-    const workspaceId = req.user?.workspaceId;
-    if (!workspaceId) {
-      throw new UnauthorizedException("Authentication required");
-    }
+  @RequirePermission(Permission.WORKSPACE_ANY)
+  async findOne(@Param("id") id: string, @Workspace() workspaceId: string) {
     return this.domainsService.findOne(id, workspaceId);
   }
 
-  /**
-   * PATCH /api/domains/:id
-   * Update a domain
-   */
   @Patch(":id")
+  @RequirePermission(Permission.WORKSPACE_MEMBER)
   async update(
     @Param("id") id: string,
     @Body() updateDomainDto: UpdateDomainDto,
-    @Request() req: any
+    @Workspace() workspaceId: string,
+    @CurrentUser() user: any
   ) {
-    const workspaceId = req.user?.workspaceId;
-    const userId = req.user?.id;
-
-    if (!workspaceId || !userId) {
-      throw new UnauthorizedException("Authentication required");
-    }
-
-    return this.domainsService.update(id, workspaceId, userId, updateDomainDto);
+    return this.domainsService.update(id, workspaceId, user.id, updateDomainDto);
   }
 
-  /**
-   * DELETE /api/domains/:id
-   * Delete a domain
-   */
   @Delete(":id")
-  async remove(@Param("id") id: string, @Request() req: any) {
-    const workspaceId = req.user?.workspaceId;
-    const userId = req.user?.id;
-
-    if (!workspaceId || !userId) {
-      throw new UnauthorizedException("Authentication required");
-    }
-
-    return this.domainsService.remove(id, workspaceId, userId);
+  @RequirePermission(Permission.WORKSPACE_ADMIN)
+  async remove(
+    @Param("id") id: string,
+    @Workspace() workspaceId: string,
+    @CurrentUser() user: any
+  ) {
+    return this.domainsService.remove(id, workspaceId, user.id);
   }
 }