stack/apps/api/src/auth/guards/admin.guard.ts

/**
 * Admin Guard
 *
 * Restricts access to system-level admin operations.
 * Currently checks if user owns at least one workspace (indicating admin status).
 * Future: Replace with proper role-based access control (RBAC).
 */

import {
  Injectable,
  CanActivate,
  ExecutionContext,
  ForbiddenException,
  Logger,
} from "@nestjs/common";
import { PrismaService } from "../../prisma/prisma.service";
import type { AuthenticatedRequest } from "../../common/types/user.types";

@Injectable()
export class AdminGuard implements CanActivate {
  private readonly logger = new Logger(AdminGuard.name);

  constructor(private readonly prisma: PrismaService) {}

  async canActivate(context: ExecutionContext): Promise<boolean> {
    const request = context.switchToHttp().getRequest<AuthenticatedRequest>();
    const user = request.user;

    if (!user) {
      throw new ForbiddenException("User not authenticated");
    }

    // Check if user owns any workspace (admin indicator)
    // TODO: Replace with proper RBAC system admin role check
    const ownedWorkspaces = await this.prisma.workspace.count({
      where: { ownerId: user.id },
    });

    if (ownedWorkspaces === 0) {
      this.logger.warn(`Non-admin user ${user.id} attempted admin operation`);
      throw new ForbiddenException("This operation requires system administrator privileges");
    }

    return true;
  }
}