fix(web): admin page role check — stop false redirect to /chat (#203)

Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>

apps/gateway/src/admin/admin.guard.ts

@@ -8,8 +8,11 @@ import {
 } from '@nestjs/common';
 import { fromNodeHeaders } from 'better-auth/node';
 import type { Auth } from '@mosaic/auth';
+import type { Db } from '@mosaic/db';
+import { eq, users as usersTable } from '@mosaic/db';
 import type { FastifyRequest } from 'fastify';
 import { AUTH } from '../auth/auth.tokens.js';
+import { DB } from '../database/database.module.js';
 
 interface UserWithRole {
   id: string;
@@ -18,7 +21,10 @@ interface UserWithRole {
 
 @Injectable()
 export class AdminGuard implements CanActivate {
-  constructor(@Inject(AUTH) private readonly auth: Auth) {}
+  constructor(
+    @Inject(AUTH) private readonly auth: Auth,
+    @Inject(DB) private readonly db: Db,
+  ) {}
 
   async canActivate(context: ExecutionContext): Promise<boolean> {
     const request = context.switchToHttp().getRequest<FastifyRequest>();
@@ -32,7 +38,21 @@ export class AdminGuard implements CanActivate {
 
     const user = result.user as UserWithRole;
 
-    if (user.role !== 'admin') {
+    // Ensure the role field is populated. better-auth should include additionalFields
+    // in the session, but as a fallback, fetch the role from the database if needed.
+    let userRole = user.role;
+    if (!userRole) {
+      const [dbUser] = await this.db
+        .select({ role: usersTable.role })
+        .from(usersTable)
+        .where(eq(usersTable.id, user.id))
+        .limit(1);
+      userRole = dbUser?.role ?? 'member';
+      // Update the session user object with the fetched role
+      (user as UserWithRole).role = userRole;
+    }
+
+    if (userRole !== 'admin') {
       throw new ForbiddenException('Admin access required');
     }