Merge pull request #267 from Code-4-Community/user-module-docs-and-logs

User module docs and logs

Author: prooflesben

backend/src/guards/auth.guard.ts

@@ -73,6 +73,14 @@ export class VerifyAdminRoleGuard implements CanActivate {
       }
       const result = await this.verifier.verify(accessToken);
       const groups = result['cognito:groups'] || [];
+      
+      // Attach user info to request for use in controllers
+      request.user = {
+        userId: result['username'] || result['cognito:username'],
+        email: result['email'],
+        position: groups.includes('Admin') ? 'Admin' : (groups.includes('Employee') ? 'Employee' : 'Inactive')
+      };
+      
       console.log("User groups from token:", groups); 
       if (!groups.includes('Admin')) {
         console.warn("Access denied: User is not an Admin");
@@ -87,3 +95,57 @@ export class VerifyAdminRoleGuard implements CanActivate {
     }
   }
 }
+
+@Injectable()
+export class VerifyAdminOrEmployeeRoleGuard implements CanActivate {
+  private verifier: any;
+  private readonly logger: Logger;
+  
+  constructor() {
+    const userPoolId = process.env.COGNITO_USER_POOL_ID;
+    this.logger = new Logger(VerifyAdminOrEmployeeRoleGuard.name);
+    
+    if (userPoolId) {
+      this.verifier = CognitoJwtVerifier.create({
+        userPoolId,
+        tokenUse: "access",
+        clientId: process.env.COGNITO_CLIENT_ID,
+      });
+    } else {
+      throw new Error(
+        "[AUTH] USER POOL ID is not defined in environment variables"
+      );
+    }
+  }
+  
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    try {
+      const request = context.switchToHttp().getRequest();
+      const accessToken = request.cookies["access_token"];
+      
+      if (!accessToken) {
+        this.logger.error("No access token found in cookies");
+        return false;
+      }
+      
+      const result = await this.verifier.verify(accessToken);
+      const groups = result['cognito:groups'] || [];
+      
+      this.logger.log(`User groups from token: ${groups.join(', ')}`);
+      
+      // Check if user is either Admin or Employee
+      const isAuthorized = groups.includes('Admin') || groups.includes('Employee');
+      
+      if (!isAuthorized) {
+        this.logger.warn("Access denied: User is not an Admin or Employee");
+        return false;
+      }
+      
+      return true;
+      
+    } catch (error) {
+      this.logger.error("Token verification failed:", error);
+      return false;
+    }
+  }
+}

backend/src/user/__test__/user.service.spec.ts

@@ -4,7 +4,7 @@ import { UserService } from '../user.service';
 
 import * as AWS from 'aws-sdk';
 
-import { VerifyUserGuard, VerifyAdminRoleGuard } from '../../guards/auth.guard';
+import { VerifyUserGuard, VerifyAdminRoleGuard, VerifyAdminOrEmployeeRoleGuard } from '../../guards/auth.guard';
 import { describe, it, expect, beforeEach, beforeAll, vi } from 'vitest';
 
 // Create mock functions at module level (BEFORE mock)
@@ -77,6 +77,9 @@ vi.mock('../../guards/auth.guard', () => ({
   }),
   VerifyAdminRoleGuard: vi.fn(class MockVerifyAdminRoleGuard {
     canActivate = vi.fn().mockResolvedValue(true);
+  }),
+  VerifyAdminOrEmployeeRoleGuard: vi.fn(class MockVerifyAdminOrEmployeeRoleGuard {
+    canActivate = vi.fn().mockResolvedValue(true);
   })
 }));
 

backend/src/user/types/user.types.ts

@@ -0,0 +1,11 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { UserStatus } from '../../../../middle-layer/types/UserStatus';
+
+export class ChangeRoleBody {
+  user!: {   
+    userId: string,
+    position: UserStatus,
+    email: string 
+  };
+  groupName!: UserStatus;
+}

backend/src/user/user.controller.ts

@@ -1,60 +1,202 @@
-import { Controller, Get, Post, Body, Param, UseGuards } from "@nestjs/common";
+import { Controller, Get, Patch, Delete, Body, Param, UseGuards, Req } from "@nestjs/common";
 import { UserService } from "./user.service";
 import { User } from "../../../middle-layer/types/User";
 import { UserStatus } from "../../../middle-layer/types/UserStatus";
-import { VerifyAdminRoleGuard, VerifyUserGuard } from "../guards/auth.guard";
+import { VerifyAdminRoleGuard, VerifyUserGuard, VerifyAdminOrEmployeeRoleGuard } from "../guards/auth.guard";
+import { ApiResponse, ApiParam , ApiBearerAuth} from "@nestjs/swagger";
+import { ChangeRoleBody } from "./types/user.types";
 
 @Controller("user")
 export class UserController {
   constructor(private readonly userService: UserService) {}
 
+  /**
+   * Get all users
+   */
   @Get()
-  @UseGuards(VerifyUserGuard)
+  @ApiResponse({
+    status : 200,
+    description : "All users retrieved successfully"
+  })
+  @ApiResponse({
+    status : 403,
+    description : "Forbidden"
+  })
+  @ApiResponse({
+    status : 500,
+    description : "Internal Server Error"
+  })
+  @UseGuards(VerifyAdminOrEmployeeRoleGuard)
+  @ApiBearerAuth()
   async getAllUsers() {
     return await this.userService.getAllUsers();
   }
 
+
+  /**
+   * Get all inactive users
+   */
   @Get("inactive")
-  @UseGuards(VerifyUserGuard)
+  @ApiResponse({
+    status : 200,
+    description : "All inactive users retrieved successfully"
+  })
+  @ApiResponse({
+    status : 403,
+    description : "Forbidden"
+  })
+  @ApiResponse({
+    status : 500,
+    description : "Internal Server Error"
+  })
+  @UseGuards(VerifyAdminOrEmployeeRoleGuard)
+  @ApiBearerAuth()
   async getAllInactiveUsers(): Promise<User[]> {
     return await this.userService.getAllInactiveUsers();
   }
 
+  /**
+   * Get all active users
+   */
   @Get("active")
-  @UseGuards(VerifyUserGuard)
+  @ApiResponse({
+    status : 200,
+    description : "All active users retrieved successfully"
+  })
+  @ApiResponse({
+    status : 403,
+    description : "Forbidden"
+  })
+  @ApiResponse({
+    status : 500,
+    description : "Internal Server Error"
+  })
+  @UseGuards(VerifyAdminOrEmployeeRoleGuard)
+  @ApiBearerAuth()
   async getAllActiveUsers(): Promise<User[]> {
     console.log("Fetching all active users");
     return await this.userService.getAllActiveUsers();
   }
-  // Make sure to put a guard on this route
-  @Post("change-role")
+
+  /**
+   * Change a user's role (make sure guard is on this route)
+   */
+  @Patch("change-role")
+  @ApiResponse({
+    status : 200,
+    description : "User role changed successfully"
+  })
+  @ApiResponse({
+    status : 400,
+    description : "{Error encountered}"
+  })
+  @ApiResponse({
+    status : 401,
+    description : "Unauthorized"
+  })
+  @ApiResponse({
+    status : 403,
+    description : "Forbidden"
+  })
+  @ApiResponse({
+    status : 404,
+    description : "Not Found"
+  })
+  @ApiResponse({
+    status : 500,
+    description : "Internal Server Error"
+  })
   @UseGuards(VerifyAdminRoleGuard)
+  @ApiBearerAuth()
   async addToGroup(
-    @Body("user") user: User,
-    @Body("groupName") groupName: UserStatus,
-    @Body("requestedBy") requestedBy: User
+    @Body() changeRoleBody: ChangeRoleBody,
+    @Req() req: any
   ): Promise<User> {
+    // Get the requesting admin from the authenticated session (attached by guard)
+    const requestedBy: User = req.user;
+    
     let newUser: User = await this.userService.addUserToGroup(
-      user,
-      groupName,
+      changeRoleBody.user,
+      changeRoleBody.groupName,
       requestedBy
     );
     return newUser as User;
   }
 
-  @Post("delete-user")
+  /**
+   * Delete a user
+   */
+  @Delete("delete-user/:userId")
+  @ApiParam({
+    name: 'userId',
+    description: 'ID of the user to delete',
+    required: true,
+    type: String
+  })
+  @ApiResponse({
+    status : 200,
+    description : "User deleted successfully"
+  })
+  @ApiResponse({
+    status : 400,
+    description : "{Error encountered}"
+  })
+  @ApiResponse({
+    status : 401,
+    description : "Unauthorized"
+  })
+  @ApiResponse({
+    status : 403,
+    description : "Forbidden"
+  })
+  @ApiResponse({
+    status : 404,
+    description : "Not Found"
+  })
+  @ApiResponse({
+    status : 500,
+    description : "Internal Server Error"
+  })
   @UseGuards(VerifyAdminRoleGuard)
+  @ApiBearerAuth()
   async deleteUser(
-    @Body("user") user: User,
-    @Body("requestedBy") requestedBy: User
+    @Param('userId') userId: string,
+    @Req() req: any
   ): Promise<User> {
-    let deletedUser = await this.userService.deleteUser(user, requestedBy);
-    return user as User;
+    // Get the requesting admin from the authenticated session (attached by guard)
+    const requestedBy: User = req.user;
+    
+    // Fetch the user to delete from the database
+    const userToDelete: User = await this.userService.getUserById(userId);
+    
+    return await this.userService.deleteUser(userToDelete, requestedBy);
   }
 
+  /**
+   * Get user by ID
+   */
   @Get(":id")
-  @UseGuards(VerifyUserGuard)
-  async getUserById(@Param("id") userId: string) {
+  @ApiParam({
+    name: 'id',
+    description: 'User ID to retrieve',
+    required: true,
+    type: String
+  })
+  @ApiResponse({
+    status : 200,
+    description : "User retrieved successfully"
+  })
+  @ApiResponse({
+    status : 403,
+    description : "Forbidden"
+  })
+  @ApiResponse({
+    status : 500,
+    description : "Internal Server Error"
+  })
+  @UseGuards(VerifyAdminOrEmployeeRoleGuard)
+  @ApiBearerAuth()
+  async getUserById(@Param('id') userId: string): Promise<User> {
     return await this.userService.getUserById(userId);
   }
 }