add message guard

ZHallen122 · ZHallen122 · commit 06b6dcb0f56f · 2024-10-26T20:12:17.000-04:00
diff --git a/backend/src/chat/chat.resolver.ts b/backend/src/chat/chat.resolver.ts
@@ -10,7 +10,7 @@ import {
   ChatInput,
 } from 'src/chat/dto/chat.input';
 import { UseGuards } from '@nestjs/common';
-import { ChatGuard } from '../guard/chat.guard';
+import { ChatGuard, MessageGuard } from '../guard/chat.guard';
 import { GetUserIdFromToken } from '../decorator/get-auth-token';
 
 @Resolver('Chat')
@@ -52,6 +52,7 @@ export class ChatResolver {
     return user ? user.chats : []; // Return chats if user exists, otherwise return an empty array
   }
 
+  @UseGuards(MessageGuard)
   @Query(() => Message, { nullable: true })
   async getMessageDetail(
     @GetUserIdFromToken() userId: string,
diff --git a/backend/src/guard/chat.guard.ts b/backend/src/guard/chat.guard.ts
@@ -53,3 +53,51 @@ export class ChatGuard implements CanActivate {
     return true;
   }
 }
+
+@Injectable()
+export class MessageGuard implements CanActivate {
+  constructor(
+    private readonly chatService: ChatService, // Inject ChatService to fetch chat details
+    private readonly jwtService: JwtService, // JWT Service to verify tokens
+  ) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const gqlContext = GqlExecutionContext.create(context);
+    const request = gqlContext.getContext().req;
+
+    // Extract the authorization header
+    const authHeader = request.headers.authorization;
+    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      throw new UnauthorizedException('Authorization token is missing');
+    }
+
+    // Decode the token to get user information
+    const token = authHeader.split(' ')[1];
+    let user: any;
+    try {
+      user = this.jwtService.verify(token);
+    } catch (error) {
+      throw new UnauthorizedException('Invalid token');
+    }
+
+    // Extract chatId from the request arguments
+    const args = gqlContext.getArgs();
+    const { messageId } = args;
+
+    // Fetch the message and its associated chat
+    const message = await this.chatService.getMessageById(messageId);
+    if (!message) {
+      throw new UnauthorizedException('Message not found');
+    }
+
+    // Ensure that the user is part of the chat the message belongs to
+    const chat = message.chat;
+    if (chat.user.id !== user.userId) {
+      throw new UnauthorizedException(
+        'User is not authorized to access this message',
+      );
+    }
+
+    return true;
+  }
+}
