
Issue #94: Backend — JWT Auth Guard & Roles Decorator #247

@wumibals


Labels: backend auth nestjs
Area: backend/src/common/guards/roles.guard.ts, backend/src/common/decorators/roles.decorator.ts
Difficulty: Intermediate

Description

Some admin endpoints need finer-grained access control beyond "is authenticated" — for example, only SUPER_ADMIN can delete other users. This issue creates a RolesGuard and @Roles() decorator that work together to enforce role-based access.

Acceptance Criteria

  • Create backend/src/common/decorators/roles.decorator.ts exporting @Roles(...roles: AdminRole[]) using SetMetadata("roles", roles)
  • Create backend/src/common/guards/roles.guard.ts implementing CanActivate:
    • Reads required roles from Reflector using the "roles" metadata key
    • If no roles metadata exists, allow access (the guard is opt-in)
    • Reads req.user.role and checks if it is included in the required roles list
    • Returns true or throws ForbiddenException
  • Create backend/src/common/interceptors/audit.interceptor.ts — a NestInterceptor that automatically calls AuditService.log() after mutating requests (POST, PUT, PATCH, DELETE) complete successfully; reads the action label from a custom @AuditAction("label") metadata decorator
  • Export all from a barrel backend/src/common/index.ts
  • Both guard classes are decorated with @Injectable()

Technical Notes

  • RolesGuard must be applied AFTER JwtAuthGuard so req.user is populated before the role check
  • The audit interceptor is optional per-controller — not applied globally
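The guard logic from the acceptance criteria and the ordering note above, as an added example that is not part of this issue or the project's code: `SetMetadata`, `Reflector`, `ExecutionContext` and `ForbiddenException` are small stand-ins (assumptions) for the real `@nestjs/common` / `@nestjs/core` types, and `Roles(...)` is applied as a plain function instead of `@Roles()` so the file runs without a Nest install or decorator config.

```typescript
type AdminRole = "ADMIN" | "SUPER_ADMIN";

// Handlers carry metadata as a plain property (stand-in for Nest's metadata store).
type Handler = Function & { __metadata?: { [key: string]: unknown } };

// Stand-in for Nest's SetMetadata(key, value): stamps key/value on a handler.
function SetMetadata<T>(key: string, value: T) {
  return <H extends Handler>(handler: H): H => {
    handler.__metadata = { ...(handler.__metadata || {}), [key]: value };
    return handler;
  };
}

// The decorator from the issue: Roles(...roles) is SetMetadata("roles", roles).
const Roles = (...roles: AdminRole[]) => SetMetadata("roles", roles);

// Stand-in for Nest's Reflector.get(key, target).
class Reflector {
  get<T>(key: string, target: Handler): T | undefined {
    return target.__metadata ? (target.__metadata[key] as T) : undefined;
  }
}

class ForbiddenException extends Error {}

interface AuthenticatedRequest { user?: { role?: AdminRole } }
interface ExecutionContext {
  getHandler(): Handler;
  switchToHttp(): { getRequest(): AuthenticatedRequest };
}

class RolesGuard {
  constructor(private readonly reflector: Reflector) {}
  canActivate(ctx: ExecutionContext): boolean {
    const required = this.reflector.get<AdminRole[]>("roles", ctx.getHandler());
    if (!required || required.length === 0) return true; // opt-in: no @Roles, no check
    const role = ctx.switchToHttp().getRequest().user?.role;
    // No req.user means JwtAuthGuard did not run first: fail closed, never crash.
    if (!role || required.indexOf(role) === -1) {
      throw new ForbiddenException("insufficient role");
    }
    return true;
  }
}

// Runs the guard for one handler against a constructed request object.
function checkAccess(handler: Handler, req: AuthenticatedRequest): boolean {
  const guard = new RolesGuard(new Reflector());
  return guard.canActivate({
    getHandler: () => handler,
    switchToHttp: () => ({ getRequest: () => req }),
  });
}

// Constructed handlers: deleteUser is restricted to SUPER_ADMIN, listUsers is not.
const deleteUser = Roles("SUPER_ADMIN")(function deleteUser() {});
const listUsers: Handler = function listUsers() {};
```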
