refactor: remove role property from User model and update related logic for role handling

prisma/schema.prisma

@@ -10,7 +10,6 @@ datasource db {
 model User {
     id        String   @id
     username  String
-    role      Role     @default(STUDENT)
     createdAt DateTime @default(now())
 
     Class                Class[]
@@ -105,8 +104,3 @@ model RoomSurveyAnswerUser {
     Answer   RoomSurveyAnswer @relation(fields: [answerId], references: [id])
     answerId Int
 }
-
-enum Role {
-    STUDENT
-    ADMIN
-}

src/modules/auth/decorators/roles.decorator.ts

@@ -1,4 +1,3 @@
 import { SetMetadata } from "@nestjs/common";
-import { $Enums } from "@prisma/client";
 
-export const Roles = (roles: $Enums.Role[]) => SetMetadata("roles", roles);
+export const Roles = (roles: string[]) => SetMetadata("roles", roles);

src/modules/auth/guards/role.guard.ts

@@ -7,12 +7,13 @@ import {
 } from "@nestjs/common";
 import { Reflector } from "@nestjs/core";
 import { Request } from "express";
+import { decode, JwtPayload, UserJwtPayload } from "jsonwebtoken";
 
 @Injectable()
 export class RolesGuard implements CanActivate {
 	constructor(private readonly reflector: Reflector) {}
 
-	canActivate(context: ExecutionContext): boolean {
+	async canActivate(context: ExecutionContext): Promise<boolean> {
 		const RolesHandler = this.reflector.get<string[]>(
 			"roles",
 			context.getHandler(),
@@ -29,11 +30,21 @@ export class RolesGuard implements CanActivate {
 
 		if (!user) throw new ForbiddenException("User not authenticated");
 
+		const decodedToken = await this.decodeToken(
+			this.extractTokenFromHeader(request.headers.authorization),
+		);
+
+		// Check if the user has the right role
+		// On the handler level
 		const hasRoleHandler =
-				RolesHandler?.some((role) => user.role?.includes(role)) ??
+				RolesHandler?.some((role) =>
-				false,
+					decodedToken.realm_access.roles?.includes(role),
+				) ?? false,
+			// On the class level
 			hasRoleClass =
-				RolesClass?.some((role) => user.role?.includes(role)) ?? false;
+				RolesClass?.some((role) =>
+					decodedToken.realm_access.roles?.includes(role),
+				) ?? false;
 
 		if (hasRoleHandler) return true;
 		else if (hasRoleClass) return true;
@@ -42,4 +53,20 @@ export class RolesGuard implements CanActivate {
 				`User doesn't have the right role, expected: ${RolesHandler ?? RolesClass}`,
 			);
 	}
+
+	async decodeToken(token: string) {
+		try {
+			return decode(token) as UserJwtPayload;
+		} catch (error) {
+			throw new UnauthorizedException("Invalid token");
+		}
+	}
+
+	extractTokenFromHeader(header: string) {
+		const token = header.split(" ")[1];
+
+		if (!token) throw new UnauthorizedException("Token not found");
+
+		return token;
+	}
 }

src/modules/class/class.controller.ts

@@ -39,7 +39,7 @@ import { ClassRoomEntity } from "./entities/room.entity";
 @UseGuards(RolesGuard)
 @UseGuards(JwtAuthGuard)
 @ApiBearerAuth()
-@Roles(["ADMIN"])
+@Roles(["admin"])
 @ApiUnauthorizedResponse(UnauthorizedResponse)
 export class ClassController {
 	constructor(private readonly classService: ClassService) { }

src/modules/user/ApiResponses/UserReponse.ts

@@ -23,8 +23,8 @@ export const UsersResponse = {
 		example: {
 			summary: "A list of users",
 			value: [
-				{ id: "1", role: "ADMIN", username: "admin" },
+				{ id: "1", username: "admin" },
-				{ id: "2", role: "STUDENT", username: "student" },
+				{ id: "2", username: "student" },
 			] as UserEntity[],
 		},
 	},

src/modules/user/dto/create-user.dto.ts

@@ -1,5 +1,4 @@
 import { ApiProperty } from "@nestjs/swagger";
-import { Role } from "@prisma/client";
 import { IsString } from "class-validator";
 
 export class CreateUserDTO {
@@ -10,8 +9,4 @@ export class CreateUserDTO {
 	@IsString()
 	@ApiProperty()
 	username: string;
-
-	@IsString()
-	@ApiProperty()
-	role: Role;
 }

src/modules/user/entities/user.entity.ts

@@ -1,5 +1,4 @@
 import { ApiProperty, ApiSchema } from "@nestjs/swagger";
-import { $Enums } from "@prisma/client";
 import { Expose } from "class-transformer";
 
 @ApiSchema({ name: "User" })
@@ -12,10 +11,6 @@ export class UserEntity {
 	@ApiProperty()
 	username: string;
 
-	@Expose()
-	@ApiProperty()
-	role: $Enums.Role;
-
 	constructor(partial: Partial<UserEntity>) {
 		Object.assign(this, partial);
 	}

src/modules/user/user.controller.ts

@@ -35,7 +35,7 @@ import { Request } from "express";
 @UseGuards(RolesGuard)
 @UseGuards(JwtAuthGuard)
 @ApiBearerAuth()
-@Roles(["ADMIN"])
+@Roles(["admin"])
 @ApiUnauthorizedResponse(UnauthorizedResponse)
 export class UserController {
 	constructor(private readonly userService: UserService) {}

src/modules/user/user.service.ts

@@ -45,13 +45,10 @@ export class UserService {
 		});
 
 		if (!user) {
-			const isFirstUser = (await this.prisma.user.count()) === 0;
-
 			user = await this.prisma.user.create({
 				data: {
 					id,
-					username,
+					username
-					role: isFirstUser ? "ADMIN" : "STUDENT",
 				},
 			});
 		} else if (user.username !== username) {
@@ -80,7 +77,6 @@ export class UserService {
 			where: { id },
 			data: {
 				username: updateUserInput.username,
-				role: updateUserInput.role,
 			},
 		});
 	}
@@ -107,7 +103,6 @@ export class UserService {
 			select: {
 				id: true,
 				username: true,
-				role: true
 			}
 		});
 	}

src/types/jwt.d.ts

@@ -0,0 +1,14 @@
+import * as jwt from "jsonwebtoken";
+
+declare module "jsonwebtoken" {
+	export interface UserJwtPayload extends jwt.JwtPayload {
+		name: string;
+		preferred_username: string;
+		email: string;
+		given_name: string;
+		family_name: string;
+		realm_access: {
+			roles: string[];
+		};
+	}
+}