fix: prevent access to admin info from outside the dashboard

Add @UseGuards to prevent access to admin info from outside the dashboard, exclude the admin controller endpoints from the api docs and remove all the api requests related to the admins in the api sdk. re #460
2026-01-09 22:47:57 -05:00 · 2024-03-29 20:35:23 +01:00
parent c1b12b93c6
commit ada9610d22
4 changed files with 18 additions and 133 deletions
--- a/apps/api/src/app/admins/admins.controller.ts
+++ b/apps/api/src/app/admins/admins.controller.ts
@@ -1,5 +1,14 @@
-import { Body, Controller, Get, Param, Post, Put } from "@nestjs/common"
-import { ApiCreatedResponse } from "@nestjs/swagger"
+import {
+    Body,
+    Controller,
+    Get,
+    Param,
+    Post,
+    Put,
+    UseGuards
+} from "@nestjs/common"
+import { ApiExcludeEndpoint } from "@nestjs/swagger"
+import { AuthGuard } from "../auth/auth.guard"
 import { CreateAdminDTO } from "./dto/create-admin.dto"
 import { AdminsService } from "./admins.service"
 import { Admin } from "./entities/admin.entity"
@@ -10,17 +19,22 @@ export class AdminsController {
    constructor(private readonly adminsService: AdminsService) {}

    @Post()
+    @UseGuards(AuthGuard)
+    @ApiExcludeEndpoint()
    async createAdmin(@Body() dto: CreateAdminDTO): Promise<Admin> {
        return this.adminsService.create(dto)
    }

    @Get(":admin")
-    @ApiCreatedResponse({ type: Admin })
+    @UseGuards(AuthGuard)
+    @ApiExcludeEndpoint()
    async getAdmin(@Param("admin") adminId: string) {
        return this.adminsService.findOne({ id: adminId })
    }

    @Put(":admin/apikey")
+    @UseGuards(AuthGuard)
+    @ApiExcludeEndpoint()
    async updateApiKey(
        @Param("admin") adminId: string,
        @Body() dto: UpdateApiKeyDTO