fix: prevent access to admin info from outside the dashboard

Add @UseGuards to prevent access to admin info from outside the dashboard, exclude the admin
controller endpoints from the api docs and remove all the api requests related to the admins in the
api sdk.

re #460

apps/api/src/app/admins/admins.controller.ts

@@ -1,5 +1,14 @@
-import { Body, Controller, Get, Param, Post, Put } from "@nestjs/common"
-import { ApiCreatedResponse } from "@nestjs/swagger"
+import {
+    Body,
+    Controller,
+    Get,
+    Param,
+    Post,
+    Put,
+    UseGuards
+} from "@nestjs/common"
+import { ApiExcludeEndpoint } from "@nestjs/swagger"
+import { AuthGuard } from "../auth/auth.guard"
 import { CreateAdminDTO } from "./dto/create-admin.dto"
 import { AdminsService } from "./admins.service"
 import { Admin } from "./entities/admin.entity"
@@ -10,17 +19,22 @@ export class AdminsController {
     constructor(private readonly adminsService: AdminsService) {}
 
     @Post()
+    @UseGuards(AuthGuard)
+    @ApiExcludeEndpoint()
     async createAdmin(@Body() dto: CreateAdminDTO): Promise<Admin> {
         return this.adminsService.create(dto)
     }
 
     @Get(":admin")
-    @ApiCreatedResponse({ type: Admin })
+    @UseGuards(AuthGuard)
+    @ApiExcludeEndpoint()
     async getAdmin(@Param("admin") adminId: string) {
         return this.adminsService.findOne({ id: adminId })
     }
 
     @Put(":admin/apikey")
+    @UseGuards(AuthGuard)
+    @ApiExcludeEndpoint()
     async updateApiKey(
         @Param("admin") adminId: string,
         @Body() dto: UpdateApiKeyDTO

libs/api-sdk/src/admins.ts

@@ -1,68 +0,0 @@
-import { request } from "@bandada/utils"
-import { AdminRequest, AdminResponse, AdminUpdateApiKeyRequest } from "./types"
-
-const url = "/admins"
-
-/**
- * Create an admin with the provided details.
- * @param dto Array of objects containing the details for the admin to be created.
- * @returns Array of  the created groups.
- */
-export async function createAdmin(
-    config: object,
-    dto: AdminRequest
-): Promise<AdminResponse> {
-    const newConfig: any = {
-        method: "post",
-        data: {
-            dto
-        },
-        ...config
-    }
-
-    return request(url, newConfig)
-}
-
-/**
- * Get an admin.
- * @param adminId The admin id.
- * @returns The admin with given id.
- */
-export async function getAdmin(
-    config: object,
-    adminId: string
-): Promise<AdminResponse> {
-    const requestUrl = `${url}/${adminId}`
-
-    const newConfig: any = {
-        method: "get",
-        ...config
-    }
-
-    return request(requestUrl, newConfig)
-}
-
-/**
- * Update an admin API key.
- * @param adminId The admin id.
- * @param dto The action to be executed on the API key.
- * @returns The updated API key.
- */
-export async function updateApiKey(
-    config: object,
-    adminId: string,
-    dto: AdminUpdateApiKeyRequest
-): Promise<string> {
-    const requestUrl = `${url}/${adminId}/apikey`
-
-    const newConfig: any = {
-        method: "put",
-        body: {
-            adminId,
-            dto
-        },
-        ...config
-    }
-
-    return request(requestUrl, newConfig)
-}

libs/api-sdk/src/apiSdk.ts

@@ -3,10 +3,7 @@ import {
     GroupResponse,
     InviteResponse,
     GroupRequest,
-    GroupUpdateRequest,
-    AdminRequest,
-    AdminResponse,
-    AdminUpdateApiKeyRequest
+    GroupUpdateRequest
 } from "./types"
 import checkParameter from "./checkParameter"
 import {
@@ -25,7 +22,6 @@ import {
     removeMemberByApiKey,
     removeMembersByApiKey
 } from "./groups"
-import { createAdmin, getAdmin, updateApiKey } from "./admins"
 import { getInvite } from "./invites"
 
 export default class ApiSdk {
@@ -79,43 +75,6 @@ export default class ApiSdk {
         return this._config
     }
 
-    /**
-     * Create an admin.
-     * @param dto The data of the admin.
-     * @returns Specific admin.
-     */
-    async createAdmin(dto: AdminRequest): Promise<AdminResponse> {
-        const admin = await createAdmin(this._config, dto)
-
-        return admin
-    }
-
-    /**
-     * Get the admin with given id.
-     * @param adminId The admin id.
-     * @returns Specific admin.
-     */
-    async getAdmin(adminId: string): Promise<AdminResponse> {
-        const admin = await getAdmin(this._config, adminId)
-
-        return admin
-    }
-
-    /**
-     * Update an admin API key.
-     * @param adminId The admin id.
-     * @param dto The action to be executed on the API key.
-     * @returns The updated API key.
-     */
-    async updateApiKey(
-        adminId: string,
-        dto: AdminUpdateApiKeyRequest
-    ): Promise<string> {
-        const apiKey = await updateApiKey(this._config, adminId, dto)
-
-        return apiKey
-    }
-
     /**
      * Returns the list of groups.
      * @returns List of groups.

libs/api-sdk/src/types/index.ts

@@ -38,26 +38,6 @@ export type GroupUpdateRequest = {
     }
 }
 
-export type AdminRequest = {
-    id: string
-    address: string
-    username?: string
-}
-
-export type AdminResponse = {
-    id: string
-    address: string
-    username: string
-    apiKey: string
-    apiEnabled: boolean
-    createdAt?: Date
-    updatedAt?: Date
-}
-
-export type AdminUpdateApiKeyRequest = {
-    action: ApiKeyActions
-}
-
 type Group = {
     id: string
     name: string