Overview
websocket.gateway.ts has JWT authentication but no room-level authorisation. Any authenticated user can subscribe to any quest room and receive private updates.
Background
A submitter should only receive updates for quests they have submitted to (or created). Verifiers should receive updates for quests they verify. Currently the room is open to all authenticated users.
Specifications
Features:
- Room-level guard checking that the joining user has a role in the quest
- Distinct event channels per role (submitter vs verifier vs creator)
- Emit only relevant events per room member
Tasks:
- Add room authorisation check in websocket.gateway.ts handleJoinRoom`n- Create WsRoomGuard that queries quest membership
- Add gateway unit tests for auth scenarios
Impacted Files:
- BackEnd/src/modules/websocket/websocket.gateway.ts
n- BackEnd/src/modules/websocket/ws-jwt.guard.tsn
Acceptance Criteria:
- User cannot join a quest room they have no role in
- JWT expiry disconnects the socket session
Overview
websocket.gateway.ts has JWT authentication but no room-level authorisation. Any authenticated user can subscribe to any quest room and receive private updates.
Background
A submitter should only receive updates for quests they have submitted to (or created). Verifiers should receive updates for quests they verify. Currently the room is open to all authenticated users.
Specifications
Features:
Tasks:
Impacted Files:
n- BackEnd/src/modules/websocket/ws-jwt.guard.tsnAcceptance Criteria: