Skip to content

Add WebSocket Room-Level Authorisation #1694

Description

@RUKAYAT-CODER

Overview

websocket.gateway.ts has JWT authentication but no room-level authorisation. Any authenticated user can subscribe to any quest room and receive private updates.

Background

A submitter should only receive updates for quests they have submitted to (or created). Verifiers should receive updates for quests they verify. Currently the room is open to all authenticated users.

Specifications

Features:

  • Room-level guard checking that the joining user has a role in the quest
  • Distinct event channels per role (submitter vs verifier vs creator)
  • Emit only relevant events per room member

Tasks:

  • Add room authorisation check in websocket.gateway.ts handleJoinRoom`n- Create WsRoomGuard that queries quest membership
  • Add gateway unit tests for auth scenarios

Impacted Files:

  • BackEnd/src/modules/websocket/websocket.gateway.tsn- BackEnd/src/modules/websocket/ws-jwt.guard.tsn

Acceptance Criteria:

  • User cannot join a quest room they have no role in
  • JWT expiry disconnects the socket session

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions