fix(api): add subscriber WebSocket room permission checks [1209<-1031]

api/src/chat/services/message.service.spec.ts

@@ -21,6 +21,8 @@ import {
 import { buildTestingMocks } from '@/utils/test/utils';
 import { IOOutgoingSubscribeMessage } from '@/websocket/pipes/io-message.pipe';
 import { Room } from '@/websocket/types';
+import { SocketRequest } from '@/websocket/utils/socket-request';
+import { SocketResponse } from '@/websocket/utils/socket-response';
 import { WebsocketGateway } from '@/websocket/websocket.gateway';
 
 import { MessageRepository } from '../repositories/message.repository';
@@ -50,9 +52,14 @@ describe('MessageService', () => {
     success: true,
     subscribe: Room.MESSAGE,
   };
+  let buildReqRes: (
+    method: 'GET' | 'POST',
+    subscriberId: string,
+  ) => [SocketRequest, SocketResponse];
 
   beforeAll(async () => {
     const { getMocks } = await buildTestingMocks({
+      models: ['RoleModel', 'ModelModel'],
       autoInjectFrom: ['providers'],
       imports: [rootMongooseTestModule(installMessageFixtures)],
       providers: [MessageService, SubscriberRepository, UserRepository],
@@ -81,24 +88,44 @@ describe('MessageService', () => {
       joinNotificationSockets: jest.fn(),
     };
     mockMessageService = new MessageService({} as any, mockGateway as any);
+    buildReqRes = (method: 'GET' | 'POST', userId: string) => [
+      {
+        sessionID: SESSION_ID,
+        method,
+        session: { passport: { user: { id: userId } } },
+      } as SocketRequest,
+      {
+        json: jest.fn(),
+        status: jest.fn().mockReturnThis(),
+      } as any,
+    ];
   });
 
   afterEach(jest.clearAllMocks);
   afterAll(closeInMongodConnection);
 
   describe('subscribe', () => {
-    it('should join Notification sockets message room and return a success response', async () => {
-      const req = { sessionID: SESSION_ID };
-      const res = {
-        json: jest.fn(),
-        status: jest.fn().mockReturnThis(),
-      };
+    it('should join Notification sockets GET message room and return a success response', async () => {
+      const [req, res] = buildReqRes('GET', allUsers[0].id);
+      await mockMessageService.subscribe(req, res);
+
+      expect(mockGateway.joinNotificationSockets).toHaveBeenCalledWith(
+        req,
+        Room.MESSAGE,
+        'message',
+      );
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(res.json).toHaveBeenCalledWith(SUCCESS_PAYLOAD);
+    });
 
-      await mockMessageService.subscribe(req as any, res as any);
+    it('should join Notification sockets POST message room and return a success response', async () => {
+      const [req, res] = buildReqRes('POST', allUsers[0].id);
+      await mockMessageService.subscribe(req, res);
 
       expect(mockGateway.joinNotificationSockets).toHaveBeenCalledWith(
-        SESSION_ID,
+        req,
         Room.MESSAGE,
+        'message',
       );
       expect(res.status).toHaveBeenCalledWith(200);
       expect(res.json).toHaveBeenCalledWith(SUCCESS_PAYLOAD);

api/src/chat/services/message.service.ts

@@ -52,15 +52,15 @@ export class MessageService extends BaseService<
     @SocketRes() res: SocketResponse,
   ): Promise<IOOutgoingSubscribeMessage> {
     try {
-      await this.gateway.joinNotificationSockets(req.sessionID, Room.MESSAGE);
+      await this.gateway.joinNotificationSockets(req, Room.MESSAGE, 'message');
 
       return res.status(200).json({
         success: true,
         subscribe: Room.MESSAGE,
       });
-    } catch (e) {
-      this.logger.error('Websocket subscription', e);
-      throw new InternalServerErrorException(e);
+    } catch (err) {
+      this.logger.error('Websocket message room subscription error', err);
+      throw new InternalServerErrorException(err);
     }
   }
 

api/src/chat/services/subscriber.service.spec.ts

@@ -28,6 +28,8 @@ import {
 import { buildTestingMocks } from '@/utils/test/utils';
 import { IOOutgoingSubscribeMessage } from '@/websocket/pipes/io-message.pipe';
 import { Room } from '@/websocket/types';
+import { SocketRequest } from '@/websocket/utils/socket-request';
+import { SocketResponse } from '@/websocket/utils/socket-response';
 import { WebsocketGateway } from '@/websocket/websocket.gateway';
 
 import { LabelRepository } from '../repositories/label.repository';
@@ -55,9 +57,14 @@ describe('SubscriberService', () => {
     success: true,
     subscribe: Room.SUBSCRIBER,
   };
+  let buildReqRes: (
+    method: 'GET' | 'POST',
+    subscriberId: string,
+  ) => [SocketRequest, SocketResponse];
 
   beforeAll(async () => {
     const { getMocks } = await buildTestingMocks({
+      models: ['RoleModel', 'ModelModel'],
       autoInjectFrom: ['providers'],
       imports: [rootMongooseTestModule(installSubscriberFixtures)],
       providers: [SubscriberService, LabelRepository, UserRepository],
@@ -82,28 +89,48 @@ describe('SubscriberService', () => {
       joinNotificationSockets: jest.fn(),
     };
     mockSubscriberService = new SubscriberService(
-      {} as any,
+      subscriberRepository,
       {} as any,
       mockGateway as any,
     );
+    buildReqRes = (method: 'GET' | 'POST', userId: string) => [
+      {
+        sessionID: SESSION_ID,
+        method,
+        session: { passport: { user: { id: userId } } },
+      } as SocketRequest,
+      {
+        json: jest.fn(),
+        status: jest.fn().mockReturnThis(),
+      } as any,
+    ];
   });
 
   afterEach(jest.clearAllMocks);
   afterAll(closeInMongodConnection);
 
   describe('subscribe', () => {
-    it('should join Notification sockets subscriber room and return a success response', async () => {
-      const req = { sessionID: SESSION_ID };
-      const res = {
-        json: jest.fn(),
-        status: jest.fn().mockReturnThis(),
-      };
+    it('should join Notification sockets GET subscriber room and return a success response', async () => {
+      const [req, res] = buildReqRes('GET', allUsers[0].id);
+      await mockSubscriberService.subscribe(req, res);
+
+      expect(mockGateway.joinNotificationSockets).toHaveBeenCalledWith(
+        req,
+        Room.SUBSCRIBER,
+        'subscriber',
+      );
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(res.json).toHaveBeenCalledWith(SUCCESS_PAYLOAD);
+    });
 
-      await mockSubscriberService.subscribe(req as any, res as any);
+    it('should join Notification sockets POST subscriber room and return a success response', async () => {
+      const [req, res] = buildReqRes('POST', allUsers[0].id);
+      await mockSubscriberService.subscribe(req, res);
 
       expect(mockGateway.joinNotificationSockets).toHaveBeenCalledWith(
-        SESSION_ID,
+        req,
         Room.SUBSCRIBER,
+        'subscriber',
       );
       expect(res.status).toHaveBeenCalledWith(200);
       expect(res.json).toHaveBeenCalledWith(SUCCESS_PAYLOAD);

api/src/chat/services/subscriber.service.ts

@@ -72,17 +72,18 @@ export class SubscriberService extends BaseService<
   ): Promise<IOOutgoingSubscribeMessage> {
     try {
       await this.gateway.joinNotificationSockets(
-        req.sessionID,
+        req,
         Room.SUBSCRIBER,
+        'subscriber',
       );
 
       return res.status(200).json({
         success: true,
         subscribe: Room.SUBSCRIBER,
       });
-    } catch (e) {
-      this.logger.error('Websocket subscription');
-      throw new InternalServerErrorException(e);
+    } catch (err) {
+      this.logger.error('Websocket subscriber room subscription error', err);
+      throw new InternalServerErrorException(err);
     }
   }
 

api/src/user/services/permission.service.ts

@@ -1,5 +1,5 @@
 /*
- * Copyright © 2024 Hexastack. All rights reserved.
+ * Copyright © 2025 Hexastack. All rights reserved.
  *
  * Licensed under the GNU Affero General Public License v3.0 (AGPLv3) with the following additional terms:
  * 1. The name "Hexabot" is a trademark of Hexastack. You may not use this name in derivative works without express written permission.
@@ -22,6 +22,8 @@ import {
   PermissionFull,
   PermissionPopulate,
 } from '../schemas/permission.schema';
+import { MethodToAction } from '../types/action.type';
+import { TModel } from '../types/model.type';
 import { PermissionsTree } from '../types/permission.type';
 
 @Injectable()
@@ -80,4 +82,41 @@ export class PermissionService extends BaseService<
       return acc;
     }, {});
   }
+
+  /**
+   * Checks if a request (REST/WebSocket) is authorized to get access
+   *
+   * @param method - The Request Method
+   * @param userRoles - An array of ID's user Roles or empty
+   * @param targetModel - The target model that we want access
+   * @returns
+   */
+  async canAccess(
+    method: string,
+    userRoles: string[],
+    targetModel: TModel,
+  ): Promise<boolean> {
+    try {
+      const permissions = await this.getPermissions();
+
+      if (permissions && userRoles.length) {
+        const permissionsFromRoles = Object.entries(permissions)
+          .filter(([key, _]) => userRoles.includes(key))
+          .map(([_, value]) => value);
+
+        if (
+          permissionsFromRoles.some((permission) =>
+            permission[targetModel]?.includes(MethodToAction[method]),
+          )
+        ) {
+          return true;
+        }
+      }
+    } catch (e) {
+      this.logger.error('Request has no ability to get access', e);
+      return false;
+    }
+
+    return false;
+  }
 }

api/src/utils/test/fixtures/model.ts

@@ -1,5 +1,5 @@
 /*
- * Copyright © 2024 Hexastack. All rights reserved.
+ * Copyright © 2025 Hexastack. All rights reserved.
  *
  * Licensed under the GNU Affero General Public License v3.0 (AGPLv3) with the following additional terms:
  * 1. The name "Hexabot" is a trademark of Hexastack. You may not use this name in derivative works without express written permission.
@@ -18,13 +18,24 @@ export const modelFixtures: ModelCreateDto[] = [
     attributes: { att: 'att' },
     relation: 'role',
   },
-
   {
     name: 'Content',
     identity: 'content',
     attributes: { att: 'att' },
     relation: 'role',
   },
+  {
+    name: 'Message',
+    identity: 'message',
+    attributes: { att: 'att' },
+    relation: 'role',
+  },
+  {
+    name: 'Subscriber',
+    identity: 'subscriber',
+    attributes: { att: 'att' },
+    relation: 'role',
+  },
 ];
 
 export const installModelFixtures = async () => {

api/src/utils/test/fixtures/permission.ts

@@ -1,5 +1,5 @@
 /*
- * Copyright © 2024 Hexastack. All rights reserved.
+ * Copyright © 2025 Hexastack. All rights reserved.
  *
  * Licensed under the GNU Affero General Public License v3.0 (AGPLv3) with the following additional terms:
  * 1. The name "Hexabot" is a trademark of Hexastack. You may not use this name in derivative works without express written permission.
@@ -40,6 +40,30 @@ export const permissionFixtures: PermissionCreateDto[] = [
     role: '0',
     relation: 'role',
   },
+  {
+    model: '2',
+    action: Action.CREATE,
+    role: '1',
+    relation: 'role',
+  },
+  {
+    model: '2',
+    action: Action.READ,
+    role: '1',
+    relation: 'role',
+  },
+  {
+    model: '3',
+    action: Action.CREATE,
+    role: '1',
+    relation: 'role',
+  },
+  {
+    model: '3',
+    action: Action.READ,
+    role: '1',
+    relation: 'role',
+  },
 ];
 
 export const installPermissionFixtures = async () => {

api/src/utils/test/fixtures/subscriber.ts

@@ -15,7 +15,7 @@ import { getFixturesWithDefaultValues } from '../defaultValues';
 import { FixturesTypeBuilder } from '../types';
 
 import { installLabelFixtures } from './label';
-import { installUserFixtures } from './user';
+import { installPermissionFixtures } from './permission';
 
 type TSubscriberFixtures = FixturesTypeBuilder<Subscriber, SubscriberCreateDto>;
 
@@ -106,7 +106,7 @@ export const installSubscriberFixtures = async () => {
     SubscriberModel.name,
     SubscriberModel.schema,
   );
-  const { users } = await installUserFixtures();
+  const { users } = await installPermissionFixtures();
   const labels = await installLabelFixtures();
   const subscribers = await Subscriber.insertMany(
     subscriberFixtures.map((subscriberFixture) => ({