From ab23e978a266ff20686a2c400f3ca6d2953d7edf Mon Sep 17 00:00:00 2001
From: Andrei
Date: Tue, 7 Oct 2025 15:58:29 +0000
Subject: [PATCH] fix: Add admin role fields to JWT strategy for AdminGuard authorization
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The AdminGuard was rejecting requests with 403 Forbidden because the JWT strategy was only returning userId, email, and deviceId but not the admin authorization fields (isAdmin, globalRole, adminPermissions).

Updated jwt.strategy.ts to include:
- isAdmin: boolean flag for admin access
- globalRole: user's global role (parent/guest/admin)
- adminPermissions: array of specific admin permissions
- id: added for compatibility alongside userId

This allows the AdminGuard to properly verify admin privileges when accessing /api/v1/admin/* endpoints.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 .../src/modules/auth/strategies/jwt.strategy.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/maternal-app/maternal-app-backend/src/modules/auth/strategies/jwt.strategy.ts b/maternal-app/maternal-app-backend/src/modules/auth/strategies/jwt.strategy.ts
index ae5e639..477fedc 100644
--- a/maternal-app/maternal-app-backend/src/modules/auth/strategies/jwt.strategy.ts
+++ b/maternal-app/maternal-app-backend/src/modules/auth/strategies/jwt.strategy.ts
@@ -32,8 +32,12 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {

 return {
 userId: payload.sub,
+ id: payload.sub, // Add id for compatibility
 email: payload.email,
 deviceId: payload.deviceId,
+ isAdmin: user.isAdmin,
+ globalRole: user.globalRole,
+ adminPermissions: user.adminPermissions,
 };
 }
 }
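Review bot: The added `isAdmin`, `globalRole` and `adminPermissions` values are copied from `user` without normalisation, so a nullable column or a partial select in the lookup would hand the guard `undefined` instead of an explicit deny value. Pinning the defaults in the returned object keeps the result fail-closed however the guard compares them: `isAdmin: user.isAdmin === true,` and `adminPermissions: user.adminPermissions ?? [],`. Reading these from the user record rather than from `payload` is the right source, and a comment such as `// Authorization fields come from the user record, never from token claims` would keep a later edit from switching to `payload.*`. The enclosing method begins outside the hunk, so whether `user` is null-checked before this return, and whether it is loaded on every request, cannot be confirmed from the visible lines.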