OlufunbiIK · OlufunbiIK · Mar 29, 2026 · Mar 29, 2026 · coderabbitai · Mar 29, 2026
diff --git a/backend/src/admin/admin.controller.ts b/backend/src/admin/admin.controller.ts
@@ -15,8 +15,7 @@ import { JwtAuthGuard } from '../auth/guards/jwt-auth.guard';
 import { AdminRoleGuard } from './guards/admin-role.guard';
 import { RequirePermission } from './decorators/require-permission.decorator';
 import { PERMISSIONS } from './constants/permissions';
-import { CurrentUser } from '../auth/decorators/current-user.decorator';
-import { User } from '../users/entities/user.entity';
+import { CurrentUser, CurrentUserData } from '../auth/decorators/current-user.decorator';
 import { UserFilterDto } from './dto/user-filter.dto';
 import { BanUserDto } from './dto/ban-user.dto';
 import { ResolveReportDto } from './dto/resolve-report.dto';
@@ -52,56 +51,56 @@ export class AdminController {
   async banUser(
     @Param('userId') userId: string,
     @Body() banDto: BanUserDto,
-    @CurrentUser() admin: User,
+    @CurrentUser() admin: CurrentUserData,
     @Req() req: any,
   ) {
     const ipAddress = req.ip || req.connection.remoteAddress;
-    return this.adminService.banUser(userId, banDto, admin.id, ipAddress);
+    return this.adminService.banUser(userId, banDto, admin.userId, ipAddress);
   }
 
   @Put('users/:userId/unban')
   @RequirePermission(PERMISSIONS.UNBAN_USERS)
   async unbanUser(
     @Param('userId') userId: string,
-    @CurrentUser() admin: User,
+    @CurrentUser() admin: CurrentUserData,
     @Req() req: any,
   ) {
     const ipAddress = req.ip || req.connection.remoteAddress;
-    return this.adminService.unbanUser(userId, admin.id, ipAddress);
+    return this.adminService.unbanUser(userId, admin.userId, ipAddress);
   }
 
   @Put('artists/:artistId/verify')
   @RequirePermission(PERMISSIONS.VERIFY_ARTISTS)
   async verifyArtist(
     @Param('artistId') artistId: string,
-    @CurrentUser() admin: User,
+    @CurrentUser() admin: CurrentUserData,
     @Req() req: any,
   ) {
     const ipAddress = req.ip || req.connection.remoteAddress;
-    return this.adminService.verifyArtist(artistId, admin.id, ipAddress);
+    return this.adminService.verifyArtist(artistId, admin.userId, ipAddress);
   }
 
   @Put('artists/:artistId/unverify')
   @RequirePermission(PERMISSIONS.UNVERIFY_ARTISTS)
   async unverifyArtist(
     @Param('artistId') artistId: string,
-    @CurrentUser() admin: User,
+    @CurrentUser() admin: CurrentUserData,
     @Req() req: any,
   ) {
     const ipAddress = req.ip || req.connection.remoteAddress;
-    return this.adminService.unverifyArtist(artistId, admin.id, ipAddress);
+    return this.adminService.unverifyArtist(artistId, admin.userId, ipAddress);
   }
 
   @Delete('tracks/:trackId')
   @RequirePermission(PERMISSIONS.REMOVE_TRACKS)
   async removeTrack(
     @Param('trackId') trackId: string,
     @Body('reason') reason: string,
-    @CurrentUser() admin: User,
+    @CurrentUser() admin: CurrentUserData,
     @Req() req: any,
   ) {
     const ipAddress = req.ip || req.connection.remoteAddress;
-    return this.adminService.removeTrack(trackId, reason, admin.id, ipAddress);
+    return this.adminService.removeTrack(trackId, reason, admin.userId, ipAddress);
   }
 
   @Get('reports/pending')
@@ -115,14 +114,14 @@ export class AdminController {
   async resolveReport(
     @Param('reportId') reportId: string,
     @Body() resolveDto: ResolveReportDto,
-    @CurrentUser() admin: User,
+    @CurrentUser() admin: CurrentUserData,
     @Req() req: any,
   ) {
     const ipAddress = req.ip || req.connection.remoteAddress;
     return this.adminService.resolveReport(
       reportId,
       resolveDto,
-      admin.id,
+      admin.userId,
       ipAddress,
     );
   }

diff --git a/backend/src/admin/guards/admin-role.guard.ts b/backend/src/admin/guards/admin-role.guard.ts
@@ -4,6 +4,7 @@ import {
   ExecutionContext,
   ForbiddenException,
   UnauthorizedException,
+  Logger,
 } from '@nestjs/common';
 import { Reflector } from '@nestjs/core';
 import { InjectRepository } from '@nestjs/typeorm';
@@ -20,6 +21,7 @@ export class AdminRoleGuard implements CanActivate {
   ) {}
 
   async canActivate(context: ExecutionContext): Promise<boolean> {
+    const logger = new Logger(AdminRoleGuard.name);
     const requiredPermissions = this.reflector.getAllAndOverride<string[]>(
       PERMISSIONS_KEY,
       [context.getHandler(), context.getClass()],
@@ -30,17 +32,21 @@ export class AdminRoleGuard implements CanActivate {
     }
 
     const request = context.switchToHttp().getRequest();
-    const user = request.user;
+    const user = request.user as { userId?: string } | undefined;
 
-    if (!user) {
+    if (!user?.userId) {
+      logger.warn('Denied admin access: unauthenticated or malformed principal');
       throw new UnauthorizedException('User not authenticated');
     }
 
     const adminRole = await this.adminRoleRepository.findOne({
-      where: { userId: user.id },
+      where: { userId: user.userId },
     });
 
     if (!adminRole) {
+      logger.warn(
+        `Denied admin access: no admin role for userId=${user.userId}`,
+      );
       throw new ForbiddenException('User does not have admin privileges');
     }
 
@@ -49,6 +55,9 @@ export class AdminRoleGuard implements CanActivate {
     );
 
     if (!hasPermission) {
+      logger.warn(
+        `Denied admin access: missing permissions for userId=${user.userId} required=${requiredPermissions.join(',')}`,
+      );
       throw new ForbiddenException(
         'Insufficient permissions to perform this action',
       );

diff --git a/backend/src/app.module.ts b/backend/src/app.module.ts
@@ -45,6 +45,8 @@ import { EmbedModule } from "./embed/embed.module";
 import { ReferralModule } from "./social-sharing/referral.module";
 import { PayoutsModule } from "./artiste-payout/payouts.module";
 import { validate } from "./config/env.validation";
+import { AdminModule } from "./admin/admin.module";
+import { VerificationModule } from "./verification/verification.module";
 
 @Module({
   imports: [
@@ -126,6 +128,8 @@ import { validate } from "./config/env.validation";
     EmbedModule,
     ReferralModule,
     PayoutsModule,
+    AdminModule,
+    VerificationModule,
   ],
   controllers: [],
   providers: [

diff --git a/backend/src/artiste-payout/payouts.controller.ts b/backend/src/artiste-payout/payouts.controller.ts
@@ -29,7 +29,7 @@ import { JwtAuthGuard } from "../auth/guards/jwt-auth.guard";
 @ApiTags("payouts")
 @ApiBearerAuth()
 @UseGuards(JwtAuthGuard)
-@Controller("api/payouts")
+@Controller("payouts")
 export class PayoutsController {
   constructor(private readonly payoutsService: PayoutsService) {}
 

diff --git a/backend/src/artists/artists.controller.ts b/backend/src/artists/artists.controller.ts
@@ -14,6 +14,7 @@ import { ArtistsService } from "./artists.service";
 import { CreateArtistDto } from "./dto/create-artist.dto";
 import { UpdateArtistDto } from "./dto/update-artist.dto";
 import { JwtAuthGuard } from "../auth/guards/jwt-auth.guard";
+import { CurrentUser } from "../auth/decorators/current-user.decorator";
 import { ApiOperation, ApiParam, ApiQuery, ApiResponse } from "@nestjs/swagger";
 
 @Controller("artists")
@@ -22,8 +23,8 @@ export class ArtistsController {
   constructor(private readonly artistsService: ArtistsService) {}
 
   @Post()
-  create(@Req() req, @Body() dto: CreateArtistDto) {
-    return this.artistsService.create(req.user.id, dto);
+  create(@CurrentUser("userId") userId: string, @Body() dto: CreateArtistDto) {
+    return this.artistsService.create(userId, dto);
   }
 
   @Get()
@@ -64,18 +65,18 @@ export class ArtistsController {
   }
 
   @Get("me")
-  findMyArtist(@Req() req) {
-    return this.artistsService.findByUser(req.user.id);
+  findMyArtist(@CurrentUser("userId") userId: string) {
+    return this.artistsService.findByUser(userId);
   }
 
   @Patch("me")
-  update(@Req() req, @Body() dto: UpdateArtistDto) {
-    return this.artistsService.update(req.user.id, dto);
+  update(@CurrentUser("userId") userId: string, @Body() dto: UpdateArtistDto) {
+    return this.artistsService.update(userId, dto);
   }
 
   @Delete("me")
-  remove(@Req() req) {
-    return this.artistsService.remove(req.user.id);
+  remove(@CurrentUser("userId") userId: string) {
+    return this.artistsService.remove(userId);
   }
 
   // Admin only

diff --git a/backend/src/auth/guards/roles.guard.ts b/backend/src/auth/guards/roles.guard.ts
@@ -1,20 +1,31 @@
 import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
 import { Reflector } from '@nestjs/core';
-import { UserRole } from '../../users/entities/user.entity';
+import { InjectRepository } from '@nestjs/typeorm';
+import { Repository } from 'typeorm';
+import { User, UserRole } from '../../users/entities/user.entity';
 
 @Injectable()
 export class RolesGuard implements CanActivate {
-  constructor(private reflector: Reflector) {}
+  constructor(
+    private reflector: Reflector,
+    @InjectRepository(User) private readonly userRepository: Repository<User>,
+  ) {}
 
-  canActivate(context: ExecutionContext): boolean {
+  async canActivate(context: ExecutionContext): Promise<boolean> {
     const roles = this.reflector.get<UserRole[]>('roles', context.getHandler());
     if (!roles) {
       return true;
     }
     const request = context.switchToHttp().getRequest();
-    const user = request.user;
+    const principal = request.user as { userId?: string } | undefined;
+    if (!principal?.userId) return false;
+
+    const user = await this.userRepository.findOne({
+      where: { id: principal.userId },
+      select: ['id', 'role'],
+    });
     if (!user) return false;
-    
+
     return roles.includes(user.role);
   }
 }
diff --git a/backend/src/recommendations/recommendations.controller.ts b/backend/src/recommendations/recommendations.controller.ts
@@ -1,15 +1,8 @@
-import {
-  Controller,
-  Get,
-  Post,
-  Body,
-  Query,
-  UseGuards,
-  Request,
-} from "@nestjs/common";
+import { Controller, Get, Post, Body, Query, UseGuards } from "@nestjs/common";
 import { ApiTags, ApiOperation, ApiBearerAuth } from "@nestjs/swagger";
 import { JwtAuthGuard } from "../auth/guards/jwt-auth.guard";
 import { RecommendationsService } from "./recommendations.service";
+import { CurrentUser } from "../auth/decorators/current-user.decorator";
 
 @ApiTags("Recommendations")
 @Controller("recommendations")
@@ -20,28 +13,22 @@ export class RecommendationsController {
 
   @Get("tracks")
   @ApiOperation({ summary: "Get personalized track recommendations" })
-  async getTrackRecommendations(
-    @Request() req: any,
-    @Query("limit") limit?: string,
-  ) {
-    const userId = req.user?.id || req.user?.sub;
+  async getTrackRecommendations(@CurrentUser("userId") userId: string, @Query("limit") limit?: string) {
     return this.service.getTrackRecommendations(userId, Number(limit) || 20);
   }
 
   @Get("artists")
   @ApiOperation({ summary: "Get artist recommendations" })
-  async getArtistRecommendations(@Request() req: any) {
-    const userId = req.user?.id || req.user?.sub;
+  async getArtistRecommendations(@CurrentUser("userId") userId: string) {
     return this.service.getArtistRecommendations(userId);
   }
 
   @Post("feedback")
   @ApiOperation({ summary: "Submit recommendation feedback (thumbs up/down)" })
   async submitFeedback(
-    @Request() req: any,
+    @CurrentUser("userId") userId: string,
     @Body() body: { trackId: string; feedback: "up" | "down" },
   ) {
-    const userId = req.user?.id || req.user?.sub;
     return this.service.recordFeedback(userId, body.trackId, body.feedback);
   }
 }
diff --git a/backend/src/social-sharing/referral.controller.ts b/backend/src/social-sharing/referral.controller.ts
@@ -37,7 +37,7 @@ import {
 @ApiTags("Referrals")
 @ApiBearerAuth()
 @UseGuards(JwtAuthGuard)
-@Controller("api/referrals")
+@Controller("referrals")
 export class ReferralController {
   constructor(private readonly referralService: ReferralService) {}