
[BUG] Public routes blocked by ApiKeyGuard and RolesGuard due to missing @Public() check

Open Amine2240 opened this issue 6 months ago • 0 comments

Description

Summary

Public routes (such as /auth/signup/basic) are being blocked by the global ApiKeyGuard and RolesGuard, even when decorated with @Public(). This results in a Forbidden error when trying to access public endpoints.


Steps to Reproduce

  1. Clone the repository and install dependencies.
  2. Start the application.
  3. Attempt to sign up via the public endpoint:
    POST http://localhost:3000/auth/signup/basic
    Content-Type: application/json
    
    {
      "email": "[email protected]",
      "password": "test1234",
      "name": "Test User"
    }
    
  4. Observe the response:
    {
      "statusCode": 10001,
      "message": "Forbidden",
      "url": "/auth/signup/basic/"
    }
    

Expected Behavior

Public routes decorated with @Public() should bypass all authentication and authorization guards, allowing unauthenticated access as intended.


Actual Behavior

Requests to public routes are blocked by ApiKeyGuard and RolesGuard, which do not check for the @Public() decorator. This results in a Forbidden error.


Environment

  • OS: Windows 11
  • Node.js version: v22.12.0
  • NestJS version: 11.0.2
  • How you ran the app: Docker Compose

Proposed Solution

Update ApiKeyGuard and RolesGuard to check for the @Public() decorator, similar to how AuthGuard does:

const isPublic = this.reflector.getAllAndOverride<boolean>(IS_PUBLIC_KEY, [
  context.getHandler(),
  context.getClass(),
]);
if (isPublic) return true;

Additional Context

This issue was discovered when attempting to sign up a new user and receiving a Forbidden error, despite the route being public.

Amine2240 · Jun 10 '25 19:06
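The guard behaviour described in this issue, as an added example that is not the project's code: minimal stand-ins for NestJS's Reflector and ExecutionContext (the metadata store, the request fields, the API key value and the route names are assumptions) reproduce the reported rejection of a public route by a guard that skips the @Public() check, and the outcome once the proposed check is added to both guards.

```typescript
// Stand-ins for NestJS's Reflector and ExecutionContext (assumptions, not the
// project's code): a guard without the @Public() check blocks a public route.
type Target = object;
const IS_PUBLIC_KEY = 'isPublic';
const ROLES_KEY = 'roles';
const VALID_API_KEY = 'constructed-api-key'; // constructed sample value
// Metadata store standing in for what the decorators write via Reflect.
const metadata = new Map<Target, Map<string, unknown>>();
function setMetadata(target: Target, key: string, value: unknown): void {
  if (!metadata.has(target)) metadata.set(target, new Map());
  metadata.get(target)!.set(key, value);
}

// Mirrors Reflector.getAllAndOverride: the first target carrying the key wins,
// so handler-level metadata overrides class-level metadata.
function getAllAndOverride<T>(key: string, targets: Target[]): T | undefined {
  for (const t of targets) {
    const v = metadata.get(t)?.get(key);
    if (v !== undefined) return v as T;
  }
  return undefined;
}

interface Ctx { handler: Target; cls: Target; apiKey?: string; roles: string[] }
type Guard = (ctx: Ctx) => boolean;
function isPublicRoute(ctx: Ctx): boolean {
  return getAllAndOverride<boolean>(IS_PUBLIC_KEY, [ctx.handler, ctx.cls]) === true;
}
// As reported: ApiKeyGuard never consults @Public(), so anonymous signup fails.
const apiKeyGuardBuggy: Guard = (ctx) => ctx.apiKey === VALID_API_KEY;
// Fixed: the @Public() check runs before the API-key check.
const apiKeyGuardFixed: Guard = (ctx) => isPublicRoute(ctx) || ctx.apiKey === VALID_API_KEY;
// Fixed RolesGuard: public first, then the required roles (none required -> allow).
const rolesGuardFixed: Guard = (ctx) => {
  if (isPublicRoute(ctx)) return true;
  const required = getAllAndOverride<string[]>(ROLES_KEY, [ctx.handler, ctx.cls]) ?? [];
  return required.length === 0 || required.some((r) => ctx.roles.includes(r));
};
// Global guards run in order and every one must pass, as in NestJS.
function runGuards(guards: Guard[], ctx: Ctx): boolean {
  return guards.every((g) => g(ctx));
}

// Constructed route metadata: the controller requires ADMIN, signupBasic is @Public().
const AuthController = {};
const signupBasic = {};
setMetadata(AuthController, ROLES_KEY, ['ADMIN']);
setMetadata(signupBasic, IS_PUBLIC_KEY, true);
```

With the buggy ApiKeyGuard in the global chain, an anonymous request to signupBasic is rejected before RolesGuard ever runs; with both fixed guards it passes, while a non-public handler on the same controller still requires a valid API key and the ADMIN role.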