Skip to content

[comp] Production Deploy #2306

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tofikwest merged 3 commits into from
Mar 14, 2026
Merged

[comp] Production Deploy #2306

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
6eb60a9
chore: merge release v3.5.0 back to main [skip ci]
github-actions[bot] Mar 14, 2026
ac97916
feat(auth): add SessionOnlyGuard to enforce user session authenticati…
tofikwest Mar 14, 2026
09b704d
Merge pull request #2305 from trycompai/tofik/fix-assistent-chat-perm…
tofikwest Mar 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 2 additions & 7 deletions apps/api/src/assistant-chat/assistant-chat.controller.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ import { streamText, convertToModelMessages, stepCountIs, type UIMessage } from
import type { Response, Request } from 'express';
import { AuthContext } from '../auth/auth-context.decorator';
import { HybridAuthGuard } from '../auth/hybrid-auth.guard';
import { SessionOnlyGuard } from '../auth/session-only.guard';
import { PermissionGuard } from '../auth/permission.guard';
import { RequirePermission } from '../auth/require-permission.decorator';
import type { AuthContext as AuthContextType } from '../auth/types';
Expand All @@ -36,7 +37,7 @@ import { RolesService } from '../roles/roles.service';

@ApiTags('Assistant Chat')
@Controller({ path: 'assistant-chat', version: '1' })
@UseGuards(HybridAuthGuard, PermissionGuard)
@UseGuards(HybridAuthGuard, SessionOnlyGuard, PermissionGuard)
@RequirePermission('app', 'read')
@ApiSecurity('apikey')
export class AssistantChatController {
Expand All @@ -55,12 +56,6 @@ export class AssistantChatController {
throw new BadRequestException('Organization ID is required');
}

if (auth.isApiKey) {
throw new BadRequestException(
'Assistant chat is only available for user-authenticated requests.',
);
}

if (!auth.userId) {
throw new BadRequestException('User ID is required');
}
Expand Down
29 changes: 29 additions & 0 deletions apps/api/src/auth/session-only.guard.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
import {
CanActivate,
ExecutionContext,
ForbiddenException,
Injectable,
} from '@nestjs/common';
import { AuthenticatedRequest } from './types';

/**
* Guard that rejects API key and service token auth.
* Use on endpoints that require a real user session (e.g., assistant chat).
*
* Place between HybridAuthGuard and PermissionGuard:
* @UseGuards(HybridAuthGuard, SessionOnlyGuard, PermissionGuard)
*/
@Injectable()
export class SessionOnlyGuard implements CanActivate {
canActivate(context: ExecutionContext): boolean {
const request = context.switchToHttp().getRequest<AuthenticatedRequest>();

if (request.isApiKey || request.isServiceToken) {
throw new ForbiddenException(
'This endpoint is only available for user-authenticated requests.',
);
}

return true;
}
}
Loading