ifsp-projects · vitingr · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026
@@ -6,7 +6,7 @@
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1",
     "build": "pnpm exec prisma generate --schema ./prisma/schema && tsup src --out-dir dist --sourcemap inline",
-    "dev": "ts-node-dev --respawn -r tsconfig-paths/register src/server.ts",
+    "dev": "ts-node-dev --respawn -r tsconfig-paths/register --compiler-options {\\\"module\\\":\\\"CommonJS\\\",\\\"moduleResolution\\\":\\\"node\\\"} src/server.ts",
     "start": "node -r tsconfig-paths/register dist/server.js",
     "prisma:migrate": "prisma migrate dev --schema ./prisma/schema",
     "prisma:push": "prisma db push --schema ./prisma/schema"

@@ -22,9 +22,8 @@ enum OngCategory {
 }
 
 enum UserRoleEnum {
-  super_admin
+  member
   admin
-  editor
 }
 
 enum AccountStatus {
@@ -33,13 +32,14 @@ enum AccountStatus {
 }
 
 model Organization {
-  id          String    @id @default(uuid())
-  email       String    @unique
-  password    String    @default("p@ssw0rd")
-  updated_at  DateTime  @updatedAt
-  created_at  DateTime  @default(now())
+  id          String       @id @default(uuid())
+  email       String       @unique
+  password    String       @default("p@ssw0rd")
+  updated_at  DateTime     @updatedAt
+  created_at  DateTime     @default(now())
   deleted_at  DateTime?
-  is_user_new Boolean   @default(true)
+  is_user_new Boolean      @default(true)
+  role        UserRoleEnum @default(member)
 
   account_status AccountStatus @default(inactive)
 

@@ -0,0 +1,10 @@
+-- AlterEnum
+BEGIN;
+CREATE TYPE "UserRoleEnum_new" AS ENUM ('member', 'admin');
+ALTER TYPE "UserRoleEnum" RENAME TO "UserRoleEnum_old";
+ALTER TYPE "UserRoleEnum_new" RENAME TO "UserRoleEnum";
+DROP TYPE "public"."UserRoleEnum_old";
+COMMIT;
+
+-- AlterTable
+ALTER TABLE "organizations" ADD COLUMN     "role" "UserRoleEnum" NOT NULL DEFAULT 'member';
@@ -1,10 +1,10 @@
 import { AdminRepository } from '@/adapters/outbound/prisma/repositories/admin-repositories'
 import { CancelPendingInviteUseCase } from '@/core/use-cases/admin/cancel-pending-invite'
 import { Route } from '../../../decorators/route-decorator'
-import { verifyJWT } from '../../../middlewares/verify-jwt'
 import type { FastifyReply, FastifyRequest } from 'fastify'
 import { cancelPendingInviteParamsSchema } from './schema'
 import { Trace } from '../../../decorators/trace-decorator'
+import { verifyAdmin } from '../../../middlewares/verify-admin'
 
 export class CancelPendingInviteController {
   private adminRepository: AdminRepository
@@ -16,7 +16,7 @@ export class CancelPendingInviteController {
   }
 
   @Route('DELETE', '/admin/invites/:id', {
-    middlewares: [verifyJWT]
+    middlewares: [verifyAdmin]
   })
   @Trace('admin.cancel_pending_invite')
   async execute(request: FastifyRequest, reply: FastifyReply): Promise<void> {

@@ -1,12 +1,12 @@
 import { AdminRepository } from '@/adapters/outbound/prisma/repositories/admin-repositories'
 import { CreateInviteTokenUseCase } from '@/core/use-cases/admin/create-and-send-invite'
-import { verifyJWT } from '../../../middlewares/verify-jwt'
 import { Route } from '../../../decorators/route-decorator'
 import type { FastifyReply, FastifyRequest } from 'fastify'
 import { createAndSendInviteBodySchema } from './schema'
 import { ResendRepository } from '@/shared/infra/email/resend'
 import { SendInviteUseCase } from '@/core/use-cases/email/send-invite'
 import { Trace } from '../../../decorators/trace-decorator'
+import { verifyAdmin } from '../../../middlewares/verify-admin'
 
 export class CreateAndSendInviteController {
   private adminRepository: AdminRepository
@@ -29,7 +29,7 @@ export class CreateAndSendInviteController {
   }
 
   @Route('POST', '/admin/invites', {
-    middlewares: [verifyJWT]
+    middlewares: [verifyAdmin]
   })
   @Trace('admin.create_and_send_invite')
   protected async execute(
@@ -41,8 +41,7 @@ export class CreateAndSendInviteController {
     const response = await this.createInviteTokenUseCase.execute(payload)
 
     await this.sendEmailUseCase.execute({
-      email: payload.email,
-      organization_id: response.inviteToken.organization_id
+      invite_token: response.inviteToken.token
     })
 
     return reply.status(201).send(response)

@@ -1,10 +1,10 @@
 import { AdminRepository } from '@/adapters/outbound/prisma/repositories/admin-repositories'
-import { verifyJWT } from '../../../middlewares/verify-jwt'
 import { Route } from '../../../decorators/route-decorator'
 import type { FastifyReply, FastifyRequest } from 'fastify'
 import { getInviteByTokenParamsSchema } from './schema'
 import { GetInviteByTokenUseCase } from '@/core/use-cases/admin/get-invite-by-token'
 import { Trace } from '../../../decorators/trace-decorator'
+import { verifyAdmin } from '../../../middlewares/verify-admin'
 
 export class GetInviteByTokenController {
   private adminRepository: AdminRepository
@@ -15,7 +15,9 @@ export class GetInviteByTokenController {
     this.useCase = new GetInviteByTokenUseCase(this.adminRepository)
   }
 
-  @Route('GET', '/admin/invites/:token/token')
+  @Route('GET', '/admin/invites/:token/token', {
+    middlewares: [verifyAdmin]
+  })
   @Trace('admin.get_invite_by_token')
   protected async execute(
     request: FastifyRequest,

@@ -3,6 +3,7 @@ import type { FastifyReply, FastifyRequest } from 'fastify'
 import { AdminRepository } from '@/adapters/outbound/prisma/repositories/admin-repositories'
 import { ListAllInvitesUseCase } from '@/core/use-cases/admin/list-all-invites'
 import { Trace } from '../../../decorators/trace-decorator'
+import { verifyAdmin } from '../../../middlewares/verify-admin'
 
 export class ListAllInvitesController {
   private adminRepository: AdminRepository
@@ -13,7 +14,9 @@ export class ListAllInvitesController {
     this.useCase = new ListAllInvitesUseCase(this.adminRepository)
   }
 
-  @Route('GET', '/admin/invites')
+  @Route('GET', '/admin/invites', {
+    middlewares: [verifyAdmin]
+  })
   @Trace('admin.list_all_invites')
   async execute(request: FastifyRequest, reply: FastifyReply): Promise<void> {
     const response = await this.useCase.execute()

@@ -1,11 +1,11 @@
 import { AdminRepository } from '@/adapters/outbound/prisma/repositories/admin-repositories'
 
 import { Route } from '../../../decorators/route-decorator'
-import { verifyJWT } from '../../../middlewares/verify-jwt'
 import type { FastifyReply, FastifyRequest } from 'fastify'
 import { regenerateTokenAndResendParamsSchema } from './schema'
 import { RegenerateInviteTokenUseCase } from '@/core/use-cases/admin/regenerate-token-and-resend-email'
 import { Trace } from '../../../decorators/trace-decorator'
+import { verifyAdmin } from '../../../middlewares/verify-admin'
 
 export class RegenerateAndResendInviteController {
   private adminRepository: AdminRepository
@@ -17,7 +17,7 @@ export class RegenerateAndResendInviteController {
   }
 
   @Route('POST', '/admin/invites/:id/resend', {
-    middlewares: [verifyJWT]
+    middlewares: [verifyAdmin]
   })
   @Trace('admin.regenerate_token_and_resend_email')
   async execute(request: FastifyRequest, reply: FastifyReply): Promise<void> {

@@ -4,6 +4,7 @@ import type { FastifyReply, FastifyRequest } from 'fastify'
 import { useInviteTokenBodySchema } from './schema'
 import { UseInviteTokenUseCase } from '@/core/use-cases/admin/use-invite-token'
 import { Trace } from '../../../decorators/trace-decorator'
+import { verifyAdmin } from '../../../middlewares/verify-admin'
 
 export class UseInviteTokenController {
   private adminRepository: AdminRepository
@@ -14,7 +15,9 @@ export class UseInviteTokenController {
     this.useCase = new UseInviteTokenUseCase(this.adminRepository)
   }
 
-  @Route('POST', '/admin/invites/token')
+  @Route('POST', '/admin/invites/token', {
+    middlewares: [verifyAdmin]
+  })
   @Trace('admin.use_invite_token')
   protected async execute(
     request: FastifyRequest,

@@ -1,10 +1,10 @@
 import { AdminRepository } from '@/adapters/outbound/prisma/repositories/admin-repositories'
-import { verifyJWT } from '../../../middlewares/verify-jwt'
 import { Route } from '../../../decorators/route-decorator'
 import type { FastifyReply, FastifyRequest } from 'fastify'
 import { validateInviteTokenParamsSchema } from './schema'
 import { ValidateInviteTokenUseCase } from '@/core/use-cases/admin/validate-invite-token'
 import { Trace } from '../../../decorators/trace-decorator'
+import { verifyAdmin } from '../../../middlewares/verify-admin'
 
 export class ValidateInviteTokenController {
   private adminRepository: AdminRepository
@@ -15,7 +15,9 @@ export class ValidateInviteTokenController {
     this.useCase = new ValidateInviteTokenUseCase(this.adminRepository)
   }
 
-  @Route('GET', '/admin/invites/validate/:token')
+  @Route('GET', '/admin/invites/validate/:token', {
+    middlewares: [verifyAdmin]
+  })
   @Trace('admin.validate_invite_token')
   protected async execute(
     request: FastifyRequest,

@@ -0,0 +1,34 @@
+import { FastifyReply, FastifyRequest } from 'fastify'
+import { JwtService } from '@/shared/infra/auth/jwt'
+import { env } from '@/config/env'
+
+const jwtService = new JwtService(env.JWT_SECRET)
+
+export async function verifyAdmin(request: FastifyRequest, reply: FastifyReply) {
+  try {
+    const authHeader = request.headers.authorization
+
+    if (!authHeader?.startsWith('Bearer ')) {
+      return reply.status(401).send({ message: 'Unauthorized' })
+    }
+
+    const token = authHeader.slice(7)
+    const data = jwtService.verifyToken(token)
+
+    if (data.role !== 'admin') {
+      return reply.status(403).send({
+        message: 'Forbidden',
+      })
+    }
+
+    request.profile = {
+      ...request.profile,
+      role: data.role
+    }
+  } catch (err) {
+    console.log('Error verifying admin token:', err)
+    return reply.status(403).send({
+      message: 'Forbidden',
+    })
+  }
-  } catch (err) {
-    console.log('Error verifying admin token:', err)
-    return reply.status(403).send({
-      message: 'Forbidden',
-    })
-  }
+  } catch (err) {
+    console.log('Error verifying admin token:', err)
+    return reply.status(401).send({
+      message: 'Unauthorized',
+    })
+  }
-  } catch (err) {
-    console.log('Error verifying admin token:', err)
-    return reply.status(403).send({
-      message: 'Forbidden',
-    })
-  }
+  } catch (err) {
+    console.log('Error verifying admin token:', err)
+    return reply.status(401).send({
+      message: 'Unauthorized',
+    })
+  }
+}
@@ -1,11 +1,23 @@
+import { env } from '@/config/env'
+import { JwtService } from '@/shared/infra/auth/jwt'
 import { FastifyReply, FastifyRequest } from 'fastify'
 
+const jwtService = new JwtService(env.JWT_SECRET)
+
 export async function verifyJWT(request: FastifyRequest, reply: FastifyReply) {
   try {
-    const data = await request.jwtVerify<{ sub: string }>()
+    const authHeader = request.headers.authorization
+
+    if (!authHeader?.startsWith('Bearer ')) {
+      return reply.status(401).send({ message: 'Unauthorized' })
+    }
+
+    const token = authHeader.slice(7)
+    const data = jwtService.verifyToken(token)
 
     request.user = { sub: data.sub }
   } catch (err) {
+    console.log('Error verifying JWT:', err)
     reply.status(401).send({
       message: 'Unauthorized'
     })

@@ -0,0 +1,7 @@
+import { ControllerError } from "@/adapters/inbound/http/middlewares/general-error-handler";
+
+export class InviteNotFound extends ControllerError {
+    constructor(public status = 404) {
+        super('Invite not found.')
+    }
+}
@@ -23,6 +23,10 @@ export class RegenerateInviteTokenUseCase {
       id
     )
 
+    if (!refreshedToken) {
+      throw new InviteTokenDoesNotExistError()
+    }
+
     return {
       inviteToken: refreshedToken
     }

@@ -22,7 +22,7 @@ export class ResetPasswordAndLoginUseCase {
     private readonly organizationsRepository: OrganizationsRepository,
     private readonly adminRepository: AdminRepository,
     private readonly jwtService: JwtService
-  ) {}
+  ) { }
 
   async execute({ invite_token, new_password }: Input): Promise<null> {
     const invite = await this.adminRepository.getInviteByToken(invite_token)
@@ -49,13 +49,15 @@ export class ResetPasswordAndLoginUseCase {
       this.jwtService.createToken(
         organization.id,
         organization.email,
+        organization.role,
         Duration.minutes(15)
       )
 
     const { token: refresh_token, claims: refresh_claims } =
       this.jwtService.createToken(
         organization.id,
         organization.email,
+        organization.role,
         Duration.days(7)
       )
 

@@ -11,7 +11,7 @@ export class LoginUseCase {
     private readonly authRepository: AuthRepository,
     private readonly organizationsRepository: OrganizationsRepository,
     private readonly jwtService: JwtService
-  ) {}
+  ) { }
 
   async execute({
     email,
@@ -28,13 +28,15 @@ export class LoginUseCase {
       this.jwtService.createToken(
         organization.id,
         organization.email,
+        organization.role,
         Duration.minutes(15)
       )
 
     const { token: refresh_token, claims: refresh_claims } =
       this.jwtService.createToken(
         organization.id,
         organization.email,
+        organization.role,
         Duration.days(7)
       )
 
@@ -53,7 +55,8 @@ export class LoginUseCase {
       refresh_token_expires_at: new Date(refresh_claims.exp * 1000),
       organization: {
         name: organization?.organization_profile?.name || '',
-        email: organization.email
+        email: organization.email,
+        role: organization?.role
       }
     }
   }

@@ -12,5 +12,6 @@ export interface LoginUserUseCaseReturn {
   organization: {
     name: string
     email: string
+    role: string
   }
 }
@@ -10,7 +10,7 @@ export class RefreshTokenUseCase {
   constructor(
     private readonly authRepository: AuthRepository,
     private readonly jwtService: JwtService
-  ) {}
+  ) { }
 
   async execute({
     refresh_token
@@ -35,6 +35,7 @@ export class RefreshTokenUseCase {
       this.jwtService.createToken(
         refresh_claims.id,
         refresh_claims.email,
+        refresh_claims.role,
         Duration.minutes(15)
       )