Well when you're using FormData to submit your receipt with images, the request.body is getting processed differently than with regular JSON payloads, causing your permission guard to not properly access the employee credentials.
The main problem is that when using FileFieldsInterceptor or any file upload interceptors, the form data fields are parsed differently. Your guard is trying to destructure employeeCode and employeePassword directly from request.body, but with multipart/form-data, these might be coming in as strings rather than as part of a JSON object.
import {
CanActivate,
ExecutionContext,
ForbiddenException,
Injectable,
UnauthorizedException,
} from '@nestjs/common'
import { PrismaService } from '../prisma/prisma.service'
import { PermissionEnum } from '@prisma/client'
import { Reflector } from '@nestjs/core'
import { compare } from 'bcryptjs'
@Injectable()
export class PermissionGuard implements CanActivate {
constructor(
private prisma: PrismaService,
private reflector: Reflector,
) {}
async canActivate(context: ExecutionContext): Promise<boolean> {
const requiredPermission = this.reflector.get<PermissionEnum>(
'permission',
context.getHandler(),
)
if (!requiredPermission) {
return true
}
const request = context.switchToHttp().getRequest()
const tokenId = request.user?.sub
const isCompany = request.user?.pharmacy
// Handle both JSON and FormData formats
let employeeCode, employeePassword
if (request.body) {
// Handle FormData - values will be strings
employeeCode = request.body.employeeCode || request.body.employee_code
employeePassword = request.body.employeePassword || request.body.employee_password
}
if (!tokenId) {
throw new UnauthorizedException('User not authenticated')
}
let permissions: PermissionEnum[] = []
if (isCompany) {
// If company login, we need employee validation
if (!employeeCode || !employeePassword) {
throw new UnauthorizedException({
statusText: 'unauthorized',
message: 'Employee credentials required',
})
}
const company = await this.prisma.company.findFirst({
where: { id: tokenId },
include: {
employees: true,
},
})
if (!company) {
throw new UnauthorizedException({
statusText: 'unauthorized',
message: 'Farmácia não encontrada',
})
}
const employee = company.employees.find(
(employee) => employee.code === employeeCode,
)
if (!employee) {
throw new UnauthorizedException({
statusText: 'unauthorized',
message: 'Funcionário não encontrado',
})
}
const isPasswordValid = await compare(employeePassword, employee.password)
if (!isPasswordValid) {
throw new UnauthorizedException({
statusText: 'unauthorized',
message: 'Credenciais incorretas',
})
}
permissions = employee.permissions
} else {
const user = await this.prisma.user.findFirst({
where: {
id: tokenId,
},
})
if (!user) {
throw new UnauthorizedException({
statusText: 'unauthorized',
message: 'User not found',
})
}
const pharmacy = user?.pharmacies[0]?.pharmacy
if (!pharmacy) {
throw new UnauthorizedException({
statusText: 'unauthorized',
message: 'Company not encontrada',
})
}
permissions = user.pharmaceutical.permissions
}
const hasPermission = permissions.some(
(perm) => perm === requiredPermission,
)
if (!hasPermission) {
throw new ForbiddenException(`Does not have the required permission: ${requiredPermission}`)
}
return true
}
}
Key changes I made to fix your issue:
More flexible field parsing: The updated guard now checks for different possible field names (employeeCode/employee_code) since form fields are sometimes sent with underscores.
Null checking: Added validation to ensure the employee credentials are present when company login is detected.
Better error handling: More descriptive error messages to help debug authentication issues.
Safe property access: Added optional chaining in the user pharmacy access to avoid potential undefined errors.
If you're still having issues, you could also consider implementing a custom middleware specifically for handling employee authentication in FormData requests, which would run before your guard and populate request.body with the parsed credentials.