Merge pull request #2305 from trycompai/tofik/fix-assistent-chat-permission-error

[dev] [tofikwest] tofik/fix-assistent-chat-permission-error

Author: tofikwest

apps/api/src/assistant-chat/assistant-chat.controller.ts

@@ -24,6 +24,7 @@ import { streamText, convertToModelMessages, stepCountIs, type UIMessage } from
 import type { Response, Request } from 'express';
 import { AuthContext } from '../auth/auth-context.decorator';
 import { HybridAuthGuard } from '../auth/hybrid-auth.guard';
+import { SessionOnlyGuard } from '../auth/session-only.guard';
 import { PermissionGuard } from '../auth/permission.guard';
 import { RequirePermission } from '../auth/require-permission.decorator';
 import type { AuthContext as AuthContextType } from '../auth/types';
@@ -36,7 +37,7 @@ import { RolesService } from '../roles/roles.service';
 
 @ApiTags('Assistant Chat')
 @Controller({ path: 'assistant-chat', version: '1' })
-@UseGuards(HybridAuthGuard, PermissionGuard)
+@UseGuards(HybridAuthGuard, SessionOnlyGuard, PermissionGuard)
 @RequirePermission('app', 'read')
 @ApiSecurity('apikey')
 export class AssistantChatController {
@@ -55,12 +56,6 @@ export class AssistantChatController {
       throw new BadRequestException('Organization ID is required');
     }
 
-    if (auth.isApiKey) {
-      throw new BadRequestException(
-        'Assistant chat is only available for user-authenticated requests.',
-      );
-    }
-
     if (!auth.userId) {
       throw new BadRequestException('User ID is required');
     }

apps/api/src/auth/session-only.guard.ts

@@ -0,0 +1,29 @@
+import {
+  CanActivate,
+  ExecutionContext,
+  ForbiddenException,
+  Injectable,
+} from '@nestjs/common';
+import { AuthenticatedRequest } from './types';
+
+/**
+ * Guard that rejects API key and service token auth.
+ * Use on endpoints that require a real user session (e.g., assistant chat).
+ *
+ * Place between HybridAuthGuard and PermissionGuard:
+ * @UseGuards(HybridAuthGuard, SessionOnlyGuard, PermissionGuard)
+ */
+@Injectable()
+export class SessionOnlyGuard implements CanActivate {
+  canActivate(context: ExecutionContext): boolean {
+    const request = context.switchToHttp().getRequest<AuthenticatedRequest>();
+
+    if (request.isApiKey || request.isServiceToken) {
+      throw new ForbiddenException(
+        'This endpoint is only available for user-authenticated requests.',
+      );
+    }
+
+    return true;
+  }
+}