GalactiGuild · Spycall · Apr 29, 2026 · Apr 29, 2026
diff --git a/backend/package-lock.json b/backend/package-lock.json
diff --git a/backend/package.json b/backend/package.json
@@ -40,6 +40,7 @@
     "@nestjs/core": "^10.4.22",
     "@nestjs/graphql": "^12.2.2",
     "@nestjs/jwt": "^11.0.2",
+    "@nestjs/passport": "^10.0.3",
     "@nestjs/mapped-types": "*",
     "@nestjs/platform-express": "^10.4.22",
     "@nestjs/schedule": "^4.1.2",
@@ -73,6 +74,8 @@
     "node-cron": "^4.2.1",
     "p-limit": "^7.3.0",
     "pg": "^8.18.0",
+    "passport": "^0.7.0",
+    "passport-jwt": "^4.0.1",
     "prisma": "^5.0.0",
     "qrcode": "^1.5.4",
     "reflect-metadata": "^0.2.2",
@@ -96,6 +99,12 @@
     "@types/speakeasy": "^2.0.10",
     "@types/supertest": "^2.0.12",
     "@types/web-push": "^3.6.4",
+ feature/role-based-auth
+    "@types/speakeasy": "^2.0.10",
+    "@types/qrcode": "^1.5.5",
+    "@types/passport-jwt": "^4.0.1",
+
+
     "@typescript-eslint/eslint-plugin": "^6.0.0",
     "@typescript-eslint/parser": "^6.0.0",
     "eslint": "^8.42.0",

diff --git a/backend/prisma/schema.prisma b/backend/prisma/schema.prisma
@@ -16,6 +16,7 @@ model User {
   profileData     Json?    @map("profile_data")
   reputationScore Int      @default(0) @map("reputation_score")
   trustScore      Int      @default(500) @map("trust_score")
+  role            UserRole @default(INVESTOR) @map("role")
   createdAt       DateTime @default(now()) @map("created_at")
   updatedAt       DateTime @updatedAt @map("updated_at")
 
@@ -151,6 +152,12 @@ enum KycStatus {
   EXPIRED
 }
 
+enum UserRole {
+  INVESTOR
+  CREATOR
+  ADMIN
+}
+
 enum EmailDigestMode {
   INSTANT
   WEEKLY

diff --git a/backend/src/admin/controllers/audit.controller.ts b/backend/src/admin/controllers/audit.controller.ts
@@ -15,9 +15,14 @@ import { Throttle } from '@nestjs/throttler';
 import { AuditExporterService } from '../services/audit-exporter.service';
 import { GenerateAuditPackageDto, AuditPackageResponseDto } from '../dto/audit-package.dto';
 import { AdminGuard } from '../../guards/admin.guard';
+import { JwtAuthGuard } from '../../guards/jwt-auth.guard';
+import { RolesGuard } from '../../guards/roles.guard';
+import { Roles } from '../../decorators/roles.decorator';
+import { UserRole } from '@prisma/client';
 
 @Controller('admin/audit')
-@UseGuards(AdminGuard)
+@UseGuards(JwtAuthGuard, RolesGuard)
+@Roles(UserRole.ADMIN)
 export class AuditController {
   constructor(private readonly auditService: AuditExporterService) {}
 

diff --git a/backend/src/api/institutional.controller.ts b/backend/src/api/institutional.controller.ts
@@ -9,6 +9,10 @@ import {
 } from '@nestjs/common';
 import { Response } from 'express';
 import { AdminGuard } from '../guards/admin.guard';
+import { JwtAuthGuard } from '../guards/jwt-auth.guard';
+import { RolesGuard } from '../guards/roles.guard';
+import { Roles } from '../decorators/roles.decorator';
+import { UserRole } from '@prisma/client';
 import { PrismaService } from '../prisma.service';
 
 type ReportFormat = 'json' | 'csv' | 'xml';

diff --git a/backend/src/app.module.ts b/backend/src/app.module.ts
@@ -32,6 +32,7 @@ import { AdminModule } from './admin/admin.module';
 import { SupportModule } from './support/support.module';
 import { GovernanceModule } from './governance/governance.module';
 import { ApiModule } from './api/api.module';
+import { AuthModule } from './auth/auth.module';
 import { APP_GUARD } from '@nestjs/core';
 import { MaintenanceGuard } from './guards/maintenance.guard';
 
@@ -82,6 +83,7 @@ import { MaintenanceGuard } from './guards/maintenance.guard';
     AdminModule,
     GovernanceModule,
     ApiModule,
+    AuthModule,
   ],
   controllers: [AppController],
   providers: [

diff --git a/backend/src/auth/auth.module.ts b/backend/src/auth/auth.module.ts
@@ -0,0 +1,20 @@
+import { Module } from '@nestjs/common';
+import { JwtModule } from '@nestjs/jwt';
+import { PassportModule } from '@nestjs/passport';
+import { JwtStrategy } from '../guards/jwt.strategy';
+import { AuthService } from '../services/auth.service';
+import { DatabaseModule } from '../database.module';
+
+@Module({
+  imports: [
+    DatabaseModule,
+    PassportModule,
+    JwtModule.register({
+      secret: process.env.JWT_SECRET,
+      signOptions: { expiresIn: process.env.JWT_EXPIRATION },
+    }),
+  ],
+  providers: [AuthService, JwtStrategy],
+  exports: [AuthService, JwtModule],
+})
+export class AuthModule {}
diff --git a/backend/src/decorators/roles.decorator.ts b/backend/src/decorators/roles.decorator.ts
@@ -0,0 +1,5 @@
+import { SetMetadata } from '@nestjs/common';
+import { UserRole } from '@prisma/client';
+
+export const ROLES_KEY = 'roles';
+export const Roles = (...roles: UserRole[]) => SetMetadata(ROLES_KEY, roles);
diff --git a/backend/src/guards/jwt-auth.guard.ts b/backend/src/guards/jwt-auth.guard.ts
@@ -0,0 +1,5 @@
+import { Injectable } from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+
+@Injectable()
+export class JwtAuthGuard extends AuthGuard('jwt') {}
diff --git a/backend/src/guards/jwt.strategy.ts b/backend/src/guards/jwt.strategy.ts
@@ -0,0 +1,33 @@
+import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { PassportStrategy } from '@nestjs/passport';
+import { ExtractJwt, Strategy } from 'passport-jwt';
+import { PrismaService } from '../prisma.service';
+
+@Injectable()
+export class JwtStrategy extends PassportStrategy(Strategy) {
+  constructor(private prisma: PrismaService) {
+    super({
+      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+      ignoreExpiration: false,
+      secretOrKey: process.env.JWT_SECRET,
+    });
+  }
+
+  async validate(payload: any) {
+    const user = await this.prisma.user.findUnique({
+      where: { id: payload.sub },
+    });
+
+    if (!user) {
+      throw new UnauthorizedException();
+    }
+
+    return {
+      id: user.id,
+      walletAddress: user.walletAddress,
+      role: user.role,
+      reputationScore: user.reputationScore,
+      trustScore: user.trustScore,
+    };
+  }
+}
diff --git a/backend/src/guards/roles.guard.ts b/backend/src/guards/roles.guard.ts
@@ -0,0 +1,23 @@
+import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { UserRole } from '@prisma/client';
+import { ROLES_KEY } from '../decorators/roles.decorator';
+
+@Injectable()
+export class RolesGuard implements CanActivate {
+  constructor(private reflector: Reflector) {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const requiredRoles = this.reflector.getAllAndOverride<UserRole[]>(ROLES_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+
+    if (!requiredRoles) {
+      return true;
+    }
+
+    const { user } = context.switchToHttp().getRequest();
+    return requiredRoles.some((role) => user?.role === role);
+  }
+}
diff --git a/backend/src/user.controller.ts b/backend/src/user.controller.ts
@@ -44,7 +44,8 @@ export class UserController {
   }
 
   @Put('freeze-request/:requestId/review')
-  @UseGuards(AdminGuard)
+  @UseGuards(JwtAuthGuard, RolesGuard)
+  @Roles(UserRole.ADMIN)
   async reviewFreezeRequest(
     @Param('requestId') requestId: string,
     @Body() body: { adminId: string; approved: boolean; adminNotes?: string },

diff --git a/backend/src/verification/controllers/kyc-admin.controller.ts b/backend/src/verification/controllers/kyc-admin.controller.ts
@@ -9,9 +9,14 @@ import {
 import { KycAdminService } from '../services/kyc-admin.service';
 import { KycOverrideDto } from '../dto/kyc-override.dto';
 import { AdminGuard } from '../../guards/admin.guard';
+import { JwtAuthGuard } from '../../guards/jwt-auth.guard';
+import { RolesGuard } from '../../guards/roles.guard';
+import { Roles } from '../../decorators/roles.decorator';
+import { UserRole } from '@prisma/client';
 
 @Controller('admin/kyc')
-@UseGuards(AdminGuard)
+@UseGuards(JwtAuthGuard, RolesGuard)
+@Roles(UserRole.ADMIN)
 export class KycAdminController {
   constructor(private readonly kycService: KycAdminService) {}