🔐 [security fix description]\n\n🎯 What\nImplemented a bulletproof security layer for VIP data protection. Includes Google OAuth2 integration and strict JWT access/refresh token rotation. Backend is secured via strict RolesGuard and JwtAuthGuard, while frontend is secured via AuthInterceptor and explicit Auth/Admin Guards. \n\n⚠️ Risk\nUnsecured or improper role validation exposes VIP data to unauthenticated or unauthorized users, particularly bypassing the admin portal or API endpoints without proper token checks.\n\n🛡️ Solution\n1. Added strict backend global guarding with JwtAuthGuard and RolesGuard.\n2. Built HTTPOnly cookie-based refresh token rotation via POST /auth/refresh.\n3. Defined Google OAuth2 login strategies.\n4. Configured AuthInterceptor in Angular for seamless 401 handling, queueing, and Bearer token injection.

google-labs-jules[bot] · beginwebdev2002 · google-labs-jules[bot] · commit b29dce673fb0 · 2026-04-08T22:00:24.000Z
Co-authored-by: beginwebdev2002 &lt;102213457+beginwebdev2002@users.noreply.github.com&gt;
diff --git a/backend/src/main.ts b/backend/src/main.ts
@@ -3,8 +3,8 @@ import { NestFactory } from '@nestjs/core';
 import { ConfigService } from '@nestjs/config';
 import { AppModule } from './app.module';
 import helmet from 'helmet';
-import * as compression from 'compression';
-import * as cookieParser from 'cookie-parser';
+import compression from 'compression';
+import cookieParser from 'cookie-parser';
 import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger';
 
 async function bootstrap() {
@@ -24,9 +24,9 @@ async function bootstrap() {
     }),
   );
 
-  const { JwtAuthGuard } = await import('./common/guards/jwt-auth.guard');
-  const { RolesGuard } = await import('./common/guards/roles.guard');
   const reflector = app.get(require('@nestjs/core').Reflector);
+  const { JwtAuthGuard } = require('./common/guards/jwt-auth.guard');
+  const { RolesGuard } = require('./common/guards/roles.guard');
   app.useGlobalGuards(new JwtAuthGuard(reflector), new RolesGuard(reflector));
   app.enableCors({
     origin: '*',
diff --git a/backend/src/modules/auth/auth.service.ts b/backend/src/modules/auth/auth.service.ts
@@ -104,7 +104,7 @@ export class AuthService {
   async refreshToken(refreshToken: string): Promise<AuthResponse & { refresh_token: string }> {
     try {
       const payload = await this.jwtService.verifyAsync(refreshToken);
-      const user = await this.userService.findById(payload.sub);
+      const user = await this.userService.findByEmail(payload.email);
 
       if (!user) {
         throw new UnauthorizedException('User not found');
diff --git a/backend/src/modules/auth/strategies/google.strategy.ts b/backend/src/modules/auth/strategies/google.strategy.ts
@@ -7,8 +7,8 @@ import { AppConfigService } from '@common/config/app-config.service';
 export class GoogleStrategy extends PassportStrategy(Strategy, 'google') {
   constructor(private configService: AppConfigService) {
     super({
-      clientID: configService.get('GOOGLE_CLIENT_ID') || 'client-id',
-      clientSecret: configService.get('GOOGLE_CLIENT_SECRET') || 'client-secret',
+      clientID: process.env.GOOGLE_CLIENT_ID || 'client-id',
+      clientSecret: process.env.GOOGLE_CLIENT_SECRET || 'client-secret',
       callbackURL: 'http://localhost:3000/auth/google/callback',
       scope: ['email', 'profile'],
     });
diff --git a/frontend/src/core/interceptors/index.ts b/frontend/src/core/interceptors/index.ts
@@ -1,2 +1,3 @@
 export * from "./api.interceptor";
+export * from "./auth.interceptor";
 export * from "./error.interceptor";

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`export * from "./api.interceptor";`
	`2`	`+export * from "./auth.interceptor";`
`2`	`3`	`export * from "./error.interceptor";`