refactor(#10): eliminate redundant DB role lookups in AdminGuard, consolidate duplicate JWT guards

src/admin/admin.controller.ts

@@ -11,11 +11,11 @@
 import { SuspendCampaignDto } from './dtos/suspend-campaign.dto';
 import { Roles } from '../common/decorators/roles.decorator';
 import { RolesGuard } from '../common/guards/roles.guard';
-import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+import { JwtAuthGuard } from '../users/guards/jwt-auth.guard';
 
 @Controller('admin')
 @UseGuards(JwtAuthGuard, RolesGuard)
-@Roles('admin')
+@Roles('ADMIN')
 export class AdminController {
   constructor(private readonly adminService: AdminService) {}
 
@@ -29,8 +29,8 @@
     return this.adminService.suspendCampaign(
       id,
       dto,
       req.user.sub,
       req.user.email,
     );
   }
 }

src/admin/admin.module.ts

@@ -4,7 +4,7 @@ import { AuthModule } from '../auth/auth.module';
 import { AdminService } from './admin.service';
 import { AdminController } from './admin.controller';
 import { NotificationsModule } from '../notifications/notifications.module';
-import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+import { JwtAuthGuard } from '../users/guards/jwt-auth.guard';
 import { RolesGuard } from '../common/guards/roles.guard';
 
 /** Module providing admin campaign suspension, user moderation, and audit logging */

src/api-keys/api-keys.controller.ts

@@ -11,7 +11,7 @@ import {
 import { randomBytes, createHash } from 'crypto';
 import { Request } from 'express';
 import { PrismaService } from '../prisma/prisma.service';
-import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+import { JwtAuthGuard } from '../users/guards/jwt-auth.guard';
 import { Throttle } from '@nestjs/throttler';
 
 interface JwtUser {

src/api-keys/api-keys.module.ts

@@ -3,7 +3,7 @@ import { PrismaModule } from '../prisma/prisma.module';
 import { AuthModule } from '../auth/auth.module';
 import { ApiKeysController } from './api-keys.controller';
 import { ApiKeyGuard } from './api-key.guard';
-import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+import { JwtAuthGuard } from '../users/guards/jwt-auth.guard';
 
 /** Provides API key generation, revocation, and authentication middleware */
 @Module({

src/auth/auth-logout.controller.ts

@@ -9,7 +9,7 @@
 } from '@nestjs/common';
 import { CACHE_MANAGER } from '@nestjs/cache-manager';
 import type { Cache } from 'cache-manager';
-import { JwtAuthGuard } from './jwt-auth.guard';
+import { JwtAuthGuard } from '../users/guards/jwt-auth.guard';
 import {
   ApiTags,
   ApiOperation,
@@ -39,13 +39,13 @@
     description: 'Invalid token',
   })
   async logout(@Req() req: Request): Promise<void> {
     const user = req['user'];
 
     if (!user) {
       throw new UnauthorizedException('Invalid token');
     }
 
     const walletAddress = user.walletAddress;
     if (walletAddress) {
       await this.cacheManager.del(`refresh:${walletAddress}`);
     }

src/campaigns/campaigns.controller.ts

@@ -23,7 +23,7 @@
 import { UpdateCampaignDto } from './dto/update-campaign.dto';
 import { CreateCampaignDto } from './dto/create-campaign.dto';
 import { Request } from 'express';
-import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+import { JwtAuthGuard } from '../users/guards/jwt-auth.guard';
 import { AdminGuard } from '../users/guards/admin.guard';
 import {
   BrowseCampaignsQueryDto,
@@ -69,7 +69,7 @@
     @Body() body: CreateCampaignDto,
     @Req() req: Request & { user: any },
   ) {
     const userId = req.user?.sub as string;
     return this.campaignsService.createCampaign(userId, body);
   }
 

src/campaigns/campaigns.module.ts

@@ -7,7 +7,7 @@ import { CampaignsService } from './campaigns.service';
 import { PrismaModule } from '../prisma/prisma.module';
 import { AuthModule } from '../auth/auth.module';
 import { StellarModule } from '../stellar/stellar.module';
-import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+import { JwtAuthGuard } from '../users/guards/jwt-auth.guard';
 import { AdminGuard } from '../users/guards/admin.guard';
 import { DonationsModule } from '../donations/donations.module';
 

src/campaigns/campaigns.service.spec.ts

@@ -21,7 +21,7 @@ describe('CampaignsService milestone target validation', () => {
   };
 
   it.each([
-    ['missing', undefined],
+    ['missing', undefined as string | undefined],
     ['zero', '0'],
     ['zero decimal', '0.0000000'],
     ['below the minimum precision', '0.00000001'],
@@ -34,7 +34,7 @@ describe('CampaignsService milestone target validation', () => {
         milestones: [
           {
             title: 'Prototype',
-            targetAmount,
+            targetAmount: targetAmount as string,
           },
         ],
       }),

src/donations/donations.controller.ts

@@ -8,7 +8,7 @@ import {
   Req,
   Request,
 } from '@nestjs/common';
-import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+import { JwtAuthGuard } from '../users/guards/jwt-auth.guard';
 import { DonationsService } from './donations.service';
 import { CreateDonationDto } from './dto/create-donation.dto';
 import {

src/donations/donations.module.ts

@@ -1,6 +1,6 @@
 import { Module, forwardRef } from '@nestjs/common';
 import { AuthModule } from '../auth/auth.module';
-import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+import { JwtAuthGuard } from '../users/guards/jwt-auth.guard';
 import { CampaignsModule } from '../campaigns/campaigns.module';
 import { PrismaModule } from '../prisma/prisma.module';
 import { StellarModule } from '../stellar/stellar.module';

src/notifications/notifications.controller.ts

@@ -9,7 +9,7 @@ import {
   UseGuards,
 } from '@nestjs/common';
 import { Request } from 'express';
-import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+import { JwtAuthGuard } from '../users/guards/jwt-auth.guard';
 import { NotificationsService } from './notifications.service';
 
 @Controller('notifications')

src/users/guards/jwt-auth.guard.ts

@@ -5,29 +5,46 @@ import {
   UnauthorizedException,
 } from '@nestjs/common';
 import { JwtService } from '@nestjs/jwt';
+import { ConfigService } from '@nestjs/config';
+import { Request } from 'express';
 
+/**
+ * Validates JWT from the Authorization header and attaches the decoded
+ * payload to `request.user`.  The secret is read from config so this
+ * guard is not tied to a specific JwtModule registration.
+ */
 @Injectable()
 export class JwtAuthGuard implements CanActivate {
-  constructor(private readonly jwtService: JwtService) {}
+  constructor(
+    private readonly jwt: JwtService,
+    private readonly config: ConfigService,
+  ) {}
 
   canActivate(context: ExecutionContext): boolean {
-    const request = context.switchToHttp().getRequest();
-    const authHeader = request.headers.authorization;
+    const request = context
+      .switchToHttp()
+      .getRequest<Request & { user: unknown }>();
+    const authHeader = request.headers['authorization'];
 
-    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    if (!authHeader?.startsWith('Bearer ')) {
       throw new UnauthorizedException(
-        'Missing or invalid authorization header',
+        'Missing or invalid Authorization header',
       );
     }
 
-    const token = authHeader.substring(7);
+    const token = authHeader.slice(7);
 
     try {
-      const payload = this.jwtService.verify(token);
+      const payload = this.jwt.verify(token, {
+        secret: this.config.get<string>(
+          'JWT_SECRET',
+          'orbitchain-default-secret',
+        ),
+      }) as Record<string, unknown>;
       request.user = payload;
       return true;
-    } catch (error) {
-      throw new UnauthorizedException('Invalid token');
+    } catch {
+      throw new UnauthorizedException('Invalid or expired token');
     }
   }
 }