add getCreateInstrumentToken

joshunrau · joshunrau · commit 08e437a87ba5 · 2025-11-19T11:08:56.000-05:00
diff --git a/apps/api/src/auth/auth.controller.ts b/apps/api/src/auth/auth.controller.ts
@@ -1,4 +1,6 @@
-import { Body, Controller, HttpCode, HttpStatus, Post } from '@nestjs/common';
+import { CurrentUser } from '@douglasneuroinformatics/libnest';
+import type { RequestUser } from '@douglasneuroinformatics/libnest';
+import { Body, Controller, Get, HttpCode, HttpStatus, Post } from '@nestjs/common';
 import { ApiOperation } from '@nestjs/swagger';
 import { $LoginCredentials } from '@opendatacapture/schemas/auth';
 
@@ -10,6 +12,13 @@ import { AuthService } from './auth.service.js';
 export class AuthController {
   constructor(private readonly authService: AuthService) {}
 
+  @Get('create-instrument-token')
+  @HttpCode(HttpStatus.OK)
+  @RouteAccess({ action: 'create', subject: 'Instrument' })
+  async getCreateInstrumentToken(@CurrentUser() currentUser: RequestUser): Promise<{ accessToken: string }> {
+    return this.authService.getCreateInstrumentToken(currentUser);
+  }
+
   @ApiOperation({ summary: 'Login' })
   @HttpCode(HttpStatus.OK)
   @Post('login')
diff --git a/apps/api/src/auth/auth.service.ts b/apps/api/src/auth/auth.service.ts
@@ -1,5 +1,6 @@
 import { CryptoService } from '@douglasneuroinformatics/libnest';
-import { Injectable, NotFoundException, UnauthorizedException } from '@nestjs/common';
+import type { RequestUser } from '@douglasneuroinformatics/libnest';
+import { ForbiddenException, Injectable, NotFoundException, UnauthorizedException } from '@nestjs/common';
 import { JwtService } from '@nestjs/jwt';
 import type { $LoginCredentials, TokenPayload } from '@opendatacapture/schemas/auth';
 import type { Group, User } from '@prisma/client';
@@ -17,6 +18,18 @@ export class AuthService {
     private readonly usersService: UsersService
   ) {}
 
+  async getCreateInstrumentToken(currentUser: RequestUser) {
+    if (!currentUser.ability.can('create', 'Instrument')) {
+      throw new ForbiddenException();
+    }
+
+    const limitedAbility = this.abilityFactory.createForPermissions([{ action: 'create', subject: 'Instrument' }]);
+
+    return {
+      accessToken: await this.jwtService.signAsync({ permissions: limitedAbility.rules }, { expiresIn: '1h' })
+    };
+  }
+
   async login(credentials: $LoginCredentials): Promise<{ accessToken: string }> {
     let user: User & {
       groups: Group[];
