Open
Description
Summary
Public routes (such as /auth/signup/basic) are being blocked by the global ApiKeyGuard and RolesGuard, even when decorated with @Public(). This results in a Forbidden error when trying to access public endpoints.
Steps to Reproduce
- Clone the repository and install dependencies.
- Start the application.
- Attempt to sign up via the public endpoint:
```http
POST http://localhost:3000/auth/signup/basic
Content-Type: application/json

{ "email": "[email protected]", "password": "test1234", "name": "Test User" }
```
- Observe the response:
```json
{ "statusCode": 10001, "message": "Forbidden", "url": "/auth/signup/basic/" }
```
Expected Behavior
Public routes decorated with @Public() should bypass all authentication and authorization guards, allowing unauthenticated access as intended.
Actual Behavior
Requests to public routes are blocked by ApiKeyGuard and RolesGuard, which do not check for the @Public() decorator. This results in a Forbidden error.
Environment
- OS: Windows 11
- Node.js version: v22.12.0
- NestJS version: 11.0.2
- How you ran the app: Docker Compose
Proposed Solution
Update ApiKeyGuard and RolesGuard to check for the @Public() decorator, similar to how AuthGuard does:
```ts
// Inside canActivate(context: ExecutionContext), using the guard's injected Reflector:
const isPublic = this.reflector.getAllAndOverride<boolean>(IS_PUBLIC_KEY, [
  context.getHandler(),
  context.getClass(),
]);
if (isPublic) return true;
```
Additional Context
This issue was discovered when attempting to sign up a new user and receiving a Forbidden error, despite the route being public.
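The following is an added example, not code from this repository and not NestJS itself: a dependency-free model of the guard chain the issue describes. The `Reflector`, `setMetadata` store, `ExecutionContext` shape, `runGuards` function, `ROLES_KEY`, the `dev-key` API key and the two controllers are all assumptions standing in for the framework, chosen so the block runs offline. It shows that an `ApiKeyGuard` without the `@Public()` check rejects an unauthenticated `POST /auth/signup/basic`, that adding the proposed `getAllAndOverride` check lets the public route through, and, as the regression check a reviewer would want, that a role-restricted route is still blocked without an API key or the required role after the fix.

```typescript
// Added example (assumptions, not NestJS or the project's own code).
const IS_PUBLIC_KEY = "isPublic";
const ROLES_KEY = "roles"; // hypothetical key used by @Roles()

// Minimal metadata store standing in for SetMetadata()/Reflect metadata.
const metadata = new WeakMap<object, Map<string, unknown>>();
function setMetadata(target: object, key: string, value: unknown): void {
  if (!metadata.has(target)) metadata.set(target, new Map());
  metadata.get(target)!.set(key, value);
}

// Stand-in for Reflector.getAllAndOverride: the first target (the handler)
// that carries the key wins over the controller class; undefined if neither has it.
class Reflector {
  getAllAndOverride<T>(key: string, targets: object[]): T | undefined {
    for (const t of targets) {
      const v = metadata.get(t)?.get(key);
      if (v !== undefined) return v as T;
    }
    return undefined;
  }
}

interface ExecutionContext {
  getHandler(): object;
  getClass(): object;
  request: { headers: Record<string, string>; user?: { roles: string[] } };
}
interface CanActivate { canActivate(ctx: ExecutionContext): boolean; }

// The check the issue proposes, factored out so every guard calls it first.
function isPublicRoute(reflector: Reflector, ctx: ExecutionContext): boolean {
  return reflector.getAllAndOverride<boolean>(IS_PUBLIC_KEY,
    [ctx.getHandler(), ctx.getClass()]) === true;
}

// "Before": ApiKeyGuard as reported, with no @Public() check at all.
class ApiKeyGuardBefore implements CanActivate {
  constructor(private readonly apiKey: string) {}
  canActivate(ctx: ExecutionContext): boolean {
    return ctx.request.headers["x-api-key"] === this.apiKey;
  }
}

// "After": the same guard honouring @Public() on the handler or the class.
class ApiKeyGuardAfter implements CanActivate {
  constructor(private readonly reflector: Reflector, private readonly apiKey: string) {}
  canActivate(ctx: ExecutionContext): boolean {
    if (isPublicRoute(this.reflector, ctx)) return true;
    return ctx.request.headers["x-api-key"] === this.apiKey;
  }
}

// RolesGuard after the fix: public routes pass; otherwise the user must hold
// one of the roles declared on the handler or class (none declared = allowed).
class RolesGuardAfter implements CanActivate {
  constructor(private readonly reflector: Reflector) {}
  canActivate(ctx: ExecutionContext): boolean {
    if (isPublicRoute(this.reflector, ctx)) return true;
    const required = this.reflector.getAllAndOverride<string[]>(ROLES_KEY,
      [ctx.getHandler(), ctx.getClass()]);
    if (!required || required.length === 0) return true;
    const roles = ctx.request.user?.roles ?? [];
    return required.some((r) => roles.includes(r));
  }
}

// Global guards run in order and all must return true; any false means 403.
function runGuards(guards: CanActivate[], ctx: ExecutionContext): number {
  return guards.every((g) => g.canActivate(ctx)) ? 200 : 403;
}

// Constructed route table: a public signup handler and an admin-only handler.
class AuthController {}
const signupBasic = () => "signed up";
setMetadata(signupBasic, IS_PUBLIC_KEY, true); // @Public()
class AdminController {}
const listUsers = () => [] as string[];
setMetadata(listUsers, ROLES_KEY, ["admin"]); // @Roles('admin')

function makeCtx(handler: object, cls: object, headers: Record<string, string>,
  user?: { roles: string[] }): ExecutionContext {
  return { getHandler: () => handler, getClass: () => cls, request: { headers, user } };
}

const reflector = new Reflector();
const API_KEY = "dev-key"; // constructed value, not a real key

// Unauthenticated POST /auth/signup/basic, no API key, before and after the fix.
function signupStatusBefore(): number {
  return runGuards([new ApiKeyGuardBefore(API_KEY)], makeCtx(signupBasic, AuthController, {}));
}
function signupStatusAfter(): number {
  return runGuards([new ApiKeyGuardAfter(reflector, API_KEY), new RolesGuardAfter(reflector)],
    makeCtx(signupBasic, AuthController, {}));
}
// Regression check: the protected admin route stays protected after the fix.
function adminStatusAfter(headers: Record<string, string>, roles?: string[]): number {
  return runGuards([new ApiKeyGuardAfter(reflector, API_KEY), new RolesGuardAfter(reflector)],
    makeCtx(listUsers, AdminController, headers, roles ? { roles } : undefined));
}
```

`signupStatusBefore()` reproduces the report (403 on the public route); `signupStatusAfter()` returns 200 once both guards check the metadata first. The order of the two checks in each guard is the security-relevant detail: the public lookup must precede the credential check, and it must consult both handler and class so a controller-level `@Public()` behaves the same as a method-level one.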