chore: cache org guard and fix roles guard apiv2

apps/api/v2/src/modules/auth/guards/organizations/is-org.guard.ts

@@ -1,28 +1,58 @@
 import { OrganizationsRepository } from "@/modules/organizations/organizations.repository";
+import { RedisService } from "@/modules/redis/redis.service";
 import { Injectable, CanActivate, ExecutionContext, ForbiddenException } from "@nestjs/common";
 import { Request } from "express";
 
 import { Team } from "@calcom/prisma/client";
 
+type CachedData = {
+ org?: Team;
+ canAccess?: boolean;
+};
+
 @Injectable()
 export class IsOrgGuard implements CanActivate {
- constructor(private organizationsRepository: OrganizationsRepository) {}
+ constructor(
+ private organizationsRepository: OrganizationsRepository,
+ private readonly redisService: RedisService
+ ) {}
 
  async canActivate(context: ExecutionContext): Promise<boolean> {
+ let canAccess = false;
  const request = context.switchToHttp().getRequest<Request & { organization: Team }>();
  const organizationId: string = request.params.orgId;
 
  if (!organizationId) {
  throw new ForbiddenException("No organization id found in request params.");
  }
 
+ const REDIS_CACHE_KEY = `apiv2:org:${organizationId}:guard:isOrg`;
+ const cachedData = await this.redisService.redis.get(REDIS_CACHE_KEY);
+
+ if (cachedData) {
+ const { org: cachedOrg, canAccess: cachedCanAccess } = JSON.parse(cachedData) as CachedData;
+ if (cachedOrg?.id === Number(organizationId) && cachedCanAccess !== undefined) {
+ request.organization = cachedOrg;
+ return cachedCanAccess;
+ }
+ }
+
  const org = await this.organizationsRepository.findById(Number(organizationId));
 
- if (org && org.isOrganization) {
+ if (org?.isOrganization) {
  request.organization = org;
- return true;
+ canAccess = true;
+ }
+
+ if (org) {
+ await this.redisService.redis.set(
+ REDIS_CACHE_KEY,
+ JSON.stringify({ org: org, canAccess } satisfies CachedData),
+ "EX",
+ 300
+ );
  }
 
- return false;
+ return canAccess;
  }
 }

apps/api/v2/src/modules/auth/guards/roles/roles.guard.ts

@@ -101,23 +101,23 @@ export class RolesGuard implements CanActivate {
  // if the user is admin or owner of org, allow request because org > team
  if (`ORG_${orgMembership.role}` === "ORG_ADMIN" || `ORG_${orgMembership.role}` === "ORG_OWNER") {
  canAccess = true;
+ } else {
+ if (!teamMembership) {
+ this.logger.log(
+ `User (${user.id}) is not part of the team (${teamId}) and/or, is not an admin nor an owner of the organization (${orgId}).`
+ );
+ throw new ForbiddenException(
+ "User is not part of the team and/or, is not an admin nor an owner of the organization."
+ );
+ }
+
+ // if user is not admin nor an owner of org, and is part of the team, then check user team membership role
+ canAccess = hasMinimumRole({
+ checkRole: `TEAM_${teamMembership.role}`,
+ minimumRole: allowedRole,
+ roles: TEAM_ROLES,
+ });
  }
-
- if (!teamMembership) {
- this.logger.log(
- `User (${user.id}) is not part of the team (${teamId}) and/or, is not an admin nor an owner of the organization (${orgId}).`
- );
- throw new ForbiddenException(
- "User is not part of the team and/or, is not an admin nor an owner of the organization."
- );
- }
-
- // if user is not admin nor an owner of org, and is part of the team, then check user team membership role
- canAccess = hasMinimumRole({
- checkRole: `TEAM_${teamMembership.role}`,
- minimumRole: allowedRole,
- roles: TEAM_ROLES,
- });
  }
 
  // if allowed role is a ORG ROLE, check org membersip role
@@ -129,7 +129,7 @@ export class RolesGuard implements CanActivate {
  });
  }
  }
- await this.redisService.redis.set(REDIS_CACHE_KEY, String(canAccess), "EX", 3600);
+ await this.redisService.redis.set(REDIS_CACHE_KEY, String(canAccess), "EX", 300);
  return canAccess;
  }
 }