uwblueprint · gavxue · Feb 7, 2026 · Feb 3, 2026 · Feb 4, 2026 · Feb 4, 2026
diff --git a/backend/typescript/graphql/resolvers/authResolvers.ts b/backend/typescript/graphql/resolvers/authResolvers.ts
@@ -53,6 +53,19 @@ const authResolvers = {
       );
       return isAuthorized;
     },
+    isAuthorizedReviewer: async (
+      _parent: undefined,
+      {
+        accessToken,
+        applicantRecordId,
+      }: { accessToken: string; applicantRecordId: string },
+    ): Promise<boolean> => {
+      const isAuthorized = await authService.isAuthorizedReviewer(
+        accessToken,
+        applicantRecordId,
+      );
+      return isAuthorized;
+    },
   },
   Mutation: {
     login: async (

diff --git a/backend/typescript/graphql/types/authType.ts b/backend/typescript/graphql/types/authType.ts
@@ -25,6 +25,10 @@ const authType = gql`
   extend type Query {
     login(email: String!, password: String!): loginOK!
     isAuthorizedByRole(accessToken: String!, roles: [Role!]!): Boolean!
+    isAuthorizedReviewer(
+      accessToken: String!
+      applicantRecordId: String!
+    ): Boolean!
   }
 
   extend type Mutation {

diff --git a/backend/typescript/services/implementations/authService.ts b/backend/typescript/services/implementations/authService.ts
@@ -7,6 +7,7 @@ import { AuthDTO, Role, Token } from "../../types";
 import { getErrorMessage } from "../../utilities/errorUtils";
 import FirebaseRestClient from "../../utilities/firebaseRestClient";
 import logger from "../../utilities/logger";
+import ReviewedApplicantRecord from "../../models/reviewedApplicantRecord.model";
 
 const Logger = logger(__filename);
 
@@ -272,6 +273,41 @@ class AuthService implements IAuthService {
       throw error;
     }
   }
+
+  async isAuthorizedReviewer(
+    accessToken: string,
+    applicantRecordId: string,
+  ): Promise<boolean> {
+    try {
+      const decodedIdToken: firebaseAdmin.auth.DecodedIdToken =
+        await firebaseAdmin.auth().verifyIdToken(accessToken, true);
+      const userId = await this.userService.getUserIdByAuthId(
+        decodedIdToken.uid,
+      );
+
+      const firebaseUser = await firebaseAdmin
+        .auth()
+        .getUser(decodedIdToken.uid);
+
+      if (!firebaseUser.emailVerified) {
+        return false;
+      }
+
+      const reviewedApplicantRecord = await ReviewedApplicantRecord.findOne({
+        where: {
+          applicantRecordId,
+          reviewerId: Number(userId),
+        },
+      });
+
+      return reviewedApplicantRecord !== null;
+    } catch (error) {
+      Logger.error(
+        `Failed to verify if user is authorized reviewer for applicant record ${applicantRecordId}`,
+      );
+      throw error;
+    }
+  }
 }
 
 export default AuthService;
diff --git a/backend/typescript/services/interfaces/authService.ts b/backend/typescript/services/interfaces/authService.ts
@@ -90,6 +90,17 @@ interface IAuthService {
    * @returns true if email sent successfully
    */
   sendSignInLink(email: string): Promise<boolean>;
+
+  /**
+   * Checks whether a user is an authorized reviewer for a specific applicant record
+   * @param accessToken user's access token
+   * @param applicantRecordId ID of the applicant record
+   * @returns true if user is authorized as a reviewer, false otherwise
+   */
+  isAuthorizedReviewer(
+    accessToken: string,
+    applicantRecordId: string,
+  ): Promise<boolean>;
 }
 
 export default IAuthService;