fix(backoffice): only allow admin users.

Author: xdanielsb

services/backend/src/main/java/com/survey/backend/service/LoginService.java

@@ -78,6 +78,18 @@ public LoginResponseDTO login(LoginRequestDTO request) {
     User user = userService.saveUser(email);
     List<String> roles = keycloakAdminService.getUserRoles(email);
 
+    if ("backoffice".equalsIgnoreCase(keycloakClientId)) {
+      boolean hasAccess =
+          roles.stream()
+              .anyMatch(
+                  r ->
+                      r.equalsIgnoreCase(KeycloakRole.ADMIN.name())
+                          || r.equalsIgnoreCase(KeycloakRole.MANAGER.name()));
+      if (!hasAccess) {
+        throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "Unauthorized");
+      }
+    }
+
     return new LoginResponseDTO(accessToken, roles, user.isPremium());
   }
 

services/backend/src/test/java/com/survey/backend/controller/AuthControllerTest.java

@@ -69,7 +69,7 @@ public void testLoginSuccess() throws Exception {
     User mockUser = User.builder().email("x@test.com").isPremium(true).build();
 
     Mockito.when(userService.saveUser(email)).thenReturn(mockUser);
-    Mockito.when(keycloakAdminService.getUserRoles(email)).thenReturn(List.of("CUSTOMER"));
+    Mockito.when(keycloakAdminService.getUserRoles(email)).thenReturn(List.of("Admin"));
 
     mockMvc
         .perform(
@@ -120,4 +120,24 @@ public void testSignupSuccess() throws Exception {
         .createUser("new@example.com", "pw", List.of(KeycloakRole.CUSTOMER.name()));
     Mockito.verify(userService).saveUser("new@example.com");
   }
+
+  @Test
+  public void testLoginFailsWhenUserNotAdminOrManager() throws Exception {
+    LoginRequestDTO loginRequest = new LoginRequestDTO();
+    loginRequest.setEmail("test@example.com");
+    loginRequest.setPassword("password");
+
+    String email = "test@example.com";
+
+    User mockUser = User.builder().email("x@test.com").isPremium(false).build();
+    Mockito.when(userService.saveUser(email)).thenReturn(mockUser);
+    Mockito.when(keycloakAdminService.getUserRoles(email)).thenReturn(List.of("CUSTOMER"));
+
+    mockMvc
+        .perform(
+            post("/auth/login")
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(objectMapper.writeValueAsString(loginRequest)))
+        .andExpect(status().isUnauthorized());
+  }
 }

services/backoffice/src/app/user-management/containers/payments/payments.component.ts

@@ -1,5 +1,5 @@
 import { Component, OnInit } from '@angular/core'
-import {DatePipe, NgFor} from '@angular/common'
+import { DatePipe, NgFor } from '@angular/common'
 import { MatTableModule, MatTableDataSource } from '@angular/material/table'
 import { Payment } from '../../models/payment'
 import { PaymentsService } from '../../services/payment.service'

services/backoffice/src/app/user-management/services/keycloak.service.ts

@@ -22,6 +22,10 @@ export class KeycloakService {
     return this.keycloak.init({ onLoad: 'login-required' }).then(() => {
       const token = this.keycloak?.token
       if (token) {
+        const roles = (this.keycloak.tokenParsed?.['realm_access']?.['roles'] as string[]) || []
+        if (!roles.map((r) => r.toLowerCase()).includes('admin')) {
+          throw new Error('Unauthorized')
+        }
         Cookies.set('token', token, {
           secure: true,
           sameSite: 'strict',