authentication authorization

apps/api/src/domain/protests/ProtestsController.ts

@@ -1,9 +1,13 @@
-import { Body, Controller, ForbiddenException, HttpCode, HttpStatus, Inject, InternalServerErrorException, NotFoundException, Param, Post } from '@nestjs/common';
+import { Body, Controller, ForbiddenException, HttpCode, HttpStatus, Inject, InternalServerErrorException, NotFoundException, Param, Post, Req, UnauthorizedException } from '@nestjs/common';
 import { ApiOperation, ApiParam, ApiResponse, ApiTags } from '@nestjs/swagger';
 import { ProtestsService } from './ProtestsService';
 import { ReviewProtestCommandDTO } from '../race/dtos/ReviewProtestCommandDTO';
 import type { ReviewProtestResponseDTO } from './presenters/ReviewProtestPresenter';
 
+type AuthenticatedRequest = {
+  user?: { userId: string };
+};
+
 @ApiTags('protests')
 @Controller('protests')
 export class ProtestsController {
@@ -16,9 +20,19 @@ export class ProtestsController {
   @ApiResponse({ status: 200, description: 'Protest reviewed successfully' })
   async reviewProtest(
     @Param('protestId') protestId: string,
-    @Body() body: Omit<ReviewProtestCommandDTO, 'protestId'>,
+    @Body() body: Omit<ReviewProtestCommandDTO, 'protestId' | 'stewardId'>,
+    @Req() req: AuthenticatedRequest,
   ): Promise<void> {
-    const result: ReviewProtestResponseDTO = await this.protestsService.reviewProtest({ protestId, ...body });
+    const userId = req.user?.userId;
+    if (!userId) {
+      throw new UnauthorizedException('Unauthorized');
+    }
+
+    const result: ReviewProtestResponseDTO = await this.protestsService.reviewProtest({
+      protestId,
+      stewardId: userId,
+      ...body,
+    });
 
     if (!result.success) {
       switch (result.errorCode) {