From e5484da39a22c5dfe015d5306f1373c2524a166e Mon Sep 17 00:00:00 2001 From: Matthieu Haineault Date: Fri, 31 Oct 2025 12:34:12 -0400 Subject: [PATCH] refactor(expenses): added email to req inside controller and pass email to the function to pin point the right timesheet --- .../controllers/expense.controller.ts | 8 ++++--- .../services/expense-upsert.service.ts | 22 +++++++++++++------ 2 files changed, 20 insertions(+), 10 deletions(-) diff --git a/src/time-and-attendance/modules/expenses/controllers/expense.controller.ts b/src/time-and-attendance/modules/expenses/controllers/expense.controller.ts index 6e4f495..594d583 100644 --- a/src/time-and-attendance/modules/expenses/controllers/expense.controller.ts +++ b/src/time-and-attendance/modules/expenses/controllers/expense.controller.ts @@ -1,4 +1,4 @@ -import { Controller, Post, Param, ParseIntPipe, Body, Patch, Delete } from "@nestjs/common"; +import { Controller, Post, Param, Body, Patch, Delete, Req, UnauthorizedException } from "@nestjs/common"; import { CreateExpenseResult, UpdateExpenseResult } from "src/time-and-attendance/utils/type.utils"; import { ExpenseUpsertService } from "src/time-and-attendance/modules/expenses/services/expense-upsert.service"; import { updateExpenseDto } from "src/time-and-attendance/modules/expenses/dtos/expense-update.dto"; @@ -10,8 +10,10 @@ export class ExpenseController { constructor( private readonly upsert_service: ExpenseUpsertService ){} @Post('create') - create(@Body() dto: ExpenseDto): Promise{ - return this.upsert_service.createExpense(dto); + create( @Req() req, @Body() dto: ExpenseDto): Promise{ + const email = req.user?.email; + if(!email) throw new UnauthorizedException('Unauthorized User'); + return this.upsert_service.createExpense(dto, email); } @Patch('update') diff --git a/src/time-and-attendance/modules/expenses/services/expense-upsert.service.ts b/src/time-and-attendance/modules/expenses/services/expense-upsert.service.ts index 38990a0..9687bca 100644 
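Review bot: In `ExpenseController`, only `create` now derives the caller from `req.user?.email`; the `@Patch('update')` route shown as trailing context (and the delete route, since `Delete` is still imported) is untouched by this commit, so those handlers may still act on an expense without tying it to the authenticated user, which is worth confirming before treating this as the ownership fix. `req` is also untyped, so `req.user?.email` is an unchecked `any`; a narrow parameter type such as `@Req() req: { user?: { email?: string } }` documents what the handler expects. The check only helps if an authentication guard populates `req.user` from a verified session or token, and no guard is visible in this hunk. The class body continues outside the hunk.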
--- a/src/time-and-attendance/modules/expenses/services/expense-upsert.service.ts +++ b/src/time-and-attendance/modules/expenses/services/expense-upsert.service.ts @@ -1,22 +1,29 @@ import { CreateExpenseResult, UpdateExpensePayload, UpdateExpenseResult, DeleteExpenseResult, NormalizedExpense } from "src/time-and-attendance/utils/type.utils"; import { toDateFromString, toStringFromDate } from "src/time-and-attendance/utils/date-time.utils"; -import { Injectable, NotFoundException } from "@nestjs/common"; +import { Injectable, NotFoundException, Req } from "@nestjs/common"; import { expense_select } from "src/time-and-attendance/utils/selects.utils"; import { PrismaService } from "src/prisma/prisma.service"; import { GetExpenseDto } from "src/time-and-attendance/modules/expenses/dtos/expense-get.dto"; import { ExpenseDto } from "src/time-and-attendance/modules/expenses/dtos/expense-create.dto"; +import { EmailToIdResolver } from "src/time-and-attendance/modules/shared/utils/resolve-email-id.utils"; @Injectable() export class ExpenseUpsertService { - constructor(private readonly prisma: PrismaService) { } + constructor( + private readonly prisma: PrismaService, + private readonly emailResolver: EmailToIdResolver, + ) { } //_________________________________________________________________ // CREATE //_________________________________________________________________ - async createExpense( dto: ExpenseDto): Promise { + async createExpense( dto: ExpenseDto, email: string): Promise { try { + //fetch employee_id using req.user.email + const employee_id = await this.emailResolver.findIdByEmail(email); + //normalize strings and dates const normed_expense = this.normalizeExpenseDto(dto); 
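Review bot: `Req` is added to the `@nestjs/common` import of the service, but nothing in the visible hunks uses it, and a request decorator does not belong in a provider; the line can stay `import { Injectable, NotFoundException } from "@nestjs/common";`. The new `EmailToIdResolver` constructor dependency also has to be registered in the owning module, and the diffstat lists only the controller and this service, so confirm it is already a provider there. `createExpense` continues outside the hunk.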
@@ -24,12 +31,13 @@ export class ExpenseUpsertService { const parsed_amount = this.parseOptionalNumber(dto.amount, "amount"); const parsed_mileage = this.parseOptionalNumber(dto.mileage, "mileage"); const parsed_attachment = this.parseOptionalNumber(dto.attachment, "attachment"); - - const timesheet = await this.prisma.timesheets.findUnique({ - where: { id: dto.timesheet_id }, - select: { id: true }, + + const timesheet = await this.prisma.timesheets.findFirst({ + where: { id: dto.timesheet_id, employee_id: employee_id }, + select: { id: true, employee_id: true }, }); if(!timesheet) throw new NotFoundException(`Timesheet with id ${dto.timesheet_id} not found`); + //create a new expense const expense = await this.prisma.expenses.create({ data: {
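Review bot: The `employee_id` condition in the `findFirst` `where` is the whole ownership check, and Prisma ignores a filter whose value is `undefined`, so if `findIdByEmail` (not visible here) can resolve to `undefined` the query would match on `id` alone; guard with `if (employee_id == null)` and throw the same `NotFoundException` before querying. A short comment above the query, such as `// ownership check: the timesheet must belong to the caller`, would keep a later refactor from reverting to a lookup by id only. `employee_id: true` was added to `select`, but no read of it is visible in the hunk. `createExpense` starts and ends outside the hunk.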