sparrowapp-dev · LordNayan · Feb 17, 2026 · Feb 10, 2026 · Feb 11, 2026 · Feb 17, 2026
diff --git a/src/modules/identity/controllers/auth.controller.ts b/src/modules/identity/controllers/auth.controller.ts
@@ -27,6 +27,13 @@ import { ObjectId } from "mongodb";
 import { ConfigService } from "@nestjs/config";
 import { HubSpotService } from "../services/hubspot.service";
 import { TeamUserService } from "../services/team-user.service";
+import { JwtAuthGuard } from "@src/modules/common/guards/jwt-auth.guard";
+import { ExtendedFastifyRequest } from "@src/types/fastify";
+import { TeamService } from "../services/team.service";
+import { JwtService } from "@nestjs/jwt";
+import { ForbiddenException } from "@nestjs/common/exceptions/forbidden.exception";
+import { TeamRepository } from "../repositories/team.repository";
+import { NotFoundException } from "@nestjs/common/exceptions/not-found.exception";
 /**
  * Authentication Controller
  */
@@ -51,6 +58,9 @@ export class AuthController {
     private readonly teamUserService: TeamUserService,
     private readonly configService: ConfigService,
     private readonly hubspotService: HubSpotService,
+    private readonly teamService: TeamService,
+    private readonly jwtService: JwtService,
+    private readonly teamRepository: TeamRepository,
   ) {}
 
   /**
@@ -235,4 +245,57 @@ export class AuthController {
       ),
     );
   }
+
+  @Post("admin-sso-token")
+  @UseGuards(JwtAuthGuard)
+  @ApiOperation({ summary: "Generate SSO Token (Team Member only)" })
+  async generateAdminSsoToken(
+    @Body() body: { teamId: string },
+    @Req() req: ExtendedFastifyRequest,
+    @Res() res: FastifyReply,
+  ) {
+    const { teamId } = body;
+
+    if (!teamId) {
+      throw new BadRequestException("Team ID is required");
+    }
+
+    const user = req.user;
+
+    // Allow ANY team member (owner, admin, member)
+
+    const team = await this.teamRepository.findTeamByTeamId(
+      new ObjectId(teamId),
+    );
+
+    if (!team) {
+      throw new NotFoundException("Team not found");
+    }
+
+    const isMember = team.users.some(
+      (member) => member.id.toString() === user._id.toString(),
+    );
+
+    if (!isMember) {
+      throw new ForbiddenException("You are not a member of this team");
+    }
+
+    const ssoToken = this.jwtService.sign(
+      {
+        _id: user._id,
+        email: user.email,
+        name: user.name,
+        type: "admin-sso",
+      },
+      {
+        secret: this.configService.get("app.jwtSecretKey"),
+        expiresIn: "5m",
+      },
+    );
+
+    return res.status(200).send({
+      message: "Admin SSO token generated successfully",
+      ssoToken,
+    });
+  }
 }
diff --git a/src/modules/identity/services/team.service.ts b/src/modules/identity/services/team.service.ts
@@ -36,6 +36,7 @@ import {
 import { isValidName } from "@src/modules/common/util/validate.name.util";
 import { isImageBuffer } from "@src/modules/common/util/isImageBuffer.util";
 import { imageSize } from "image-size";
+import { ForbiddenException } from "@nestjs/common/exceptions/forbidden.exception";
 
 /**
  * Team Service
@@ -550,7 +551,7 @@ export class TeamService {
           }
         }
       }
-      throw new BadRequestException("You don't have access");
+      throw new ForbiddenException("Only team members can access admin panel");
     }
     throw new BadRequestException("Team doesn't exist");
   }

diff --git a/src/modules/user-admin/controllers/user-admin.auth.controller.ts b/src/modules/user-admin/controllers/user-admin.auth.controller.ts
@@ -168,4 +168,23 @@ export class AdminAuthController {
 
     return res.status(responseData.httpStatusCode).send(responseData);
   }
+
+  @Post("validate-sso")
+  async validateSsoToken(
+    @Body() body: { token: string },
+    @Res() res: FastifyReply,
+  ) {
+    const { token } = body;
+
+    if (!token) {
+      throw new BadRequestException("SSO token is required");
+    }
+
+    const tokens = await this.adminAuthService.validateShortLivedToken(token);
+
+    return res.status(200).send({
+      message: "SSO login successful",
+      data: tokens,
+    });
+  }
 }
diff --git a/src/modules/user-admin/services/user-admin.auth.service.ts b/src/modules/user-admin/services/user-admin.auth.service.ts
@@ -83,6 +83,9 @@ export class AdminAuthService {
       const decoded = this.jwtService.verify(token, {
         secret: this.configService.get("app.jwtSecretKey"),
       });
+      if (decoded.type !== "admin-sso") {
+        throw new UnauthorizedException("Invalid SSO token type");
+      }
 
       // Check expiration
       const now = Math.floor(Date.now() / 1000);