Explore-Beyond-Innovations · JoE11-y · Apr 26, 2026 · Apr 26, 2026
diff --git a/apps/backend-relayer/src/common/guards/admin-jwt.guard.ts b/apps/backend-relayer/src/common/guards/admin-jwt.guard.ts
@@ -5,6 +5,7 @@ import {
   CanActivate,
   ExecutionContext,
   UnauthorizedException,
+  ForbiddenException,
 } from '@nestjs/common';
 import { PrismaService } from '@prisma/prisma.service';
 import { env } from '@libs/configs';
@@ -36,7 +37,7 @@ export class AdminJwtGuard implements CanActivate {
     const admin = await this.prisma.admin.findUnique({
       where: { id: decoded.sub },
     });
-    if (!admin) throw new UnauthorizedException('Admin no longer exists');
+    if (!admin) throw new ForbiddenException('Admin privileges required');
 
     req.admin = decoded;
     return true;

diff --git a/apps/backend-relayer/src/common/guards/user-jwt.guard.ts b/apps/backend-relayer/src/common/guards/user-jwt.guard.ts
@@ -5,6 +5,7 @@ import {
   CanActivate,
   ExecutionContext,
   UnauthorizedException,
+  ForbiddenException,
 } from '@nestjs/common';
 import { PrismaService } from '@prisma/prisma.service';
 import { env } from '@libs/configs';
@@ -36,7 +37,7 @@ export class UserJwtGuard implements CanActivate {
     const user = await this.prisma.user.findUnique({
       where: { id: decoded.sub },
     });
-    if (!user) throw new UnauthorizedException('User no longer exists');
+    if (!user) throw new ForbiddenException('User access required');
 
     req.user = decoded;
     return true;

diff --git a/apps/backend-relayer/test/e2e/admin.e2e-spec.ts b/apps/backend-relayer/test/e2e/admin.e2e-spec.ts
@@ -67,18 +67,18 @@ describe('Admin E2E', () => {
       .expect(200);
   });
 
-  it('POST /v1/admin/addAdmin -> 403 without token', async () => {
+  it('POST /v1/admin/addAdmin -> 401 without token', async () => {
     await request(app.getHttpServer())
       .post('/v1/admin/addAdmin')
       .send({ email: 'noauth@x.com', password: 'Whatever#1' })
-      .expect(403);
+      .expect(401);
   });
 
-  it('POST /v1/admin/addAdmin -> 403 with invalid token', async () => {
+  it('POST /v1/admin/addAdmin -> 401 with invalid token', async () => {
     await request(app.getHttpServer())
       .post('/v1/admin/addAdmin')
       .set('Authorization', 'Bearer not-a-jwt')
       .send({ email: 'badtoken@x.com', password: 'Whatever#1' })
-      .expect(403);
+      .expect(401);
   });
 });
diff --git a/apps/backend-relayer/test/e2e/ads.e2e-spec.ts b/apps/backend-relayer/test/e2e/ads.e2e-spec.ts
@@ -29,7 +29,7 @@ describe('Ads E2E', () => {
         creatorDstAddress: userWallet.address,
         fundAmount: '1000',
       })
-      .expect(403);
+      .expect(401);
   });
 
   it('creates an ad, persists INACTIVE row, then fetches it', async () => {

diff --git a/apps/backend-relayer/test/e2e/chain.e2e-spec.ts b/apps/backend-relayer/test/e2e/chain.e2e-spec.ts
@@ -33,7 +33,7 @@ describe('Chains E2E', () => {
         adManagerAddress: randomAddress(),
         orderPortalAddress: randomAddress(),
       })
-      .expect(403);
+      .expect(401);
   });
 
   describe('Chain CRUD operations', () => {
@@ -101,7 +101,7 @@ describe('Chains E2E', () => {
       await request(app.getHttpServer())
         .patch(`/v1/admin/chains/${chainUUID}`)
         .send({ adManagerAddress: '0xAdMgrUpdated' })
-        .expect(403);
+        .expect(401);
     });
 
     it('fails to update non-existent chain', async () => {

diff --git a/apps/backend-relayer/test/e2e/notifications.e2e-spec.ts b/apps/backend-relayer/test/e2e/notifications.e2e-spec.ts
@@ -96,7 +96,7 @@ describe('Notifications E2E', () => {
   });
 
   it('GET /v1/notifications requires auth', async () => {
-    await request(app.getHttpServer()).get('/v1/notifications').expect(403);
+    await request(app.getHttpServer()).get('/v1/notifications').expect(401);
   });
 
   it('GET /v1/notifications/unread-count returns 0 for a fresh user', async () => {

diff --git a/apps/backend-relayer/test/e2e/routes.e2e-spec.ts b/apps/backend-relayer/test/e2e/routes.e2e-spec.ts
@@ -30,7 +30,7 @@ describe('Routes E2E', () => {
     await request(app.getHttpServer())
       .post('/v1/admin/routes/create')
       .send({ adTokenId: 't1', orderTokenId: 't2' })
-      .expect(403);
+      .expect(401);
   });
 
   it('creates a route, fetches it, lists by token ids', async () => {
@@ -144,7 +144,7 @@ describe('Routes E2E', () => {
     const random = randomUUID();
     await request(app.getHttpServer())
       .delete(`/v1/admin/routes/${random}`)
-      .expect(403);
+      .expect(401);
   });
 
   it('deletes a route then 404 on get', async () => {

diff --git a/apps/backend-relayer/test/e2e/token.e2e-spec.ts b/apps/backend-relayer/test/e2e/token.e2e-spec.ts
@@ -33,7 +33,7 @@ describe('Tokens E2E', () => {
         decimals: 18,
         kind: 'NATIVE',
       })
-      .expect(403);
+      .expect(401);
   });
 
   it('creates a token (POST /v1/tokens)', async () => {

diff --git a/apps/backend-relayer/test/e2e/trade-e2e-spec.ts b/apps/backend-relayer/test/e2e/trade-e2e-spec.ts
@@ -60,7 +60,7 @@ describe('Trades E2E', () => {
         amount: '1000',
         bridgerDstAddress: Wallet.createRandom().address,
       })
-      .expect(403);
+      .expect(401);
   });
 
   it('creates a trade (happy path)', async () => {