From c48f4d90410fcc895638d0a514dcb97656493dd8 Mon Sep 17 00:00:00 2001
From: BenClaw
Date: Sun, 17 May 2026 21:08:38 +0200
Subject: [PATCH] fix(action_cable): allow employee to subscribe to supplier channel

- Employee authenticates via auth_token, acts on behalf of a Supplier
- Connection now accepts ?supplier_id=ID query param
- identified_by :current_supplier_id added
- MozoChannel#authorized? allows :employee to subscribe to supplier_ when current_supplier_id matches
---
 app/channels/application_cable/connection.rb | 10 +++++++++-
 app/channels/mozo_channel.rb | 5 ++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/app/channels/application_cable/connection.rb b/app/channels/application_cable/connection.rb
index 98302857..42cc9d21 100644
--- a/app/channels/application_cable/connection.rb
+++ b/app/channels/application_cable/connection.rb
@@ -4,7 +4,13 @@ module ApplicationCable
 class Connection < ActionCable::Connection::Base
 # Authenticate via auth_token (same mechanism used in ApplicationController#authenticate_employee!)
 # Clients should pass ?auth_token=TOKEN when connecting to the WebSocket.
- identified_by :current_user, :current_entity_type
+ #
+ # Auth flows:
+ # User app: ?auth_token=
+ # Supplier app: ?auth_token=&supplier_id=
+ # (Employee logs in, acts on behalf of a specific Supplier)
+ #
+ identified_by :current_user, :current_entity_type, :current_supplier_id

 def connect
 token = request.params[:auth_token].presence
@@ -13,6 +19,8 @@ module ApplicationCable
 if (employee = Employee.find_by_authentication_token(token))
 self.current_user = employee
 self.current_entity_type = :employee
+ # Employee acts on behalf of a supplier — passed as query param
+ self.current_supplier_id = request.params[:supplier_id]
 elsif (user = User.find_by_authentication_token(token))
 self.current_user = user
 self.current_entity_type = :user
diff --git a/app/channels/mozo_channel.rb b/app/channels/mozo_channel.rb
index ab8d4bab..020ef399 100644
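Review bot: The new "Auth flows" comment in the first hunk of `connection.rb` lists `supplier_id` beside `auth_token` as if both were credentials, but only the token is looked up; the comment should say that `supplier_id` is a caller-chosen selector that must be checked against the employee's supplier relation before it is trusted. Suggested wording: `# supplier_id is client input, not a credential: verify the employee may act for it before use`. Adding `:current_supplier_id` to `identified_by` also makes it part of the connection identifier, so any code that looks connections up through `ActionCable.server.remote_connections.where(...)` would need to pass it as well; whether the app does that is not visible in this patch.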
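Review bot: `self.current_supplier_id = request.params[:supplier_id]` in the second hunk of `connection.rb` stores a value the client chooses, and nothing visible here checks that the authenticated employee is allowed to act for that supplier. The employee clause added to `MozoChannel#authorized?` (the `app/channels/mozo_channel.rb` hunk) then compares this value with the requested channel id, so both sides of the comparison appear to come from the caller and any employee with a valid token could presumably subscribe to any supplier's stream. Resolve the supplier on the server before assigning it, for example `reject_unauthorized_connection unless employee_acts_for?(employee, request.params[:supplier_id])`, where `employee_acts_for?` is a placeholder for whatever Employee–Supplier relation the models define (not shown in this patch). `connect` begins and ends outside the hunk.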
--- a/app/channels/mozo_channel.rb
+++ b/app/channels/mozo_channel.rb
@@ -31,7 +31,10 @@ class MozoChannel < ApplicationCable::Channel
 when 'user'
 connection.current_entity_type == :user && connection.current_user.id.to_s == id
 when 'supplier'
- connection.current_entity_type == :supplier && connection.current_user.id.to_s == id
+ # Supplier app: Employee logs in, acts on behalf of a Supplier.
+ # The supplier_id is passed as a query param when connecting.
+ (connection.current_entity_type == :supplier && connection.current_user.id.to_s == id) ||
+ (connection.current_entity_type == :employee && connection.current_supplier_id.to_s == id)
 when 'employee'
 connection.current_entity_type == :employee && connection.current_user.id.to_s == id
 else
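Review bot: In the added employee clause, `connection.current_supplier_id.to_s == id` turns a missing `supplier_id` into `""`, so an employee connection opened without the parameter would match an empty `id`; whether `id` can be empty depends on the parsing above this hunk, which is not shown. Guard the clause with a presence check, e.g. `connection.current_entity_type == :employee && connection.current_supplier_id.present? && connection.current_supplier_id.to_s == id`. The two added comment lines say the id arrives as a query param; they should also state whether that value has been verified against the employee, since this branch is the authorization decision. `authorized?` starts and ends outside the hunk.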