Search

The Search module provides search with three different scopes based on the caller’s role: member-scope (data belonging to the user themselves), organization-scope (all data in the user’s organization), and global (across the entire application — MORIA superadmin only). All endpoints require Bearer JWT and use the same query string (SearchQueryDto).

Property	Value
Base URL	{HOST}/v1
Auth	Bearer JWT (header Authorization) or access_token cookie
Content-Type	application/json
Error envelope	{ "message": string | string[], "statusCode": number, "error": string }
Validation	Global ValidationPipe · whitelist: true, forbidNonWhitelisted: true · unknown fields → 400
Related modules	users, organizations, accounts, transactions
Document version	v1 · 2026-05-20
Audience	Internal FE devs (mobile + web)

Summary

Pick an endpoint based on the role of the logged-in user. INDIVIDUAL can only call member-scope. ORGANIZATION admin can call member-scope (their own data) and organization-scope (across the org’s members). MORIA superadmin has access to the global endpoint for cross-tenant search.

Method	Path	Auth	Summary
GET	/v1/search/member-scope	bearer	Search within the logged-in user’s data
GET	/v1/search/organization-scope	bearer	Search within the organization scope (organization admin)
GET	/v1/search/global	bearer	Global cross-application search (MORIA superadmin)

Auth + scope notes

• All endpoints require Bearer JWT. Role guard is checked via @Roles(...).
• member-scope accepts INDIVIDUAL and ORGANIZATION — the service will filter to the logged-in user’s data.
• organization-scope rejects the request if user.user_type !== ORGANIZATION (403) or the user has no organization_id (400).
• global rejects the request if user.user_type !== MORIA (403).
• The query parameter is optional — if empty, the server returns a paginated list without text filtering.
• limit is capped at 100; page minimum is 1.

---

GET /v1/search/member-scope bearer

Search within the logged-in user’s scope: personal data, accounts, and personal items. Endpoint for both INDIVIDUAL and ORGANIZATION users — both will see only their own items.

bearer INDIVIDUAL, ORGANIZATION RESOURCE_FETCHED

Query params — SearchQueryDto

Param	Type	Default	Notes
query	string	optional	Search keyword. If empty, results are still paginated without text filtering.
page	number	1	Page number. Minimum 1.
limit	number	20	Items per page. Maximum 100.
order	'asc' | 'desc'	asc	Result order. Validated via IsEnum.

Response — 200 OK — SearchResultDto

{
  "status": "success",
  "statusCode": 200,
  "message": "Search results",
  "data": {
    "total": 12,
    "page": 1,
    "limit": 20,
    "results": [
      { "...": "shape per item depends on the matched entity type" }
    ]
  }
}

The results field is a free-form array (any[]) — the service returns a mix of objects (user, account, transaction, etc.) each with a type/kind indicator. FE must discriminate based on that field.

Errors

Status	When it occurs
400 Bad Request	limit > 100, page < 1, or order other than asc/desc
401 Unauthorized	Bearer/cookie token is invalid
403 Forbidden	Role is not INDIVIDUAL / ORGANIZATION

---

GET /v1/search/organization-scope bearer

Search across members and resources of the logged-in user’s organization. Only ORGANIZATION users with an organization_id may call this endpoint.

bearer ORGANIZATION RESOURCE_FETCHED

Query params — SearchQueryDto

Param	Type	Default	Notes
query	string	optional	Search keyword
page	number	1	Page number
limit	number	20	Maximum 100
order	'asc' | 'desc'	asc	Result order

Response — 200 OK — SearchResultDto

{
  "status": "success",
  "statusCode": 200,
  "message": "Search results",
  "data": {
    "total": 42,
    "page": 1,
    "limit": 20,
    "results": [
      { "...": "mix of users / accounts / transactions belonging to the organization" }
    ]
  }
}

Errors

Status	When it occurs
400 Bad Request	Query validation failed, or user has no organization_id (User must belong to an organization)
401 Unauthorized	Bearer/cookie token is invalid
403 Forbidden	user_type is not ORGANIZATION (Only organization users can access organization scope search)

---

GET /v1/search/global bearer

Search across the entire application — all organizations, all users, all resources. MORIA superadmin only.

bearer MORIA RESOURCE_FETCHED

Query params — SearchQueryDto

Param	Type	Default	Notes
query	string	optional	Search keyword
page	number	1	Page number
limit	number	20	Maximum 100
order	'asc' | 'desc'	asc	Result order

Response — 200 OK — SearchResultDto

{
  "status": "success",
  "statusCode": 200,
  "message": "Search results",
  "data": {
    "total": 1280,
    "page": 1,
    "limit": 20,
    "results": [
      { "...": "mix of cross-tenant entities" }
    ]
  }
}

Errors

Status	When it occurs
400 Bad Request	Query validation failed
401 Unauthorized	Bearer/cookie token is invalid
403 Forbidden	user_type is not MORIA (Only Moria admins can access global search)

---

Reference

Enum: UserType (scope eligibility)

• individual — can only access member-scope
• organization — can access member-scope and organization-scope
• moria — can access global

Enum: order

• asc — ascending (default)
• desc — descending

Numeric limits

• page ≥ 1
• limit ≥ 1 and ≤ 100

Standard error envelope

{
  "message": "Only organization users can access organization scope search",
  "statusCode": 403,
  "error": "Forbidden"
}

message can be a string or an array of strings (multi-field validation error).

Common HTTP codes

• 400 query validation or preconditions failed (e.g. user without org)
• 401 token expired / missing
• 403 role does not match the scope
• 500 internal — show a generic toast