Welcome back! In the last lessons, you learned how to create friendships between users and how to handle friend requests in your reading tracker app. Now, you will take the next step: allowing users to view the reading progress of their friends. This feature is important because it lets users share their achievements and stay motivated together, but it also needs to respect privacy. Only friends should be able to see each other’s reading progress. In this lesson, you will learn how to enforce this rule in your API.
You already have modules for users, friends, and reading progress. Users can send and accept friend requests, and each user’s reading sessions are stored in the database.
Now we will stitch together the friends and reading domains:
- Export ReadingService from ReadingModule so other modules can use it.
- Import ReadingModule in FriendsModule to access reading data.
- Add findAllForUser(userId) in ReadingService to fetch a user’s sessions.
- Enforce friendship in FriendsService.getFriendProgress(...).
- Expose GET /friends/:friendId/progress in FriendsController.
To let users view their friends’ reading progress, the friends module needs to access reading data. In NestJS, this is done by injecting the ReadingService into the FriendsService. However, for this to work, you must export the ReadingService from the ReadingModule and import the ReadingModule into the FriendsModule.
Here’s how this connection looks in code:
By exporting and importing the right modules, you allow the friends module to use the reading service’s methods. This is a common pattern in NestJS for sharing logic between modules.
It is important to make sure that only friends can view each other’s reading progress. This is a business rule that protects user privacy. In your code, you check if the requester and the target user are friends before returning any reading data.
Here’s how this check is done in the FriendsService:
Explanation:
- The method first finds the requester user.
- It checks if the friendId is in the requester’s friendIds array.
- If not, it throws a ForbiddenException. This will return a 403 error to the client, meaning “not allowed.”
- If they are friends, it calls findAllForUser on the reading service to get the friend’s reading sessions.
This ensures that only friends can access each other’s progress.
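The friendship check described above, as an added example that is not the lesson's own code. It uses synchronous in-memory stand-ins instead of NestJS and a database; the User and ReadingSession shapes, the sample data, the local ForbiddenException class, the statusFor helper, and the choice to answer an unknown requester with 403 are all assumptions.

```typescript
interface User { id: string; friendIds: string[]; }
interface ReadingSession { userId: string; bookId: string; pagesRead: number; }

// Local stand-in for NestJS's ForbiddenException (HTTP 403).
class ForbiddenException extends Error { status = 403; }

// Constructed sample data.
const users: User[] = [
  { id: 'alice', friendIds: ['bob'] },
  { id: 'bob', friendIds: ['alice'] },
  { id: 'carol', friendIds: [] },
];
const sessions: ReadingSession[] = [
  { userId: 'bob', bookId: 'book-1', pagesRead: 40 },
  { userId: 'carol', bookId: 'book-2', pagesRead: 12 },
];

class ReadingService {
  findAllForUser(userId: string): ReadingSession[] {
    return sessions.filter((s) => s.userId === userId);
  }
}

class FriendsService {
  readingService: ReadingService;
  constructor(readingService: ReadingService) {
    this.readingService = readingService;
  }

  getFriendProgress(requesterId: string, friendId: string): ReadingSession[] {
    const requester = users.filter((u) => u.id === requesterId)[0];
    // Assumption: an unknown requester is denied with the same 403 as a
    // non-friend, so no reading data is returned on any failed check.
    if (!requester || requester.friendIds.indexOf(friendId) === -1) {
      throw new ForbiddenException('You can only view the progress of friends');
    }
    return this.readingService.findAllForUser(friendId);
  }
}

// Hypothetical helper: the HTTP status a client would observe.
function statusFor(requesterId: string, friendId: string): number {
  try {
    new FriendsService(new ReadingService()).getFriendProgress(requesterId, friendId);
    return 200;
  } catch (err) {
    return (err as { status?: number }).status ?? 500;
  }
}
```

The requester id must come from the authenticated request, never from a client-supplied parameter, or the check can be bypassed by naming someone else as the requester.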
Now, let’s look at how to expose this functionality through an API endpoint. You will add a new route to the friends controller:
Explanation:
- This endpoint is a GET request to /friends/:friendId/progress.
- It uses a decorator to get the current user from the request.
- It takes the friendId from the URL.
- It calls the getFriendProgress method you saw earlier.
When a user calls this endpoint, the app will:
- Check if the requester and the target user are friends.
- If yes, return the friend’s reading sessions.
- If not, return a 403 Forbidden error.
In this lesson, you learned how to let users view their friends’ reading progress, but only if they are actually friends. You saw how to connect modules in NestJS, enforce business rules with exceptions, and build a secure endpoint. You also practiced testing the endpoint with different users and scenarios.
Next, you will get hands-on practice with these concepts. You will try out the endpoint, test different cases, and make sure your app enforces the friendship rule correctly. Great work getting this far — let’s keep going!
