API with NestJS #56. Authorization with roles and claims
So far in this series, we've implemented authentication, which lets us confirm that users are who they claim to be. Earlier articles explain how to implement authentication with JWT tokens or with server-side sessions, and how to add two-factor authentication.
While authorization might at first glance seem similar to authentication, it serves a different purpose: with authorization, we check whether the user has permission to access a specific resource. A good example would be allowing a user to create posts but not delete them. This article presents two different approaches to authorization and shows how to implement them with NestJS.
While authorization is a separate process, it makes sense to have the authentication mechanism implemented first.
Role-based access control (RBAC)
With role-based access control (RBAC), we assign roles to users. Let’s create an enum containing fundamental roles:
role.enum.ts

```typescript
enum Role {
  User = 'User',
  Admin = 'Admin',
}

export default Role;
```
We also need a column to define the role of a particular user. Since in this series we use PostgreSQL, we can use the enum type:
```sql
CREATE TYPE user_role AS ENUM ('User', 'Admin');

CREATE TABLE users (
  id serial PRIMARY KEY,
  email text UNIQUE,
  role user_role
);
```
Fortunately, TypeORM supports enums. Let’s add it to the definition of the User entity. We can make it an array to support the user having multiple roles.
user.entity.ts

```typescript
import { Column, Entity, PrimaryGeneratedColumn } from 'typeorm';
import Role from './role.enum';

@Entity()
class User {
  @PrimaryGeneratedColumn()
  public id: number;

  @Column({ unique: true })
  public email: string;

  @Column({
    type: 'enum',
    enum: Role,
    array: true,
    default: [Role.User]
  })
  public roles: Role[];

  // ...
}

export default User;
```
Assigning roles to routes
The official NestJS documentation suggests using two separate decorators: one to assign a role to the route and the second one to check if the user has the role. We can simplify that by creating a guard that accepts a parameter. To do that, we need to create a mixin.
role.guard.ts

```typescript
import Role from './role.enum';
import { CanActivate, ExecutionContext, mixin, Type } from '@nestjs/common';
import RequestWithUser from '../authentication/requestWithUser.interface';

const RoleGuard = (role: Role): Type<CanActivate> => {
  class RoleGuardMixin implements CanActivate {
    canActivate(context: ExecutionContext) {
      const request = context.switchToHttp().getRequest<RequestWithUser>();
      const user = request.user;

      return user?.roles.includes(role);
    }
  }

  return mixin(RoleGuardMixin);
}

export default RoleGuard;
```
An important thing above is that we use the RequestWithUser interface. For the request to contain the user property, we also need to use the JwtAuthenticationGuard:
We implement JwtAuthenticationGuard in API with NestJS #3. Authenticating users with bcrypt, Passport, JWT, and cookies
posts.controller.ts

```typescript
import {
  ClassSerializerInterceptor,
  Controller,
  Delete,
  Param,
  ParseIntPipe,
  UseGuards,
  UseInterceptors,
} from '@nestjs/common';
import PostsService from './posts.service';
import RoleGuard from '../users/role.guard';
import Role from '../users/role.enum';
import JwtAuthenticationGuard from '../authentication/jwt-authentication.guard';

@Controller('posts')
@UseInterceptors(ClassSerializerInterceptor)
export default class PostsController {
  constructor(
    private readonly postsService: PostsService
  ) {}

  @Delete(':id')
  @UseGuards(RoleGuard(Role.Admin))
  @UseGuards(JwtAuthenticationGuard)
  async deletePost(@Param('id', ParseIntPipe) id: number) {
    return this.postsService.deletePost(id);
  }

  // ...
}
```
If the user does not have the Admin role, the guard returns false and NestJS responds with 403 Forbidden.
Extending the JwtAuthenticationGuard
The crucial thing about the above code is the correct order of guards. Since decorators run from bottom to top, we need to use the JwtAuthenticationGuard below the RoleGuard.
To deal with the above issue more elegantly, we can extend our JwtAuthenticationGuard:
role.guard.ts

```typescript
import Role from './role.enum';
import { CanActivate, ExecutionContext, mixin, Type } from '@nestjs/common';
import RequestWithUser from '../authentication/requestWithUser.interface';
import JwtAuthenticationGuard from '../authentication/jwt-authentication.guard';

const RoleGuard = (role: Role): Type<CanActivate> => {
  class RoleGuardMixin extends JwtAuthenticationGuard {
    async canActivate(context: ExecutionContext) {
      await super.canActivate(context);

      const request = context.switchToHttp().getRequest<RequestWithUser>();
      const user = request.user;

      return user?.roles.includes(role);
    }
  }

  return mixin(RoleGuardMixin);
}

export default RoleGuard;
```
Because we call await super.canActivate(context), we no longer need to use both JwtAuthenticationGuard and RoleGuard:
posts.controller.ts

```typescript
@Delete(':id')
@UseGuards(RoleGuard(Role.Admin))
async deletePost(@Param('id', ParseIntPipe) id: number) {
  return this.postsService.deletePost(id);
}
```
Claims-based authorization
When implementing claims-based authorization, we take a slightly different approach. Instead of defining a few roles, we define multiple permissions.
permission.enum.ts

```typescript
enum Permission {
  DeletePost = 'DeletePost',
  CreateCategory = 'CreateCategory'
}

export default Permission;
```
Unfortunately, storing all permissions in a single enum might not be a scalable approach. Because of that, we can create multiple enums and merge them.
If you want to read more about merging enums, check this answer on StackOverflow.
categoriesPermission.enum.ts

```typescript
enum CategoriesPermission {
  CreateCategory = 'CreateCategory'
}

export default CategoriesPermission;
```
postsPermission.enum.ts

```typescript
enum PostsPermission {
  DeletePost = 'DeletePost'
}

export default PostsPermission;
```
permission.type.ts

```typescript
import PostsPermission from '../posts/postsPermission.enum';
import CategoriesPermission from '../categories/categoriesPermission.enum';

const Permission = {
  ...PostsPermission,
  ...CategoriesPermission
}

type Permission = PostsPermission | CategoriesPermission;

export default Permission;
```
Thanks to the above approach, we can use Permission both as a type and as a value.
Let’s use the above type in the user’s entity definition:
user.entity.ts

```typescript
import { Column, Entity, PrimaryGeneratedColumn } from 'typeorm';
import Permission from './permission.type';

@Entity()
class User {
  @PrimaryGeneratedColumn()
  public id: number;

  @Column({ unique: true })
  public email: string;

  @Column({
    type: 'enum',
    enum: Permission,
    array: true,
    default: []
  })
  public permissions: Permission[];

  // ...
}

export default User;
```
Doing the above with TypeORM creates an enum that consists of all of the permissions we’ve defined.
We can use the Permission type to create the PermissionGuard:
permission.guard.ts

```typescript
import { CanActivate, ExecutionContext, mixin, Type } from '@nestjs/common';
import RequestWithUser from '../authentication/requestWithUser.interface';
import JwtAuthenticationGuard from '../authentication/jwt-authentication.guard';
import Permission from './permission.type';

const PermissionGuard = (permission: Permission): Type<CanActivate> => {
  class PermissionGuardMixin extends JwtAuthenticationGuard {
    async canActivate(context: ExecutionContext) {
      await super.canActivate(context);

      const request = context.switchToHttp().getRequest<RequestWithUser>();
      const user = request.user;

      return user?.permissions.includes(permission);
    }
  }

  return mixin(PermissionGuardMixin);
}

export default PermissionGuard;
```
Above, we extend the JwtAuthenticationGuard to avoid having to use two guards in the same way we’ve done with the RoleGuard.
The last step is to use the PermissionGuard on a route:
```typescript
@Delete(':id')
@UseGuards(PermissionGuard(PostsPermission.DeletePost))
async deletePost(@Param('id', ParseIntPipe) id: number) {
  return this.postsService.deletePost(id);
}
```
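As an added example that is not part of the article's code, the block below strips away the NestJS plumbing and keeps what RoleGuard and PermissionGuard actually decide: the array membership check on `request.user`, the merged `Permission` value-and-type from permission.type.ts, and the deny-by-default behaviour when no user is attached. The `isKnownPermission` type guard is an assumed helper for validating permission names before they are stored on a user; everything runs stand-alone in plain TypeScript.

```typescript
// Added example, not the article's code: the decision logic of the RoleGuard and
// PermissionGuard mixins with NestJS stripped away, so it runs and tests stand-alone.
// Role, PostsPermission and CategoriesPermission copy the article's enums; the User
// shape mirrors the entity's `roles` and `permissions` array columns.
enum Role {
  User = 'User',
  Admin = 'Admin',
}

enum PostsPermission {
  DeletePost = 'DeletePost',
}

enum CategoriesPermission {
  CreateCategory = 'CreateCategory',
}

// Same trick as permission.type.ts: one name that works as a value and as a type.
const Permission = {
  ...PostsPermission,
  ...CategoriesPermission,
};
type Permission = PostsPermission | CategoriesPermission;

interface User {
  id: number;
  email: string;
  roles: Role[];
  permissions: Permission[];
}

// What the guards evaluate once JwtAuthenticationGuard has attached request.user.
// `user` is undefined when nothing authenticated the request; the `?.` chain then
// yields undefined, which the guard treats as a denial (403), never as a pass.
function hasRole(user: User | undefined, role: Role): boolean {
  return user?.roles.includes(role) ?? false;
}

function hasPermission(user: User | undefined, permission: Permission): boolean {
  return user?.permissions.includes(permission) ?? false;
}

// Type guard for untrusted input (e.g. a permission name submitted by an admin
// when assigning claims): accept only members of the merged enum. (Assumed helper.)
const knownPermissions = new Set<string>(Object.values(Permission));
function isKnownPermission(value: string): value is Permission {
  return knownPermissions.has(value);
}

// Constructed sample users: an admin with no explicit claims and an editor
// with the DeletePost claim but no Admin role.
const admin: User = { id: 1, email: 'admin@example.com', roles: [Role.User, Role.Admin], permissions: [] };
const editor: User = { id: 2, email: 'editor@example.com', roles: [Role.User], permissions: [Permission.DeletePost] };
```

Note that the role check and the claim check are independent: the admin above holds no claims, so a route protected with PermissionGuard(PostsPermission.DeletePost) would refuse it until the claim is assigned explicitly.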
Summary
In this article, we've implemented both role-based and claims-based authorization by defining guards with the mixin pattern, and we've looked at the enum type built into PostgreSQL. Both approaches work, but the claims-based one is more customizable: as our application grows, we might find claims easier to use because they are more generic.
Amazing! keep up the good work!
Thanks for always supporting the NestJS community 🙂
Missing the situation when an admin can delete all entities but a user can edit/delete only their own entities.
Load the entity in PermissionGuard and check the owner.
It is loaded twice when the entity is loaded both in PermissionGuard and in the service. For that, the load needs to be cached once and the cache returned for the second load.
Good job. Please create a tutorial on a referral system (referral and referee): immediately after a user registers, they should receive an email containing their referral link, which they can share with their friends. A user can register with a link or without one. The user with the highest referral count wins.
Thanks, this is great stuff! Any chance to get this same topic, but with mongoose?
There is in role.guard.ts
But user doesn't have a roles field, only a role field, and it's not an array.
Maybe it must be something like this?
Sorry if I’m missing something
Hi Dmitry. Thanks for pointing that out. In the article I mention that we can use an array, but I don’t use it in the code example. I fixed it 🙂
What if we want a "minimum" role? Like I'm Role.Owner, but need to access a Role.Admin resource. It won't match, but admin permissions are included.
Thank you again :)! How would you implement a claim-based approach per resource? I mean to allow only the author of a post to edit/delete it? I'm doing it "manually" actually, but I wonder if there would be some Guard to implement this in a better way?
Great job. Will it be updated to newer versions of NestJS?