NestJS Unleashed
  • Introduction
    • Prerequisites
    • Necessary tools
    • Upgrading packages (ncu)
      • NestJS v9 -> v10
      • NestJS v10 -> v11
    • UPDATES
      • 1.1
      • 1.2
  • Core module - Backend Development with NestJS
    • Project creation
    • Basic configuration
    • User entity
    • Validation
      • Basic validation
      • More specific validation
      • Validation pipe options
      • Id validation
      • Options dedicated file
    • Database creation with Docker
    • TypeORM Integration
      • Database connection
      • Entity mapping
      • Migrations
      • Repository pattern
    • Pagination
    • DTO Limitations
    • Decorator composition
    • Configuration
      • Environment variables
      • Availability and validation
      • Using the variables
      • Configuration namespace and partial registration
      • Reducing boilerplate
      • Further improvements
        • Env vars in main file
        • Generating database url in codebase
    • Remaining domain
      • Entities
        • Order
        • Payment
        • Category
        • Product
        • Order Item
      • Logic
        • Category
        • Product
        • Entity validation
          • Nested validation
          • Function overload
        • Order
        • Exposing get fields
        • Payment
    • Seeding
  • Closing
  • Improvements/Tips module
    • Improvements
      • Soft delete
        • Fix - Boolean casting
        • Soft delete
        • Recover
      • Password validation
        • Regex pattern
        • Custom validator
        • Multiple validations
    • Tips
      • CORS
      • Helmet
      • UUID
  • Extra module 1 - Authentication/Authorization
    • Password hashing
      • Basic solution
      • Abstract service
      • Event listener
    • Excluding password
    • Authentication
      • Local strategy
      • Request user decorator
      • Request user interface
      • Validation middleware
      • JWT strategy
      • Public routes
    • Authorization
      • Role
      • Insert admin migration
      • Assign role route
      • Storing role in request user
      • Requiring permissions
      • Forbid empty arrays
      • More authorization checks
    • Rate limiting
    • Fix - Recover route
  • Extra module 2 - Exception Filters
    • NotFound exception filter
      • Filter basic structure
      • Error structure
      • Extracting message data
      • Response setup
    • Database exception filter
      • Basic setup
      • Creating error data
      • Last steps
  • Extra module 3 - OpenAPI Specification
    • Base document
    • Swagger CLI plugin
    • Swagger mapped types
    • Detecting optional fields
    • File name suffixes
    • Comments introspection
    • Api decorators
    • Enabling authentication
    • Discovery service
    • Limitation - Innacurate response schema
  • Extra module 4 - File Management
    • Basic file route
    • File validation
      • Validating size and extensions
      • Factory function for file validators
      • Fix - Converting file types to media types
      • Accepting file array
      • Validating file signature
    • File logic
      • Storage service
      • More util methods
      • Product-related logic
        • Controller routes
        • Service logic
        • Fetching products with filenames
      • Serve static
    • More features
      • Files exception filter
      • Documenting files routes
      • Tip - Extract body from multipart formdata
  • Extra module 5 - Advanced Querying
    • Pagination
      • Find and count
      • Querying structure
      • Metadata field
      • Documenting paginated responses
    • Filtering and sorting
      • DTO Orchestration
      • Everything at once
      • Encapsulating text filter
      • Filter operators
  • Extra module 6 - Automated Testing
    • Jest configuration
    • Simple resource
    • Unit tests
      • Some theory & First test
      • Mocks
      • Remaining service tests
      • Controller tests
    • e2e tests
      • Better test readability
      • Simulated environment
      • Testing entire flows
  • Parallel module - Prisma
    • Integration with Prisma/Docker
    • User model
    • User logic
    • Error Handling
    • Remaining domain
      • Models
        • Order
        • Payment
        • Category
        • Product
        • Order Item
      • Logic
        • Category
        • Product
        • Order
        • Payment
    • Seeding
    • Tip - Serialization
  • Further Improvements
    • More validations
    • Sending emails
    • Health checks
    • Cron jobs
Powered by GitBook
On this page
  1. Extra module 1 - Authentication/Authorization
  2. Authentication

Local strategy

Using credentials for identification.

First of all, let's allow the AuthModule to use a usersRepository in its context. Therefore, let's insert in its imports the following.

TypeOrmModule.forFeature([User]),

Then, inject the repository in the AuthService.

@InjectRepository(User)
private readonly usersRepository: Repository<User>,

We'll now implement the method validateLocal(), which has email and password as parameters. This name is used for the method because Local is the passport's strategy for identifying a user through credentials, which will afterwards be used in conjunction with this method. Soon we'll understand this better.

async validateLocal(email: string, password: string) {}

Inside this method, first we find a user with this email and select only its id and password, as only these fields will be used.

const user = await this.usersRepository.findOne({
  select: {
    id: true,
    password: true,
  },
  where: { email },
});

After that, if the user is not found, we throw an exception.

if (!user) {
  throw new UnauthorizedException('Invalid email');
}

In this case, an UnauthorizedException is thrown due to the different context in which the user was not found.

Next, we should check if the provided password is correct. However, the password is now hashed before being stored in the database. Hence, we cannot make a simple comparison. We'll have to use the compare() method from the HashingService.

const isMatch = await this.hashingService.compare(password, user.password);
if (!isMatch) {
  throw new UnauthorizedException('Invalid password');
}

If you prefer, you can use a generic error message for a failed login attempt, in order to cloak what a potential malicious user may be getting wrong. Something like 'Invalid credentials', for example.

Finally, we return the id. In a future moment, we'll use it to create a JWT.

return { id: user.id };

Now, we'll use the Local strategy. Create the file auth -> strategies -> local.strategy with following content. The usernameField field is necessary to indicate the name of the field used to identify the user if the default one isn't used, which is username.

@Injectable()
export class LocalStrategy extends PassportStrategy(Strategy) {
  constructor(private readonly authService: AuthService) {
    super({
      usernameField: 'email',
    });
  }

  validate(email: string, password: string) {
    return this.authService.validateLocal(email, password);
  }
}

Strategy should be imported from passport-local.

After this, we should go back to the AuthModule and, in its imports, add the PassportModule. Then, in its providers, the LocalStrategy. With this, we're creating a flow that will be explained in a few moments.

The next step is to create a login() route. Let's do it in the AuthController. Don't worry, everything will be better explained very soon.

@UseGuards(AuthGuard('local'))
@Post('login')
login(@Request() req) {
  return req.user;
}

This is a POST route, therefore the default status if everything goes well is CREATED. However, this route does not create anything. For better semantic correctness, we can override the default status to OK by using over the route @HttpCode(HttpStatus.OK).

A Guard protects routes based on certain criteria. It returns a boolean, it being true when access is granted and false when it is denied. We are using on this route the AuthGuard of type local, but by using it like this we depend on magic strings. That is, strings that must be specific, untyped values to do something. So, to avoid this, let's create another guard to represent the same thing.

nest g gu auth/guards/local-auth

And with this content, it is the same thing, but we no longer need to insert a generic string.

@Injectable()
export class LocalAuthGuard extends AuthGuard('local') {}

Now we can replace that guard with this new one.

@UseGuards(LocalAuthGuard)

This is a nice start. This route is still not performing the login, but we should stop now to discuss what we have done so far. I know it may have been a lot at once to digest, but let's analyse this entire flow carefully to better understand each step of this process before continuing.

  1. The login() route is being protected by an AuthGuard of type local. This means that, when this route is accessed, the LocalStrategy will be activated.

  2. Inside the LocalStrategy, it will be checked if the request has in its body the login fields: email and password. Then, the validate() method will be called, using them as arguments.

  3. Then, in the AuthService, in the method validateLocal(), the login attempt is validated through the process already explained previously. If successful, an object containing the user's id is returned.

  4. Finally, this return is appended to the request as the user field. That's why we can see the user's id beign returned. This will be used to perform the login in a future section. Before it, we'll just implement several improvements for better type safety.

Commit - Local strategy

PreviousAuthenticationNextRequest user decorator

Last updated 2 months ago