NestJS Unleashed
  • Introduction
    • Prerequisites
    • Necessary tools
    • Upgrading packages (ncu)
      • NestJS v9 -> v10
      • NestJS v10 -> v11
    • UPDATES
      • 1.1
      • 1.2
  • Core module - Backend Development with NestJS
    • Project creation
    • Basic configuration
    • User entity
    • Validation
      • Basic validation
      • More specific validation
      • Validation pipe options
      • Id validation
      • Options dedicated file
    • Database creation with Docker
    • TypeORM Integration
      • Database connection
      • Entity mapping
      • Migrations
      • Repository pattern
    • Pagination
    • DTO Limitations
    • Decorator composition
    • Configuration
      • Environment variables
      • Availability and validation
      • Using the variables
      • Configuration namespace and partial registration
      • Reducing boilerplate
      • Further improvements
        • Env vars in main file
        • Generating database url in codebase
    • Remaining domain
      • Entities
        • Order
        • Payment
        • Category
        • Product
        • Order Item
      • Logic
        • Category
        • Product
        • Entity validation
          • Nested validation
          • Function overload
        • Order
        • Exposing get fields
        • Payment
    • Seeding
  • Closing
  • Improvements/Tips module
    • Improvements
      • Soft delete
        • Fix - Boolean casting
        • Soft delete
        • Recover
      • Password validation
        • Regex pattern
        • Custom validator
        • Multiple validations
    • Tips
      • CORS
      • Helmet
      • UUID
  • Extra module 1 - Authentication/Authorization
    • Password hashing
      • Basic solution
      • Abstract service
      • Event listener
    • Excluding password
    • Authentication
      • Local strategy
      • Request user decorator
      • Request user interface
      • Validation middleware
      • JWT strategy
      • Public routes
    • Authorization
      • Role
      • Insert admin migration
      • Assign role route
      • Storing role in request user
      • Requiring permissions
      • Forbid empty arrays
      • More authorization checks
    • Rate limiting
    • Fix - Recover route
  • Extra module 2 - Exception Filters
    • NotFound exception filter
      • Filter basic structure
      • Error structure
      • Extracting message data
      • Response setup
    • Database exception filter
      • Basic setup
      • Creating error data
      • Last steps
  • Extra module 3 - OpenAPI Specification
    • Base document
    • Swagger CLI plugin
    • Swagger mapped types
    • Detecting optional fields
    • File name suffixes
    • Comments introspection
    • Api decorators
    • Enabling authentication
    • Discovery service
    • Limitation - Innacurate response schema
  • Extra module 4 - File Management
    • Basic file route
    • File validation
      • Validating size and extensions
      • Factory function for file validators
      • Fix - Converting file types to media types
      • Accepting file array
      • Validating file signature
    • File logic
      • Storage service
      • More util methods
      • Product-related logic
        • Controller routes
        • Service logic
        • Fetching products with filenames
      • Serve static
    • More features
      • Files exception filter
      • Documenting files routes
      • Tip - Extract body from multipart formdata
  • Extra module 5 - Advanced Querying
    • Pagination
      • Find and count
      • Querying structure
      • Metadata field
      • Documenting paginated responses
    • Filtering and sorting
      • DTO Orchestration
      • Everything at once
      • Encapsulating text filter
      • Filter operators
  • Extra module 6 - Automated Testing
    • Jest configuration
    • Simple resource
    • Unit tests
      • Some theory & First test
      • Mocks
      • Remaining service tests
      • Controller tests
    • e2e tests
      • Better test readability
      • Simulated environment
      • Testing entire flows
  • Parallel module - Prisma
    • Integration with Prisma/Docker
    • User model
    • User logic
    • Error Handling
    • Remaining domain
      • Models
        • Order
        • Payment
        • Category
        • Product
        • Order Item
      • Logic
        • Category
        • Product
        • Order
        • Payment
    • Seeding
    • Tip - Serialization
  • Further Improvements
    • More validations
    • Sending emails
    • Health checks
    • Cron jobs
Powered by GitBook
On this page
  1. Extra module 1 - Authentication/Authorization
  2. Authorization

More authorization checks

Some more checks to ensure that users can do only what they're allowed to.

To finish the topic of authorization, let's just add some more checks. Specifically:

  • A user can receive an update(), remove() or recover() only from himself

  • An order can be paid only by the user who owns it

  • A regular user can only soft delete his account

First, go to the UsersController and, in the three aforementioned routes, extract the user from the request and pass it along to the service method. Remember to also add this parameter to the namesake methods in the service (call it currentUser to prevent name collision).

@User() user: RequestUser,

Now, before going to the service, let's create the file auth -> util -> authorization.util. Here, we'll create a function to compare the id of the current user with a required id. If they're not the same, access will be denied. The purpose of this function is to verify if a user is acting on himself or on something which he owns.

export const compareUserId = (userId: number, requiredId: number) => {
  if (userId !== requiredId) {
    throw new ForbiddenException('Forbidden resource');
  }
};

Then, in the UsersService, at the start of those three methods, we'll simply check if the user is an ADMIN, in which case he should have unrestricted access. If not, we then compare his id.

if (currentUser.role !== Role.ADMIN) {
  compareUserId(currentUser.id, id);
}

In the case of making a payment, we have to check if the order is owned by the user who is paying it. In the payOrder() route in the PaymentsController, we shall perform the same step done just above. That is, to extract the user from the request and pass it along to the method call below, and also add this parameter to the method in the service.

In the PaymentsService, when fetching the order, also bring its customer in the relations to be able to make the comparison. Then, make it after checking if the order exists.

compareUserId(currentUser.id, order.customer.id);

Finally, let's enforce that a regular user can only soft delete his account. In the remove() method in the UsersService, we already check if the user is not an ADMIN. There, after comparing his id, check the deletion type.

if (!soft) {
  throw new ForbiddenException('Forbidden resource');
}

The main content of this module has been concluded. We'll now just see a last feature and a fix.

Commit - Validating user authorization inside service

PreviousForbid empty arraysNextRate limiting

Last updated 2 months ago