NestJS Unleashed
  • Introduction
    • Prerequisites
    • Necessary tools
    • Upgrading packages (ncu)
      • NestJS v9 -> v10
      • NestJS v10 -> v11
    • UPDATES
      • 1.1
      • 1.2
  • Core module - Backend Development with NestJS
    • Project creation
    • Basic configuration
    • User entity
    • Validation
      • Basic validation
      • More specific validation
      • Validation pipe options
      • Id validation
      • Options dedicated file
    • Database creation with Docker
    • TypeORM Integration
      • Database connection
      • Entity mapping
      • Migrations
      • Repository pattern
    • Pagination
    • DTO Limitations
    • Decorator composition
    • Configuration
      • Environment variables
      • Availability and validation
      • Using the variables
      • Configuration namespace and partial registration
      • Reducing boilerplate
      • Further improvements
        • Env vars in main file
        • Generating database url in codebase
    • Remaining domain
      • Entities
        • Order
        • Payment
        • Category
        • Product
        • Order Item
      • Logic
        • Category
        • Product
        • Entity validation
          • Nested validation
          • Function overload
        • Order
        • Exposing get fields
        • Payment
    • Seeding
  • Closing
  • Improvements/Tips module
    • Improvements
      • Soft delete
        • Fix - Boolean casting
        • Soft delete
        • Recover
      • Password validation
        • Regex pattern
        • Custom validator
        • Multiple validations
    • Tips
      • CORS
      • Helmet
      • UUID
  • Extra module 1 - Authentication/Authorization
    • Password hashing
      • Basic solution
      • Abstract service
      • Event listener
    • Excluding password
    • Authentication
      • Local strategy
      • Request user decorator
      • Request user interface
      • Validation middleware
      • JWT strategy
      • Public routes
    • Authorization
      • Role
      • Insert admin migration
      • Assign role route
      • Storing role in request user
      • Requiring permissions
      • Forbid empty arrays
      • More authorization checks
    • Rate limiting
    • Fix - Recover route
  • Extra module 2 - Exception Filters
    • NotFound exception filter
      • Filter basic structure
      • Error structure
      • Extracting message data
      • Response setup
    • Database exception filter
      • Basic setup
      • Creating error data
      • Last steps
  • Extra module 3 - OpenAPI Specification
    • Base document
    • Swagger CLI plugin
    • Swagger mapped types
    • Detecting optional fields
    • File name suffixes
    • Comments introspection
    • Api decorators
    • Enabling authentication
    • Discovery service
    • Limitation - Innacurate response schema
  • Extra module 4 - File Management
    • Basic file route
    • File validation
      • Validating size and extensions
      • Factory function for file validators
      • Fix - Converting file types to media types
      • Accepting file array
      • Validating file signature
    • File logic
      • Storage service
      • More util methods
      • Product-related logic
        • Controller routes
        • Service logic
        • Fetching products with filenames
      • Serve static
    • More features
      • Files exception filter
      • Documenting files routes
      • Tip - Extract body from multipart formdata
  • Extra module 5 - Advanced Querying
    • Pagination
      • Find and count
      • Querying structure
      • Metadata field
      • Documenting paginated responses
    • Filtering and sorting
      • DTO Orchestration
      • Everything at once
      • Encapsulating text filter
      • Filter operators
  • Extra module 6 - Automated Testing
    • Jest configuration
    • Simple resource
    • Unit tests
      • Some theory & First test
      • Mocks
      • Remaining service tests
      • Controller tests
    • e2e tests
      • Better test readability
      • Simulated environment
      • Testing entire flows
  • Parallel module - Prisma
    • Integration with Prisma/Docker
    • User model
    • User logic
    • Error Handling
    • Remaining domain
      • Models
        • Order
        • Payment
        • Category
        • Product
        • Order Item
      • Logic
        • Category
        • Product
        • Order
        • Payment
    • Seeding
    • Tip - Serialization
  • Further Improvements
    • More validations
    • Sending emails
    • Health checks
    • Cron jobs
Powered by GitBook
On this page
  1. Extra module 1 - Authentication/Authorization
  2. Authorization

Requiring permissions

Routes may now require one of a set of roles to be accessed.

A decorator will be used to define the necessary roles for a route. Let's then create it in auth -> decorators -> roles.decorator. Notice that it accepts an array of roles.

export const ROLES_KEY = 'roles';

export const Roles = (...roles: Role[]) => SetMetadata(ROLES_KEY, roles);

Another approach would be to define the decorator like this. It may be interesting in simple cases where the passed metadata should simply be appended to the route. You can read more about it here.

export const Roles = Reflector.createDecorator<Role[]>();

Afterwards, we'll create our first guard from scratch, the RolesGuard. As can be guessed, it will protect the routes according to the necessary roles.

nest g gu auth/guards/roles

Underneath we can see a basic skeleton, with a reflector and the canActivate() signature.

@Injectable()
export class RolesGuard implements CanActivate {
  constructor(private readonly reflector: Reflector) {}

  canActivate(context: ExecutionContext) {}
}

Inside the canActivate() method, the first step is to collect the roles metadata from the route (or controller). Remember that, if there is metadata for both the controller and a route, then the one from the route will be used. If there is no metadata, this guard will be out of the way.

const requiredRoles = this.reflector.getAllAndOverride<Role[]>(ROLES_KEY, [
  context.getHandler(),
  context.getClass(),
]);
if (!requiredRoles) return true;

We could also use getAllAndMerge() for merging the metadata of controller and route together, if this behavior was desired.

Then, the user is extracted from the request. The Request type is from express, which has a user interface in it. As we are sure that the user in the request will always have the fields in the RequestUser interface, we can make the type assertion to it without weighing our conscience. Lastly, check if the user is an ADMIN, immediately giving access in positive case.

const request = context.switchToHttp().getRequest<Request>();
const user = request.user as RequestUser;
if (user.role === Role.ADMIN) return true;

And finally, check if the user has one of the required roles.

const hasRequiredRole = requiredRoles.some((role) => user.role === role);
return hasRequiredRole;

Now, the RolesGuard can be activated globally, after the JwtAuthGuard.

{
  provide: APP_GUARD,
  useClass: RolesGuard,
}

It's important to follow this order! Otherwise, the guards' behavior will be compromised.

We can then state that a route requires one or more roles like the following:

@Roles(Role.ADMIN)

Commit - Global roles guard and decorator for required roles in routes

With this, we can start to protect some routes. For example, we can require the MANAGER role for the following routes:

  • create(), update() and remove() routes in the

    • ProductsController

    • CategoriesController

  • find() routes in the UsersController

And require the ADMIN role for the assignRole() route.

Commit - Requiring roles in some routes

PreviousStoring role in request userNextForbid empty arrays

Last updated 2 months ago