The latest articles on DEV Community by camillefauchier (@camillefauchier). https://dev.to/camillefauchier https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1264000%2F9afcfa71-62ac-4625-bba5-7ad95ccdd198.jpeg https://dev.to/camillefauchier en camillefauchier Wed, 10 Sep 2025 13:37:01 +0000 https://dev.to/camillefauchier/a-step-by-step-guide-to-implementing-multi-provider-sso-in-nestjs-with-oauth2-30p2 https://dev.to/camillefauchier/a-step-by-step-guide-to-implementing-multi-provider-sso-in-nestjs-with-oauth2-30p2 <h2> Introduction </h2> <p>While basic JWT authentication with email/password is well-covered territory in NestJS, modern applications increasingly demand multiple authentication options. Users expect to sign in with Google, GitHub, Microsoft, or their traditional credentials - all seamlessly integrated into a single system.</p> <p>This article is the continuation of my <a href="https://medium.com/@camillefauchier/implementing-authentication-in-nestjs-using-passport-and-jwt-5a565aa521de" rel="noopener noreferrer">previous tutorial</a> on JWT authentication in NestJS. I assume you have a working NestJS application with JWT authentication, Passport strategies, guards, and email/password login already implemented.</p> <p><strong>Starting from that foundation, we'll extend the system to support multiple OAuth2 providers while maintaining backward compatibility with traditional authentication. Users will be able to sign in with their preferred method, and the system will handle account linking automatically.</strong></p> <p>If you want to look at the full code you can check out <a href="https://github.com/camillefauchier/tuto-multiple-oauth2-provider-nestjs/tree/tuto-multiple-oauth2-providers-nestjs" rel="noopener noreferrer">my repo on Github</a>.</p> <h3> What We'll Build </h3> <p>Starting from a basic JWT authentication system, we'll add:</p> <ul> <li>A clean, extensible provider pattern for adding new OAuth2 services</li> <li>Automatic account linking for users with matching emails</li> <li>Support for OAuth-only users alongside traditional email/password users</li> <li>An example with Google, GitHub and Microsoft integration</li> </ul> <h3> Dependencies installation </h3> <p>I've upgraded dependancies version since my first article</p> <ul> <li> <code>passport (0.7.0)</code> is an authentication middleware for Node.js, widely used and extensible.</li> <li> <code>passport-local( ^1.0.0)</code> is a Passport strategy for authentication with an email and password.</li> <li> <code>passport-jwt (4.0.1)</code> is a Passport strategy for authentication with a JSON Web Token (JWT).</li> <li> <code>@nestjs/passport (10.0.3)</code> is a Passport integration for NestJS.</li> <li> <code>@nestjs/jwt (10.2.0)</code> is used to handle JWT tokens in NestJS. JWT (JSON Web Tokens)is a - compact and safe way to transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.</li> <li> <code>bcrypt (5.1.1)</code>is a library for hashing passwords.</li> </ul> <p>Add OAuth2 required dependencies</p> <ul> <li><code>passport-google-oauth20</code></li> <li> <code>@types/passport-google-oauth20</code> (dev-dependency) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># OAuth2 providers npm install passport-google-oauth20 # Type definitions npm install --save-dev @types/passport-google-oauth20 </code></pre> </div> <h2> Database Schema Design : Add a OAuthAccountTable </h2> <blockquote> <p><em>**🚨Migration to Prisma</em>*<br> For this multi-provider authentication system, I migrated from TypeORM to Prisma. TypeORM's decorator-heavy approach and clunky relationship management were slowing development. Prisma's schema-first design and auto-generated client dramatically simplified OAuth provider linking while eliminating the boilerplate code.*</p> </blockquote> <p>Our authentication system requires adding the OAuthAccount entity with a one-to-many relationship with User Entity:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhdhhlwbjuftcmr4vn4ss.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhdhhlwbjuftcmr4vn4ss.png" alt="New database schema" width="800" height="409"></a></p> <p><strong>User Model Changes:</strong></p> <ul> <li> <code>password</code> becomes nullable to support OAuth-only accounts</li> <li> <code>isOAuthUser</code> flag distinguishes traditional vs social sign-ups</li> <li>Maintains backward compatibility with existing email/password users</li> </ul> <p><strong>OAuth Account Entity:</strong></p> <ul> <li>Links multiple OAuth providers to a single user account</li> <li> <code>provider</code> field stores the OAuth service name ('google', 'github', 'microsoft')</li> <li> <code>providerId</code> stores the unique user identifier from each OAuth provider</li> </ul> <p>This design enables flexible authentication scenarios:</p> <ul> <li>Traditional email/password registration ✅</li> <li>Pure OAuth sign-up (no password required) ✅</li> <li>Account linking (users can connect multiple OAuth providers) ✅</li> </ul> <h2> OAuth2 Architecture Design </h2> <p>Now for the interesting part: OAuth2 integration. Rather than implementing each provider separately, you should create a unified architecture that makes adding new providers trivial. Start with creating a <code>OAuthModule</code> </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftvjmsesgllw89lkla9yz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftvjmsesgllw89lkla9yz.png" alt="Dependency Diagram" width="800" height="387"></a></p> <h2> OAuth Provider Interface </h2> <p>Every OAuth2 provider will follow the same pattern. They need three methods to work.</p> <ul> <li> <strong><code>authorize()</code></strong>: Generates the OAuth2 authorization URL where users are redirected to grant permissions. This URL includes the client ID, scopes, redirect URI, and other provider-specific parameters.</li> <li> <strong><code>callback(code: string)</code></strong>: Handles the OAuth2 callback after user authorization. Takes the authorization code from the query parameters, exchanges it for an access token, fetches user information from the provider's API, and returns a standardized <code>OAuthUser</code> object.</li> <li> <strong><code>getProviderName()</code></strong>: Returns the provider identifier (e.g., 'google', 'github', 'microsoft') used for database storage and routing.</li> </ul> <p>This interface standardizes the OAuth2 flow across all providers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// src/auth/oauth/interfaces/oauth-provider.interface.ts</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">OAuthProviderInterface</span> <span class="p">{</span> <span class="nf">authorize</span><span class="p">():</span> <span class="kr">string</span><span class="p">;</span> <span class="nf">callback</span><span class="p">(</span><span class="nx">code</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">OAuthUser</span><span class="o">&gt;</span><span class="p">;</span> <span class="nf">getProviderName</span><span class="p">():</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> OAuth Service </h3> <p>You need to create a new service to handle login and register with SSO.</p> <p>First this service need a <code>OAuthUser</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// src/auth/oauth/types/oauth-user.type.ts</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">OAuthUser</span> <span class="p">{</span> <span class="nl">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">firstName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">lastName</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">picture</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">emailVerified</span><span class="p">?:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Let's create <code>OAuthService</code>. Don't forget to add it in <code>OAuthModule</code> providers.<br> This service handles:</p> <ul> <li>New users signing up with OAuth2</li> <li>Existing users linking additional OAuth2 accounts</li> <li>Automatic account linking based on email addresses </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// src/auth/oauth/oauth.service.ts</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">OAuthService</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span> <span class="k">private</span> <span class="nx">authService</span><span class="p">:</span> <span class="nx">AuthService</span><span class="p">,</span> <span class="k">private</span> <span class="nx">oauthProviderFactory</span><span class="p">:</span> <span class="nx">OAuthProviderFactory</span><span class="p">,</span> <span class="k">private</span> <span class="nx">usersService</span><span class="p">:</span> <span class="nx">UsersService</span><span class="p">,</span> <span class="p">)</span> <span class="p">{}</span> <span class="k">async</span> <span class="nf">getAuthorizationUrl</span><span class="p">(</span><span class="nx">provider</span><span class="p">:</span> <span class="nx">OAuthProviderName</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">oauthProviderFactory</span><span class="p">.</span><span class="nf">getProvider</span><span class="p">(</span><span class="nx">provider</span><span class="p">).</span><span class="nf">authorize</span><span class="p">();</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">handleOAuthCallback</span><span class="p">(</span> <span class="nx">providerName</span><span class="p">:</span> <span class="nx">OAuthProviderName</span><span class="p">,</span> <span class="nx">code</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">AccessToken</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">provider</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">oauthProviderFactory</span><span class="p">.</span><span class="nf">getProvider</span><span class="p">(</span><span class="nx">providerName</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">oauthUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">provider</span><span class="p">.</span><span class="nf">callback</span><span class="p">(</span><span class="nx">code</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">handleOAuthLogin</span><span class="p">(</span><span class="nx">providerName</span><span class="p">,</span> <span class="nx">oauthUser</span><span class="p">);</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">authService</span><span class="p">.</span><span class="nf">login</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">handleOAuthLogin</span><span class="p">(</span> <span class="nx">provider</span><span class="p">:</span> <span class="nx">OAuthProviderName</span><span class="p">,</span> <span class="nx">oauthUser</span><span class="p">:</span> <span class="nx">OAuthUser</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">User</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">oauthAccount</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">oauthAccountsService</span><span class="p">.</span><span class="nf">findOneByProvider</span><span class="p">(</span> <span class="nx">provider</span><span class="p">,</span> <span class="nx">oauthUser</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">oauthAccount</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">oauthAccount</span><span class="p">.</span><span class="nx">user</span><span class="p">;</span> <span class="p">}</span> <span class="kd">let</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">usersService</span><span class="p">.</span><span class="nf">findOneByEmail</span><span class="p">(</span><span class="nx">oauthUser</span><span class="p">.</span><span class="nx">email</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">usersService</span><span class="p">.</span><span class="nf">createFromOAuthUser</span><span class="p">(</span><span class="nx">oauthUser</span><span class="p">);</span> <span class="p">}</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">oauthAccountsService</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">provider</span><span class="p">,</span> <span class="nx">oauthUser</span><span class="p">,</span> <span class="nx">user</span><span class="p">);</span> <span class="k">return</span> <span class="nx">user</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Provider Factory </h3> <p>The factory pattern is what makes this architecture truly scalable. It allows us to register multiple OAuth2 providers and retrieve them dynamically based on the route parameter:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// src/auth/oauth/providers/oauth-provider.factory.ts</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">OAuthProviderFactory</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">providers</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Map</span><span class="o">&lt;</span><span class="nx">OAuthProviderName</span><span class="p">,</span> <span class="nx">OAuthProviderInterface</span><span class="o">&gt;</span><span class="p">();</span> <span class="nf">registerProvider</span><span class="p">(</span><span class="nx">name</span><span class="p">:</span> <span class="nx">OAuthProviderName</span><span class="p">,</span><span class="nx">provider</span><span class="p">:</span> <span class="nx">OAuthProviderInterface</span><span class="p">):</span> <span class="k">void</span> <span class="p">{}</span> <span class="nf">getProvider</span><span class="p">(</span><span class="nx">name</span><span class="p">:</span> <span class="nx">OAuthProviderName</span><span class="p">):</span> <span class="nx">OAuthProviderInterface</span> <span class="p">{}</span> <span class="nf">getSupportedProviders</span><span class="p">():</span> <span class="nx">OAuthProviderName</span><span class="p">[]</span> <span class="p">{}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key benefits:</strong></p> <ul> <li> <strong>Dynamic provider retrieval</strong>: Get any provider by name without hardcoding</li> <li> <strong>Extensible</strong>: Adding a new provider requires only implementing the interface and registering it</li> <li> <strong>Type-safe</strong>: TypeScript ensures only valid provider names are used</li> <li> <strong>Centralized management</strong>: All providers are managed in one place</li> </ul> <h2> OAuth Controller </h2> <p>The controller provides universal endpoints that work with any OAuth2 provider. Notice how the same endpoints handle Google, GitHub, or any future provider:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// src/auth/oauth/oauth.controller.ts</span> <span class="p">@</span><span class="nd">Public</span><span class="p">()</span> <span class="p">@</span><span class="nd">Controller</span><span class="p">(</span><span class="dl">'</span><span class="s1">oauth</span><span class="dl">'</span><span class="p">)</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">OAuthController</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="nx">oauthService</span><span class="p">:</span> <span class="nx">OAuthService</span><span class="p">)</span> <span class="p">{}</span> <span class="p">@</span><span class="nd">Get</span><span class="p">(</span><span class="dl">'</span><span class="s1">:provider</span><span class="dl">'</span><span class="p">)</span> <span class="k">async</span> <span class="nf">authorize</span><span class="p">(</span> <span class="p">@</span><span class="nd">Param</span><span class="p">(</span><span class="dl">'</span><span class="s1">provider</span><span class="dl">'</span><span class="p">)</span> <span class="nx">providerName</span><span class="p">:</span> <span class="nx">OAuthProviderName</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="p">{</span><span class="na">authorizationUrl</span><span class="p">:</span> <span class="kr">string</span><span class="p">}</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span><span class="na">authorizationUrl</span><span class="p">:</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">oauthService</span><span class="p">.</span><span class="nf">getAuthorizationUrl</span><span class="p">(</span><span class="nx">providerName</span><span class="p">)};</span> <span class="p">}</span> <span class="p">@</span><span class="nd">Get</span><span class="p">(</span><span class="dl">'</span><span class="s1">:provider/callback</span><span class="dl">'</span><span class="p">)</span> <span class="k">async</span> <span class="nf">callback</span><span class="p">(</span> <span class="p">@</span><span class="nd">Param</span><span class="p">(</span><span class="dl">'</span><span class="s1">provider</span><span class="dl">'</span><span class="p">)</span> <span class="nx">providerName</span><span class="p">:</span> <span class="nx">OAuthProviderName</span><span class="p">,</span> <span class="p">@</span><span class="nd">Query</span><span class="p">(</span><span class="dl">'</span><span class="s1">code</span><span class="dl">'</span><span class="p">)</span> <span class="nx">code</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="p">@</span><span class="nd">Query</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">)</span> <span class="nx">error</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">AccessToken</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">oauthService</span><span class="p">.</span><span class="nf">handleOAuthCallback</span><span class="p">(</span><span class="nx">providerName</span><span class="p">,</span> <span class="nx">code</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Controller breakdown:</strong></p> <ul> <li> <strong><code>GET /auth/:provider</code></strong>: Universal authorization endpoint. Works with any provider name (google, github, …)</li> <li> <strong><code>GET /auth/:provider/callback</code></strong>: Universal callback handler. The same logic processes callbacks from any OAuth2 provider</li> <li> <strong>Provider-agnostic</strong>: The controller doesn't know or care about specific provider implementations</li> </ul> <p>This is the power of the architecture - you get <code>/auth/google</code>, <code>/auth/github</code>, endpoints automatically once you register each provider!</p> <h2> Example: Let's implement Google OAuth2 </h2> <p>Now let's see how simple it is to add our first provider to this architecture:</p> <h3> Environment Configuration </h3> <p><strong>Create you OAuth application in GCP</strong></p> <ol> <li>Create an account with GCP here: <a href="https://cloud.google.com/?hl=en" rel="noopener noreferrer">https://cloud.google.com</a> </li> <li>Start by navigating to your project API &amp; Services &gt; Credentials in GCP to create a new OAuth application.</li> <li>Create the OAuth application. As part of the form, add to <strong>Authorized redirect URIs</strong> a redirect URL such as <code>http://localhost:3000/auth/google/callback</code>. Google will redirect the user to this url after they have authorized the application to access their Google account.</li> <li>Obtain the <strong>Client ID</strong> and <strong>Client Secret</strong> for your Google OAuth2 application and add it in your <code>.env</code> file below</li> </ol> <p><strong>Configure your environment variables</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>... <span class="c"># Google OAuth Configuration</span> <span class="nv">GOOGLE_CLIENT_ID</span><span class="o">=</span><span class="s2">"your_google_client_id"</span> <span class="nv">GOOGLE_CLIENT_SECRET</span><span class="o">=</span><span class="s2">"your_google_client_secret"</span> <span class="nv">GOOGLE_CALLBACK_URL</span><span class="o">=</span><span class="s2">"http://localhost:3000/auth/google/callback"</span> <span class="nv">GOOGLE_AUTH_URL</span><span class="o">=</span><span class="s2">"https://accounts.google.com/o/oauth2/v2/auth"</span> <span class="nv">GOOGLE_TOKEN_URL</span><span class="o">=</span><span class="s2">"https://www.googleapis.com/oauth2/v4/token"</span> <span class="nv">GOOGLE_USER_INFO_URL</span><span class="o">=</span><span class="s2">"https://www.googleapis.com/oauth2/v2/userinfo"</span> <span class="nv">GOOGLE_SCOPE</span><span class="o">=</span><span class="s2">"profile email"</span> </code></pre> </div> <h3> Google Provider Implementation </h3> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// src/auth/oauth/providers/google-oauth.provider.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Injectable</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ConfigService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/config</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">OAuthProviderInterface</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../interfaces/oauth-provider.interface</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">OAuthUser</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../types/oauth-user.type</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">GoogleOAuthConfig</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../types/google-oauth-config.type</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">GoogleOAuthProvider</span> <span class="k">implements</span> <span class="nx">OAuthProviderInterface</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">config</span><span class="p">:</span> <span class="nx">GoogleOAuthConfig</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="nx">configService</span><span class="p">:</span> <span class="nx">ConfigService</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">clientId</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">configService</span><span class="p">.</span><span class="kd">get</span><span class="p">&lt;</span><span class="nt">string</span><span class="p">&gt;</span>('GOOGLE_CLIENT_ID'), clientSecret: this.configService.get<span class="p">&lt;</span><span class="nt">string</span><span class="p">&gt;</span>('GOOGLE_CLIENT_SECRET'), callbackURL: this.configService.get<span class="p">&lt;</span><span class="nt">string</span><span class="p">&gt;</span>('GOOGLE_CALLBACK_URL'), scope: this.configService.get<span class="p">&lt;</span><span class="nt">string</span><span class="p">&gt;</span>('GOOGLE_SCOPE').split(' '), authURL: this.configService.get<span class="p">&lt;</span><span class="nt">string</span><span class="p">&gt;</span>('GOOGLE_AUTH_URL'), tokenURL: this.configService.get<span class="p">&lt;</span><span class="nt">string</span><span class="p">&gt;</span>('GOOGLE_TOKEN_URL'), }; } authorize(): string <span class="si">{</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">({</span> <span class="na">client_id</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">clientId</span><span class="p">,</span> <span class="na">redirect_uri</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">callbackURL</span><span class="p">,</span> <span class="na">scope</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">scope</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">),</span> <span class="na">response_type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">code</span><span class="dl">'</span><span class="p">,</span> <span class="na">access_type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">offline</span><span class="dl">'</span><span class="p">,</span> <span class="na">prompt</span><span class="p">:</span> <span class="dl">'</span><span class="s1">consent</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="s2">`</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">authURL</span><span class="p">}</span><span class="s2">?</span><span class="p">${</span><span class="nx">params</span><span class="p">.</span><span class="nf">toString</span><span class="p">()}</span><span class="s2">`</span><span class="p">;</span> <span class="si">}</span> async callback(code: string): Promise<span class="p">&lt;</span><span class="nc">OAuthUser</span><span class="p">&gt;</span> <span class="si">{</span> <span class="kd">const</span> <span class="nx">tokenResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">exchangeCodeForToken</span><span class="p">(</span><span class="nx">code</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">userInfo</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">getUserInfo</span><span class="p">(</span><span class="nx">tokenResponse</span><span class="p">.</span><span class="nx">access_token</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">userInfo</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">userInfo</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">firstName</span><span class="p">:</span> <span class="nx">userInfo</span><span class="p">.</span><span class="nx">given_name</span> <span class="o">??</span> <span class="dl">''</span><span class="p">,</span> <span class="na">lastName</span><span class="p">:</span> <span class="nx">userInfo</span><span class="p">.</span><span class="nx">family_name</span> <span class="o">??</span> <span class="dl">''</span><span class="p">,</span> <span class="na">picture</span><span class="p">:</span> <span class="nx">userInfo</span><span class="p">.</span><span class="nx">picture</span><span class="p">,</span> <span class="na">emailVerified</span><span class="p">:</span> <span class="nx">userInfo</span><span class="p">.</span><span class="nx">verified_email</span><span class="p">,</span> <span class="p">};</span> <span class="si">}</span> getProviderName(): string <span class="si">{</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">google</span><span class="dl">'</span><span class="p">;</span> <span class="si">}</span> private async exchangeCodeForToken(code: string): Promise<span class="p">&lt;</span><span class="si">{</span><span class="nx">access_token</span><span class="p">:</span> <span class="kr">string</span><span class="si">}</span><span class="p">&gt;</span> <span class="si">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">tokenURL</span><span class="o">!</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/x-www-form-urlencoded</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">({</span> <span class="na">client_id</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">clientId</span><span class="p">,</span> <span class="na">client_secret</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">clientSecret</span><span class="p">,</span> <span class="nx">code</span><span class="p">,</span> <span class="na">grant_type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">authorization_code</span><span class="dl">'</span><span class="p">,</span> <span class="na">redirect_uri</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">callbackURL</span><span class="p">,</span> <span class="p">}),</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to exchange code for token</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="si">}</span> private async getUserInfo(accessToken: string) <span class="si">{</span> <span class="kd">const</span> <span class="nx">userInfoURL</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">configService</span><span class="p">.</span><span class="kd">get</span><span class="p">&lt;</span><span class="nt">string</span><span class="p">&gt;</span>('GOOGLE_USER_INFO_URL')!; const response = await fetch(userInfoURL, <span class="si">{</span> <span class="nx">headers</span><span class="p">:</span> <span class="p">{</span> <span class="nl">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">accessToken</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">},</span> <span class="si">}</span>); if (!response.ok) <span class="si">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to fetch user info</span><span class="dl">'</span><span class="p">);</span> <span class="si">}</span> return response.json(); } } </code></pre> </div> <h3> Registering the Google Provider </h3> <p>Now you need to register the Google provider in the factory. Update your factory constructor to inject and register the Google provider:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// Update the OAuthProviderFactory constructor</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="nx">googleProvider</span><span class="p">:</span> <span class="nx">GoogleOAuthProvider</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">registerProvider</span><span class="p">(</span><span class="dl">'</span><span class="s1">google</span><span class="dl">'</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">googleProvider</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Add all the OAuth components to your <code>OAuthModule</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// oauth.module.ts - Add these to providers array</span> <span class="nx">providers</span><span class="p">:</span> <span class="p">[</span> <span class="c1">// ... existing providers</span> <span class="nx">OAuthService</span><span class="p">,</span> <span class="nx">GoogleOAuthProvider</span><span class="p">,</span> <span class="nx">OAuthProviderFactory</span><span class="p">,</span> <span class="p">],</span> <span class="nx">controllers</span><span class="p">:</span> <span class="p">[</span><span class="nx">OAuthController</span><span class="p">],</span> </code></pre> </div> <h3> Testing the Implementation </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4dlnfa3ulubmomoa9tuv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4dlnfa3ulubmomoa9tuv.png" alt="Sequence diagram" width="800" height="770"></a></p> <h2> What's Next? </h2> <p>This foundation supports adding additional OAuth2 providers with minimal effort. <strong>You can check <a href="https://github.com/camillefauchier/tuto-multiple-oauth2-provider-nestjs/tree/tuto-multiple-oauth2-providers-nestjs" rel="noopener noreferrer">the github repository</a> for Microsoft Integration and Github integration.</strong></p> <p>The beauty of this architecture is its extensibility - adding a new OAuth2 provider requires only implementing the <code>OAuthProviderInterface</code> and registering it with the factory. No changes to controllers, services, or database schema needed.</p> <p><em>This tutorial demonstrates an OAuth2 implementation that balances security, maintainability, and user experience. The complete source code is available on GitHub.</em></p> nestjs oauth sso google camillefauchier Tue, 23 Jan 2024 10:48:32 +0000 https://dev.to/camillefauchier/a-step-by-step-guide-to-implement-jwt-authentication-in-nestjs-using-passport-257b https://dev.to/camillefauchier/a-step-by-step-guide-to-implement-jwt-authentication-in-nestjs-using-passport-257b <p>In the domain of computer security, authentication and authorization are fundamental processes. Authentication, the initial step, validates a user's identity through methods like passwords or biometrics. Once authenticated, authorization comes into play, determining the user's permissions and access rights. It's crucial to note that authentication precedes authorization, establishing the user's identity before enforcing access control measures. </p> <p>The purpose of this article is to provide a step-by-step guide for implementing authentication system in a <a href="https://nestjs.com/">NestJS</a> project using the <a href="https://www.passportjs.org/">Passport</a> middleware module.</p> <p>Our authentication system will embody the key attributes of an exemplary system: it will be <strong>secure</strong>, <strong>easily extensible</strong>, and <strong>simple</strong>, as every good authentication system should be.</p> <p>If you want to look at the full code you can check out <a href="https://github.com/sipios/tuto-authentication-nestjs">my repo on Github</a>.</p> <h2> Dependencies installation </h2> <ul> <li> <strong><a href="https://www.npmjs.com/package/passport">passport</a></strong> (^0.7.0) is an authentication middleware for Node.js, widely used and extensible.</li> <li> <strong><a href="https://www.npmjs.com/package/passport-local">passport-local</a></strong> ( ^1.0.0) is a Passport strategy for authentication with an email and password.</li> <li> <strong><a href="https://www.npmjs.com/package/passport-jwt">passport-jwt</a></strong> (^4.0.1)is a Passport strategy for authentication with a JSON Web Token (JWT).</li> <li> <strong><a href="https://www.npmjs.com/package/@nestjs/passport">@nestjs/passport</a></strong> (^10.0.3) is a Passport integration for NestJS.</li> <li> <strong><a href="https://www.npmjs.com/package/@nestjs/jwt">@nestjs/jwt</a></strong> (^10.2.0) is used to handle JWT tokens in NestJS. <strong><a href="https://jwt.io/introduction">JWT (JSON Web Tokens)</a></strong> is a compact and safe way to transmit information between parties as a JSON object. this information can be verified and trusted because it is digitally signed.</li> <li> <strong><a href="https://www.npmjs.com/package/bcrypt">bcrypt</a></strong> (5.1.1)is a library for hashing passwords. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @nestjs/passport passport passport-local passport-jwt @nestjs/jwt bcrypt </code></pre> </div> <blockquote> <p>❓ <strong>Why you should use Passport Module to implement your authentication service</strong><br> For implementing authentication in your NestJs App I highly recommend relying on the Passport module. It enhances security through its robust strategies like JWT and OAuth, aligning with industry best practices. Among other things, it supports a plug-and-play architecture, enabling the addition of new authentication methods or the replacement of existing ones without major code modifications. This means you can effortlessly integrate custom authentication strategies, ensuring scalability and adaptability for your app's future needs. In other words, Passport ensures a smooth developer experience, making it easy for you to understand and implement authentication mechanisms.</p> </blockquote> <h2> User Module </h2> <p>Define a model (e.g., a class or an interface) for your users, including necessary fields such as <code>email</code>, <code>password</code>, etc. The <a href="https://github.com/sipios/tuto-authentication-nestjs/blob/main/src/users/users.service.ts">user service</a> responsible for all interactions with the database regarding users includes methods to create, find, update, and delete users. However, notice that the signup method must be handled by the authentication service.</p> <h2> Authentication Module </h2> <p>Your authentication module should be (at least) responsible for the following crucial tasks:</p> <ol> <li>User Identity verification</li> <li>Password Hashing and Storage</li> <li>Token Generation and Validation</li> </ol> <h3> Authentication Service </h3> <p>Create an <code>AuthService</code> service that will inject necessary services, such as <code>UsersService</code> for interacting with the user database and <code>JwtService</code> for handling JWT tokens.</p> <p><strong>AuthService Methods</strong>:</p> <ul> <li> <strong>validateUser</strong>: Takes a username and password as input and checks if the user exists and if the password is correct.</li> <li> <strong>login</strong>: Takes user data as input and generates a JWT token</li> <li> <strong>register:</strong> Checks if a user with the provided email already exists.If a user with the provided email already exists, throws a BadRequestException, if not, hash and salt the user's password using <code>bcrypt</code>, store the new user in the database and log the user in.</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">//auth.service.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">BadRequestException</span><span class="p">,</span> <span class="nx">Injectable</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">JwtService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/jwt</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">bcrypt</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">bcrypt</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">User</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">src/users/users.entity</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AccessToken</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./types/AccessToken</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">UsersService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">src/users/users.service</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">RegisterRequestDto</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./dtos/register-request.dto</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AuthService</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span> <span class="kr">private</span> <span class="nx">usersService</span><span class="p">:</span> <span class="nx">UsersService</span><span class="p">,</span> <span class="kr">private</span> <span class="nx">jwtService</span><span class="p">:</span> <span class="nx">JwtService</span><span class="p">,</span> <span class="p">)</span> <span class="p">{}</span> <span class="k">async</span> <span class="nf">validateUser</span><span class="p">(</span><span class="nx">email</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">password</span><span class="p">:</span> <span class="nx">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">User</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="na">user</span><span class="p">:</span> <span class="nx">User</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">usersService</span><span class="p">.</span><span class="nf">findOneByEmail</span><span class="p">(</span><span class="nx">email</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">BadRequestException</span><span class="p">(</span><span class="dl">'</span><span class="s1">User not found</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="na">isMatch</span><span class="p">:</span> <span class="nx">boolean</span> <span class="o">=</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compareSync</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">password</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isMatch</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">BadRequestException</span><span class="p">(</span><span class="dl">'</span><span class="s1">Password does not match</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">user</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">login</span><span class="p">(</span><span class="nx">user</span><span class="p">:</span> <span class="nx">User</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">AccessToken</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">};</span> <span class="k">return</span> <span class="p">{</span> <span class="na">access_token</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">jwtService</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="p">};</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">register</span><span class="p">(</span><span class="nx">user</span><span class="p">:</span> <span class="nx">RegisterRequestDto</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">AccessToken</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">existingUser</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">usersService</span><span class="p">.</span><span class="nf">findOneByEmail</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">existingUser</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">BadRequestException</span><span class="p">(</span><span class="dl">'</span><span class="s1">email already exists</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">hashedPassword</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> <span class="kd">const</span> <span class="na">newUser</span><span class="p">:</span> <span class="nx">User</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">user</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">hashedPassword</span> <span class="p">};</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">usersService</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">newUser</span><span class="p">);</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">login</span><span class="p">(</span><span class="nx">newUser</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>❓ <strong>Why is hashing and salting passwords mandatory?</strong><br> A <strong>salt</strong> is simply a random data used as an additional input to the hashing function to safeguard your password. The random string from the salt makes the hash unpredictable.<br> A password <strong>hash</strong> involves converting the password into an alphanumeric string using specialized algorithms.<br> Hashing and salting are irreversible and ensure that even if someone gains access to the hashed passwords, they will not be able to decrypt them to recover the original passwords.<br> Hystorically bcrypt is recognized as the best hashing algorithm. However, in terms of robustness against all the new cryptographic attacks targeting hashing algorithms, the current clear winner is <a href="https://www.npmjs.com/package/argon2"><code>argon2</code></a>. However, since the “youth" (2015) of this algorithm, I chose to use <code>bcrypt</code></p> </blockquote> <h3> Passport Configuration </h3> <h4> Create a Local Strategy for authentication with username and password. </h4> <p>You need to create a <strong><code>LocalStrategy</code></strong> that extends <strong><code>PassportStrategy</code></strong>. </p> <p>This <strong>authentication method</strong> is primarily used for authenticating users based on local credentials such as usernames and passwords. By default the strategy looks for a <code>username</code> field, in the code below we override <strong><code>usernameField</code></strong> to look for an <code>email</code> field since we want to login with an email.</p> <ul> <li> <strong>validate method :</strong> Requires the server to check the provided username and password against the authentication service.</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">//local.strategy.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Injectable</span><span class="p">,</span> <span class="nx">UnauthorizedException</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PassportStrategy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/passport</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Strategy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">passport-local</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AuthenticationService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../authentication.service</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">User</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../app/users/users.entity</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">LocalStrategy</span> <span class="kd">extends</span> <span class="nc">PassportStrategy</span><span class="p">(</span><span class="nx">Strategy</span><span class="p">)</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="kr">private</span> <span class="nx">authService</span><span class="p">:</span> <span class="nx">AuthenticationService</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">({</span> <span class="na">usernameField</span><span class="p">:</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">validate</span><span class="p">(</span><span class="nx">email</span><span class="p">:</span> <span class="nx">string</span><span class="p">,</span> <span class="nx">password</span><span class="p">:</span> <span class="nx">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">User</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">authService</span><span class="p">.</span><span class="nf">validateUser</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">UnauthorizedException</span><span class="p">();</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">user</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> <strong>Create a JWT Strategy to validate JWT tokens</strong> </h4> <p>The <code>JwtStrategy</code> validates the token sent by the user. It extracts the user ID from the token and looks it up in the database.</p> <p>This <strong>authentication method</strong> is used for authenticating users based on the presence and validity of a JSON Web Token (JWT). It extracts the user ID from the token and looks it up in the database.</p> <ul> <li> <strong>validate method:</strong> Involves checking the digital signature of the JWT to ensure its integrity and validating claims to determine the user's identity and permissions. The <code>validate</code> method receives the decoded data from the JWT token and returns user data if the token is valid. You can add additional logic, e.g., to fetch additional user information from the database.</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">//jwt.strategy.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Injectable</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PassportStrategy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/passport</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Strategy</span><span class="p">,</span> <span class="nx">ExtractJwt</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">passport-jwt</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ConfigService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/config</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AccessTokenPayload</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../types/AccessTokenPayload</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">JwtStrategy</span> <span class="kd">extends</span> <span class="nc">PassportStrategy</span><span class="p">(</span><span class="nx">Strategy</span><span class="p">)</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="kr">private</span> <span class="nx">readonly</span> <span class="nx">configService</span><span class="p">:</span> <span class="nx">ConfigService</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">({</span> <span class="na">jwtFromRequest</span><span class="p">:</span> <span class="nx">ExtractJwt</span><span class="p">.</span><span class="nf">fromAuthHeaderAsBearerToken</span><span class="p">(),</span> <span class="na">ignoreExpiration</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">secretOrKey</span><span class="p">:</span> <span class="nx">configService</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">JWT_SECRET</span><span class="dl">'</span><span class="p">),</span> <span class="p">});</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">validate</span><span class="p">(</span><span class="nx">payload</span><span class="p">:</span> <span class="nx">AccessTokenPayload</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">payload</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Authentication Controller </h2> <p>Create endpoints for signup (<code>register</code>) and login (<code>login</code>) that both return JWT tokens. For the login endpoint, the<code>@UseGuards</code> decorator is applied to the <code>login</code> method, indicating that the <code>AuthGuard</code> named 'local' should be used, that will trigger the <code>LocalStrategy</code> previously implemented.</p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// auth.controller.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">BadRequestException</span><span class="p">,</span> <span class="nx">Body</span><span class="p">,</span> <span class="nx">Controller</span><span class="p">,</span> <span class="nx">Post</span><span class="p">,</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">UseGuards</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AuthService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./auth.service</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AuthGuard</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/passport</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">RegisterRequestDto</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./dtos/register-request.dto</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LoginResponseDTO</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./dtos/login-response.dto</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">RegisterResponseDTO</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./dtos/register-response.dto</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Controller</span><span class="p">(</span><span class="dl">'</span><span class="s1">auth</span><span class="dl">'</span><span class="p">)</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AuthController</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="kr">private</span> <span class="nx">authService</span><span class="p">:</span> <span class="nx">AuthService</span><span class="p">)</span> <span class="p">{}</span> <span class="p">@</span><span class="nd">UseGuards</span><span class="p">(</span><span class="nc">AuthGuard</span><span class="p">(</span><span class="dl">'</span><span class="s1">local</span><span class="dl">'</span><span class="p">))</span> <span class="p">@</span><span class="nd">Post</span><span class="p">(</span><span class="dl">'</span><span class="s1">login</span><span class="dl">'</span><span class="p">)</span> <span class="k">async</span> <span class="nf">login</span><span class="p">(@</span><span class="nd">Request</span><span class="p">()</span> <span class="nx">req</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">LoginResponseDTO</span> <span class="o">|</span> <span class="nx">BadRequestException</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">authService</span><span class="p">.</span><span class="nf">login</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">);</span> <span class="p">}</span> <span class="p">@</span><span class="nd">Post</span><span class="p">(</span><span class="dl">'</span><span class="s1">register</span><span class="dl">'</span><span class="p">)</span> <span class="k">async</span> <span class="nf">register</span><span class="p">(</span> <span class="p">@</span><span class="nd">Body</span><span class="p">()</span> <span class="nx">registerBody</span><span class="p">:</span> <span class="nx">RegisterRequestDto</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">RegisterResponseDTO</span> <span class="o">|</span> <span class="nx">BadRequestException</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">authService</span><span class="p">.</span><span class="nf">register</span><span class="p">(</span><span class="nx">registerBody</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>❓ <strong>Passing the Access Token to the client</strong><br> In this tutorial we pass the access token to the client in the response body for simplicity reasons, but it can also be done with a <strong>cookie</strong>. Since cookies are automatically included in every HTTP request, it simplifies the process of including the access token without explicit action from the client. <br> You can read this article <a href="https://hasanthipurnimadissanayake.medium.com/cookie-based-authentication-vs-token-based-authentication-9c0dcce1d73a">Cookie-Based Authentication vs Token-Based Authentication</a> to choose the most adapted method to your case.</p> <h2> <strong>Authentication Module Configuration</strong> </h2> <p>Your <code>AuthModule</code> should import the <code>JwtModule</code> to handle JSON Web Token (JWT) generation and verification. </p> <p>The <code>registerAsync</code> method allows for asynchronous configuration, facilitating the use of the <code>ConfigService</code> to retrieve the JWT secret from environment variables stored in a <code>.env</code> file.</p> <p>Storing sensitive configurations in a <code>.env</code> file as environment variables is preferred because it enhances security and avoids accidental exposure in version control systems (⚠️ don’t forget to add it in the <code>.gitignore</code> ). This practice facilitates easy configuration management across different environments while preserving confidentiality and minimizing the risk of inadvertent information disclosure.</p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// auth.module.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Module</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">UsersModule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">src/users/users.module</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AuthService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./auth.service</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">JwtModule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/jwt</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ConfigModule</span><span class="p">,</span> <span class="nx">ConfigService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/config</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LocalStrategy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./strategy/local.strategy</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AuthController</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./auth.controller</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">JwtStrategy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./strategy/jwt.strategy</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Module</span><span class="p">({</span> <span class="na">imports</span><span class="p">:</span> <span class="p">[</span> <span class="nx">UsersModule</span><span class="p">,</span> <span class="nx">JwtModule</span><span class="p">.</span><span class="nf">registerAsync</span><span class="p">({</span> <span class="na">imports</span><span class="p">:</span> <span class="p">[</span><span class="nx">ConfigModule</span><span class="p">],</span> <span class="na">useFactory</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="na">configService</span><span class="p">:</span> <span class="nx">ConfigService</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">configService</span><span class="p">.</span><span class="kd">get</span><span class="p">&lt;</span><span class="nt">string</span><span class="p">&gt;</span>('JWT_SECRET'), signOptions: <span class="si">{</span> <span class="nx">expiresIn</span><span class="p">:</span> <span class="nf">parseInt</span><span class="p">(</span> <span class="nx">configService</span><span class="p">.</span><span class="nx">getOrThrow</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">(</span> <span class="dl">'</span><span class="s1">ACCESS_TOKEN_VALIDITY_DURATION_IN_SEC</span><span class="dl">'</span><span class="p">,</span> <span class="p">),</span> <span class="p">),</span> <span class="si">}</span>, }), inject: [ConfigService], }), ], controllers: [AuthController], providers: [AuthService, LocalStrategy, JwtStrategy], exports: [AuthService, JwtModule], }) export class AuthModule <span class="si">{}</span> </code></pre> </div> <h2> Routes security: implementing a whitelisting strategy </h2> <blockquote> <p>❓ <strong>Why should you use a whitelisting strategy ?</strong><br> To ensure the security of your app, the best practice is to choose a <strong>whitelisting</strong> strategy. Whitelisting, involves explicitly allowing only approved elements or actions, providing precise control over permissions in a system. It is considered a better practice than blacklisting as it reduces the attack surface by permitting only known and necessary entities but also minimizes developers' errors resulting from oversights or thoughtlessness.</p> </blockquote> <p>In our context, to implement whitelisting you basically just have to create a guard for JWT-based authentication, and a decorator to designate public routes exempt from JWT authentication. This strategy offers a granular and flexible approach to securing specific endpoints. </p> <h3> Create a guard and a decorator </h3> <p>First, create the following decorator:</p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">//public.decorator.ts </span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SetMetadata</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">Public</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nc">SetMetadata</span><span class="p">(</span><span class="dl">'</span><span class="s1">isPublic</span><span class="dl">'</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> </code></pre> </div> <p>Then you can add the following <strong><code>JwtGuard</code></strong> class: </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">//jwt.guard.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ExecutionContext</span><span class="p">,</span> <span class="nx">Injectable</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Reflector</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AuthGuard</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/passport</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">JwtGuard</span> <span class="kd">extends</span> <span class="nc">AuthGuard</span><span class="p">(</span><span class="dl">'</span><span class="s1">jwt</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="nx">reflector</span><span class="p">:</span> <span class="nx">Reflector</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">();</span> <span class="p">}</span> <span class="nf">canActivate</span><span class="p">(</span> <span class="nx">context</span><span class="p">:</span> <span class="nx">ExecutionContext</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="o">|</span> <span class="nx">boolean</span> <span class="o">|</span> <span class="nx">Observable</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">isPublic</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">reflector</span><span class="p">.</span><span class="nf">getAllAndOverride</span><span class="p">(</span><span class="dl">'</span><span class="s1">isPublic</span><span class="dl">'</span><span class="p">,</span> <span class="p">[</span> <span class="nx">context</span><span class="p">.</span><span class="nf">getHandler</span><span class="p">(),</span> <span class="nx">context</span><span class="p">.</span><span class="nf">getClass</span><span class="p">(),</span> <span class="p">]);</span> <span class="k">if </span><span class="p">(</span><span class="nx">isPublic</span><span class="p">)</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="k">return</span> <span class="k">super</span><span class="p">.</span><span class="nf">canActivate</span><span class="p">(</span><span class="nx">context</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <strong>Class constructor:</strong> takes a single parameter - an instance of the <code>Reflector</code> class. The <code>Reflector</code> class is part of the core NestJS library and is used to retrieve metadata associated with classes, methods, and their decorators.</li> <li> <strong>canActivate Method:</strong> The <code>canActivate</code> method is a crucial part of the <code>JwtGuard</code> class. It is invoked during the request lifecycle to determine whether the current request should be allowed or denied based on the provided JWT. <ul> <li>The first step is to check if the route or endpoint is marked as public using the <code>@Public</code> decorator previously created.</li> <li>The <code>Reflector</code> is used to retrieve metadata labeled as 'isPublic' from the handler and class associated with the current execution context.</li> <li>If the route is marked as public, the method returns <code>true</code>, indicating that no further authentication checks are needed.</li> <li>If the route is not marked as public, the <code>super.canActivate(context)</code> call invokes the corresponding method in the parent class (<code>AuthGuard</code>). This method performs the actual JWT validation and authentication checks.</li> </ul> </li> </ul> <h3> Configure the AppModule </h3> <p>Within the <code>providers</code> array, the provider for the JWT guard is registered using the <code>APP_GUARD</code> token. This provider specifies the use of the <code>JwtGuard</code> class as the global guard for the entire application.</p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">//app.module.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Module</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AppController</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./app.controller</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AppService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./app.service</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">UsersModule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./users/users.module</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ConfigModule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/config</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AuthModule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./auth/auth.module</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">JwtStrategy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./auth/strategy/jwt.strategy</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">APP_GUARD</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">JwtGuard</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./auth/guards/jwt.guard</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Module</span><span class="p">({</span> <span class="na">imports</span><span class="p">:</span> <span class="p">[</span> <span class="nx">ConfigModule</span><span class="p">.</span><span class="nf">forRoot</span><span class="p">({</span> <span class="na">isGlobal</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}),</span> <span class="p">...</span> <span class="nx">UsersModule</span><span class="p">,</span> <span class="nx">AuthModule</span><span class="p">,</span> <span class="p">],</span> <span class="na">controllers</span><span class="p">:</span> <span class="p">[</span><span class="nx">AppController</span><span class="p">],</span> <span class="na">providers</span><span class="p">:</span> <span class="p">[</span> <span class="nx">AppService</span><span class="p">,</span> <span class="p">{</span> <span class="na">provide</span><span class="p">:</span> <span class="nx">APP_GUARD</span><span class="p">,</span> <span class="na">useClass</span><span class="p">:</span> <span class="nx">JwtGuard</span><span class="p">,</span> <span class="p">},</span> <span class="nx">JwtStrategy</span><span class="p">,</span> <span class="p">],</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AppModule</span> <span class="p">{}</span> </code></pre> </div> <p>Now if the routes are not marked with <code>@Public()</code>, every incoming request undergoes JWT authentication.</p> <p>For example, in the GET endpoint below, the global guard validates and decodes the JWT access token and attaches the user information to the request object, making it accessible in the controller methods. </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">//app.controller.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Controller</span><span class="p">,</span> <span class="nx">Get</span><span class="p">,</span> <span class="nx">Request</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AppService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./app.service</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AccessTokenPayload</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./auth/types/AccessTokenPayload</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Controller</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AppController</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="k">readonly</span> <span class="nx">appService</span><span class="p">:</span> <span class="nx">AppService</span><span class="p">)</span> <span class="p">{}</span> <span class="p">@</span><span class="nd">Get</span><span class="p">()</span> <span class="k">async</span> <span class="nf">getHello</span><span class="p">(@</span><span class="nd">Request</span><span class="p">()</span> <span class="nx">req</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="na">accessTokenPayload</span><span class="p">:</span> <span class="nx">AccessTokenPayload</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="k">as</span> <span class="nx">AccessTokenPayload</span><span class="p">;</span> <span class="k">return</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">appService</span><span class="p">.</span><span class="nf">getHello</span><span class="p">(</span><span class="nx">accessTokenPayload</span><span class="p">.</span><span class="nx">userId</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Specify public routes </h3> <p>You have now the option to apply the <code>@Public()</code>decorator to methods or classes that don't require JWT authentication. In our scenario, we apply this decorator to the <code>AuthController</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>//auth.controller.ts @Public() @Controller('auth') export class AuthController { //... } </code></pre> </div> <h3> Create <strong>custom decorators</strong> </h3> <p>In order to make your code more readable and transparent, you can create your own <strong>custom decorator</strong> and reuse it across all of your controllers. It’s a very good practice to avoid code duplication.</p> <p>Depending on the specific requirements of your project, (e.g. <a href="https://medium.com/@dev.muhammet.ozen/role-based-access-control-in-nestjs-15c15090e47d">Role-based access control</a>), you can create numerous and various decorators and guards to address diverse authorization scenarios. For this article we will only create a  <code>@User()</code> decorator that extracts the user information from the request object in the NestJS execution context.</p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// user.decorator.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createParamDecorator</span><span class="p">,</span> <span class="nx">ExecutionContext</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">User</span> <span class="o">=</span> <span class="nf">createParamDecorator</span><span class="p">(</span> <span class="p">(</span><span class="nx">data</span><span class="p">:</span> <span class="nx">unknown</span><span class="p">,</span> <span class="nx">ctx</span><span class="p">:</span> <span class="nx">ExecutionContext</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">request</span> <span class="o">=</span> <span class="nx">ctx</span><span class="p">.</span><span class="nf">switchToHttp</span><span class="p">().</span><span class="nf">getRequest</span><span class="p">();</span> <span class="k">return</span> <span class="nx">request</span><span class="p">.</span><span class="nx">user</span><span class="p">;</span> <span class="p">},</span> <span class="p">);</span> </code></pre> </div> <p>Then you just have to pass it to your controller to retrieve the user information encapsulated in your request.</p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">//app.controller.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Controller</span><span class="p">,</span> <span class="nx">Get</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AppService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./app.service</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">User</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./auth/decorators/user.decorator</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Controller</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AppController</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="k">readonly</span> <span class="nx">appService</span><span class="p">:</span> <span class="nx">AppService</span><span class="p">)</span> <span class="p">{}</span> <span class="p">@</span><span class="nd">Get</span><span class="p">()</span> <span class="k">async</span> <span class="nf">getHello</span><span class="p">(@</span><span class="nd">User</span><span class="p">()</span> <span class="nx">user</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">appService</span><span class="p">.</span><span class="nf">getHello</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Conclusion </h2> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fut7bwhtuxk8boaeyirrj.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fut7bwhtuxk8boaeyirrj.png" alt="Dependancies schema of the authentication system" width="800" height="528"></a></p> <p>In conclusion, <strong>crafting a secure and efficient authentication system in a NestJS application is a meticulous but easy process</strong>. We have integrated Passport to handle various authentication strategies, used JWT tokens to enhance security, and the global guards to ensure consistent authentication across the entire project. By prioritizing security, simplicity, and extensibility in our implementation, we have established a foundation that not only safeguards user data but also allows for seamless integration of future features.</p> <p>By following this step-by-step guide, you can establish a robust authentication system in your NestJS applications, promoting secure user interactions and data protection. The provided code snippets serve as a foundation for building upon and adapting to specific project requirements (Role-based access control, OAuth).</p> <p>However, I did not get into <a href="https://medium.com/@chamodisamarawickrama/understanding-refresh-tokens-f27629a096f8">refresh token</a> even though they are an essential component of secure authentication systems, particularly in scenarios where long-lived sessions are required. A deep dive into implementing refresh tokens in a NestJS context could be valuable for you if you aim to build robust and secure authentication systems.</p> <h3> Sources </h3> <ul> <li><a href="https://nestjs.com/">Documentation NestJs</a></li> <li><a href="https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/">Adding Salt to Hashing: A Better Way to Store Passwords</a></li> </ul> nestjs coding backend security