DEV Community: Khelan Mehta The latest articles on DEV Community by Khelan Mehta (@khelan_mehta_41a9c33cf658). https://dev.to/khelan_mehta_41a9c33cf658 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1788404%2F24857875-dfcd-4305-8855-677db67946c9.png DEV Community: Khelan Mehta https://dev.to/khelan_mehta_41a9c33cf658 en Authentication System with Next.js and Nest.js Khelan Mehta Sun, 16 Feb 2025 14:20:04 +0000 https://dev.to/khelan_mehta_41a9c33cf658/authentication-system-with-nextjs-and-nestjs-4k5a https://dev.to/khelan_mehta_41a9c33cf658/authentication-system-with-nextjs-and-nestjs-4k5a <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F88397ievdu6j8akzim6m.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F88397ievdu6j8akzim6m.jpg" alt="Image description" width="800" height="367"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnonbicsy3y2bgnpbvukn.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnonbicsy3y2bgnpbvukn.jpg" alt="Image description" width="800" height="367"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F61moimnfkm9cz7e2y105.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F61moimnfkm9cz7e2y105.jpg" alt="Image description" width="800" height="367"></a></p> <h1> Building a Secure Authentication System with Next.js and Nest.js </h1> <p>Security is a top priority in modern web applications, and a well-architected authentication system is key to protecting user data. In this guide, we’ll build a <strong>secure authentication system</strong> using <strong>Next.js and Nest.js</strong>, implementing <strong>Crypto.js, bcrypt, JWT, and role-based authentication</strong>. Additionally, we'll cover how to integrate <strong>NodeMailer for password reset functionality</strong> with OTP-based sessions.</p> <h2> <strong>Why This Architecture?</strong> </h2> <p>Our system follows a <strong>modular and layered</strong> security approach:<br><br> ✅ <strong>Crypto.js (Frontend Encryption)</strong> – Encrypts credentials before transmission.<br><br> ✅ <strong>bcrypt (Backend Encryption)</strong> – Hashes passwords before storing them in the database.<br><br> ✅ <strong>JWT Authentication</strong> – Issues secure access tokens for API requests.<br><br> ✅ <strong>Role-Based Access Control (RBAC)</strong> – Restricts users based on roles.<br><br> ✅ <strong>OTP and NodeMailer for Password Reset</strong> – Provides secure session-based password recovery.</p> <h2> <strong>Step 1: Setting Up the Backend with Nest.js</strong> </h2> <h3> <strong>1.1 Install Dependencies</strong> </h3> <p>In your Nest.js backend, install the required packages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @nestjs/jwt @nestjs/passport bcryptjs passport passport-jwt crypto-js nodemailer </code></pre> </div> <h3> <strong>1.2 User Entity &amp; Authentication Service</strong> </h3> <p>Define the user schema in <strong>TypeORM</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Entity</span><span class="p">,</span> <span class="nx">Column</span><span class="p">,</span> <span class="nx">PrimaryGeneratedColumn</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">typeorm</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Entity</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">User</span> <span class="p">{</span> <span class="p">@</span><span class="nd">PrimaryGeneratedColumn</span><span class="p">()</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">@</span><span class="nd">Column</span><span class="p">({</span> <span class="na">unique</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="nx">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">@</span><span class="nd">Column</span><span class="p">()</span> <span class="nx">password</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">@</span><span class="nd">Column</span><span class="p">({</span> <span class="na">default</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span> <span class="p">})</span> <span class="c1">// Default role is 'user'</span> <span class="nx">role</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Now, create the <strong>authentication service</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">bcrypt</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">bcrypt</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">JwtService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/jwt</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AuthService</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="nx">jwtService</span><span class="p">:</span> <span class="nx">JwtService</span><span class="p">)</span> <span class="p">{}</span> <span class="k">async</span> <span class="nf">hashPassword</span><span class="p">(</span><span class="nx">password</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">comparePasswords</span><span class="p">(</span><span class="nx">password</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">hash</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">hash</span><span class="p">);</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">generateJWT</span><span class="p">(</span><span class="nx">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">role</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">jwtService</span><span class="p">.</span><span class="nf">sign</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">role</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> <strong>Step 2: Implementing Crypto.js in the Frontend (Next.js)</strong> </h2> <p>To enhance security, we encrypt credentials before sending them to the backend.</p> <h3> <strong>2.1 Install Crypto.js</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>crypto-js </code></pre> </div> <h3> <strong>2.2 Encrypt User Credentials in Next.js</strong> </h3> <p>Modify the <strong>login page</strong> (<code>pages/login.js</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">CryptoJS</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">crypto-js</span><span class="dl">'</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">login</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">encryptedPassword</span> <span class="o">=</span> <span class="nx">CryptoJS</span><span class="p">.</span><span class="nx">AES</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SECRET</span><span class="p">).</span><span class="nf">toString</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/auth/login</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">encryptedPassword</span> <span class="p">}),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> <strong>Step 3: JWT-Based Authentication &amp; Role-Based Access</strong> </h2> <h3> <strong>3.1 Protect Routes Using JWT</strong> </h3> <p>Middleware for <strong>JWT authentication</strong> (<code>jwt.strategy.ts</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Injectable</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PassportStrategy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/passport</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ExtractJwt</span><span class="p">,</span> <span class="nx">Strategy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">passport-jwt</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">JwtStrategy</span> <span class="kd">extends</span> <span class="nc">PassportStrategy</span><span class="p">(</span><span class="nx">Strategy</span><span class="p">)</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">()</span> <span class="p">{</span> <span class="k">super</span><span class="p">({</span> <span class="na">jwtFromRequest</span><span class="p">:</span> <span class="nx">ExtractJwt</span><span class="p">.</span><span class="nf">fromAuthHeaderAsBearerToken</span><span class="p">(),</span> <span class="na">secretOrKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">validate</span><span class="p">(</span><span class="nx">payload</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">payload</span><span class="p">.</span><span class="nx">role</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> <strong>3.2 Role-Based Authorization Middleware</strong> </h3> <p>To allow access based on <strong>user roles</strong>, create a decorator:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">CanActivate</span><span class="p">,</span> <span class="nx">ExecutionContext</span><span class="p">,</span> <span class="nx">Injectable</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">RolesGuard</span> <span class="k">implements</span> <span class="nx">CanActivate</span> <span class="p">{</span> <span class="nf">canActivate</span><span class="p">(</span><span class="nx">context</span><span class="p">:</span> <span class="nx">ExecutionContext</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">request</span> <span class="o">=</span> <span class="nx">context</span><span class="p">.</span><span class="nf">switchToHttp</span><span class="p">().</span><span class="nf">getRequest</span><span class="p">();</span> <span class="k">return</span> <span class="nx">request</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">role</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Only admins can access</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Apply the <strong>RolesGuard</strong> to protected routes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">@</span><span class="nd">UseGuards</span><span class="p">(</span><span class="nx">JwtAuthGuard</span><span class="p">,</span> <span class="nx">RolesGuard</span><span class="p">)</span> <span class="p">@</span><span class="nd">Get</span><span class="p">(</span><span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">)</span> <span class="nf">adminAccess</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="dl">"</span><span class="s2">You have admin privileges!</span><span class="dl">"</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> <strong>Step 4: Implementing Forgot Password with OTP &amp; NodeMailer</strong> </h2> <h3> <strong>4.1 Generate OTP and Send Email</strong> </h3> <p>Install <strong>NodeMailer</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>nodemailer </code></pre> </div> <p>Create the <strong>email service</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">nodemailer</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">nodemailer</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">MailService</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">transporter</span> <span class="o">=</span> <span class="nx">nodemailer</span><span class="p">.</span><span class="nf">createTransport</span><span class="p">({</span> <span class="na">service</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Gmail</span><span class="dl">'</span><span class="p">,</span> <span class="na">auth</span><span class="p">:</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EMAIL_USER</span><span class="p">,</span> <span class="na">pass</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">EMAIL_PASS</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="k">async</span> <span class="nf">sendOTP</span><span class="p">(</span><span class="nx">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">otp</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">transporter</span><span class="p">.</span><span class="nf">sendMail</span><span class="p">({</span> <span class="na">from</span><span class="p">:</span> <span class="dl">'</span><span class="s1">"Security Team" &lt;no-reply@example.com&gt;</span><span class="dl">'</span><span class="p">,</span> <span class="na">to</span><span class="p">:</span> <span class="nx">email</span><span class="p">,</span> <span class="na">subject</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Password Reset OTP</span><span class="dl">'</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="s2">`Your OTP is </span><span class="p">${</span><span class="nx">otp</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> <strong>4.2 Store OTP in Database and Verify</strong> </h3> <p>Modify the <strong>AuthService</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">v4</span> <span class="k">as</span> <span class="nx">uuidv4</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">uuid</span><span class="dl">'</span><span class="p">;</span> <span class="k">async</span> <span class="nf">requestPasswordReset</span><span class="p">(</span><span class="nx">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">otp</span> <span class="o">=</span> <span class="nf">uuidv4</span><span class="p">().</span><span class="nf">substring</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">6</span><span class="p">);</span> <span class="c1">// Generate a 6-digit OTP</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userRepository</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="nx">email</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">otp</span> <span class="p">});</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">mailService</span><span class="p">.</span><span class="nf">sendOTP</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">otp</span><span class="p">);</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">verifyOTP</span><span class="p">(</span><span class="nx">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">otp</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">newPassword</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userRepository</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="nx">email</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">otp</span> <span class="o">===</span> <span class="nx">otp</span><span class="p">)</span> <span class="p">{</span> <span class="nx">user</span><span class="p">.</span><span class="nx">password</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">hashPassword</span><span class="p">(</span><span class="nx">newPassword</span><span class="p">);</span> <span class="nx">user</span><span class="p">.</span><span class="nx">otp</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">userRepository</span><span class="p">.</span><span class="nf">save</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">Password reset successfully</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid OTP</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> <strong>Final Thoughts</strong> </h2> <p>This authentication system ensures security at <strong>every layer</strong>:<br><br> 🔒 <strong>Crypto.js encrypts credentials on the frontend.</strong><br><br> 🔒 <strong>bcrypt hashes passwords before storing in the database.</strong><br><br> 🔒 <strong>JWT tokens provide secure access.</strong><br><br> 🔒 <strong>Role-based access restricts sensitive data.</strong><br><br> 🔒 <strong>OTP-based password reset improves security.</strong> </p> <p>With <strong>Next.js and Nest.js</strong>, we achieve a highly scalable, secure authentication system. 🚀 </p> devblog