The latest articles on DEV Community by Anandhu Prakash (@luffy_p1r4t3). https://dev.to/luffy_p1r4t3 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1262258%2F51e78847-f03e-466c-8dce-542be48aa102.png https://dev.to/luffy_p1r4t3 en Anandhu Prakash Sat, 28 Dec 2024 04:45:48 +0000 https://dev.to/luffy_p1r4t3/role-based-access-control-in-nestjs-2cl2 https://dev.to/luffy_p1r4t3/role-based-access-control-in-nestjs-2cl2 <h2> Role-Based Authorization in NestJS </h2> <p>Authorization is a critical aspect of application security. It ensures that users can access only the resources they’re permitted to. In NestJS, a progressive Node.js framework, implementing role-based authorization is straightforward thanks to its modular design and support for decorators.</p> <h3> What is Role-Based Authorization? </h3> <p>Role-based authorization assigns permissions to users based on their roles. Common roles include “admin,” “user,” and “guest.” Each role has a predefined set of actions it can perform. For example:</p> <ul> <li> <strong>Admin</strong>: Can manage all resources.</li> <li> <strong>User</strong>: Can read and update their own data.</li> <li> <strong>Guest</strong>: Can only view public resources.</li> </ul> <p>By implementing role-based authorization, you can easily control access within your application.</p> <h3> Setting Up Role-Based Authorization in NestJS </h3> <p>Here’s how you can implement role-based authorization in NestJS:</p> <h4> 1. Install Dependencies </h4> <p>First, ensure you have a NestJS project set up. If not, you can create one using the CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm i <span class="nt">-g</span> @nestjs/cli nest new my-app </code></pre> </div> <p>Next, install <code>@nestjs/passport</code> and <code>passport</code> for authentication support:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @nestjs/passport passport passport-jwt npm <span class="nb">install</span> <span class="nt">--save-dev</span> @types/passport-jwt </code></pre> </div> <h4> 2. Define Roles </h4> <p>Create a <code>roles.enum.ts</code> file to define roles as an enum:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kr">enum</span> <span class="nx">Role</span> <span class="p">{</span> <span class="nx">Admin</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">,</span> <span class="nx">User</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">,</span> <span class="nx">Guest</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">guest</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <h4> 3. Create a Roles Guard </h4> <p>Guards in NestJS intercept requests before they reach route handlers. Create a custom guard to enforce role-based access control.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Injectable</span><span class="p">,</span> <span class="nx">CanActivate</span><span class="p">,</span> <span class="nx">ExecutionContext</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Reflector</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Role</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./roles.enum</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">RolesGuard</span> <span class="k">implements</span> <span class="nx">CanActivate</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="nx">reflector</span><span class="p">:</span> <span class="nx">Reflector</span><span class="p">)</span> <span class="p">{}</span> <span class="nf">canActivate</span><span class="p">(</span><span class="nx">context</span><span class="p">:</span> <span class="nx">ExecutionContext</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">roles</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">reflector</span><span class="p">.</span><span class="kd">get</span><span class="o">&lt;</span><span class="nx">Role</span><span class="p">[]</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">roles</span><span class="dl">'</span><span class="p">,</span> <span class="nx">context</span><span class="p">.</span><span class="nf">getHandler</span><span class="p">());</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">roles</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">request</span> <span class="o">=</span> <span class="nx">context</span><span class="p">.</span><span class="nf">switchToHttp</span><span class="p">().</span><span class="nf">getRequest</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">user</span><span class="p">;</span> <span class="k">return</span> <span class="nx">roles</span><span class="p">.</span><span class="nf">some</span><span class="p">((</span><span class="nx">role</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">user</span><span class="p">?.</span><span class="nx">roles</span><span class="p">?.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">role</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> 4. Create a Roles Decorator </h4> <p>To simplify the process of adding roles to route handlers, create a custom decorator:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">SetMetadata</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Role</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./roles.enum</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">Roles</span> <span class="o">=</span> <span class="p">(...</span><span class="nx">roles</span><span class="p">:</span> <span class="nx">Role</span><span class="p">[])</span> <span class="o">=&gt;</span> <span class="nc">SetMetadata</span><span class="p">(</span><span class="dl">'</span><span class="s1">roles</span><span class="dl">'</span><span class="p">,</span> <span class="nx">roles</span><span class="p">);</span> </code></pre> </div> <h4> 5. Apply the Roles Guard Globally or Locally </h4> <p>To make the <code>RolesGuard</code> active, you can apply it globally or locally. For global application, add it to your <code>AppModule</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Module</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">APP_GUARD</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">RolesGuard</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./roles.guard</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Module</span><span class="p">({</span> <span class="na">providers</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">provide</span><span class="p">:</span> <span class="nx">APP_GUARD</span><span class="p">,</span> <span class="na">useClass</span><span class="p">:</span> <span class="nx">RolesGuard</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AppModule</span> <span class="p">{}</span> </code></pre> </div> <p>For local application, use it in specific controllers or methods:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Controller</span><span class="p">,</span> <span class="nx">Get</span><span class="p">,</span> <span class="nx">UseGuards</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Roles</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./roles.decorator</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">RolesGuard</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./roles.guard</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Role</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./roles.enum</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Controller</span><span class="p">(</span><span class="dl">'</span><span class="s1">resources</span><span class="dl">'</span><span class="p">)</span> <span class="p">@</span><span class="nd">UseGuards</span><span class="p">(</span><span class="nx">RolesGuard</span><span class="p">)</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">ResourcesController</span> <span class="p">{</span> <span class="p">@</span><span class="nd">Get</span><span class="p">()</span> <span class="p">@</span><span class="nd">Roles</span><span class="p">(</span><span class="nx">Role</span><span class="p">.</span><span class="nx">Admin</span><span class="p">,</span> <span class="nx">Role</span><span class="p">.</span><span class="nx">User</span><span class="p">)</span> <span class="nf">findAll</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">This endpoint is accessible to Admins and Users.</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> 6. Authenticate Users </h4> <p>To identify a user’s roles, ensure your authentication process adds the roles to the <code>user</code> object in the request. This often involves decoding a JWT or using a session store.</p> <h4> Example Authentication Middleware </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Injectable</span><span class="p">,</span> <span class="nx">NestMiddleware</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">NextFunction</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AuthMiddleware</span> <span class="k">implements</span> <span class="nx">NestMiddleware</span> <span class="p">{</span> <span class="nf">use</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">next</span><span class="p">:</span> <span class="nx">NextFunction</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">authorization</span><span class="dl">'</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">decodeToken</span><span class="p">(</span><span class="nx">token</span><span class="p">);</span> <span class="c1">// Implement JWT decoding</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">;</span> <span class="p">}</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">decodeToken</span><span class="p">(</span><span class="nx">token</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">any</span> <span class="p">{</span> <span class="c1">// Logic to decode JWT and retrieve user data</span> <span class="k">return</span> <span class="p">{</span> <span class="na">roles</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">]</span> <span class="p">};</span> <span class="c1">// Example decoded payload</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Testing the Implementation </h3> <p>Start your application and test endpoints with users of different roles. Ensure each user can access only what their role permits.</p> <h4> Example Requests </h4> <ul> <li> <strong>Admin User</strong>: Should access all routes.</li> <li> <strong>Regular User</strong>: Should access user-specific routes.</li> <li> <strong>Guest</strong>: Should be restricted to public routes.</li> </ul> <h3> Conclusion </h3> <p>Role-based authorization in NestJS is clean and efficient thanks to decorators, guards, and the framework’s modularity. By following the steps above, you can secure your application while maintaining flexibility and scalability.</p> <p>For more complex scenarios, consider integrating with external libraries like <strong>Casl</strong> or implementing attribute-based access control (ABAC).</p> webdev backend nestjs typescript