DEV Community: Rosa

Stop Showing Your Database Schema to the World: A Better Way to Handle Errors in Express + Prisma

Rosa — Sat, 19 Jul 2025 11:52:25 +0000

So I was working on this side project, and I realized something embarrassing: my API was basically broadcasting my entire database structure to anyone who sent a malformed request.

You know that moment when you're testing your endpoint and you get back something like this?

{
  "error": "PrismaClientKnownRequestError: \nInvalid `prisma.user.create()` invocation:\n\n{\n  data: {\n    email: \"user@example.com\",\n           ~~~~~~~~~~~~~~~~~~\n    name: \"User\"\n  }\n}\n\nUnique constraint failed on the fields: (`email`)"
}

That's not just ugly—it's a security nightmare. It is basically handing over your database blueprint to anyone who hits your endpoints.

What I really wanted was something clean like this:

{
  "status": "fail",
  "message": "Duplicate value found for email. Please use a different value."
}

Much better, right?

The Usual Tutorial Problem

Here's the thing about most Express tutorials: they show you the happy path. But real apps? They're chaos. Users send garbage data, your database goes down, network requests fail.
Without proper error handling, you're basically coding blindfolded.

My Solution: Error Translation Layer

Instead of trying to catch every possible error, I built a translation layer. Think of it as a bouncer for your errors—it takes the messy backend stuff and turns it into something your frontend can actually use.

Let me show you how I did it.

Setting Up the Project

First, we need a project that can actually break in interesting ways. I'm using Express with Prisma and SQLite because they generate the kind of detailed errors that make this demonstration worthwhile.

mkdir global-error-handling
cd global-error-handling
npm init -y

Install the essentials:

# Core dependencies
npm install express cors helmet dotenv @prisma/client

# Development tools
npm install -D typescript @types/express @types/node nodemon ts-node prisma

TypeScript Configuration

Create tsconfig.json:

{
  "compilerOptions": {
    "target": "ES2020",
    "lib": ["ES2020"],
    "module": "commonjs",
    "rootDir": "./src",
    "resolveJsonModule": true,
    "declaration": true,
    "declarationMap": true,
    "sourceMap": true,
    "outDir": "./dist",
    "esModuleInterop": true,
    "forceConsistentCasingInFileNames": true,
    "strict": true,
    "skipLibCheck": true
  },
  "include": ["src/**/*"],
  "exclude": ["node_modules", "dist"]
}

Package.json Scripts

Update your package.json scripts section:

{
  "scripts": {
    "dev": "nodemon src/server.ts",
    "build": "tsc",
    "start": "node dist/server.js",
    "db:generate": "prisma generate",
    "db:push": "prisma db push",
    "db:studio": "prisma studio"
  }
}

Database Setup with Prisma

Initialize Prisma:

npx prisma init --datasource-provider sqlite

Create your database schema in prisma/schema.prisma:

generator client {
  provider = "prisma-client-js"
}

datasource db {
  provider = "sqlite"
  url      = "file:./dev.db"
}

model User {
  id        Int      @id @default(autoincrement())
  email     String   @unique
  name      String?
  posts     Post[]
  createdAt DateTime @default(now())
  updatedAt DateTime @updatedAt
}

model Post {
  id        Int      @id @default(autoincrement())
  title     String
  content   String?
  published Boolean  @default(false)
  author    User     @relation(fields: [authorId], references: [id], onDelete: Cascade)
  authorId  Int
  createdAt DateTime @default(now())
  updatedAt DateTime @updatedAt
}

Generate the Prisma client and push the schema:

npm run db:generate
npm run db:push

Building the Error Handling System

Now, let's build our error handling system. Create the src directory and start with our utility classes.

Creating a Custom Error Class

// src/utils/appError.ts
class AppError extends Error {
  statusCode: number;
  status: "fail" | "error";
  isOperational: boolean;

  constructor(message: string, statusCode: number) {
    super(message);
    this.statusCode = statusCode;
    this.status = `${statusCode}`.startsWith("4")
      ? "fail"
      : "error";
    this.isOperational = true;
    this.message = message;

    Error.captureStackTrace(this, this.constructor);
  }
}

export default AppError;

Eliminating Try-Catch Hell

// src/utils/catchAsync.ts
import { Request, Response, NextFunction } from 'express';

const catchAsync = (
  fn: (req: Request, res: Response, next: NextFunction) => Promise<unknown>,
) => {
  return (req: Request, res: Response, next: NextFunction) => {
    fn(req, res, next).catch((err) => next(err));
  };
};

export default catchAsync;

The Main Event: Global Error Handler

This is where the magic happens. Express lets you define a global error handler that catches everything:

// src/middleware/errorHandler.ts
import { NextFunction, Request, Response } from "express";
import {
  PrismaClientKnownRequestError,
  PrismaClientValidationError,
  PrismaClientInitializationError,
  PrismaClientRustPanicError,
} from "@prisma/client/runtime/library";
import AppError from "../utils/appError";

interface ErrorWithCode extends Error {
  code?: string;
  statusCode?: number;
  status?: string;
  isOperational?: boolean;
}

const handlePrismaValidationError = (
  err: PrismaClientValidationError
): AppError => {
  return new AppError(
    "Invalid input data. Please check your request.",
    400
  );
};

const handlePrismaKnownError = (
  err: PrismaClientKnownRequestError
): AppError => {
  const errorMap: Record<string, () => AppError> = {
    P2002: () => {
      const field =
        (err.meta?.target as string[])?.join(", ") ||
        "field";
      return new AppError(
        `Duplicate value found for ${field}. Please use a different value.`,
        409
      );
    },
    P2003: () => {
      const field =
        (err.meta?.field_name as string) ||
        (err.meta?.target as string) ||
        "unknown field";
      return new AppError(
        `Invalid reference for field: ${field}`,
        400
      );
    },
    P2025: () => new AppError("Record not found.", 404),
    P2021: () =>
      new AppError("The table does not exist.", 500),
    P2022: () =>
      new AppError("The column does not exist.", 500),
  };

  return (
    errorMap[err.code]?.() ||
    new AppError("Database error occurred.", 500)
  );
};

const handlePrismaInitializationError = (
  err: PrismaClientInitializationError
): AppError => {
  return new AppError(
    "Database connection failed. Please try again later.",
    500
  );
};

const handlePrismaRustPanicError = (
  err: PrismaClientRustPanicError
): AppError => {
  return new AppError(
    "Critical database error occurred. Please try again.",
    500
  );
};

// Development error response
const sendErrorDev = (
  err: ErrorWithCode,
  res: Response
): void => {
  res.status(err.statusCode || 500).json({
    status: err.status,
    message: err.message,
    error: err,
    stack: err.stack,
  });
};

// Production error response
const sendErrorProd = (
  err: ErrorWithCode,
  res: Response
): void => {
  if (err.isOperational) {
    res.status(err.statusCode || 500).json({
      status: err.status,
      message: err.message,
    });
  } else {
    res.status(500).json({
      status: "error",
      message: "Something went wrong!",
    });
  }
};

// Global error handling middleware
const globalErrorHandler = (
  err: ErrorWithCode,
  req: Request,
  res: Response,
  next: NextFunction
): void => {
  err.statusCode = err.statusCode || 500;
  err.status = err.status || "error";

  const isDev = process.env.NODE_ENV === "development";
  let error = err;

  if (err instanceof PrismaClientValidationError) {
    error = handlePrismaValidationError(err);
  } else if (err instanceof PrismaClientKnownRequestError) {
    error = handlePrismaKnownError(err);
  } else if (
    err instanceof PrismaClientInitializationError
  ) {
    error = handlePrismaInitializationError(err);
  } else if (err instanceof PrismaClientRustPanicError) {
    error = handlePrismaRustPanicError(err);
  }

  if (isDev) {
    sendErrorDev(error, res);
  } else {
    sendErrorProd(error, res);
  }
};

export default globalErrorHandler;

The key insight here is the two-environment approach. During development, you want to see everything—stack traces, error objects, the full disaster. In production, you want clean, professional responses that don't leak implementation details.

Building Routes That Actually Break

Let's create some routes that demonstrate different error scenarios:

// src/routes/users.ts
import { Router, Request, Response } from "express";
import { PrismaClient } from "@prisma/client";

import AppError from "../utils/appError";
import catchAsync from "../utils/catchAsync";

const router = Router();
const prisma = new PrismaClient();

router.get(
  "/:id",
  catchAsync(async (req: Request, res: Response) => {
    const { id } = req.params;

    const user = await prisma.user.findUnique({
      where: { id: parseInt(id) },
      include: {
        posts: true,
      },
    });

    if (!user) {
      throw new AppError("User not found", 404);
    }

    res.status(200).json({
      status: "success",
      data: { user },
    });
  })
);

router.post(
  "/",
  catchAsync(async (req: Request, res: Response) => {
    const { email, name } = req.body;

    if (!email) {
      throw new AppError("Email is required", 400);
    }

    // This will trigger Prisma P2002 error if email already exists
    const user = await prisma.user.create({
      data: {
        email,
        name,
      },
    });

    res.status(201).json({
      status: "success",
      data: { user },
    });
  })
);

router.post(
  "/:id/posts",
  catchAsync(async (req: Request, res: Response) => {
    const { id } = req.params;
    const { title, content } = req.body;

    if (!title) {
      throw new AppError("Title is required", 400);
    }

    // This will trigger Prisma P2003 error if user doesn't exist
    const post = await prisma.post.create({
      data: {
        title,
        content,
        authorId: parseInt(id),
      },
    });

    res.status(201).json({
      status: "success",
      data: { post },
    });
  })
);

router.delete(
  "/:id",
  catchAsync(async (req: Request, res: Response) => {
    const { id } = req.params;

    // This will trigger Prisma P2025 error if user doesn't exist
    await prisma.user.delete({
      where: { id: parseInt(id) },
    });

    res.status(204).json({
      status: "success",
      data: null,
    });
  })
);

export default router;

Putting It All Together

// src/app.ts
import express from "express";
import cors from "cors";
import helmet from "helmet";
import AppError from "./utils/appError";
import globalErrorHandler from "./middleware/errorHandler";
import userRoutes from "./routes/users";

const app = express();

// Basic middleware
app.use(helmet()); 
app.use(cors());
app.use(express.json({ limit: "10kb" })); 

// API routes
app.use("/api/users", userRoutes);

// Catch undefined routes
app.all("*", (req, res, next) => {
  next(
    new AppError(
      `Can't find ${req.originalUrl} on this server`,
      404
    )
  );
});

// Global error handler (must be last!)
app.use(globalErrorHandler);

export default app;

Server Setup with Process Handling

// src/server.ts
import { PrismaClient } from "@prisma/client";
import dotenv from "dotenv";
import app from "./app";

dotenv.config();

const prisma = new PrismaClient();
const port = process.env.PORT || 3000;

/**
 * Handle uncaught exceptions
 * These are synchronous errors that occur outside of Express
 */
process.on("uncaughtException", (err: Error) => {
  console.log("💥 UNCAUGHT EXCEPTION! Shutting down...");
  console.log(err.name, err.message);
  process.exit(1);
});

/**
 * Start the server
 */
async function startServer() {
  try {
    // Connect to database
    await prisma.$connect();
    console.log("Database connected successfully");

    // Start Express server
    const server = app.listen(port, () => {
      console.log(`Server running on port ${port}`);
    });

    /**
     * Handle unhandled promise rejections
     * These are async errors that aren't caught anywhere
     */
    process.on("unhandledRejection", (err: Error) => {
      console.log(
        "💥 UNHANDLED REJECTION! Shutting down..."
      );
      console.log(err.name, err.message);

      server.close(() => {
        process.exit(1);
      });
    });

    /**
     * Graceful shutdown on SIGTERM
     */
    process.on("SIGTERM", async () => {
      console.log(
        "SIGTERM received. Shutting down gracefully..."
      );

      await prisma.$disconnect();
      server.close(() => {
        console.log("Process terminated");
      });
    });
  } catch (error) {
    console.error("Failed to start server:", error);
    await prisma.$disconnect();
    process.exit(1);
  }
}

startServer();

Running the Application

Create a .env file:

NODE_ENV=development
PORT=3000

Start the development server:

npm run dev

Testing The System

To test our error handling system, create an api.http file in your project root. This file works with the REST Client extension in VS Code, making it easy to test your API endpoints.

Create api.http:

## 1. SUCCESS CASES (To Setup Test Data)

### Create first user (SUCCESS)
POST http://localhost:3000/api/users
Content-Type: application/json

{
  "email": "user1@example.com",
  "name": "user1"
}

## 2. PRISMA ERROR TESTING

### P2002 - Unique Constraint Violation (Duplicate Email)
### This will trigger the global error handler for duplicate emails
POST http://localhost:3000/api/users
Content-Type: application/json

{
  "email": "user1@example.com",
  "name": "Another user1"
}

### P2003 - Foreign Key Constraint Violation (Invalid User ID)
### This will trigger the global error handler for invalid foreign key
POST http://localhost:3000/api/users/999/posts
Content-Type: application/json

{
  "title": "Post with Invalid User",
  "content": "This should fail because user 999 doesn't exist"
}

### P2025 - Record Not Found (Delete Non-existent User)
### This will trigger the global error handler for record not found
DELETE http://localhost:3000/api/users/999

## 3. VALIDATION ERRORS 

### Missing required email field
POST http://localhost:3000/api/users
Content-Type: application/json

{
  "name": "User Without Email"
}

### Missing required title field for post
POST http://localhost:3000/api/users/1/posts
Content-Type: application/json

{
  "content": "Post without title"
}

### 4. MALFORMED REQUEST ERRORS

### Invalid JSON (will trigger Express JSON parser error)
POST http://localhost:3000/api/users
Content-Type: application/json

{
  "email": "test@example.com"
  "name": "Invalid JSON" // Missing comma
}

To test both environments:

Run tests with NODE_ENV=development (default)
Change to NODE_ENV=production in your .env file and restart the server
Run the same tests to see the difference in error responses

What This Gets You

With this setup, you get:

Consistent error responses across your entire API
User-friendly messages instead of database internals
Appropriate detail levels for dev vs production
Clean route handlers without try-catch hell
Proper HTTP status codes for different error types

The best part? Once you set this up, you barely think about it. Your routes stay clean, your users get helpful error messages, and you sleep better knowing your database schema isn't being broadcast to the internet.

NestJS Authentication Tutorial - Part 2: JWT Authentication & Email Verification

Rosa — Mon, 14 Jul 2025 09:38:08 +0000

This is part 2 of a 2-part series on building production-ready authentication in NestJS. If you haven't read Part 1: Foundation & Setup, start there first - we'll be building on the foundation established in that part.

Okay, so you've got the foundation from Part 1. Now comes the fun part – actually making people log in and not letting random strangers mess with your app.

The Authentication Flow I Actually Built

After fighting with authentication for way too long, here's what I finally got working:

Sign up (but can't do anything until they verify email)
Get an email verification link (printed to console for now, because I'm not setting up SMTP in this tutorial)
Verify their email and automatically log in
Login normally after that
Update their password without breaking everything
Log out properly

The system uses HTTP-only cookies for the JWT tokens.

Setting Up the Data Structures

First, I need to define what the authentication inputs and outputs look like:

// src/auth/dto/signup.input.ts
import { Field, InputType } from '@nestjs/graphql';
import { IsEmail, IsNotEmpty, MinLength, IsString } from 'class-validator';

@InputType()
export class SignupInput {
  @Field()
  @IsString()
  @IsNotEmpty()
  name: string;

  @Field()
  @IsEmail()
  @IsNotEmpty()
  email: string;

  @Field()
  @IsNotEmpty()
  @MinLength(8)
  password: string;

  @Field()
  @IsNotEmpty()
  @MinLength(8)
  passwordConfirm: string;
}

// src/auth/dto/login.input.ts
import { Field, InputType } from '@nestjs/graphql';
import { IsEmail, IsNotEmpty } from 'class-validator';

@InputType()
export class LoginInput {
  @Field()
  @IsEmail()
  @IsNotEmpty()
  email: string;

  @Field()
  @IsNotEmpty()
  password: string;
}

// src/auth/dto/update-password.input.ts
import { IsString, MinLength, IsNotEmpty } from 'class-validator';
import { InputType, Field } from '@nestjs/graphql';

@InputType()
export class UpdatePasswordInput {
  @Field()
  @IsString()
  @IsNotEmpty({ message: 'Current password is required' })
  currentPassword: string;

  @Field()
  @IsString()
  @MinLength(8, { message: 'Password must be at least 8 characters long' })
  password: string;

  @Field()
  @IsString()
  @IsNotEmpty({ message: 'Password confirmation is required' })
  passwordConfirm: string;
}

For the responses, I keep it simple:

// src/auth/dto/auth-response.dto.ts
import { Field, ObjectType } from '@nestjs/graphql';
import { User } from 'src/user/user.entity';

@ObjectType()
export class AuthResponse {
  @Field(() => User)
  user: User;
}

// src/auth/dto/signup-response.dto.ts
import { Field, ObjectType } from '@nestjs/graphql';

@ObjectType()
export class SignupResponse {
  @Field()
  message: string;
}

Notice I'm not returning the JWT token in the GraphQL response? That's because it's going straight into an HTTP-only cookie where JavaScript can't touch it.

The Authentication Service

This is where I spent most of my time debugging weird edge cases. The AuthService handles the entire authentication flow:

// src/auth/auth.service.ts
import {
  Injectable,
  UnauthorizedException,
  BadRequestException,
} from '@nestjs/common';
import { JwtService } from '@nestjs/jwt';
import { SignupInput } from './dto/signup.input';
import { LoginInput } from './dto/login.input';
import { PasswordService } from './password.service';
import { UserService } from 'src/user/user.service';
import { User } from 'src/user/user.entity';
import { UpdatePasswordInput } from './dto/update-password.input';

interface VerificationTokenPayload {
  email: string;
  sub: string;
  iat?: number;
  exp?: number;
}

@Injectable()
export class AuthService {
  constructor(
    private usersService: UserService,
    private jwtService: JwtService,
    private passwordService: PasswordService,
  ) {}

  async signup(
    signupInput: SignupInput,
  ): Promise<{ message: string; verificationToken?: string }> {
    // Check passwords match - doing this first saves a database call
    if (signupInput.password !== signupInput.passwordConfirm) {
      throw new BadRequestException('Passwords do not match');
    }

    const existingUser = await this.usersService.findByEmail(signupInput.email);
    if (existingUser) {
      throw new BadRequestException('Email already in use');
    }

    // Give them 15 minutes to verify their email
    const expiresDate = new Date();
    expiresDate.setMinutes(expiresDate.getMinutes() + 15);

    const user = await this.usersService.create({
      name: signupInput.name,
      email: signupInput.email,
      password: signupInput.password,
      isEmailVerified: false,
      emailVerificationExpires: expiresDate,
    });

    // Generate verification token (short-lived)
    const verificationToken = this.generateVerificationToken(user);

    // In real life, you'd send this via email service
    // For now, just log it so you can test
    console.log(`Verification token for ${user.email}: ${verificationToken}`);

    return { message: 'Please check your email for verification link' };
  }

  async verifyEmail(token: string): Promise<{ token: string; user: User }> {
    try {
      const decoded = this.jwtService.verify<VerificationTokenPayload>(token);
      const user = await this.usersService.findById(decoded.sub);

      if (!user) {
        throw new UnauthorizedException('Invalid token');
      }

      // Check if already verified
      if (user.isEmailVerified) {
        throw new BadRequestException('Email already verified');
      }

      // Check if verification expired
      if (
        user.emailVerificationExpires &&
        user.emailVerificationExpires < new Date()
      ) {
        // Clean up the unverified user account
        await this.usersService.remove(user.id);
        throw new UnauthorizedException(
          'Verification link has expired. Please sign up again.',
        );
      }

      // Mark email as verified
      await this.usersService.updateEmailVerification({
        userId: user.id,
        isEmailVerified: true,
        emailVerificationExpires: null,
      });

      // Get updated user and generate access token
      const updatedUser = await this.usersService.findById(user.id);
      const accessToken = this.generateToken(updatedUser);

      return { token: accessToken, user: updatedUser };
    } catch {
      throw new UnauthorizedException('Invalid or expired verification token');
    }
  }

  async login(loginInput: LoginInput): Promise<{ token: string; user: User }> {
    const user = await this.usersService.findByEmail(loginInput.email);
    if (!user) {
      // Same error message whether email exists or not (prevents email enumeration)
      throw new UnauthorizedException('Invalid email or password');
    }

    // Verify password using PasswordService
    const isPasswordValid = await this.passwordService.verify(
      loginInput.password,
      user.password,
    );

    if (!isPasswordValid) {
      throw new UnauthorizedException('Invalid email or password');
    }

    // Don't let unverified users log in
    if (!user.isEmailVerified) {
      throw new UnauthorizedException(
        'Email not verified. Please verify your email before logging in.',
      );
    }

    // All good - generate token
    const token = this.generateToken(user);

    return { token, user };
  }

  async updatePassword(
    userId: string,
    updatePasswordInput: UpdatePasswordInput,
  ): Promise<{ token: string; user: User }> {
    const user = await this.usersService.findById(userId);

    // Check if current password is correct using PasswordService
    const isCurrentPasswordValid = await this.passwordService.verify(
      updatePasswordInput.currentPassword,
      user.password,
    );

    if (!isCurrentPasswordValid) {
      throw new BadRequestException('Current password is incorrect');
    }

    // Check if new passwords match
    if (updatePasswordInput.password !== updatePasswordInput.passwordConfirm) {
      throw new BadRequestException('Passwords do not match');
    }

    // Update password - hashing handled by UsersService
    await this.usersService.update(userId, {
      password: updatePasswordInput.password,
    });

    const updatedUser = await this.usersService.findById(userId);

    const token = this.generateToken(updatedUser);

    return { token, user: updatedUser };
  }

  private generateToken(user: User): string {
    const payload = { email: user.email, sub: user.id, roles: user.roles };
    return this.jwtService.sign(payload);
  }

  private generateVerificationToken(user: User): string {
    const payload = { email: user.email, sub: user.id };

    // Verification tokens are short-lived
    return this.jwtService.sign(payload, {
      expiresIn: '15m',
    });
  }
}

The key insight here is that I use two different token types: short-lived verification tokens and longer-lived access tokens.

Also notice how I clean up expired user registrations automatically. If someone signs up but doesn't verify their email in time, their account gets deleted when they try to use the expired token. This prevents the database from filling up with junk accounts.

Decorators

These decorators make the code way cleaner and easier to read:

// src/auth/decorators/public.decorator.ts
import { SetMetadata } from '@nestjs/common';

export const IS_PUBLIC_KEY = 'isPublic';
export const Public = () => SetMetadata(IS_PUBLIC_KEY, true);

// src/auth/decorators/roles.decorator.ts
import { SetMetadata } from '@nestjs/common';
import { Role } from 'src/user/role.enum';

export const ROLES_KEY = 'roles';
export const Roles = (...roles: Role[]) => SetMetadata(ROLES_KEY, roles);

// src/auth/decorators/current-user.decorator.ts
import { createParamDecorator, ExecutionContext } from '@nestjs/common';
import { GqlExecutionContext } from '@nestjs/graphql';
import { Request } from 'express';
import { User } from 'src/user/user.entity';

interface GqlContext {
  req: Request;
}

export const CurrentUser = createParamDecorator(
  (data: unknown, context: ExecutionContext) => {
    const ctx = GqlExecutionContext.create(context);
    const gqlContext = ctx.getContext<GqlContext>();
    return gqlContext.req.user as User;
  },
);

Now I can use @CurrentUser() to get the authenticated user in any resolver. Much cleaner than manually extracting it from the context every time.

Guards and Strategies

Here's where things get interesting. Guards are like bouncers for your app - they decide who gets in and who doesn't. But understanding how they work took me way too long, so let me break it down properly.

JWT Strategy (Getting Tokens from Cookies)

// src/auth/strategies/jwt.strategy.ts
import { Injectable, UnauthorizedException } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { Strategy } from 'passport-jwt';

import { TypedConfigService } from 'src/config/typed-config.service';
import { AuthConfig } from 'src/config/auth.config';
import { RequestWithCookies } from 'src/types/express';
import { UserService } from 'src/user/user.service';
import { Role } from 'src/user/role.enum';

interface JwtPayload {
  sub: string;
  email: string;
  roles?: Role[];
  iat?: number;
  exp?: number;
}

@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
  constructor(
    private readonly config: TypedConfigService,
    private readonly usersService: UserService,
  ) {
    const auth = config.get<AuthConfig>('auth');

    if (!auth) {
      throw new Error('Auth config not found');
    }

    const jwtFromRequest = (req: RequestWithCookies) => {
      if (req.cookies?.airbnbCloneJWT) {
        return req.cookies.airbnbCloneJWT;
      }
    };

    super({
      jwtFromRequest,
      ignoreExpiration: false,
      secretOrKey: auth.jwt.secret,
    });
  }

  async validate(payload: JwtPayload) {
    const user = await this.usersService.findById(payload.sub);
    if (!user) {
      throw new UnauthorizedException('User no longer exists');
    }
    return user;
  }
}

The Main Auth Guard (Your App's Default Security)

// src/auth/guards/auth.guard.ts
import { ExecutionContext, Injectable } from '@nestjs/common';
import { Reflector } from '@nestjs/core';
import { GqlExecutionContext } from '@nestjs/graphql';
import { AuthGuard } from '@nestjs/passport';
import { Request } from 'express';
import { IS_PUBLIC_KEY } from '../decorators/public.decorator';

interface GqlContext {
  req: Request;
}

@Injectable()
export class GqlAuthGuard extends AuthGuard('jwt') {
  constructor(private reflector: Reflector) {
    super();
  }

  canActivate(context: ExecutionContext) {
    const isPublic = this.reflector.getAllAndOverride<boolean>(IS_PUBLIC_KEY, [
      context.getHandler(),
      context.getClass(),
    ]);

    if (isPublic) {
      return true;
    }

    return super.canActivate(context);
  }

  getRequest(context: ExecutionContext) {
    const ctx = GqlExecutionContext.create(context);
    const gqlContext = ctx.getContext<GqlContext>();
    return gqlContext.req;
  }
}

Here's the important part that confused me for hours: This guard is applied globally (you'll see how in the module setup). That means every single GraphQL operation requires authentication by default.

Want a route to be public? You have to explicitly mark it with @Public(). It's way more secure - you can't accidentally forget to protect a route.

Role-Based Access Guard (For Admin Stuff)

// src/auth/guards/roles.guard.ts
import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
import { Reflector } from '@nestjs/core';
import { GqlExecutionContext } from '@nestjs/graphql';
import { ROLES_KEY } from '../decorators/roles.decorator';
import { Role } from 'src/user/role.enum';
import { GqlContext } from 'src/types/express';

@Injectable()
export class RolesGuard implements CanActivate {
  constructor(private reflector: Reflector) {}

  canActivate(context: ExecutionContext): boolean {
    const requiredRoles = this.reflector.getAllAndOverride<Role[]>(ROLES_KEY, [
      context.getHandler(),
      context.getClass(),
    ]);

    if (!requiredRoles) {
      return true;
    }

    const ctx = GqlExecutionContext.create(context);
    const gqlContext = ctx.getContext<GqlContext>();

    const req = gqlContext.req;
    const user = req.user;

    if (!user) {
      return false;
    }

    return requiredRoles.some((role) => user.roles?.includes(role));
  }
}

This guard is also applied globally, but it only kicks in when you use the @Roles() decorator. Here's how you'd use it:

@Roles(Role.ADMIN)
@Query(() => [User])
async getAllUsers(): Promise<User[]> {
// Only admins can access this
  return this.usersService.findAll();
}

The guard checks if the user has at least one of the required roles. If they don't, they get rejected.

Email Verification Guard (For Verified Users Only)

// src/auth/guards/verified-email.guard.ts
import {
  Injectable,
  CanActivate,
  ExecutionContext,
  UnauthorizedException,
} from '@nestjs/common';
import { GqlExecutionContext } from '@nestjs/graphql';
import { GqlContext } from 'src/types/express';

@Injectable()
export class VerifiedEmailGuard implements CanActivate {
  canActivate(context: ExecutionContext): boolean {
    const ctx = GqlExecutionContext.create(context);
    const gqlContext = ctx.getContext<GqlContext>();

    const req = gqlContext.req;
    const user = req.user;

    if (!user) {
      return false;
    }

    if (!user.isEmailVerified) {
      throw new UnauthorizedException('Email not verified');
    }

    return true;
  }
}

This one is not applied globally. You use it on specific routes where you want to make sure the user has verified their email:

@UseGuards(VerifiedEmailGuard)
@Mutation(() => AuthResponse)
async updatePassword(
  @CurrentUser() user: User,
  @Args('updatePasswordInput') updatePasswordInput: UpdatePasswordInput,
): Promise<AuthResponse> {
// Only verified users can change their password
}

Cookie Management

Managing cookies securely is more complex than it should be:

// src/auth/utils/token.utils.ts
import { Injectable } from '@nestjs/common';
import { Response } from 'express';

import { ConfigService } from '@nestjs/config';
import { User } from 'src/user/user.entity';

@Injectable()
export class TokenUtils {
  constructor(private configService: ConfigService) {}

  setCookieToken(res: Response, token: string): void {
    const cookieExpiresInDays = parseInt(
      this.configService.get('JWT_COOKIE_EXPIRES_IN') || '7',
      10,
    );

    const cookieOptions = {
      expires: new Date(Date.now() + cookieExpiresInDays * 24 * 60 * 60 * 1000),
      httpOnly: true,
      secure: this.configService.get('NODE_ENV') === 'production',
      path: '/',
    };

    res.cookie('airbnbCloneJWT', token, cookieOptions);
  }

  createSendToken(
    user: User,
    statusCode: number,
    res: Response,
    token: string,
  ): any {
    this.setCookieToken(res, token);

    const userResponse = { ...user } as Partial<User>;
    delete userResponse.password;

    return {
      user: userResponse,
    };
  }
}

The security options here are crucial:

httpOnly: Prevents XSS attacks by making the cookie inaccessible to JavaScript
secure: Only sends cookie over HTTPS in production
path: '/': Makes cookie available to all routes

The GraphQL Resolver (Where It All Comes Together)

Finally, the resolver that ties everything together:

// src/auth/auth.resolver.ts
import { Resolver, Mutation, Args, Context } from '@nestjs/graphql';
import { AuthService } from './auth.service';
import { AuthResponse } from './dto/auth-response.dto';
import { SignupInput } from './dto/signup.input';
import { LoginInput } from './dto/login.input';
import { SignupResponse } from './dto/signup-response.dto';
import { TokenUtils } from './utils/token.utils';
import { Public } from './decorators/public.decorator';
import { GqlContext } from 'src/types/express';
import { CurrentUser } from './decorators/current-user.decorator';
import { UseGuards } from '@nestjs/common';
import { User } from 'src/user/user.entity';
import { VerifiedEmailGuard } from './guards/verified-email.guard';
import { UpdatePasswordInput } from './dto/update-password.input';

@Resolver()
export class AuthResolver {
  constructor(
    private readonly authService: AuthService,
    private readonly tokenUtils: TokenUtils,
  ) {}

  @Public()
  @Mutation(() => SignupResponse)
  async signup(
    @Args('signupInput') signupInput: SignupInput,
  ): Promise<SignupResponse> {
    return this.authService.signup(signupInput);
  }

  @Public()
  @Mutation(() => AuthResponse)
  async verifyEmail(
    @Args('token') token: string,
    @Context() context: GqlContext,
  ): Promise<AuthResponse> {
    const { token: authToken, user } =
      await this.authService.verifyEmail(token);

    // Set the token in an HTTP-only cookie only
    this.tokenUtils.setCookieToken(context.res, authToken);

    return { user };
  }

  @Public()
  @Mutation(() => AuthResponse)
  async login(
    @Args('loginInput') loginInput: LoginInput,
    @Context() { res }: GqlContext,
  ): Promise<AuthResponse> {
    const { token, user } = await this.authService.login(loginInput);

    // Set the token in an HTTP-only cookie only
    this.tokenUtils.setCookieToken(res, token);

    return { user };
  }

  @Mutation(() => AuthResponse)
  @UseGuards(VerifiedEmailGuard)
  async updatePassword(
    @CurrentUser() user: User,
    @Args('updatePasswordInput') updatePasswordInput: UpdatePasswordInput,
    @Context() context: GqlContext,
  ): Promise<AuthResponse> {
    const result = await this.authService.updatePassword(
      user.id,
      updatePasswordInput,
    );

    // Set the new token in an HTTP-only cookie only
    this.tokenUtils.setCookieToken(context.res, result.token);

    return { user: result.user };
  }

  @Mutation(() => Boolean)
  // eslint-disable-next-line @typescript-eslint/require-await
  async logout(@Context() context: GqlContext): Promise<boolean> {
    // Clear the cookie with secure options
    context.res.clearCookie('airbnbCloneJWT', {
      httpOnly: true,
      secure: process.env.NODE_ENV === 'production',
      path: '/',
    });
    return true;
  }
}

Notice how the public mutations use @Public() decorator, while updatePassword requires a verified email with @UseGuards(VerifiedEmailGuard).

Also, I generate a new JWT after password updates since the user's credentials changed. This invalidates any other active sessions.

Wiring It All Together

Finally, the AuthModule that makes everything work:

// src/auth/auth.module.ts
import { Module, forwardRef } from '@nestjs/common';
import { JwtModule } from '@nestjs/jwt';
import { PassportModule } from '@nestjs/passport';
import { ConfigModule, ConfigService } from '@nestjs/config';
import { AuthService } from './auth.service';
import { AuthResolver } from './auth.resolver';
import { JwtStrategy } from './strategies/jwt.strategy';
import { PasswordService } from './password.service';
import { TypedConfigService } from 'src/config/typed-config.service';
import { AuthConfig } from 'src/config/auth.config';
import { RolesGuard } from './guards/roles.guard';
import { APP_GUARD } from '@nestjs/core';
import { GqlAuthGuard } from './guards/auth.guard';
import { VerifiedEmailGuard } from './guards/verified-email.guard';
import { TokenUtils } from './utils/token.utils';
import { UserModule } from 'src/user/user.module';

@Module({
  imports: [
    forwardRef(() => UserModule),
    PassportModule,
    JwtModule.registerAsync({
      imports: [ConfigModule],
      inject: [ConfigService],
      useFactory: (config: TypedConfigService) => ({
        secret: config.get<AuthConfig>('auth')?.jwt.secret,
        signOptions: {
          expiresIn: config.get<AuthConfig>('auth')?.jwt.expiresIn,
        },
      }),
    }),
  ],
  providers: [
    AuthResolver,
    AuthService,
    JwtStrategy,
    PasswordService,
    RolesGuard,
    GqlAuthGuard,
    VerifiedEmailGuard,
    TokenUtils,
    {
      provide: APP_GUARD,
      useClass: GqlAuthGuard,
    },
    {
      provide: APP_GUARD,
      useClass: RolesGuard,
    },
    {
      provide: TypedConfigService,
      useExisting: ConfigService,
    },
  ],
  exports: [AuthService, PasswordService, TokenUtils],
})
export class AuthModule {}

The APP_GUARD providers make authentication required by default for all GraphQL operations. Routes need to be explicitly marked as @Public() to bypass authentication.

Testing It Out

Start your app and try the flow:

Signup: Creates an unverified user and prints a verification link
Email Verification: Click the link (or paste token in GraphQL playground) to verify and auto-login
Login: Regular login for verified users
Protected Operations: Try accessing user data - should work once authenticated
Logout: Clears the authentication cookie

The authentication state persists across browser sessions thanks to the secure HTTP-only cookies.

What I Learned

Cookie security matters
Error messages should be vague: Don't leak information about which emails exist in your system
Email verification cleanup is essential
GraphQL context is different: You need custom guards and extractors for GraphQL vs REST

Next Steps

This authentication system is production-ready, but there are some features you might want to add:

Email service integration (SendGrid, AWS SES, etc.)
Password reset functionality
Rate limiting for login attempts
Refresh tokens for longer sessions
Account lockout after failed attempts

The foundation we've built makes adding these features much easier. The modular structure means you can extend the authentication system without breaking existing functionality.

And honestly? Once you get through the initial setup pain, this system is pretty solid. The HTTP-only cookies, email verification, and role-based access control handle most real-world authentication requirements.

Get the complete source code on GitHub

NestJS Authentication Tutorial - Part 1: Foundation & Setup

Rosa — Mon, 14 Jul 2025 09:37:40 +0000

This is part 1 of a 2-part series on building production-ready authentication in NestJS. In this part, we'll set up the project foundation, database, and user management. Part 2 will cover JWT authentication, email verification, and role-based access control.

So you want to add auth to your NestJS app? Cool. Fair warning though - this is one of those features that looks simple from the outside but honestly, it was more painful than I expected. Sure, there are tons of tutorials out there, but most of them skip the production-ready parts or gloss over the security considerations that actually matter.
After wrestling with JWT tokens, password hashing, and role-based access for longer than I'd like to admit, I finally got something solid working. Figured I'd share what I learned – maybe it'll save someone else the headache I went through.

What I Actually Built

The system handles the usual suspects:

User registration and login
JWT tokens stored in HTTP-only cookies (more on why later)
Password updates that don't suck
Role-based permissions
GraphQL API because REST felt overkill for this project
PostgreSQL because I trust it more than MongoDB for auth data

Setting Up the Project

First things first – create a new NestJS project:

npm i -g @nestjs/cli
nest new nestjs-auth
cd nestjs-auth

Now for the dependencies. I learned the hard way that getting the versions right matters:

# Core GraphQL stuff
npm install @nestjs/graphql @nestjs/apollo apollo-server-express graphql

# Database and auth libraries
npm install @nestjs/typeorm typeorm pg @nestjs/jwt @nestjs/passport passport passport-jwt passport-local

# Utilities I actually use
npm install bcryptjs cookie-parser class-validator class-transformer joi

# Dev dependencies
npm install -D @types/bcryptjs @types/cookie-parser @types/passport-jwt @types/passport-local

Main App Configuration

Here's my main.ts:

import { NestFactory } from '@nestjs/core';
import { AppModule } from './app.module';
import { ValidationPipe } from '@nestjs/common';
import * as cookieParser from 'cookie-parser';

async function bootstrap() {
  const app = await NestFactory.create(AppModule);

  // This validation pipe has saved me from so many bugs
  app.useGlobalPipes(
    new ValidationPipe({
      transform: true,
      whitelist: true, 
      forbidNonWhitelisted: true, 
    }),
  );

  // Essential for HTTP-only cookies
  app.use(cookieParser());

  await app.listen(process.env.PORT ?? 3000);
}
bootstrap();

The ValidationPipe is clutch here. Trust me on this one - you don't want random fields sneaking into your database.

Database Setup

I use Docker for local development because it keeps the database isolated and makes it easy for others to run the project. Create a docker-compose.yml:

version: '3.8'
services:
  postgres:
    image: postgres:16
    container_name: nestjs_auth_postgres
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: postgres
      POSTGRES_DB: nestjs_auth_db
    ports:
      - '5433:5432'  # Using 5433 to avoid conflicts
    volumes:
      - nestjs_auth_db:/var/lib/postgresql/data
    restart: unless-stopped

volumes:
  nestjs_auth_db:

Now run this command:

docker-compose up -d

Configuration (Don't Hardcode Secrets, Please)

Let's set up proper configuration to avoid environment variable headaches later.

// src/config/auth.config.ts
import { registerAs } from '@nestjs/config';

export interface AuthConfig {
  jwt: {
    secret: string;
    expiresIn: string;
    cookieExpiresIn: number;
  };
  nodeEnv: string;
}

export const authConfig = registerAs(
  'auth',
  (): AuthConfig => ({
    jwt: {
      secret: process.env.JWT_SECRET as string,
      expiresIn: process.env.JWT_EXPIRES_IN ?? '60m',
      cookieExpiresIn: parseInt(process.env.JWT_COOKIE_EXPIRES_IN || '90', 10),
    },
    nodeEnv: process.env.NODE_ENV || 'development',
  }),
);

// src/config/database.config.ts
import { registerAs } from '@nestjs/config';
import { TypeOrmModuleOptions } from '@nestjs/typeorm';

export const typeOrmConfig = registerAs(
  'database',
  (): TypeOrmModuleOptions => ({
    type: 'postgres',
    host: process.env.DB_HOST,
    port: parseInt(process.env.DB_PORT ?? '5433'),
    username: process.env.DB_USER,
    password: process.env.DB_PASSWORD,
    database: process.env.DB_DATABASE,
    synchronize: Boolean(process.env.DB_SYNC ?? false),
  }),
);

Important note about synchronize: I only enable this in development. In production, you should manage database migrations properly. Synchronize will automatically create/update database tables based on your entities, which can be dangerous in production.

// src/config/config.types.ts
import { TypeOrmModuleOptions } from '@nestjs/typeorm';
import * as Joi from 'joi';
import { AuthConfig } from './auth.config';

export interface ConfigType {
  database: TypeOrmModuleOptions;
  auth: AuthConfig;
}

export const appConfigSchema = Joi.object({
  NODE_ENV: Joi.string()
    .valid('development', 'production', 'test')
    .default('development'),
  DB_HOST: Joi.string().default('localhost'),
  DB_PORT: Joi.number().default(5432),
  DB_USER: Joi.string().required(),
  DB_PASSWORD: Joi.string().required(),
  DB_DATABASE: Joi.string().required(),
  DB_SYNC: Joi.number().valid(0, 1).required(),
  JWT_SECRET: Joi.string().required(),
  JWT_EXPIRES_IN: Joi.string().required(),
  JWT_COOKIE_EXPIRES_IN: Joi.number().default(90),
});

// src/config/typed-config.service.ts
import { ConfigService } from '@nestjs/config';
import { ConfigType } from './config.types';

export class TypedConfigService extends ConfigService<ConfigType> {}

Why all this configuration complexity?

Type safety: We get autocomplete and type checking for all config values
Validation: The app won't start if required environment variables are missing
Documentation: The Joi schema serves as documentation for what environment variables are needed
Defaults: We can provide sensible defaults for optional values

Create your .env file:

# Database
DB_HOST=localhost
DB_PORT=5433
DB_USER=postgres
DB_PASSWORD=postgres
DB_DATABASE=nestjs_auth_db

# JWT
JWT_SECRET=your-super-secret-jwt-key-change-this-in-production
JWT_EXPIRES_IN=
JWT_COOKIE_EXPIRES_IN=

NODE_ENV=development

Module structure

Generate the required modules using NestJS CLI:

nest generate resource user --no-spec
nest generate resource auth --no-spec

When prompted, select "GraphQL (code first)" and "No" for CRUD entry points since I'll build custom operations.

User entity and roles

The User entity is the foundation of the authentication system. Here's how I structure it:

// src/user/role.enum.ts
export enum Role {
  USER = 'user',
  ADMIN = 'admin',
}

// src/user/user.entity.ts
import { Entity, PrimaryGeneratedColumn, Column, CreateDateColumn } from 'typeorm';
import { Field, ID, ObjectType } from '@nestjs/graphql';
import { Role } from './role.enum';

@ObjectType()
@Entity()
export class User {
  @Field(() => ID)
  @PrimaryGeneratedColumn('uuid')
  id: string;

  @Field()
  @Column()
  name: string;

  @Field()
  @Column({ unique: true })
  email: string;

  // No @Field() decorator - this should NEVER be exposed in GraphQL
  @Column()
  password: string; 

  @Field(() => [String])
  @Column('text', { array: true, default: [Role.USER] })
  roles: Role[];

  @Field()
  @Column({ default: false })
  isEmailVerified: boolean;

  @Field()
  @Column({ nullable: true })
  emailVerificationExpires: Date;

  @Field()
  @CreateDateColumn()
  createdAt: Date;
}

Few things to note:

UUID primary keys because auto-incrementing IDs are predictable
Password field has no GraphQL decorator
Using PostgreSQL arrays for roles - simpler than a separate table
Email verification with expiry dates

Application module configuration

Update your app.module.ts to wire everything together:

import { Module } from '@nestjs/common';
import { GraphQLModule } from '@nestjs/graphql';
import { ApolloDriver, ApolloDriverConfig } from '@nestjs/apollo';
import { join } from 'path';
import { TypeOrmModule } from '@nestjs/typeorm';
import { ConfigModule, ConfigService } from '@nestjs/config';
import { AppService } from './app.service';
import { AppController } from './app.controller';
import { TypedConfigService } from './config/typed-config.service';
import { typeOrmConfig } from './config/database.config';
import { Request } from 'express';
import { authConfig } from './config/auth.config';
import { appConfigSchema } from './config/config.types';
import { UserModule } from './user/user.module';
import { AuthModule } from './auth/auth.module';
import { User } from './user/user.entity';

@Module({
  imports: [
    TypeOrmModule.forRootAsync({
      imports: [ConfigModule],
      inject: [ConfigService],
      useFactory: async (configService: TypedConfigService) => ({
        ...(await configService.get('database')),
        entities: [User],
      }),
    }),

    ConfigModule.forRoot({
      isGlobal: true,
      load: [typeOrmConfig, authConfig],
      validationSchema: appConfigSchema,
      validationOptions: {
        abortEarly: true,
      },
    }),

    GraphQLModule.forRoot<ApolloDriverConfig>({
      driver: ApolloDriver,
      graphiql: true,
      autoSchemaFile: join(process.cwd(), 'src/schema.gql'),
      sortSchema: true,
      context: ({ req, res }: { req: Request; res: Response }) => ({
        req,
        res,
      }), // We'll need this for cookies
    }),

    UserModule,
    AuthModule,
  ],
  controllers: [AppController],
  providers: [
    AppService,
    {
      provide: TypedConfigService,
      useExisting: ConfigService,
    },
  ],
})
export class AppModule {}

Password Service

// src/auth/password.service.ts
import { Injectable } from '@nestjs/common';
import * as bcrypt from 'bcryptjs';

@Injectable()
export class PasswordService {
  private readonly SALT_ROUNDS = 10;

  public async hash(password: string): Promise<string> {
    return await bcrypt.hash(password, this.SALT_ROUNDS);
  }

  public async verify(
    plainPassword: string,
    hashedPassword: string,
  ): Promise<boolean> {
    return await bcrypt.compare(plainPassword, hashedPassword);
  }
}

I use 10 salt rounds as it provides a good balance between security and performance. Higher values would be more secure but significantly slower.

User service and DTOs

Before building the UserService, I need to define the data transfer objects:

// src/user/dto/create-user.input.ts
import { InputType, Field } from '@nestjs/graphql';
import { IsEmail, IsNotEmpty, IsString, MinLength } from 'class-validator';

@InputType()
export class CreateUserInput {
  @Field()
  @IsNotEmpty()
  @IsString()
  name: string;

  @Field()
  @IsNotEmpty()
  @IsEmail()
  email: string;

  @Field()
  @IsNotEmpty()
  @IsString()
  @MinLength(8)
  password: string;

  @Field({ defaultValue: false })
  isEmailVerified?: boolean;

  @Field({ nullable: true })
  emailVerificationExpires?: Date;
}

// src/user/dto/update-email-verification.input.ts
import { Field, InputType } from '@nestjs/graphql';

@InputType()
export class UpdateEmailVerificationInput {
  @Field()
  userId: string;

  @Field()
  isEmailVerified: boolean;

  @Field(() => Date, { nullable: true })
  emailVerificationExpires: Date | null;
}

User Service

Now for the actual business logic:

// src/user/user.service.ts
import { Injectable, NotFoundException } from '@nestjs/common';
import { InjectRepository } from '@nestjs/typeorm';
import { Repository } from 'typeorm';
import { User } from './user.entity';
import { CreateUserInput } from './dto/create-user.input';
import { PasswordService } from '../auth/password.service';
import { UpdateEmailVerificationInput } from './dto/update-email-verification.input';

@Injectable()
export class UserService {
  constructor(
    @InjectRepository(User)
    private usersRepository: Repository<User>,
    private passwordService: PasswordService,
  ) {}

  async findAll(): Promise<User[]> {
    return this.usersRepository.find();
  }

  async findById(id: string): Promise<User> {
    const user = await this.usersRepository.findOne({ where: { id } });
    if (!user) {
      throw new NotFoundException(`User with ID ${id} not found`);
    }
    return user;
  }

  async findByEmail(email: string): Promise<User | undefined> {
    const user = await this.usersRepository.findOne({ where: { email } });
    return user ?? undefined;
  }

  async create(createUserData: CreateUserInput): Promise<User> {
    // Hash the password before creating the user
    if (createUserData.password) {
      createUserData.password = await this.passwordService.hash(
        createUserData.password,
      );
    }

    const user = this.usersRepository.create(createUserData);
    return await this.usersRepository.save(user);
  }

  async updateEmailVerification(
    input: UpdateEmailVerificationInput,
  ): Promise<User> {
    const user = await this.findById(input.userId);
    user.isEmailVerified = input.isEmailVerified;
    user.emailVerificationExpires = input.emailVerificationExpires;
    return this.usersRepository.save(user);
  }

  async update(id: string, updateData: Partial<User>): Promise<User> {
    const user = await this.findById(id);

    // Hash password if it is being updated
    if (updateData.password) {
      updateData.password = await this.passwordService.hash(
        updateData.password,
      );
    }

    Object.assign(user, updateData);
    return this.usersRepository.save(user);
  }

  async remove(id: string): Promise<User> {
    const user = await this.findById(id);
    await this.usersRepository.remove(user);
    return user;
  }
}

The key thing here is that passwords get hashed automatically on create and update. This way you never accidentally store a plaintext password.

User Module

// src/user/user.module.ts
import { forwardRef, Module } from '@nestjs/common';
import { TypeOrmModule } from '@nestjs/typeorm';
import { UserService } from './user.service';
import { UserResolver } from './user.resolver';
import { User } from './user.entity';
import { ConfigService } from '@nestjs/config';
import { TypedConfigService } from 'src/config/typed-config.service';
import { AuthModule } from 'src/auth/auth.module';
import { PasswordService } from 'src/auth/password.service';

@Module({
  imports: [TypeOrmModule.forFeature([User]), forwardRef(() => AuthModule)],
  providers: [
    UserService,
    UserResolver,
    PasswordService,
    {
      provide: TypedConfigService,
      useExisting: ConfigService,
    },
  ],
  exports: [UserService, PasswordService],
})
export class UserModule {}

The forwardRef() is there because of circular dependencies – UserModule needs stuff from AuthModule and vice versa. It's annoying but necessary.

What's Next

So far we've got:

A solid foundation with proper database setup
User entity that doesn't leak passwords everywhere
Password hashing
User service with all the CRUD operations we need
Type-safe configuration

In the next part, I'll cover the actual authentication flow – user registration, email verification, login with JWTs, and role-based access control. The foundation we've built here makes all of that much cleaner to implement.

Continue to Part 2: JWT Authentication & Email Verification

Get the complete source code on GitHub