First steps
nest g resource auth
This will further ask you for a selection
❯ REST API
GraphQL (code first)
GraphQL (schema first)
Microservice (non-HTTP)
WebSockets
select REST API and this will generate the whole module for you with the dtos services controller and module
Register User
since we are implementing email/password-based authentication as the first step we will register the user.
- Validate first to make sure the data is legitimate and add password strength validation to mitigate brute force attacks.
- Sanitize afterward to ensure the data is safe to use.
- Check that the user record already exists in the database if exists it means the user already has an account so send a response that's this email already registered.
- if the above checks failed it means we need to register a user take the user password and hash it with a good hashing library like bcrypt or argon2
- after hashing insert user record in DB.
- send an email to the user to verify is email legitimate.
- add rate-limiting to route to avoid DDoS attacks
1 Validate incoming data
Since nest js has strong integration with recommended validation packages like class validator but from my previous experience I use zod for validation lot in react js front ends and so I found an awesome
solution for nest js ecosystem called nests zod so I'll prefer to go with this one for now. To get started first install the library
npm i nestjs-zod
import { createZodDto } from 'nestjs-zod';
import { z } from 'zod';
const passwordStrengthRegex =
/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/;
const registerUserSchema = z
.object({
email: z.string().email(),
password: z
.string()
.min(8)
.regex(
passwordStrengthRegex,
'Password must contain at least one uppercase letter, one lowercase letter, one number, and one special character',
),
confirmPassword: z.string().min(8),
})
.refine((data) => data.password === data.confirmPassword, {
message: 'Passwords do not match',
});
export class RegisterUserDto extends createZodDto(registerUserSchema) {}
and then apply validation pipe on the route
import { Controller, Post, Body, Version, UsePipes } from '@nestjs/common';
import { AuthService } from './auth.service';
import { RegisterUserDto } from './dto/register.dto';
import { ZodValidationPipe } from 'nestjs-zod';
@Controller('auth')
export class AuthController {
constructor(private readonly authService: AuthService) {}
@Version('1')
@Post()
@UsePipes(ZodValidationPipe)
async registerUser(@Body() registerUserDto: RegisterUserDto) {
return await this.authService.registerUser(registerUserDto);
}
}
if we provide all inputs correct
so we are done with the first step
Let's Sanitize Data
we have three inputs
- password: typically passwords should not be Sanitize because they are never gonna sent and displayed to frontend even if someone sends a malicious script to the password eventually it'll be hashed do not need
- confirmPassword: same story as above one
- email: yes emails are sent and rendered to clients so the email field must be Sanitize to mitigate injections and scripting attacks
but we explicitly added email: z.string().email() which is enough for this use case
but to add an extra lyre of security we can add a sanitization layer
import { createZodDto } from 'nestjs-zod';
import { z } from 'zod';
import * as xss from 'xss';
const passwordStrengthRegex =
/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/;
const registerUserSchema = z
.object({
email: z.string().transform((input) => xss.filterXSS(input)), // Sanitizing input using xss
password: z
.string()
.min(8)
.regex(
passwordStrengthRegex,
'Password must contain at least one uppercase letter, one lowercase letter, one number, and one special character',
),
confirmPassword: z.string().min(8),
})
.refine((data) => data.password === data.confirmPassword, {
message: 'Passwords do not match',
});
export class RegisterUserDto extends createZodDto(registerUserSchema) {}
This was a test we also added again back
email: z
.string()
.email()
Step3,4,5
import {
BadRequestException,
Injectable,
InternalServerErrorException,
} from '@nestjs/common';
import { RegisterUserDto } from './dto/register.dto';
import { PrismaService } from 'src/prismaModule/prisma.service';
import * as argon2 from 'argon2';
@Injectable()
export class AuthService {
constructor(private readonly prismaService: PrismaService) {}
async registerUser(registerUserDto: RegisterUserDto) {
// data is validate and sanitized by the registerUserDto
const { email, password } = registerUserDto;
try {
// check if user already exists
const user = await this.prismaService.user.findFirst({
where: {
email,
},
});
if (user) {
throw new BadRequestException('user already eists ');
}
//if use not exists lets hash user password
const hashedPassword = await argon2.hash(registerUserDto.password);
// time to create user
const userData = await this.prismaService.user.create({
data: {
email,
password: hashedPassword,
},
});
if (!userData) {
throw new InternalServerErrorException(
'some thing went wrong while registring user',
);
}
// if user is created successfully then send email to user for email varification
return {
success: true,
message: 'user created successfully',
};
} catch (error) {
throw error;
}
}
}
The main point to notice I just returned a success message with no data related
to the user like ID or email because it does not need to send back data to the user in this step. after registration user will be redirected to the login page to fill in details so avoiding sending unnecessary data is a good security practice
Rate limiting
implementing rate limiting in nestjs is very easy just install nestjs/throttler configure it globally and you're done .
to install package run npm i --save @nestjs/throttler
@Module({
imports: [
ThrottlerModule.forRoot([{
ttl: 60000,
limit: 10,
}]),
],
})
export class AppModule {}
then add nestjs throttle guard as global guard
providers: [
AppService,
{
provide: APP_GUARD,
useClass: ThrottlerGuard,
},
],
and here it is
import { Controller, Post, Body, Version, UsePipes, Req } from '@nestjs/common';
import { AuthService } from './auth.service';
import { RegisterUserDto } from './dto/register.dto';
import { ZodValidationPipe } from 'nestjs-zod';
import { Throttle } from '@nestjs/throttler';
@Controller('auth')
export class AuthController {
constructor(private readonly authService: AuthService) {}
@Throttle({
default: {
ttl: 100000, // 1 minute
limit: 5, // 5 requests per minute
},
})
@Version('1')
@Post()
@UsePipes(ZodValidationPipe)
async registerUser(@Body() registerUserDto: RegisterUserDto, @Req() req) {
return await this.authService.registerUser(registerUserDto, req);
}
}
since registering the user endpoint is a sensitive endpoint brute-force
or dictionary attack can happen we kept the rate limit strict
Send Verification Email
for sending a verification email to a user's use Resend is an awesome easy-to-use service. but I decided to create a separate episode for the whole notification service so that understanding it becomes easier for everyone
Top comments (0)