NestJs JWT - Access Tokens & Refresh Tokens - Ultimate Guide

Thank you for the tutotial, it's a good one. I just wanted to make a few points. From the security standpoint, the good practice is to have JWT in memory or basically sending through http context and save refresh token in an http only cookie so when a user leaves their browser and comes back again, the application can uses the refresh token to issue a new access token. But, by using your approach, when a user refreshes their browser or closes it they lose both access and refresh tokens and they have to sign in again in order to access the protected area of the application. In SPA applications you use a refresh token in order to issue an access token again after its expiration, so we need to keep it somewhere safe to use it again, otherwise it is pointless to use it. On top of that, when you only use one refresh token in your user's entity and every time you replace it with a new one, then users will not be able to have their multiple devices logged in, because whenever they logs in in each device,then the previous refresh token they used in another device will be replaced with a new one and their another device will be no longer logged in. So we need a user entity that has one to many relationship with a refresh token entity. You can also read more about the security recommendations for access and refresh tokens from the link below if you are interested:
dev.to/cotter/localstorage-vs-cookies-all-you-need-to-know-about-storing-jwt-tokens-securely-in-the-front-end-15id

Wish I found your video few days back. Great explanation, one of the best I heard & actually understood. Many thanks Vlad.

Hey. Nice video. Some points of interest.
1. @Injectable tells Nest to reflect on the constructor and see if there are dependencies it needs to inject into it. If there are no dependencies to inject, you don't need the decorator.
2. You can store tokens in local storage on the client, however they are open to an XSS attack and with 7 days (for the refresh token), a lot of damage can be done. I'd suggest storing the refresh token in an http only cookie. This avoids XSS attacks, as attackers won't be able to get access to the cookie. You should also add the "/refresh" path to the cookie too, so the cookie is only sent on requests made to the "/refresh" endpoint.

This tutorial is excellent.
A great teacher, who makes us go deeper into the content through knowledge, good humor, sincerity (because there were no cuts in the moments of code error) and many tips to evolve as developers.
Thanks!

This is the greatest guide to understanding JWT + refresh! Thank you so much, it really helped me really nail down this concept and practice!

What a masterclass on the subject! Thank you really much for publishing this video!

Great tutorials! Explained clearly with a very practical project! Thanks a lot for your sharing!
Looking forward to your new videos about anything :D

This is excellent content 💯. The flow of learning concepts and writing code hits the mark. Major kudos for covering typescript safety, especially for creating custom decorators and explaining the public guards. Thank you, this was an easy subscription from me.

To learn NestJS Authentication I have seen many videos and I got confuse about JWT but with your video I am pretty clear and the way you explain everything is awesome.
Thanks.

Vlad, thank you again. You are really putting a lot of effort into these videos dude and we can see it in your how you are able to tie multiple concepts together in a way that logically flows so well! You have taught us in hours what it takes some years to understand so thank you for literally giving me extra life points! 👏👏👏

This is elegant, Vlad. You inductively demystify the abstract concepts and made them look simpler for digestion. I look forward to learning the Microservice with NestJs from you.
Thanks, Man! 🥰

I was trying to find a tutorial for many days that would explain the reason for each thing and not just give me the code. Your tutorial is one of the best I've seen on CZcams and I'm surprised it's free, congratulations on something so amazing, you earned a subscriber. I hope you can launch courses, I will buy for sure. Hugs from Brazil!

wow - well done Vlad, one of the most comprehensive tutorials / real course, thanks a bunch for your effort and for sharing this knowledge!

Man... This is actually one of the best tutorial I've ever watched ! You're a really good teacher, thanks a lot !

This is amazing tutorial 🙌,
I remember before watching the video I had implement Auth-JWT and it took 3 days to understand and implement.

Прекрасное видео! Видно, что в проекте позже был использован Аргон, что тоже круто) Надеюсь увидеть в будущем более продвинутую реализацию, в том числе с функционалом активации аккаунта по почтовому ящику. Спасибо за такой ценный контент!

Not sure if the 15mins delay logout w/ refresh token hash is from who's idea. that's cunningly brilliant. one of the finest JWT tutorials ever. keep up the good work. i totally appreciate your time and effort.

Thank you very much for showing the context and how it is actually done in a real project :)

Best video I've seen so far for the JWT implementation in Nest Js. Thanks Vlad.
Subscribed :)

That was awesome! I'm new with NestJs and started to create my own demos. I've learned almost everything from you. Thank you so much for sharing that much information.

You came here and wondering is it worth watching this video? Absolutely!
Thanks, Vlad!

Thanks for this wonderful tutorial! It was great understanding refresh tokens along with Nestjs at the same time

You are awesome. You are making me to love nestjs more. Thank you sensei 😊

Not long and not tedious. That's what tutroial should be. You get the whole idea in one video and then just keep on your coding. Thank you for the tutorial

This is such an amazing video. Glad I stumbled across this. Subscribed. Would be going through the other videos on your channel. And, eager to learn more from you.
Thank you so much.

I like that you don't cut out the way you look for bugs in the code. It helps to keep track of the way you think when something goes wrong

This has been by far the best tutorial I have seen about authentication in nest with jwt, congratulations!

Can't believe I made it all the way to the end!! Thanks so much.

me recognizing the errors before vlad does proves i m getting better😂 thanks for the explanation tho i needed this

one of the best videos in authentication using refresh tokens

Thanks this is the type of quality tutorials I want to see on CZcams!

Great tutorials you make. Congrats mate! Please covers specs and integration testing.

Awesome. i followed this exciting tutorial to build authentication for my own project. Thank you

You're the best! All the things that I know in NestJS are thank to you and your videos, you explain it so well! Now I was wondering, can you make a video on Redis and sessions too?

It was good Christmas with this tutorial , thanks

You're amazing dude, I really appreciate it. You helped me out so much!

Vlad is the best tutor for me

this is awesome , this is best tutorial i have seen for jwt authentication on youtube

I was looking for this, thanks! 🙌

Vlad keep going! Amazing stuff

I think this is the best tutorial for auth flow. Thanks!

Thank you so much I finally searched all over the Internet

Amazing tutorial, so glad I found this

Thank you so much bro. This is very helpful for me and everyone

Vlad, loved your video on NextJS on Free code camp. Thank you. Really appreciate it.

Best learning content and teacher i ever seen!

Thank you, very nice tutorial, i'll try to implement this with redis too.
Sorry for my english and thank you again.

Excelente, es la mejor explicación que he encontrado. Te lo agradezo mucho

Excellent tutorial, Its very helpful. Thank you very much Boss

I just want to say this is a blessing, thank you, excellent

Спасибо, Влад! Супер комплексный подход! В самом начале долго не мог понять, так какой же стандарт жизни access токена, 15 или 50 минут. Я же дилетант, обычно делал пять часов. ) Просто обычно в слове "fifteen" ударение на последний слог, а слышалось как будто "fifty" с ударением на первый слог. Еще раз спасибо за видео!

Excellent tutorial !👏👏

This tutorial is excellent.
Thank you very much

thanks for tutorial, you explained very well and easily help me a lot.

Amazing Man! I just followed and implemented AT & RT. Yuhuuu....Thanks...!

Great video Vlad 👌🏻👌🏻👌🏻👌🏻👌🏻

Thank you so much! Very useful video

Awesome video.

Thank you. I have learned a lot.

Super detailed and useful examples !❤

this is pure gold! Thank you so much

Just helped me do the first task in my internship!
Thxxxx

Thanks a lot. Very nice 🔥🔥

Thank you for Excellent tutorial. Yes of course I like to understand testing techniques too.
Thanks

This tutorial is more then excellent.

Vlad aka darslariz juda zo'r (from Uzbekistan)

Very nice video. But get very complicated after some time. :P Thank you Vlad

amazing tutorial vlad!

WOW, very interesting, please, keep going with videos like this!

Nice tutorial, thanks! Actually it's nice seeing someone experienced mess up a little bit and find the solution on the go, that's how coding really is like.

Thanks, great tutorial!

Excellent video

Great video!

was looking for something like this!

Good job!

i'm following this tutorial using Mongo instead of Postgres and it's even simpler. i don't know if it's more appropriate but it's easier. just a few issues related to migrate and the id field but other than that, very smooth sailing

Thank you It is very helpful

Damn! You nailed it 🙏

Great tutorial 🔥👏 please do one with sessions as well

Was here for the refresh function part... Ends up watching the whole video ! Thank you for all the tips !
Can you explain why are you using index.ts ?

Nice one, thanks!

you are a GOD i watched so many tutorials and yours is the only one that actually works, 🙏🏻🙏🏻🙏🏻🙏🏻🙏🏻🙏🏻🙏🏻🙏🏻🙏🏻🙏🏻

Чел, ты великолепен! Видео очень качественное, зашло
Мог бы написать и на английском, но не думаю, что это необходимо)

awesome man !

You are awesome!, Thank you.

Subscribed! So nice. :) thank you.

Muchas gracias hermano, bendiciones. He aprendído mucho y quiero que sepas que me estouy dedicando al back-end.

Super detailed video, thanks. It would be cool if you showed how to add Google authorization to this

you are the best pro, thank you :)

Excellent thanks very mucsh

Vlad, thanks for the great and awesome content.
Now, which theme are u using ? haha

Thanks so much!

You're awesome. Thank for this tutorial. Btw, what do you use autocomplete in command line ?

Nice video, Vlad!
Btw, did you try to use autogenerated prisma DTOs? Do you know how we can validate, cover in documentation (and all that stuff) them by any chance?

Nice!

Thanks, a lot!!!

Thankss 👏

Awesome tutorial. Thank you so much! Can you please make a tutorial about CICD with NestJs and Prisma.

I'm so glad that you are using the same tech stacks as me. Nest.js + Prisma is so powerful. Can you make a video about deployment? I'm so curious about what cloud provider you use and how you handle the deployment.

Good video