NestJS Authorization: RBAC, ABAC, claims-based, and more! | NestJS Guards Tutorial
Vložit
- čas přidán 5. 07. 2024
- In this video we'll discuss the fundamentals of doing authorization on a NestJS API. We'll take a look at how to use custom decorators to add metadata to controller methods. We'll then work on creating a new guard specifically for authorization. We'll take a look at how to extract a user's roles and determine if they are allowed to process with the request or not. We'll also briefly discuss more advanced scenarios where you might want to use claims-based or perhaps attribute-based (ABAC) authorization techniques using libraries like CASL and accesscontrol.
Video on NestJS AUTHENTICATION (user logins): • NestJS Authentication:...
00:00 - Intro
00:44 - Creating new application
02:08 - Defining User entity and Roles enum
05:37 - Defining our auth requirements
07:33 - Using SetMetadata decorator
08:40 - Creating a custom Roles decorator
10:51 - Creating a new Roles Guard
15:47 - Accessing user roles within a guard
21:08 - Discussing more advanced authorization with claims or permissions/attributes
25:31 - NestJS CASL Integration
25:47 - Outro
very useful. i wish this video was around when my company built a new project in nestjs and rbac last year
thank you so much... straight to the point.... best nest js explanations i've seen so far.
thankyou for creating such a great content covering everything making it easy for everyone to understand
Thank you for your useful videos. Would be great to have more in deep tutorial about CASL with NestJS.
Thank you, Marius. I'm just switching from making the nodejs API from scratch to using a library like nestjs. This helps me a lot
Awesome glad to hear! Nest is an awesome choice
Great job Marius, your videos are very useful and simple at the same time, keep rocking 🤘
Thanks Alireza! 🤘🤘
Thanks (again!) for this content Marius. Would love to see a long-form CASL workshop for managing routes and resources.
Yes, thanks for this content :). CASL-"workshop" would be nice + a included database with the relations between the roles/permissions and the user-entity. ❤️
You are always so helpful! Thank you Marius! 🤗
You’re welcome Cecilia!
Once again, thanks for an amazing video! I love to see these videos to get some inspiration!
I would love to see a video about Passport with the Local Strategy together with JWT, I know you have done this but I still feel it would be nice to cover JWT refresh in the backend, and hopefully in the frontend as well.
Thank you! Yeah I’m hoping to maybe put together a longer video which mixes all these topics together. And refresh flow definitely has been requested a few times. Technically it is really just introducing a second token (refresh token) and having your access token expire at a shorter time. It’s probably the underlying logic, where you’d store the tokens, etc. that would be good to cover in a video
@@mariusespejo Please when will you be able to put up this video
Thanks, mate. Very educational.
Thanks, bro. Appreciate the video. I was hoping for a GraphQL implementation, but after watching your tutorial, I figured out how to do it.
Yeah as far as I know guards work pretty much the exact same way even if you are using graphql
Great Stuff once again. Your NestJs content has helped me a lot.
🙌😄
Next Tutorial about CASL sir
thank you for the wonderful explanation! I hope that you will continue to help us
Absolutely! You’re welcome!
Hey, Nice video, thankyou for all these explanations, The CASL video would be nice!
Great tutorial ❤️. Please make a video implementing casl in nest js. I read the docs but didn't understand properly.
thank you! very clear and straightforward
Thanks for feedback!
Thanks for feedback!
Great video!!! Thank you for this video
Glad you think so! Thanks!
Thanks Marius, very cool!
Thanks man for this.
Excelent content bro
Thank you, nice straightforward explanation :D now I'm SUBSCRIBED (with the bell ON)
Hope you the best
Thank you 🙏😄
awesome video, you are just great teacher
Thank you 🙏
truly amazing
it solved my problem, thank you
Great video Marius, I just watced all the NestJs related videos. You did a very good job, they are very usefull.
Right now I am trying to do a Nestjs authentication trough Firebase auth IDP.
It would be awesome if you will do a video that covers that.
Thank you! Yeah a couple folks have mentioned firebase, I’ve used it back in the day but it likely has changed a lot since then, I’ll have to look into it again
спасибо, как всегда все доходчиво и понятно
Very helpful dude 💪🏻 I like your format. Would be amazing if you could do a video on CASL and its integration with NestJS 😋 thanks
I’m interested in CASL myself so me covering it is likely!
@@mariusespejo what is your general thought about NestJS?? I am study it now and your videos are cool! Could you suggest me an easy project that I can create with it? Thanks
General thoughts: the express ecosystem is massive and Nest simply builds on top of it and gives you a nice architecture out of the box, it integrates well with a lot of things. You can’t go wrong with using it.
I would suggest a project that you’re personally interested in and something that involves perhaps doing CRUD with a database as well as authentication/authorization. E.g. perhaps creating an API for a blog with multiple users and allowing for creating/editing posts as well as adding comments to posts
CASL in nestjs would be awesome :)
Great video as always. Do you have repos for any of these videos? It would be nice to look at the code directly. Thanks.
Thanks Marius, I would love to see a video on Nestjs authorization with CASL Integration.
Definitely would like to look into CASL myself so I’ll likely cover it in the future
@@mariusespejo that would be great! I'm about to implement authorization in my project and likely to use CASL. Looking forward to see the video in the future. 🙂
Started working with nest a couple of months ago and your videos really helped me out, thank you!
Btw, what do you think of a nestjs project wrapped within the docker ? Would that be something interesting to make?
Docker in general is useful, I mean it really depends on how you want to do development and deployments. If you have a need for containers yeah why not
make a video in this topic
the best !
Hi Marius, love your videos. Please do a tutorial on authentication with firebase admin sdk
Will look into it!
Thanks
Great tutorial Marius! You won a subscriber :)!! I have a question though, what if you want to allow the user to edit their own data but only admins are allowed to edit or delete other users data? Thanks in advance :)
Thanks! 🙌 Basically you’d have to create a slightly more custom guard where you load in the user record and check ownership, return false if not owned or not an admin. As your access control requirements gets more complex that’s also when I’d recommend looking at adding things like CASL or similar
@@mariusespejo Thanks Marius :) I dit and its working properly.
Awesome!
thank u sir.very helpful video.Plz make a video on CASL authorizatoin
Thanks yeah will likely cover that in the future
@@mariusespejo thank u sir....🙏 Can u please make a video on ORY Kratos implement on nest app!🙏🙏
I don’t know what that is haha will try to look into it
@@mariusespejo thank u sir... 😀🙏
Thanks sir. Can you do also a video with keycloak integration? Thank you so much!
Hmm have not heard of keycloak, will look into it
Hello Marius, first of all, thank you for the great content!
I was using jwt guard for authentication and my request has a user object but I can't take the user object in RolesGuard. It says it is undefined but I can see it in my controller when I try to pull the request object. Is JwtGuard running before that RolesGuard? But My JwtGuard was applied on the controller level, and RolesGuard was applied on the method level. Any idea or suggestion?
Not positive what the problem might be there, assuming your jwt guard puts the user in req.user, if you’re seeing it’s not there on the rolesguard then you might have the wrong execution order somehow. Maybe try to debug by putting both on the method level?
Thank you for this amazing Content , Is there a way or Guide on How to do ABAC with Typeorm , dynamic roles , privileges loaded from DB ( mariaDB maybe )
You can use something like CASL, which I’ve made videos about. You’d just need to store the user privileges in the DB and map them to abilities in casl. Since it’s dynamic that means you likely will want to query your DB for current user privileges and construct the ability for each request
@@mariusespejo Thank you for your response , I will try that out , thank you so much your videos are a great help
Nest js Casl Authorization ABAC more on this would be great..
It is posible that a could retrieve the result of my authentication guard and use it in my authorization guard? I have the role there.
Pretty good video this was really helpful.
Would you also consider tutorial using fastify for NestJS ?
As far as actually doing that there’s really not much to it and it is documented in the nest site. The bigger changes would be things that rely on express will no longer work so you’d have to maybe find some alternative integrations
You mean there's a lot functionality nestjs supports on express compared to fastify (or that fastify does not have)?
As of now all I know is that fastify does not support nested routes. It is mentioned in their documentation.
I don’t know what is and isn’t supported or how much. All i can tell you i that any express-specific integrations, e.g. if you were using express-session, then you’d have to use whatever the fastify equivalent of that is. As for actually just switching to fastify that’s documented and is fairly simple to enable
It would be really great if you upload the code in a github repository.
Can you do an example for testing in nestjs graphql?
i do have one on Nest testing but in REST, it’s honestly pretty much the same fundamentals except you have resolvers instead of controllers
Can you make a video on nestjs best practices and folder structure for making scalable applications. Covering all aspects like auth, database, graphql etc.
Check out the channel! Most of those I’ve already covered
would you make a video on cookie based auth and storing it in redis
I did! Find the nestjs auth video in my channel. It covers session-based auth, which is maintained via cookie containing the session ID. The session library can use whatever storage you want, including redis
how are we gonna get user from req? You just hardcoded that part, what I need to get those user information from the request?
I have videos on how to do authentication if you want to see how. If you do it correctly typically the user session would be stored in req.user, just like in express. That’s the assumption that’s being made here
Could you go through the process for graphql queries please?
In nest guards should pretty much work the same I think regardless if you’re using rest or graphql. Only thing different is your guard logic will need to create/work with the graphql context
thank you sir great video ,
can you please also explain how to verify loggedin user woth context, it shows me Undefined
That’s more of an authentication topic, I have some videos about it in the channel if you’re interested
@@mariusespejo can u please specify which video .........
it would be a great help
The APP_GUARD runs before the JwtGuard (when authentication is set up). Thus the user is simply not available in the request at that time, what to do in that scenario.
Were you able to figure this out?
Guard execution starts with global guards, then proceeds to controller guards, and finally to route guards.
Just adjust in the order that you need.
@mariusespejo thank you. I am done with the implementation. Just adjust the guards in the order you want them to be. If you want the jwt guard first then don't add the roleguard globally
please I do get the link to Jwt Session video? thanks
NestJS Authentication: JWTs, Sessions, logins, and more! | NestJS PassportJS Tutorial
czcams.com/video/_L225zpUK0M/video.html
Can you give me a link of your background, thank you!
can you please let me know you customize your terminal?
Nowadays I mostly use oh-my-zsh and some basic plugins for autocompletion and syntax highlighting. Not really much more to it than that
T
hank you, can you tell me how to make exception filter prisma js for nestjs
Exception filters are fairly well documented in the next docs, custom ones simply require catching a specific error either directly from prisma or one that your throw yourself
i actually need assistance on a logic please.
i am working on a project that has five different users [hospital, pharmacy, laboratory, patients and a bot] and i am not building them as a microservice. each of them have their own tables in the same db , with ofcus different dtos. now i need help on how to implement the logic of authenticating all the different users using just one Jwt Authentication Service. i am developing this project with nestjs typescript. please i need help on howto craft out that logic
If you check my channel i do have videos on how to do authentication with jwt in nest. I imagine authentication for any of your users should be mostly the same, what likely would differ is their authorization which is what this video covers. If that doesn’t help I suggest asking in stackoverflow
wp gg
Really offtopic question, but what is the origin of your first name? 😁
My parents picked it hahaha if you’re asking actual origins I know that it sort of started as a Roman name in ancient history lol
Hey @Marius, awesome content so far!
How would you go about building a NestJS backend based on Clean Code Architecture? Nest already has dependency injection and separation of concerns, but I like some of the ideas and points made in this video: czcams.com/video/CnailTcJV_U/video.html
Could you build something similar to this using Nest and TS? It would be really interesting to see how you approach it.
I would suggest watching the nestjs crash course on my channel. Technically Nest.js is already providing you with an architecture out of the box, it’s not exactly the same as the one outlined in that video but the core principles are the same, e.g. you’ll notice Nest documents and recommends a clear separation between controllers, services (this is probably closest to “use cases” in that video’s diagram) for business logic, and data repository/model (close to entities in that diagram) for data access/manipulation logic. Although you definitely can customize things a bit and make it look exactly like in that video (e.g. perhaps labeling things as use cases instead of services), however that seems counterproductive to me when Nest is already designed to give you a predefined architecture that’s already out of the box close to what you’re looking for and is solving the same exact problem
Thumbnail 😂😅
🤣
Thanks