Day Implementing JWT Authentication in NestJS with Passport (Part 1)
Jan 01, 2025 am 10:25 AM
First steps
nest g resource auth
This will further ask you for a selection
? REST API
GraphQL (code first)
GraphQL (schema first)
Microservice (non-HTTP)
WebSockets
select REST API and this will generate the whole module for you with the dtos services controller and module
Register User
since we are implementing email/password-based authentication as the first step we will register the user.
- Validate first to make sure the data is legitimate and add password strength validation to mitigate brute force attacks.
- Sanitize afterward to ensure the data is safe to use.
- Check that the user record already exists in the database if exists it means the user already has an account so send a response that's this email already registered.
- if the above checks failed it means we need to register a user take the user password and hash it with a good hashing library like bcrypt or argon2
- after hashing insert user record in DB.
- send an email to the user to verify is email legitimate.
- add rate-limiting to route to avoid DDoS attacks
1 Validate incoming data
Since nest js has strong integration with recommended validation packages like class validator but from my previous experience I use zod for validation lot in react js front ends and so I found an awesome
solution for nest js ecosystem called nests zod so I'll prefer to go with this one for now. To get started first install the library
npm i nestjs-zod
import { createZodDto } from 'nestjs-zod';
import { z } from 'zod';
const passwordStrengthRegex =
/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/;
const registerUserSchema = z
.object({
email: z.string().email(),
password: z
.string()
.min(8)
.regex(
passwordStrengthRegex,
'Password must contain at least one uppercase letter, one lowercase letter, one number, and one special character',
),
confirmPassword: z.string().min(8),
})
.refine((data) => data.password === data.confirmPassword, {
message: 'Passwords do not match',
});
export class RegisterUserDto extends createZodDto(registerUserSchema) {}
and then apply validation pipe on the route
import { Controller, Post, Body, Version, UsePipes } from '@nestjs/common';
import { AuthService } from './auth.service';
import { RegisterUserDto } from './dto/register.dto';
import { ZodValidationPipe } from 'nestjs-zod';
@Controller('auth')
export class AuthController {
constructor(private readonly authService: AuthService) {}
@Version('1')
@Post()
@UsePipes(ZodValidationPipe)
async registerUser(@Body() registerUserDto: RegisterUserDto) {
return await this.authService.registerUser(registerUserDto);
}
}
if we provide all inputs correct
so we are done with the first step
Let's Sanitize Data
we have three inputs
- password: typically passwords should not be Sanitize because they are never gonna sent and displayed to frontend even if someone sends a malicious script to the password eventually it'll be hashed do not need
- confirmPassword: same story as above one
- email: yes emails are sent and rendered to clients so the email field must be Sanitize to mitigate injections and scripting attacks
but we explicitly added email: z.string().email() which is enough for this use case
but to add an extra lyre of security we can add a sanitization layer
import { createZodDto } from 'nestjs-zod';
import { z } from 'zod';
import * as xss from 'xss';
const passwordStrengthRegex =
/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/;
const registerUserSchema = z
.object({
email: z.string().transform((input) => xss.filterXSS(input)), // Sanitizing input using xss
password: z
.string()
.min(8)
.regex(
passwordStrengthRegex,
'Password must contain at least one uppercase letter, one lowercase letter, one number, and one special character',
),
confirmPassword: z.string().min(8),
})
.refine((data) => data.password === data.confirmPassword, {
message: 'Passwords do not match',
});
export class RegisterUserDto extends createZodDto(registerUserSchema) {}
This was a test we also added again back
email: z
.string()
.email()
Step3,4,5
import { createZodDto } from 'nestjs-zod';
import { z } from 'zod';
const passwordStrengthRegex =
/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/;
const registerUserSchema = z
.object({
email: z.string().email(),
password: z
.string()
.min(8)
.regex(
passwordStrengthRegex,
'Password must contain at least one uppercase letter, one lowercase letter, one number, and one special character',
),
confirmPassword: z.string().min(8),
})
.refine((data) => data.password === data.confirmPassword, {
message: 'Passwords do not match',
});
export class RegisterUserDto extends createZodDto(registerUserSchema) {}
The main point to notice I just returned a success message with no data related
to the user like ID or email because it does not need to send back data to the user in this step. after registration user will be redirected to the login page to fill in details so avoiding sending unnecessary data is a good security practice
Rate limiting
implementing rate limiting in nestjs is very easy just install nestjs/throttler configure it globally and you're done .
to install package run npm i --save @nestjs/throttler
import { Controller, Post, Body, Version, UsePipes } from '@nestjs/common';
import { AuthService } from './auth.service';
import { RegisterUserDto } from './dto/register.dto';
import { ZodValidationPipe } from 'nestjs-zod';
@Controller('auth')
export class AuthController {
constructor(private readonly authService: AuthService) {}
@Version('1')
@Post()
@UsePipes(ZodValidationPipe)
async registerUser(@Body() registerUserDto: RegisterUserDto) {
return await this.authService.registerUser(registerUserDto);
}
}
then add nestjs throttle guard as global guard
import { createZodDto } from 'nestjs-zod';
import { z } from 'zod';
import * as xss from 'xss';
const passwordStrengthRegex =
/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$/;
const registerUserSchema = z
.object({
email: z.string().transform((input) => xss.filterXSS(input)), // Sanitizing input using xss
password: z
.string()
.min(8)
.regex(
passwordStrengthRegex,
'Password must contain at least one uppercase letter, one lowercase letter, one number, and one special character',
),
confirmPassword: z.string().min(8),
})
.refine((data) => data.password === data.confirmPassword, {
message: 'Passwords do not match',
});
export class RegisterUserDto extends createZodDto(registerUserSchema) {}
and here it is
import {
BadRequestException,
Injectable,
InternalServerErrorException,
} from '@nestjs/common';
import { RegisterUserDto } from './dto/register.dto';
import { PrismaService } from 'src/prismaModule/prisma.service';
import * as argon2 from 'argon2';
@Injectable()
export class AuthService {
constructor(private readonly prismaService: PrismaService) {}
async registerUser(registerUserDto: RegisterUserDto) {
// data is validate and sanitized by the registerUserDto
const { email, password } = registerUserDto;
try {
// check if user already exists
const user = await this.prismaService.user.findFirst({
where: {
email,
},
});
if (user) {
throw new BadRequestException('user already eists ');
}
//if use not exists lets hash user password
const hashedPassword = await argon2.hash(registerUserDto.password);
// time to create user
const userData = await this.prismaService.user.create({
data: {
email,
password: hashedPassword,
},
});
if (!userData) {
throw new InternalServerErrorException(
'some thing went wrong while registring user',
);
}
// if user is created successfully then send email to user for email varification
return {
success: true,
message: 'user created successfully',
};
} catch (error) {
throw error;
}
}
}
since registering the user endpoint is a sensitive endpoint brute-force
or dictionary attack can happen we kept the rate limit strict
Send Verification Email
for sending a verification email to a user's use Resend is an awesome easy-to-use service. but I decided to create a separate episode for the whole notification service so that understanding it becomes easier for everyone
The above is the detailed content of Day Implementing JWT Authentication in NestJS with Passport (Part 1). For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
How does garbage collection work in JavaScript?
Jul 04, 2025 am 12:42 AM
JavaScript's garbage collection mechanism automatically manages memory through a tag-clearing algorithm to reduce the risk of memory leakage. The engine traverses and marks the active object from the root object, and unmarked is treated as garbage and cleared. For example, when the object is no longer referenced (such as setting the variable to null), it will be released in the next round of recycling. Common causes of memory leaks include: ① Uncleared timers or event listeners; ② References to external variables in closures; ③ Global variables continue to hold a large amount of data. The V8 engine optimizes recycling efficiency through strategies such as generational recycling, incremental marking, parallel/concurrent recycling, and reduces the main thread blocking time. During development, unnecessary global references should be avoided and object associations should be promptly decorated to improve performance and stability.
How to make an HTTP request in Node.js?
Jul 13, 2025 am 02:18 AM
There are three common ways to initiate HTTP requests in Node.js: use built-in modules, axios, and node-fetch. 1. Use the built-in http/https module without dependencies, which is suitable for basic scenarios, but requires manual processing of data stitching and error monitoring, such as using https.get() to obtain data or send POST requests through .write(); 2.axios is a third-party library based on Promise. It has concise syntax and powerful functions, supports async/await, automatic JSON conversion, interceptor, etc. It is recommended to simplify asynchronous request operations; 3.node-fetch provides a style similar to browser fetch, based on Promise and simple syntax
JavaScript Data Types: Primitive vs Reference
Jul 13, 2025 am 02:43 AM
JavaScript data types are divided into primitive types and reference types. Primitive types include string, number, boolean, null, undefined, and symbol. The values are immutable and copies are copied when assigning values, so they do not affect each other; reference types such as objects, arrays and functions store memory addresses, and variables pointing to the same object will affect each other. Typeof and instanceof can be used to determine types, but pay attention to the historical issues of typeofnull. Understanding these two types of differences can help write more stable and reliable code.
React vs Angular vs Vue: which js framework is best?
Jul 05, 2025 am 02:24 AM
Which JavaScript framework is the best choice? The answer is to choose the most suitable one according to your needs. 1.React is flexible and free, suitable for medium and large projects that require high customization and team architecture capabilities; 2. Angular provides complete solutions, suitable for enterprise-level applications and long-term maintenance; 3. Vue is easy to use, suitable for small and medium-sized projects or rapid development. In addition, whether there is an existing technology stack, team size, project life cycle and whether SSR is needed are also important factors in choosing a framework. In short, there is no absolutely the best framework, the best choice is the one that suits your needs.
JavaScript time object, someone builds an eactexe, faster website on Google Chrome, etc.
Jul 08, 2025 pm 02:27 PM
Hello, JavaScript developers! Welcome to this week's JavaScript news! This week we will focus on: Oracle's trademark dispute with Deno, new JavaScript time objects are supported by browsers, Google Chrome updates, and some powerful developer tools. Let's get started! Oracle's trademark dispute with Deno Oracle's attempt to register a "JavaScript" trademark has caused controversy. Ryan Dahl, the creator of Node.js and Deno, has filed a petition to cancel the trademark, and he believes that JavaScript is an open standard and should not be used by Oracle
Understanding Immediately Invoked Function Expressions (IIFE) in JavaScript
Jul 04, 2025 am 02:42 AM
IIFE (ImmediatelyInvokedFunctionExpression) is a function expression executed immediately after definition, used to isolate variables and avoid contaminating global scope. It is called by wrapping the function in parentheses to make it an expression and a pair of brackets immediately followed by it, such as (function(){/code/})();. Its core uses include: 1. Avoid variable conflicts and prevent duplication of naming between multiple scripts; 2. Create a private scope to make the internal variables invisible; 3. Modular code to facilitate initialization without exposing too many variables. Common writing methods include versions passed with parameters and versions of ES6 arrow function, but note that expressions and ties must be used.
Handling Promises: Chaining, Error Handling, and Promise Combinators in JavaScript
Jul 08, 2025 am 02:40 AM
Promise is the core mechanism for handling asynchronous operations in JavaScript. Understanding chain calls, error handling and combiners is the key to mastering their applications. 1. The chain call returns a new Promise through .then() to realize asynchronous process concatenation. Each .then() receives the previous result and can return a value or a Promise; 2. Error handling should use .catch() to catch exceptions to avoid silent failures, and can return the default value in catch to continue the process; 3. Combinators such as Promise.all() (successfully successful only after all success), Promise.race() (the first completion is returned) and Promise.allSettled() (waiting for all completions)
What is the cache API and how is it used with Service Workers?
Jul 08, 2025 am 02:43 AM
CacheAPI is a tool provided by the browser to cache network requests, which is often used in conjunction with ServiceWorker to improve website performance and offline experience. 1. It allows developers to manually store resources such as scripts, style sheets, pictures, etc.; 2. It can match cache responses according to requests; 3. It supports deleting specific caches or clearing the entire cache; 4. It can implement cache priority or network priority strategies through ServiceWorker listening to fetch events; 5. It is often used for offline support, speed up repeated access speed, preloading key resources and background update content; 6. When using it, you need to pay attention to cache version control, storage restrictions and the difference from HTTP caching mechanism.
