By Syed Rizwan

securing-apis-with-oauth2-and-jwt-in-a-nestjs-application.html

Securing APIs with OAuth2 and JWT in a NestJS Application

As the demand for secure and scalable applications rises, developers are increasingly adopting robust authentication and authorization protocols. Among the most popular methods are OAuth2 for authorization and JSON Web Tokens (JWT) for secure information exchange. This article will guide you through securing APIs in a NestJS application using OAuth2 and JWT, providing clear code examples and actionable insights.

Understanding OAuth2 and JWT

What is OAuth2?

OAuth2 is an authorization framework that allows third-party applications to obtain limited access to user accounts on an HTTP service. It enables applications to authenticate users without requiring them to share their passwords. Instead, OAuth2 uses access tokens, which represent the user's permission to access specific resources.

What is JWT?

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The token contains a JSON object that is encoded and signed. This allows the server to verify the token's integrity without needing to store session information on the server.

Use Cases

  • Web Applications: Secure APIs for client-server architectures.
  • Mobile Applications: Authenticate users and manage sessions effectively.
  • Third-Party Integrations: Allow secure access to APIs without exposing user credentials.

Setting Up Your NestJS Application

To get started, ensure you have NestJS installed. If you haven’t set it up yet, you can do so by running:

npm i -g @nestjs/cli
nest new my-nest-app
cd my-nest-app
npm install @nestjs/jwt @nestjs/passport passport passport-jwt

Step-by-Step Implementation

Step 1: Create the Authentication Module

In your NestJS application, create an authentication module:

nest g module auth
nest g service auth
nest g controller auth

Step 2: Configure JWT Strategy

In your auth.service.ts, implement the JWT strategy to handle user validation.

import { Injectable } from '@nestjs/common';
import { JwtService } from '@nestjs/jwt';

@Injectable()
export class AuthService {
  constructor(private jwtService: JwtService) {}

  async validateUser(username: string, password: string): Promise<any> {
    // Validate user credentials (e.g., check against a database)
    const user = { username }; // Replace with actual user lookup
    if (user && user.password === password) {
      return user;
    }
    return null;
  }

  async login(user: any) {
    const payload = { username: user.username, sub: user.userId };
    return {
      access_token: this.jwtService.sign(payload),
    };
  }
}

Step 3: Create JWT Strategy

Create a new file jwt.strategy.ts within the auth directory.

import { Injectable } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { ExtractJwt, Strategy } from 'passport-jwt';
import { AuthService } from './auth.service';

@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
  constructor(private authService: AuthService) {
    super({
      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
      secretOrKey: 'your_jwt_secret', // Replace with your secret key
    });
  }

  async validate(payload: any) {
    return { userId: payload.sub, username: payload.username };
  }
}

Step 4: Implement Authentication Controller

In your auth.controller.ts, set up the login endpoint.

import { Body, Controller, Post } from '@nestjs/common';
import { AuthService } from './auth.service';

@Controller('auth')
export class AuthController {
  constructor(private readonly authService: AuthService) {}

  @Post('login')
  async login(@Body() user: any) {
    return this.authService.login(user);
  }
}

Step 5: Protect Routes with Guards

To protect your routes, create an auth.guard.ts file in the auth directory.

import { Injectable } from '@nestjs/common';
import { AuthGuard } from '@nestjs/passport';

@Injectable()
export class JwtAuthGuard extends AuthGuard('jwt') {}

Now, you can apply the guard to any route that requires authentication:

import { Controller, Get, UseGuards } from '@nestjs/common';
import { JwtAuthGuard } from './auth.guard';

@Controller('protected')
export class ProtectedController {
  @UseGuards(JwtAuthGuard)
  @Get()
  getProtectedResource() {
    return { message: 'This is a protected resource' };
  }
}

Step 6: Set Up OAuth2 Flow (Optional)

For OAuth2 integration, you can leverage third-party providers like Google or GitHub. NestJS supports this through various Passport strategies, such as passport-google-oauth20. Install the required package:

npm install passport-google-oauth20

Step 7: Testing Your API

With your basic setup complete, you can now test your API using tools like Postman or Insomnia. Make POST requests to /auth/login with valid user credentials to receive a JWT. Use this token as a Bearer token in the Authorization header for accessing protected routes.

Troubleshooting Common Issues

  • Invalid Token Error: Ensure the token is being sent correctly and matches the expected format.
  • Authorization Errors: Double-check the secret key used in your JWT strategy. It must match the key used to sign the tokens.
  • User Validation Failures: Ensure your user validation logic is correctly implemented and that user data is being retrieved correctly.

Conclusion

Securing your APIs with OAuth2 and JWT in a NestJS application is a robust approach to managing user authentication and authorization. By following the steps outlined in this article, you can build a secure system that effectively protects your resources. Remember, security is an ongoing process, so stay updated with best practices and regularly review your implementation for potential vulnerabilities.

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.