Source from repo

NestJS Best Practices

40 prioritized NestJS best practices across architecture, DI, security, performance, testing, and microservices.

kadajettGitHub kadajettSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

349.2 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

rules/security-auth-jwt.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown147 linesFree

rules/security-auth-jwt.md

1---
2title: Implement Secure JWT Authentication
3impact: CRITICAL
4impactDescription: Essential for secure APIs
5tags: security, jwt, authentication, tokens
6---
7 
8## Implement Secure JWT Authentication
9 
10Use `@nestjs/jwt` with `@nestjs/passport` for authentication. Store secrets securely, use appropriate token lifetimes, implement refresh tokens, and validate tokens properly. Never expose sensitive data in JWT payloads.
11 
12**Incorrect (insecure JWT implementation):**
13 
14```typescript
15// Hardcode secrets
16@Module({
17  imports: [
18    JwtModule.register({
19      secret: 'my-secret-key', // Exposed in code
20      signOptions: { expiresIn: '7d' }, // Too long
21    }),
22  ],
23})
24export class AuthModule {}
25 
26// Store sensitive data in JWT
27async login(user: User): Promise<{ accessToken: string }> {
28  const payload = {
29    sub: user.id,
30    email: user.email,
31    password: user.password, // NEVER include password!
32    ssn: user.ssn, // NEVER include sensitive data!
33    isAdmin: user.isAdmin, // Can be tampered if not verified
34  };
35  return { accessToken: this.jwtService.sign(payload) };
36}
37 
38// Skip token validation
39@Injectable()
40export class JwtStrategy extends PassportStrategy(Strategy) {
41  constructor() {
42    super({
43      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
44      secretOrKey: 'my-secret',
45    });
46  }
47 
48  async validate(payload: any): Promise<any> {
49    return payload; // No validation of user existence
50  }
51}
52```
53 
54**Correct (secure JWT with refresh tokens):**
55 
56```typescript
57// Secure JWT configuration
58@Module({
59  imports: [
60    JwtModule.registerAsync({
61      imports: [ConfigModule],
62      inject: [ConfigService],
63      useFactory: (config: ConfigService) => ({
64        secret: config.get<string>('JWT_SECRET'),
65        signOptions: {
66          expiresIn: '15m', // Short-lived access tokens
67          issuer: config.get<string>('JWT_ISSUER'),
68          audience: config.get<string>('JWT_AUDIENCE'),
69        },
70      }),
71    }),
72    PassportModule.register({ defaultStrategy: 'jwt' }),
73  ],
74})
75export class AuthModule {}
76 
77// Minimal JWT payload
78@Injectable()
79export class AuthService {
80  async login(user: User): Promise<TokenResponse> {
81    // Only include necessary, non-sensitive data
82    const payload: JwtPayload = {
83      sub: user.id,
84      email: user.email,
85      roles: user.roles,
86      iat: Math.floor(Date.now() / 1000),
87    };
88 
89    const accessToken = this.jwtService.sign(payload);
90    const refreshToken = await this.createRefreshToken(user.id);
91 
92    return { accessToken, refreshToken, expiresIn: 900 };
93  }
94 
95  private async createRefreshToken(userId: string): Promise<string> {
96    const token = randomBytes(32).toString('hex');
97    const hashedToken = await bcrypt.hash(token, 10);
98 
99    await this.refreshTokenRepo.save({
100      userId,
101      token: hashedToken,
102      expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // 7 days
103    });
104 
105    return token;
106  }
107}
108 
109// Proper JWT strategy with validation
110@Injectable()
111export class JwtStrategy extends PassportStrategy(Strategy) {
112  constructor(
113    private config: ConfigService,
114    private usersService: UsersService,
115  ) {
116    super({
117      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
118      secretOrKey: config.get<string>('JWT_SECRET'),
119      ignoreExpiration: false,
120      issuer: config.get<string>('JWT_ISSUER'),
121      audience: config.get<string>('JWT_AUDIENCE'),
122    });
123  }
124 
125  async validate(payload: JwtPayload): Promise<User> {
126    // Verify user still exists and is active
127    const user = await this.usersService.findById(payload.sub);
128 
129    if (!user || !user.isActive) {
130      throw new UnauthorizedException('User not found or inactive');
131    }
132 
133    // Verify token wasn't issued before password change
134    if (user.passwordChangedAt) {
135      const tokenIssuedAt = new Date(payload.iat * 1000);
136      if (tokenIssuedAt < user.passwordChangedAt) {
137        throw new UnauthorizedException('Token invalidated by password change');
138      }
139    }
140 
141    return user;
142  }
143}
144```
145 
146Reference: [NestJS Authentication](https://docs.nestjs.com/security/authentication)
147

Marketplace

Source from repo

NestJS Best Practices

40 prioritized NestJS best practices across architecture, DI, security, performance, testing, and microservices.

kadajettGitHub kadajettSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

349.2 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

rules/security-auth-jwt.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown147 linesFree

rules/security-auth-jwt.md

1---
2title: Implement Secure JWT Authentication
3impact: CRITICAL
4impactDescription: Essential for secure APIs
5tags: security, jwt, authentication, tokens
6---
7 
8## Implement Secure JWT Authentication
9 
10Use `@nestjs/jwt` with `@nestjs/passport` for authentication. Store secrets securely, use appropriate token lifetimes, implement refresh tokens, and validate tokens properly. Never expose sensitive data in JWT payloads.
11 
12**Incorrect (insecure JWT implementation):**
13 
14```typescript
15// Hardcode secrets
16@Module({
17  imports: [
18    JwtModule.register({
19      secret: 'my-secret-key', // Exposed in code
20      signOptions: { expiresIn: '7d' }, // Too long
21    }),
22  ],
23})
24export class AuthModule {}
25 
26// Store sensitive data in JWT
27async login(user: User): Promise<{ accessToken: string }> {
28  const payload = {
29    sub: user.id,
30    email: user.email,
31    password: user.password, // NEVER include password!
32    ssn: user.ssn, // NEVER include sensitive data!
33    isAdmin: user.isAdmin, // Can be tampered if not verified
34  };
35  return { accessToken: this.jwtService.sign(payload) };
36}
37 
38// Skip token validation
39@Injectable()
40export class JwtStrategy extends PassportStrategy(Strategy) {
41  constructor() {
42    super({
43      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
44      secretOrKey: 'my-secret',
45    });
46  }
47 
48  async validate(payload: any): Promise<any> {
49    return payload; // No validation of user existence
50  }
51}
52```
53 
54**Correct (secure JWT with refresh tokens):**
55 
56```typescript
57// Secure JWT configuration
58@Module({
59  imports: [
60    JwtModule.registerAsync({
61      imports: [ConfigModule],
62      inject: [ConfigService],
63      useFactory: (config: ConfigService) => ({
64        secret: config.get<string>('JWT_SECRET'),
65        signOptions: {
66          expiresIn: '15m', // Short-lived access tokens
67          issuer: config.get<string>('JWT_ISSUER'),
68          audience: config.get<string>('JWT_AUDIENCE'),
69        },
70      }),
71    }),
72    PassportModule.register({ defaultStrategy: 'jwt' }),
73  ],
74})
75export class AuthModule {}
76 
77// Minimal JWT payload
78@Injectable()
79export class AuthService {
80  async login(user: User): Promise<TokenResponse> {
81    // Only include necessary, non-sensitive data
82    const payload: JwtPayload = {
83      sub: user.id,
84      email: user.email,
85      roles: user.roles,
86      iat: Math.floor(Date.now() / 1000),
87    };
88 
89    const accessToken = this.jwtService.sign(payload);
90    const refreshToken = await this.createRefreshToken(user.id);
91 
92    return { accessToken, refreshToken, expiresIn: 900 };
93  }
94 
95  private async createRefreshToken(userId: string): Promise<string> {
96    const token = randomBytes(32).toString('hex');
97    const hashedToken = await bcrypt.hash(token, 10);
98 
99    await this.refreshTokenRepo.save({
100      userId,
101      token: hashedToken,
102      expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // 7 days
103    });
104 
105    return token;
106  }
107}
108 
109// Proper JWT strategy with validation
110@Injectable()
111export class JwtStrategy extends PassportStrategy(Strategy) {
112  constructor(
113    private config: ConfigService,
114    private usersService: UsersService,
115  ) {
116    super({
117      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
118      secretOrKey: config.get<string>('JWT_SECRET'),
119      ignoreExpiration: false,
120      issuer: config.get<string>('JWT_ISSUER'),
121      audience: config.get<string>('JWT_AUDIENCE'),
122    });
123  }
124 
125  async validate(payload: JwtPayload): Promise<User> {
126    // Verify user still exists and is active
127    const user = await this.usersService.findById(payload.sub);
128 
129    if (!user || !user.isActive) {
130      throw new UnauthorizedException('User not found or inactive');
131    }
132 
133    // Verify token wasn't issued before password change
134    if (user.passwordChangedAt) {
135      const tokenIssuedAt = new Date(payload.iat * 1000);
136      if (tokenIssuedAt < user.passwordChangedAt) {
137        throw new UnauthorizedException('Token invalidated by password change');
138      }
139    }
140 
141    return user;
142  }
143}
144```
145 
146Reference: [NestJS Authentication](https://docs.nestjs.com/security/authentication)
147

NestJS Best Practices

rules/security-auth-jwt.md

Preparing the source view

NestJS Best Practices

rules/security-auth-jwt.md