Source from repo

NestJS Best Practices

40 prioritized NestJS best practices across architecture, DI, security, performance, testing, and microservices.

kadajettGitHub kadajettSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

349.2 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

rules/security-use-guards.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown136 linesFree

rules/security-use-guards.md

1---
2title: Use Guards for Authentication and Authorization
3impact: HIGH
4impactDescription: Enforces access control before handlers execute
5tags: security, guards, authentication, authorization
6---
7 
8## Use Guards for Authentication and Authorization
9 
10Guards determine whether a request should be handled based on authentication state, roles, permissions, or other conditions. They run after middleware but before pipes and interceptors, making them ideal for access control. Use guards instead of manual checks in controllers.
11 
12**Incorrect (manual auth checks in every handler):**
13 
14```typescript
15// Manual auth checks in every handler
16@Controller('admin')
17export class AdminController {
18  @Get('users')
19  async getUsers(@Request() req) {
20    if (!req.user) {
21      throw new UnauthorizedException();
22    }
23    if (!req.user.roles.includes('admin')) {
24      throw new ForbiddenException();
25    }
26    return this.adminService.getUsers();
27  }
28 
29  @Delete('users/:id')
30  async deleteUser(@Request() req, @Param('id') id: string) {
31    if (!req.user) {
32      throw new UnauthorizedException();
33    }
34    if (!req.user.roles.includes('admin')) {
35      throw new ForbiddenException();
36    }
37    return this.adminService.deleteUser(id);
38  }
39}
40```
41 
42**Correct (guards with declarative decorators):**
43 
44```typescript
45// JWT Auth Guard
46@Injectable()
47export class JwtAuthGuard implements CanActivate {
48  constructor(
49    private jwtService: JwtService,
50    private reflector: Reflector,
51  ) {}
52 
53  async canActivate(context: ExecutionContext): Promise<boolean> {
54    // Check for @Public() decorator
55    const isPublic = this.reflector.getAllAndOverride<boolean>('isPublic', [
56      context.getHandler(),
57      context.getClass(),
58    ]);
59    if (isPublic) return true;
60 
61    const request = context.switchToHttp().getRequest();
62    const token = this.extractToken(request);
63 
64    if (!token) {
65      throw new UnauthorizedException('No token provided');
66    }
67 
68    try {
69      request.user = await this.jwtService.verifyAsync(token);
70      return true;
71    } catch {
72      throw new UnauthorizedException('Invalid token');
73    }
74  }
75 
76  private extractToken(request: Request): string | undefined {
77    const [type, token] = request.headers.authorization?.split(' ') ?? [];
78    return type === 'Bearer' ? token : undefined;
79  }
80}
81 
82// Roles Guard
83@Injectable()
84export class RolesGuard implements CanActivate {
85  constructor(private reflector: Reflector) {}
86 
87  canActivate(context: ExecutionContext): boolean {
88    const requiredRoles = this.reflector.getAllAndOverride<Role[]>('roles', [
89      context.getHandler(),
90      context.getClass(),
91    ]);
92 
93    if (!requiredRoles) return true;
94 
95    const { user } = context.switchToHttp().getRequest();
96    return requiredRoles.some((role) => user.roles?.includes(role));
97  }
98}
99 
100// Decorators
101export const Public = () => SetMetadata('isPublic', true);
102export const Roles = (...roles: Role[]) => SetMetadata('roles', roles);
103 
104// Register guards globally
105@Module({
106  providers: [
107    { provide: APP_GUARD, useClass: JwtAuthGuard },
108    { provide: APP_GUARD, useClass: RolesGuard },
109  ],
110})
111export class AppModule {}
112 
113// Clean controller
114@Controller('admin')
115@Roles(Role.Admin) // Applied to all routes
116export class AdminController {
117  @Get('users')
118  getUsers(): Promise<User[]> {
119    return this.adminService.getUsers();
120  }
121 
122  @Delete('users/:id')
123  deleteUser(@Param('id') id: string): Promise<void> {
124    return this.adminService.deleteUser(id);
125  }
126 
127  @Public() // Override: no auth required
128  @Get('health')
129  health() {
130    return { status: 'ok' };
131  }
132}
133```
134 
135Reference: [NestJS Guards](https://docs.nestjs.com/guards)
136

Marketplace

Source from repo

NestJS Best Practices

40 prioritized NestJS best practices across architecture, DI, security, performance, testing, and microservices.

kadajettGitHub kadajettSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

349.2 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

rules/security-use-guards.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown136 linesFree

rules/security-use-guards.md

1---
2title: Use Guards for Authentication and Authorization
3impact: HIGH
4impactDescription: Enforces access control before handlers execute
5tags: security, guards, authentication, authorization
6---
7 
8## Use Guards for Authentication and Authorization
9 
10Guards determine whether a request should be handled based on authentication state, roles, permissions, or other conditions. They run after middleware but before pipes and interceptors, making them ideal for access control. Use guards instead of manual checks in controllers.
11 
12**Incorrect (manual auth checks in every handler):**
13 
14```typescript
15// Manual auth checks in every handler
16@Controller('admin')
17export class AdminController {
18  @Get('users')
19  async getUsers(@Request() req) {
20    if (!req.user) {
21      throw new UnauthorizedException();
22    }
23    if (!req.user.roles.includes('admin')) {
24      throw new ForbiddenException();
25    }
26    return this.adminService.getUsers();
27  }
28 
29  @Delete('users/:id')
30  async deleteUser(@Request() req, @Param('id') id: string) {
31    if (!req.user) {
32      throw new UnauthorizedException();
33    }
34    if (!req.user.roles.includes('admin')) {
35      throw new ForbiddenException();
36    }
37    return this.adminService.deleteUser(id);
38  }
39}
40```
41 
42**Correct (guards with declarative decorators):**
43 
44```typescript
45// JWT Auth Guard
46@Injectable()
47export class JwtAuthGuard implements CanActivate {
48  constructor(
49    private jwtService: JwtService,
50    private reflector: Reflector,
51  ) {}
52 
53  async canActivate(context: ExecutionContext): Promise<boolean> {
54    // Check for @Public() decorator
55    const isPublic = this.reflector.getAllAndOverride<boolean>('isPublic', [
56      context.getHandler(),
57      context.getClass(),
58    ]);
59    if (isPublic) return true;
60 
61    const request = context.switchToHttp().getRequest();
62    const token = this.extractToken(request);
63 
64    if (!token) {
65      throw new UnauthorizedException('No token provided');
66    }
67 
68    try {
69      request.user = await this.jwtService.verifyAsync(token);
70      return true;
71    } catch {
72      throw new UnauthorizedException('Invalid token');
73    }
74  }
75 
76  private extractToken(request: Request): string | undefined {
77    const [type, token] = request.headers.authorization?.split(' ') ?? [];
78    return type === 'Bearer' ? token : undefined;
79  }
80}
81 
82// Roles Guard
83@Injectable()
84export class RolesGuard implements CanActivate {
85  constructor(private reflector: Reflector) {}
86 
87  canActivate(context: ExecutionContext): boolean {
88    const requiredRoles = this.reflector.getAllAndOverride<Role[]>('roles', [
89      context.getHandler(),
90      context.getClass(),
91    ]);
92 
93    if (!requiredRoles) return true;
94 
95    const { user } = context.switchToHttp().getRequest();
96    return requiredRoles.some((role) => user.roles?.includes(role));
97  }
98}
99 
100// Decorators
101export const Public = () => SetMetadata('isPublic', true);
102export const Roles = (...roles: Role[]) => SetMetadata('roles', roles);
103 
104// Register guards globally
105@Module({
106  providers: [
107    { provide: APP_GUARD, useClass: JwtAuthGuard },
108    { provide: APP_GUARD, useClass: RolesGuard },
109  ],
110})
111export class AppModule {}
112 
113// Clean controller
114@Controller('admin')
115@Roles(Role.Admin) // Applied to all routes
116export class AdminController {
117  @Get('users')
118  getUsers(): Promise<User[]> {
119    return this.adminService.getUsers();
120  }
121 
122  @Delete('users/:id')
123  deleteUser(@Param('id') id: string): Promise<void> {
124    return this.adminService.deleteUser(id);
125  }
126 
127  @Public() // Override: no auth required
128  @Get('health')
129  health() {
130    return { status: 'ok' };
131  }
132}
133```
134 
135Reference: [NestJS Guards](https://docs.nestjs.com/guards)
136

NestJS Best Practices

rules/security-use-guards.md

Preparing the source view

NestJS Best Practices

rules/security-use-guards.md