Developing a Secure API with NestJS

Learn how to use NestJS, a Node.js framework powered by TypeScript, to build a secure API.

Read on :cat2:

Brought to you by @dan-auth0 :man_technologist:t2:

I’m loving TypeScript. NestJS made it much easier to integrate it within the context of NodeJS. Let me know what you think about this tutorial, please :pray: Loved it? Hated it?

@dan-auth0 This seems like a great tutorial! I’ve been meaning to try NestJS for quite some time now, and this article looks like a very good entry point.

There’s one thing I don’t understand though, and that is the need to create the @Permissions decorator.
In the final example, you use it like this:

@UseGuards(AuthGuard('jwt'), PermissionsGuard)
@Post()
@Permissions('create:items')
create(@Body('item') item: Item) {
  this.itemsService.create(item);
}

But I really don’t see the added value of the @Permissions (other than the fact that I like decorators :sweat_smile:). Is there any particular reason why you didn’t pass the permissions to PermissionsGuard through an argument like it’s done for the AuthGuard?

@UseGuards(AuthGuard('jwt'), PermissionsGuard('create:items'))
@Post()
create(@Body('item') item: Item) {
  this.itemsService.create(item);
}

That would avoid the creation of a new decorator. Did I miss something?

But I really like the syntax simplicity of the @Permission decorator :smiley:
Wouldn’t it be possible instead to declare the PermissionGuard to be used globally for all methods (since it doesn’t prevent access to methods without attached permissions anyway)?
This way, we wouldn’t have to add the guard to methods that do have the @Permission decorator, like this:

@UseGuards(AuthGuard('jwt'))
@Post()
@Permissions('create:items')
create(@Body('item') item: Item) {
  this.itemsService.create(item);
}

Anyway, kudos again for this tutorial. I’ll surely do more than just read it sometime :+1:

Thank you for reading and for your feedback :slight_smile:

To address your question:

Is there any particular reason why you didn’t pass the permissions to PermissionsGuard through an argument like it’s done for the AuthGuard?

It’s for educational purposes as to how to create a custom decorator. Both methods would work well. I do prefer the @Permissions() decorator as it reads so cleanly but also could be used by something different than the guard, perhaps :thinking:
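
The three variants discussed in this thread, as an added example that is not part of the tutorial or of any post above: a dependency-free TypeScript model (not NestJS code) of the metadata-reading guard, the argument-style guard, and the global-guard idea. It assumes NestJS's documented ordering, where global guards run before route-level guards; the token table and the names `hasAll`, `permissionsGuardFor`, `canActivate` and `scenarios` are hypothetical.

```typescript
// Dependency-free model of the guard chain discussed above; not NestJS code.
interface Req { token: string | undefined; user?: { permissions: string[] } }
type Guard = (req: Req, route: Route) => boolean;
interface Route { required?: string[]; guards: Guard[] } // `required` models @Permissions() metadata

// Constructed sample data standing in for validated JWT claims.
const TOKENS: Record<string, string[]> = { "tok-editor": ["create:items"], "tok-reader": ["read:items"] };

// Models AuthGuard('jwt'): rejects unknown tokens, otherwise populates req.user.
const jwtGuard: Guard = (req) => {
  const perms = req.token ? TOKENS[req.token] : undefined;
  if (!perms) return false;
  req.user = { permissions: perms };
  return true;
};

const hasAll = (req: Req, required: string[]): boolean => {
  const granted = req.user ? req.user.permissions : [];
  return required.every((p) => granted.indexOf(p) !== -1);
};

// Decorator style: reads route metadata; a route with no metadata is allowed through.
const permissionsGuard: Guard = (req, route) =>
  route.required ? hasAll(req, route.required) : true;

// Argument style: the required permissions are bound when the guard is created.
const permissionsGuardFor = (...required: string[]): Guard => (req) => hasAll(req, required);

// Global guards run before route-level guards; the first refusal stops the chain.
function canActivate(globals: Guard[], route: Route, token?: string): boolean {
  const req: Req = { token };
  return globals.concat(route.guards).every((g) => g(req, route));
}

function scenarios() {
  const need = ["create:items"];
  const decorated: Route = { required: need, guards: [jwtGuard, permissionsGuard] };
  const withArg: Route = { guards: [jwtGuard, permissionsGuardFor("create:items")] };
  const jwtOnRoute: Route = { required: need, guards: [jwtGuard] };
  const noRouteGuards: Route = { required: need, guards: [] };
  return {
    decoratedEditor: canActivate([], decorated, "tok-editor"), // true
    decoratedReader: canActivate([], decorated, "tok-reader"), // false
    withArgReader: canActivate([], withArg, "tok-reader"), // false
    globalBeforeJwt: canActivate([permissionsGuard], jwtOnRoute, "tok-editor"), // false: req.user not set yet
    bothGlobal: canActivate([jwtGuard, permissionsGuard], noRouteGuards, "tok-editor"), // true
    undecoratedAnonymous: canActivate([permissionsGuard], { guards: [] }), // true: nothing is checked
  };
}
```

In this model the global permissions guard only works when the authentication guard is also global and registered ahead of it, and a handler without permission metadata passes the permissions check unauthenticated unless authentication is applied to it separately.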