NestJS: JWT- and Role based API Protection | Blog Project V-04

Captions
Hi and welcome to the next video of the series "Blog project with NestJS and Angular", video 4. In this video we will add a property role to our user, we will add a custom hasRoles annotation where we can just put in the role that the user needs to access this endpoint, and so we will add our JwtAuthGuard and a RolesGuard. At the end we will add a new protected endpoint for changing or switching the role of the user. The structure of this video is like the videos before: at first we have a look at the video outcome, then we write a user story for this, and at the end we implement the user story and close it. Please keep in mind that I'm doing this in my free time, so sometimes it's not as extensive as it could be.

This is what we are building. We have our AuthModule here, we make some custom decorators and some custom guards, and what they are doing is: you are calling this endpoint here, which we also added, where you update a role of the user, for example from user to editor or to admin. It is annotated with our admin role, and this first checks: is the user that's calling the endpoint having a valid JWT, one that is not expired, that is signed with our secret and that is not changed in any way. And then it is checking if the user that is calling is having this role that we specified here. So we are checking: is the user that's calling this endpoint having the admin role, and if yes, then everything is OK and it's executing, and if not, it's declined.

We can look at this in Postman also. "Protected role" is our update role of user. First we can get all users that we are having, and you see we are having four users here, and you can see that our user three is having the role user at the moment. So if you now update this role, we have to pass in here an Authorization Bearer token, and this authenticates us as this user here. But first we will remove this and send the request. We want to change our user three and give him the role editor, and if we send it now we will get Unauthorized, because we are not having our JWT attached. So if we pass this in and execute it again, now we have affected one, and you see that our user three, who was a user before, is now an editor. To execute this we need our JWT from the user that is having the admin role.

As always we start with a quick look at our story. So here we are, video 4, and we want to be able to protect some of our routes with a hasRole annotation. So: as a user, you will need a specific role to access this endpoint, and as a technical lead I want that we are able to protect endpoints with the custom hasRoles annotation. In there you can put a name, for example admin or user or editor, so all role names that we are adding, so we can protect endpoints that are only available for users with a valid JWT and the specific role. So if someone is calling the endpoint we are looking: is there a JWT, is it valid, and then we extract the user from it, and we are looking in the database: is the user actually having the role that is needed to access this endpoint? If yes, we execute the method, and if not, we deny it.

So the acceptance criteria: we should be able to use the hasRole annotation, we want to use the JwtAuthGuard and the RolesGuard, of course the user should have a property role, and we want to add a protected endpoint with the role admin, so hasRole admin, and it is a PUT where we update the user's role. We don't want this to be done in the normal update request where we use the PUT, it should be a protected one, admin only, because otherwise everyone would be able to update its own role, which would be basically useless. So only the admin is allowed to add or change roles of a normal user. And you can see here that in the next video we implement pagination for some endpoints, for the get-all-users endpoint. So now we start video 4 and we can move this to Doing.

As always we now want to switch to our new branch, this time video 4. But first I want to show you something: we have our README and there I added some things since the last video, so the repository is up to date. We have here that you need to add an .env file if you download the code so it's working, and you have to add your own database URL and your JWT secret, and I added the video where these things are explained, the database and the JWT secret, and here is a little example of the .env file. And at last we are having all the links to the published YouTube videos. If you want, because this is written in Markdown, you can have a preview with Ctrl+Shift+V and then you can see how it's supposed to look.

So now we can switch to our branch. We can do this with git flow: git flow feature start video4, and here you see we have created a new feature branch video4 based on develop, and if you want to finish it we can use this command later. So now we are on our new branch, you can verify this with git status, and we see we are here, and now we can clear the console and start.

Before we go into coding we can have a quick look at NestJS. I search in NestJS for "has role", and therefore we can use a guard. So if you see, we make a request, it's protected by a guard and it's only executed if it's passing the guard. So here it says, as mentioned, authorization is a great use case for guards because specific routes should be available only when the caller, usually a specific authenticated user, has sufficient permissions. The AuthGuard that we'll build now assumes an authenticated user, and that therefore a token is attached to the request headers. It will extract and validate the token, like I said before, and use the extracted information to determine whether the request can proceed or not. So we will extract the JWT and validate the token, and then use this information to find our user and check if he's having the role.

For this we will need to add here a new folder, we can name this decorator, and then we can add here our roles decorator, roles.decorator.ts. Here we can use something from NestJS: export const hasRoles, you can spread it and then use a string array, and this SetMetadata is coming from NestJS, and we want to set the roles here.

Now we want to add some guards, so we add a new folder we'll name guards, and we can read some of the documentation. So I'm here in Techniques, Authentication, and one of the first guards is very easy to implement, we can use the JWT AuthGuard. It is just listed here, so we can just copy this and paste it in and name this jwt-guard.ts, and just paste it in: import from @nestjs/common, and AuthGuard should be from @nestjs/passport. If you don't have the dependencies... I will not get into it here, hmm, the service should already be working. And the next thing that we need is the JWT strategy, so we can add a new file here, jwt-strategy.ts. You can just search for it here again, and this is what we will do: we want to extract the JWT from the request, so this method is just doing this for us. We don't want to ignore the expiration, so if the JWT is expired we don't want to authenticate the user, and here we insert our JWT secret from our .env, and this is what we want to return if the user is validated. So we can just copy the same, and we have to look at everything that we are doing here. So we don't have here a jwtConstants, but we need in our constructor our ConfigService, and then we can go here configService.get and go for JWT_SECRET; this is the same as we did here, configService.get('JWT_SECRET'). Let's see if it is compiling or not. And we don't need this here, but we can just add for example user, and then we name it user: payload. So basically we are attaching the extracted JWT, so the payload, to the request.

The next and last guard that we need is our RolesGuard, and this will be a little bit complicated. So we're now in our RolesGuard, and we can have a short look here. So they are adding here a RolesGuard implementing CanActivate, and there we have the Reflector, and you can see here it gets the roles from the context. So later we will have the annotation hasRoles and it gets out of there which role is needed to access it, and if there is nothing then we will just execute, but if there's a role we'll check if it matches with the role the user is having. So we have to expand this a bit, this is very basic, but we can add the service we will need of course, and we can import Injectable from @nestjs/common and CanActivate from @nestjs/common, that's a common one. Okay, so canActivate, so we have our Reflector, and I think we will also need our UserService because we want to search in our database for the user. And probably we are running into a loop, because the user module is using the auth module and now we are using the user module in the auth module, so we will have a circular dependency; we will have to solve this later, I think.

First we have to look at what we want to do here. The ExecutionContext is needed here, and then what we want to return: we want to return boolean, Promise<boolean> or probably an Observable, I think that's what we are going with, you can change this later too to what we are needing. So first we want to get our roles, so you remember we have this decorator, and we need to get this from our Reflector like here. So we have our roles, we get string[] roles from getHandler; this is basically the same as in the documentation. So with the Reflector we get the roles array here, and then we can say if there is nothing then we just return true, because if there's no role annotation on an endpoint then it can just pass this canActivate method. So now we switch, I will just copy it, and then we have to expand it a bit: we have request, we switchToHttp, and then we have our user, and then we have to look here where our user is, log the request, and we just return true. So this will work and we have to expand this later, but now we have to look at what we are actually doing here.

Now we can go into our user module and just annotate our controller with it to check that everything is working. So we can just annotate the get endpoint, we can say @hasRoles, and here we want to use our guards, this is the JwtAuthGuard and the RolesGuard. So now we also go to the AuthModule, and in the AuthModule, for this to work, we need to add our providers, our RolesGuard, our JwtAuthGuard and our JwtStrategy. Then we can just give it a run, npm run start, and I think we are running into some errors now. Yeah: Nest can't resolve dependencies of the RolesGuard (Reflector, ?), please make sure that the argument UserService at index [1] is available in the AuthModule context. Okay, so in the AuthModule of course we have to import now our UserModule, and I think we can't do this normally, so we can search on NestJS for forwardRef. I think it is "circular dependency", which is what we are getting here, and this is what you get when two classes depend on each other. So you saw our RolesGuard is using the UserService, so our auth module is needing the user module and the user module is using the auth module, so we are having a loop here. It can arise between modules and between providers. While circular dependencies should be avoided where possible, you can't always do so; in such cases Nest enables resolving circular dependencies between providers in two ways. We can use forwardRef, so we can just use this here, forwardRef from @nestjs/common, imported here, and now we can go forwardRef and then use our UserModule. Let's see what it is doing now. You can go again here, like before, we can say @Inject(forwardRef(...)) and here we can say forwardRef again like before and then just use the UserService as before. Now it's compiling, let's see what it's doing, if we are getting an error or not. I think we should get some... probably... yeah, so, no? Now you see it's compiling and doing everything.

Now we can start Postman. You saw we protected our endpoint get all, so we need the JWT to execute this now. So we have here get all users, now you'll see we are Unauthorized, so this is quite good, we get a 401 code which means we are unauthorized. And if we login now we get a new token, we can use this, and then we go to our get all users and we add the Bearer token and we send again, and then we get it. And now we should see here exactly, because what we are doing now is: we check do we have a valid JWT, and the next thing is it's going through our RolesGuard, and in the RolesGuard it extracts our admin here from the hasRoles, and then checks if the user has the role; since we have not implemented it correctly right now it just returns true. But now we can look, because I said here I want to console.log our request, so here we have the complete request, and here we have our user attached to it, and this is because in our JWT strategy we extracted the JWT and then we added the user property with our payload from our JWT to the request, so to the method, and so this is now in this request, and so we can just console.log the user, so we should just get the user. So we save it, oops, mistake, so we save it, it's compiling again, so it's working. If we send the request again... yeah, I think the JWT is not valid anymore because of the time that we set here, we set a hundred seconds; let's make it ten thousand seconds so we are not running into this issue. And we log in again and then we will get a new JWT which is valid for ten thousand seconds, and we will put it in here, and then we should get it again and we are not running into this issue the next minutes. And you see here we log out our user in our RolesGuard, and so now this is something that we can work with.

Now we have to think about what we want to do. We have our user, and this user is of course from our type User, make it a little bit clearer, and now we want to look into our database and get our user. So normally it is safe that the user in the JWT is the user that's in the database, but for example if the token has a very long expiry date or something, or it's not refreshed or whatever, then probably the user is already having a new role attached in the database, or a new name, and so I would always look it up in the database. So here we want to return this.userService.findOne, and there we can pass in our user ID that we get from our user object here, you see our id 2, and then we can pipe this and map the outcome, so we get a user back which is from type User. And what we want to do now is we want to look if he is having a role, and we can just name it hasRole and make a method out of it, and then we want our roles that we are adding here, so look if the role from our user is inside these roles that he is having. So we compare: our user hasRole admin, we will look up if admin is in the roles that we added here to our endpoint; so this admin is not only a Reflector, so here these are our roles, admin, and now we look it up if it contains it. If it contains it, it's valid, and if not then we will say the user has no permission to do this, and so we can just use indexOf(user.role) is bigger than minus one.

And so what it's saying now: the user is not having a role property right now, so this is something that we have to add. So now we'll expand it with role, this is also a string, and then we need our entity where we can say we have our column and it's named role, and this will be from type UserRole. So we don't have it right now, so we are just making an enum; later we can refactor all of this and write it into our database, but this is like taking a huge step and would be too much for this video. We name this admin, we will have an editor, editor for writing the blog content and blog entries, and we will have... how can we call it... chief editor, who can publish the blogs if they are finished by the editor, and we want to have the users, the users that are able to read a blog or to comment or to do something special. So that's all that we need, and now we have here role: it's from UserRole and we can expand this a little bit, so we are having the type, and the type is an enum, and the enum is from type UserRole, and we have a default role, so if there's nothing specified we will have UserRole.USER.

So now we will get some errors because it's not implemented everywhere right now, let me just clear it a bit, I'm not seeing everything. So now we are compiling: cannot cast... in the RolesGuard, nothing to worry about, you can remove this. So we have our user service, and it's in line 964 okay: type string is not assignable to type UserRole. Yeah, so this is my mistake, of course our model, entity or interface should also use UserRole, so if we set it properly this mistake is gone. And now we have to check our RolesGuard, and this is saying cannot find map, and we're going to import it from here, and now where we have to return, just say return true so the error is gone. Now we can see if it's compiling, yeah, so now it's working again, and so let me give you a little bit of explanation of what we did here. So now we have our role here for our user interface, and I think we can move this here, and then in our user entity we just have to import it. So this makes it a little bit clearer, but these still belong together, so every user will have a role and this is one of these roles. So the admin, I think, is later there to do everything that is allowed, so for example he can give other users roles or change roles like we said in our story, that we want to be able to change roles of users. Our chief editor is there for later, when we are having a blog section in, I think, part two, and then he is able to publish one blog entry, and the editor is able to write them, and the user can, like, I don't know, if you are logged in as a user you can read the blog entries and you can write a comment or something; we are doing this also.

And in our RolesGuard now we are having here our hasRole, and we can check if this is bigger than minus one. We can have a quick look here: indexOf JavaScript. I think I saw a better example around here, so we have banana, orange... probably we'll find a better example here. So it will return, here we have our string "Hello world, welcome to the universe", and then this string here, indexOf, we are searching for "welcome", so "welcome" will be here, and now it will return the number where the characters are coming: one, two, three, four, five, six, seven, eight, nine, ten, eleven, twelve, thirteen, so it's coming here. And when we search now for something that is not in there, it will return a negative, so minus one; so when we run it and try it we get minus one. So if it's bigger than minus one, then it is in there, you see. And so we can just say if it's bigger than minus one, and then we can go for hasPermission, or we can name it hasPermission, and we just want it to be a boolean and it is first false, and then we can check if hasRole here, then hasPermission is true, and if not... and then we will return our user and hasPermission. And so I think we can now switch this up... no we can't, because we need our boolean in here, and we can delete this and now we can just console.log so you see what it's doing: our hasRole, and we can make it a little bit clearer here also, hasRole true.

And now we can execute this endpoint again, so our token... something... I think we should get an Unauthorized because we are not having our role in our user right now. Let's see: userService.findOne, you have to make it a little bit... just cast it to User, make it again and let's see if it's finding one. Cannot destructure property password of user, user.service line 54: so we're not having it here. And if we add a new user and give him... let's see what it's doing now. So we will have a new user and he's having role user, yes. So let's think about what we are doing: we are going into our endpoint, we are creating a user, and then, ah, you know, we are not setting the role, so we have to set now our role, role: user.role, and so now we set it and we use a new user, user five, and we go for the email because I think the email was the unique thing, and we go with admin as specified and add some fields, and it has the role admin, yeah this looks great. And if we now login with this and get our JWT, and then we go to our get all users endpoint again, we get an internal server error. So let's close it a bit and have a look: we are in our user and in our RolesGuard and he is having an issue at our user service, so he's not having a password property. So we are going into our findOne, we just log out our user, let's see what we are getting. So we are getting an undefined, and let's see why it is like this. So we can console.log and we can see that our user is having another user property, so we have to go for request.user.user.id, and then... so now we are Forbidden.

So we have to look, so first we're getting here a Forbidden and now we have to look at why it is like this. So what are we having here, let's close this folder and have a look at our user module, our user controller: we had our role, which is of course "admin", but Admin... what we can also do, we can use our UserRole, UserRole.ADMIN, and now it should work, yeah now it works. So we are getting all of the users, and we see: we are adding here our hasRoles, we add the admin to our context, and then we are using first the JwtAuthGuard and look if there is a JWT attached, and if it is like this then we are using the JwtStrategy and we extract the JWT from the header as a bearer token, we are not ignoring the expiration, and we look with our secret if it's right, and then we are validating it, and we return, and we add our user property here to it. Then we are going to our RolesGuard, and we get from our context our roles from the endpoint, so this here, and we are having here the admin, and then we check if there are no roles, then we return true, because when there is no annotation on this endpoint we can just pass it through. If not we are getting the request like we know it from the documentation, then we get our user object and we get our user service and we find one user, now we can console.log it, and we get our object, and then we are having our user here and we check if the role that our user has, the role that we get from the database, is inside this roles array that we get from our Reflector here. So if admin is contained in admin, or whatever role is contained here, if it's bigger than minus one, you can see that we log this, then we log out that we have hasRole true, and if not... we see we are setting it to true and if not it is set to false. So now to get all users you will need the admin role.

So this is our RolesGuard, so now we can remove it from here because this is not necessary, but we want to use it later on another endpoint where we change the role of a user, then we will need it. And one thing that you have to keep in mind, and later we will have another story in our video where we change our update method, because now we can just update one and we are not checking that the one who is updating the user is actually the user. So we have to do this later, but this is out of context now. And the second thing is that the user should not be able to update its own role. So now we have to add another endpoint to change the role of the user. So we add another endpoint, and this will also be a PUT request, and this will go to :id/role, and then we can say updateRoleOfUser, and we of course, as always, want to return an Observable, and this is of type User, and we want to return our userService.updateRoleOfUser, so we will need to implement this right now. And what we get here is we get our ID, and we get from our body the new role of the user, the thing that we want to update. So now, which user is this, so we want to get the ID and we want to give it as a number, and our user. Now we can go into our user service and we name this updateRoleOfUser; we can just have a look here at updateOne, and we want our ID of the user and we have a user, and we want to return an Observable also of type any, and then we return from this.userRepository.update, and we update the id and user property, so we will just be updating the role. This is very simple, so we are not needing a lot of code. So we can check this now. So you see we have here our users, and now we can make a new request, we can copy this, this will also be a PUT request and then we have here the role, and now we see we have here user... we can update user two, and user two now is having role user, and now we are giving it here the role, let's make it an object, and then we say role is now editor, and we send it, and then we have affected one, and if we now get all users we see, if we update user two, that user two now is an editor.

But what we are doing now... as we said, we don't want that everyone can do this, so we will move these annotations that we created from there to here. And so if we run this now we should get that we are unauthorized, but if we are getting our token, coming here, and we also add here our Bearer token, then we get affected one and this should work. We can test it again, if we go with user six and we make the role now the editor, then you see here setting the user role, and now user six is having the editor role. And you can also see that for example if we add here a name, then it makes an error because this is not inside of the enum that we specified. So I think this is working.

So what we can do is we can add another story to our next blog project, I think this will be video six, we will change it: refactoring user endpoints, and I will just add some information we can specify later: user should not be able to change its own role; creating a new user should set the default user role. Yeah, so we will have to do this. This is, I think, all for this video. We can now, as always, I will run it again, we will add this Postman request here to our folder, we can name this update role of user, and protect it here with role, so you will need a role and a JWT to call this, and I'm adding this to our YouTube blog, now I export it completely, do this, and now we have it here. So we can now just have a quick look that everything is fine right now. So it's very simple; later what we will do is we will first make all this secure. We can also make this: now we are just adding simple roles as an enum here, which is not very good, but for the first thing it's enough, and later we can make our own roles and rights and everything in the database.

The last thing we are doing now is we close our branch, we finish our branch. So we shut this down and we say git add -A, and we make it with the commit message: nestjs video 4, and we say implemented RolesGuard, custom hasRole annotation and JwtAuthGuard. Then we can push it. So I have not been setting this, so we would set this and push it, and then we can say git flow feature finish. What this does now, as always, we are finishing up our feature, so we are merging the feature back into our develop. These are all the changes we made, and now we are back on develop and we also have to push this branch. And now we can see that here in our blog repository, we are in our overview folder, you see we are on master, there we are not having our API, sorry, so here we are not having our endpoints ready, we have our auth folder but we are not having our decorators; but if we switch to our develop branch you can see that we are now having our decorators, our guards, everything that we just did. So now we can merge it into our master, and of course we want to keep our source branch, so we want to keep the develop branch, and we merge it. And the last thing that we do is ticking our story: so we have the hasRole annotation, we are using the JwtAuthGuard and the RolesGuard, we are having the property role, and we have a protected endpoint to update the role of the user, so we can move this to Done.

At last we have a short look at the next video. So in video 5 we want to add pagination for getting all the users, so you can for example say we want to get 10 users, and can we get a second page with another 10 users, so the first page users 1 to 10 and the second page users 11 to 20 and so on, so it's easier to display this in the front end later. And then we will refactor the code so the user cannot change its own role, like we specified in the next stories, and we want to do some refactorings. So thanks for watching and see you in the next video.
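The guard chain the video builds (JwtAuthGuard first, then a RolesGuard that reads the hasRoles metadata and looks the user's role up in the database rather than trusting the token) is shown below as an added, self-contained model. This is not the video's code and it does not use @nestjs/common, @nestjs/passport, RxJS or TypeORM: a hasRoles() function plus a WeakMap stand in for SetMetadata and the Reflector, an in-memory array stands in for the user repository, a minimal HS256 JWT stands in for @nestjs/jwt, and the token payload is assumed to have the shape `{ user: {...}, exp }` that the video's JwtStrategy attaches as `request.user` (hence `request.user.user.id`). All names, sample users and the secret are constructed for the example.

```typescript
// Added example (not the video's code): JwtAuthGuard -> RolesGuard chain
// modelled with plain Node so it runs offline. See the lead-in for assumptions.
import { createHmac, timingSafeEqual } from "crypto";

export enum UserRole { ADMIN = "admin", CHIEFEDITOR = "chiefeditor", EDITOR = "editor", USER = "user" }
export interface User { id: number; name: string; email: string; role: UserRole }

// Constructed sample rows standing in for the user table.
const USERS: User[] = [
  { id: 1, name: "alice", email: "alice@example.com", role: UserRole.ADMIN },
  { id: 2, name: "bob", email: "bob@example.com", role: UserRole.USER },
];
export const userService = {
  findOne: async (id: number): Promise<User | undefined> => USERS.find((u) => u.id === id),
  // Returns the number of affected rows, like TypeORM's update() result.
  updateRoleOfUser: async (id: number, role: UserRole): Promise<number> => {
    const user = USERS.find((u) => u.id === id);
    if (!user) return 0;
    user.role = role;
    return 1;
  },
};

// hasRoles(...roles): the custom annotation. Nest stores this via SetMetadata
// and reads it back with the Reflector; here a WeakMap keyed by handler does both.
const rolesMetadata = new WeakMap<Function, string[]>();
export const hasRoles = (...roles: string[]) => <T extends Function>(handler: T): T => {
  rolesMetadata.set(handler, roles);
  return handler;
};

// Minimal HS256 JWT (stand-in for @nestjs/jwt + passport-jwt).
const b64url = (data: string | Buffer): string =>
  (typeof data === "string" ? Buffer.from(data, "utf8") : data)
    .toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
export function signJwt(payload: object, secret: string): string {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${b64url(createHmac("sha256", secret).update(`${head}.${body}`).digest())}`;
}
export function verifyJwt(token: string, secret: string, now = Math.floor(Date.now() / 1000)): any | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  let header: any, payload: any;
  try {
    header = JSON.parse(Buffer.from(head, "base64").toString("utf8"));
    payload = JSON.parse(Buffer.from(body, "base64").toString("utf8"));
  } catch { return null; }
  if (header.alg !== "HS256") return null; // the token must not choose the algorithm
  const expected = createHmac("sha256", secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  // ignoreExpiration: false, as in the video's JwtStrategy
  if (typeof payload.exp !== "number" || payload.exp <= now) return null;
  return payload;
}

export interface Request { headers: { authorization?: string }; user?: any }

// JwtAuthGuard: the bearer token must verify; the payload becomes request.user.
export function jwtAuthGuard(req: Request, secret: string, now?: number): boolean {
  const auth = req.headers.authorization ?? "";
  if (!auth.startsWith("Bearer ")) return false;
  const payload = verifyJwt(auth.slice("Bearer ".length), secret, now);
  if (!payload) return false;
  req.user = payload;
  return true;
}

// RolesGuard: read the roles set by hasRoles, then look the user up in the
// database. The role comes from the stored row, never from the token, so an
// old token or a forged "role" claim cannot grant more than the user has now.
export async function rolesGuard(req: Request, handler: Function): Promise<boolean> {
  const roles = rolesMetadata.get(handler);
  if (!roles) return true; // no hasRoles on this handler: let it pass
  const id: number | undefined = req.user?.user?.id; // request.user.user, as found in the video
  if (id === undefined) return false;
  const dbUser = await userService.findOne(id);
  if (!dbUser) return false;
  return roles.indexOf(dbUser.role) > -1;
}

// PUT /users/:id/role, annotated with hasRoles(UserRole.ADMIN).
export const updateRoleOfUser = hasRoles(UserRole.ADMIN)(
  async (id: number, role: UserRole): Promise<number> => userService.updateRoleOfUser(id, role),
);

// Runs the guards in the order @UseGuards(JwtAuthGuard, RolesGuard) would:
// 401 when the JWT fails, 403 when the role check fails, 404 for an unknown id.
export async function callUpdateRole(req: Request, secret: string, id: number, role: UserRole, now?: number): Promise<number> {
  if (!jwtAuthGuard(req, secret, now)) return 401;
  if (!(await rolesGuard(req, updateRoleOfUser))) return 403;
  return (await updateRoleOfUser(id, role)) === 1 ? 200 : 404;
}
```

The order matters: the JWT guard only establishes who is calling, and the roles guard decides what they may do from the database row, which is why a user whose role was changed after the token was issued is judged on the new role, and why a token that carries `role: "admin"` in its payload is still refused. As the video notes for a later story, this endpoint does not yet stop an admin from changing their own role.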
Info
Channel: Thomas Oliver
Views: 14,630
Rating: 4.9711189 out of 5
Keywords: javascript, typescript, nest, nestjs, nest.js, angular, typeorm, git, gitflow, node, blog, development, api, observables, rxjs, nestjs7, bcrypt, jwt, authentication, rbac, role based access control, roles, role, role protection, git-flow, gitFlow
Id: Wzn1rzqPq_s
Length: 56min 9sec (3369 seconds)
Published: Fri May 22 2020