Nest.js authorization verification method example

0x0 Introduction

System authorization refers to the process of logged-in users performing operations. For example, administrators can perform user operations on the system and manage website posts, while non-administrators can perform operations such as authorized reading of posts. Therefore, an identity authentication mechanism is required to implement system authorization. The following is an implementation of the most basic role-based access control system.

0x1 RBAC Implementation

Role-based access control (RBAC) is an access control mechanism that is independent of role privileges and defined policies. First, create a role.enum.ts file that represents the system role enumeration information:

export enum Role {
 User = 'user',
 Admin = 'admin'
}

If it is a more complex system, it is recommended to store the role information in a database for better management.

Then create a decorator and use @Roles() to run the specified resource roles required for access. Create roles.decorator.ts:

import { SetMetadata } from '@nestjs/common'
import { Role } from './role.enum'

export const ROLES_KEY = 'roles'
export const Roles = (...roles: Role[]) => SetMetadata(ROLES_KEY, roles)

The above creates a decorator named @Roles(), which can be used to decorate any route controller, such as user creation:

@Post()
@Roles(Role.Admin)
create(@Body() createUserDto: CreateUserDto): Promise<UserEntity> {
 return this.userService.create(createUserDto)
}

Finally, create a RolesGuard class, which will compare the role assigned to the current user with the role required by the current routing controller. In order to access the routing role (custom metadata), the Reflector tool class will be used. Create a new roles.guard.ts:

import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common'
import { Reflector } from '@nestjs/core'

import { Role } from './role.enum'
import { ROLES_KEY } from './roles.decorator'

@Injectable()
export class RolesGuard implements CanActivate {
 constructor(private reflector: Reflector) {}

 canActivate(context: ExecutionContext): boolean {
 const requireRoles = this.reflector.getAllAndOverride<Role[]>(ROLES_KEY, [context.getHandler(), context.getClass()])
 if (!requireRoles) {
  return true
 }
 const { user } = context.switchToHttp().getRequest()
 return requireRoles.some(role => user.roles?.includes(role))
 }
}

Assume request.user contains the roles attribute:

class User {
 // ...other properties
 roles: Role[]
}

Then RolesGuard is registered globally in the controller:

providers:
 {
 provide: APP_GUARD,
 useClass: RolesGuard
 }
]

When a user accesses a request beyond the scope of the role:

{
 "statusCode": 403,
 "message": "Forbidden resource",
 "error": "Forbidden"
}

0x2 Claims-based authorization

After creating an identity, the system can assign one or more declarative permissions to the identity, which means telling the current user what to do, rather than what the current user is. In the Nest system, declarative authorization is implemented in a similar way to RBAC above, but there is a difference. Instead of judging a specific role, permissions need to be compared. Each user is assigned a set of permissions, such as defining a @RequirePermissions() decorator, and then accessing the required permission attributes:

@Post()
@RequirePermissions(Permission.CREATE_USER)
create(@Body() createUserDto: CreateUserDto): Promise<UserEntity> {
 return this.userService.create(createUserDto)
}

Permission is similar to the Role enumeration in PRAC, which contains the permission groups that the system can access:

export enum Role {
 CREATE_USER = ['add', 'read', 'update', 'delete'],
 READ_USER = ['read']
}

0x3 Integrated CASL

CASL is a homogeneous authorization library that can limit the routing controller resources accessed by clients. Installation dependencies:

yarn add @casl/ability

The following is the simplest example to implement the CASL mechanism and create two entity classes: User and Article:

class User {
 id: number
 isAdmin: boolean
}

The User entity class has two attributes, namely the user ID and whether the user has administrator privileges.

class Article {
 id: number
 isPublished: boolean
 authorId: string
}

The Article entity class has three attributes, namely the article number, article status (whether it has been published), and the author number who wrote the article.

Based on the two simplest examples above, we can create the simplest function:

• Users with Admin privileges can manage all entities (create, read, update, and delete)
• The user has read-only access to all content
• Users can update their own articles authorId === userId
• Published articles cannot be deleted. article.isPublished === true

For the above functions, you can create an Action enumeration to represent the user's operations on the entity:

export enum Action {
 Manage = 'manage',
 Create = 'create',
 Read = 'read',
 Update = 'update',
 Delete = 'delete',
}

Manage is a special keyword in CASL, which means that any operation can be performed.

To implement the function, you need to encapsulate the CASL library twice. Execute nest-cli to create the required business:

nest g module casl
nest g class casl/casl-ability.factory

Define the createForUser() method of CaslAbilityFactory to create objects for users:

type Subjects = InferSubjects<typeof Article | typeof User> | 'all'

export type AppAbility = Ability<[Action, Subjects]>

@Injectable()
export class CaslAbilityFactory {
 createForUser(user: User) {
 const { can, cannot, build } = new AbilityBuilder<
  Ability<[Action, Subjects]>
 >(Ability as AbilityClass<AppAbility>);

 if (user.isAdmin) {
  can(Action.Manage, 'all') // Allow any read and write operations } else {
  can(Action.Read, 'all') // read-only operation}

 can(Action.Update, Article, { authorId: user.id })
 cannot(Action.Delete, Article, { isPublished: true })

 return build({
  // Details: https://casl.js.org/v5/en/guide/subject-type-detection#use-classes-as-subject-types
  detectSubjectType: item => item.constructor as ExtractSubjectType<Subjects>
 })
 }
}

Then import it in CaslModule:

import { Module } from '@nestjs/common'
import { CaslAbilityFactory } from './casl-ability.factory'

@Module({
 providers: [CaslAbilityFactory],
 exports: [CaslAbilityFactory]
})
export class CaslModule {}

Then import CaslModule into any business and inject it into the constructor to use it:

constructor(private caslAbilityFactory: CaslAbilityFactory) {}

const ability = this.caslAbilityFactory.createForUser(user)
if (ability.can(Action.Read, 'all')) {
 // "user" can read and write all content}

If the current user is a non-administrator user with normal permissions, he can read articles but cannot create new articles or delete existing articles:

const user = new User()
user.isAdmin = false

const ability = this.caslAbilityFactory.createForUser(user)
ability.can(Action.Read, Article) // true
ability.can(Action.Delete, Article) // false
ability.can(Action.Create, Article) // false

This is obviously problematic. If the current user is the author of the article, he should be able to do this:

const user = new User()
user.id = 1

const article = new Article()
article.authorId = user.id

const ability = this.caslAbilityFactory.createForUser(user)
ability.can(Action.Update, article) // true

article.authorId = 2
ability.can(Action.Update, article) // false

0x4 PoliceiesGuard

The above simple implementation does not meet more complex requirements in complex systems, so we will use the previous authentication article to extend the class-level authorization strategy mode and extend the original CaslAbilityFactory class:

import { AppAbility } from '../casl/casl-ability.factory'

interface IPolicyHandler {
 handle(ability: AppAbility): boolean
}

type PolicyHandlerCallback = (ability: AppAbility) => boolean

export type PolicyHandler = IPolicyHandler | PolicyHandlerCallback

Provides support objects and functions for policy checking on each routing controller: IPolicyHandler and PolicyHandlerCallback.

Then create a @CheckPolicies() decorator to run the specified access policy for a particular resource:

export const CHECK_POLICIES_KEY = 'check_policy'
export const CheckPolicies = (...handlers: PolicyHandler[]) => SetMetadata(CHECK_POLICIES_KEY, handlers)

Create a PoliciesGuard class to extract and execute all policies bound to the routing controller:

@Injectable()
export class PoliciesGuard implements CanActivate {
 constructor(
 private reflector: Reflector,
 private caslAbilityFactory: CaslAbilityFactory,
 ) {}

 async canActivate(context: ExecutionContext): Promise<boolean> {
 const policyHandlers =
  this.reflector.get<PolicyHandler[]>(
  CHECK_POLICIES_KEY,
  context.getHandler()
  ) || []

 const { user } = context.switchToHttp().getRequest()
 const ability = this.caslAbilityFactory.createForUser(user)

 return policyHandlers.every((handler) =>
  this.execPolicyHandler(handler, ability)
 )
 }

 private execPolicyHandler(handler: PolicyHandler, ability: AppAbility) {
 if (typeof handler === 'function') {
  return handler(ability)
 }
 return handler.handle(ability)
 }
}

Assuming request.user contains a user instance, policyHandlers are assigned via the decorator @CheckPolicies(), using aslAbilityFactory#create to construct an Ability object method to verify if the user has sufficient permissions to perform a specific action, and then pass this object to the policy handling method, which can be an implementation function or an instance of the class IPolicyHandler, and expose a handle() method that returns a Boolean value.

@Get()
@UseGuards(PoliciesGuard)
@CheckPolicies((ability: AppAbility) => ability.can(Action.Read, Article))
findAll() {
 return this.articlesService.findAll()
}

You can also define the IPolicyHandler interface class:

export class ReadArticlePolicyHandler implements IPolicyHandler {
 handle(ability: AppAbility) {
 return ability.can(Action.Read, Article)
 }
}

Use as follows:

@Get()
@UseGuards(PoliciesGuard)
@CheckPolicies(new ReadArticlePolicyHandler())
findAll() {
 return this.articlesService.findAll()
}

This is the end of this article about the Nest.js authorization verification method example. For more related Nest.js authorization verification content, please search 123WORDPRESS.COM's previous articles or continue to browse the following related articles. I hope everyone will support 123WORDPRESS.COM in the future!