bro..u deserve a million sub
I appreciate that!
46:45 In Express there is a middleware that checks the JWT and passes, for example, the parsed user under the user key via next() on to the controller.
I hope you loved this video! 🙂
A more complete video is available here: ua-cam.com/video/uAKzFhE3rxU/v-deo.html
Really appreciated for what you do ! You lessons are very awesome !
Great video. As a beginner (usually I am a doctor) that really helps to understand the topic. Another thing that would be interesting is. How would you handle authorization in NestJS? The documentation shows different ways how to do it but it would be nice to see it from an actual developer like you.
Thanks :) I usually prefer role-based authorization. I am currently using it in one of the projects I'm working on.
52:58 I just found out that you can create a custom decorator as a shorthand to apply all the guards and interceptors, if you want to reduce the number of lines or characters in there
code?
@@blacktipe9922 use something like this
```
import { applyDecorators, UseGuards } from '@nestjs/common';
import { JwtAuthGuard } from '../guards/jwt-guard.guard';

// Composes the route guard(s) into a single decorator; add further
// UseGuards(...)/UseInterceptors(...) entries to the list as needed.
export function Auth() {
  return applyDecorators(UseGuards(JwtAuthGuard));
}
```
now you can just use @Auth() as a decorator instead of @UseGuards(JwtAuthGuard)
Correct! This will be available in the new video that is currently being uploaded :)
Cool🎉🎉🎉🎉🎉 hope u will teach us more on nest....
Thank you for sharing the video, it's very helpful for me.
Thank you very much. It is very useful. I'm going to implement this logic in an application I'm building right now. Make more tutorials. You are doing a great job🔥!
Very good explanation
You are an Angel! Thanks for this!
Thank you for the nice tutorials. When I try to send data via Postman form-data, it is not accepted by NestJS, or I can't find it in the body?
I was hoping the refresh token part would be covered, since most content on UA-cam doesn't cover it when using NestJS. Great video though, it helped to clear some things up nonetheless.
You asked for it, you get it. A more in-depth video is being uploaded right now and will be live at around 10am UTC+0 :)
@@CodeWithVlad o wow! 🎊 You're amazing
does this work the same with graphql?
great explanation
Glad you liked it
Very pleasant to listen to :)
Would it be cool to add a simple CRUD + MongoDB + auth + NestJS? I hope you would consider this suggestion; as a Laravel dev I'm really new to the JS world.
I'm also new to Nest and MongoDB, just did my first CRUD with MongoDB following this tutorial. In my case I first learned about Mongo, then tried to do a simple CRUD with Mongo and Nest, and then followed this tutorial to apply authorization.
Could you add mongoose to it? or just more features
Thanks for the suggestion (and sorry for the late response). I'll upload something related to mongoose but most of the time I am using prisma now
Which extensions are you using for your terminal and suggestions?
The terminal runs on github.com/ohmyzsh/ohmyzsh as for auto-suggestions i use github.com/zsh-users/zsh-autosuggestions
That was life saving 🔥
Please upload a lean document (mongoose) also
I have some queries.
Please help me out.
What is the use of JwtAuthGuard, LocalAuthGuard and RolesGuard?
Also, how can we create an admin account where the admin has access to everything, like deleting a user account or changing a user's password? How can I do this?
Using passport-local, passport-jwt, Prisma.
If you have any written docs please share.
Thank you
Really helpful video. When will you show us how to implement the refresh token?
I'm sick at the moment. I'll publish it as soon as I recover :)
@@CodeWithVlad I managed to figure it out myself. Thank you for the info on how to set up JWT on its own though, that's a bigger challenge than refresh tokens. I'll still be looking out for your tutorial on how to implement a refresh token in case I can steal something useful from that! Hopefully you recover quickly.
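Since the refresh-token flow asked for in this reply (and in the earlier request the author promised a follow-up video for) is not part of the video, here is an added example, written for this page and not the author's code, showing one way to do it with nothing but node:crypto: a short-lived HS256 access token, and opaque refresh tokens that are stored only as SHA-256 hashes and rotated on every use, where presenting an already-rotated token revokes the whole token family. The secret, the lifetimes and the in-memory store are assumptions; a real service reads the secret from the environment and keeps the hashes in its database (Prisma or Mongoose, as discussed elsewhere in this thread).

```typescript
// Added example, not the video's code: HS256 access tokens plus refresh-token
// rotation with hashed server-side storage and reuse detection, using only node:crypto.
import { createHash, createHmac, randomBytes, timingSafeEqual } from 'node:crypto';

// Assumed values; in a real service load the secret from the environment.
const ACCESS_SECRET = 'replace-with-a-long-random-secret';
export const ACCESS_TTL = 15 * 60;         // seconds; short, because it cannot be revoked
export const REFRESH_TTL = 7 * 24 * 3600;  // seconds; long, because it can be revoked

export interface AccessClaims { sub: string; roles: string[]; iat: number; exp: number }

const b64url = (s: string): string => Buffer.from(s, 'utf8').toString('base64url');
const nowSec = (): number => Math.floor(Date.now() / 1000);

/** Mint a compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256). */
export function signAccessToken(sub: string, roles: string[], now = nowSec()): string {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const claims: AccessClaims = { sub, roles, iat: now, exp: now + ACCESS_TTL };
  const payload = b64url(JSON.stringify(claims));
  const sig = createHmac('sha256', ACCESS_SECRET).update(`${header}.${payload}`).digest('base64url');
  return `${header}.${payload}.${sig}`;
}

/** Verify signature (constant-time) and expiry. The algorithm is fixed server-side, so the
 *  header's alg field is never consulted: a forged alg:none token simply fails the HMAC check. */
export function verifyAccessToken(token: string, now = nowSec()): AccessClaims | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const expected = createHmac('sha256', ACCESS_SECRET).update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try {
    const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8')) as AccessClaims;
    if (typeof claims.sub !== 'string' || typeof claims.exp !== 'number' || claims.exp <= now) return null;
    return claims;
  } catch {
    return null;
  }
}

interface RefreshRecord { userId: string; roles: string[]; family: string; exp: number; used: boolean }

/** Refresh tokens are opaque random strings. Only their SHA-256 is stored, so a leaked
 *  database does not yield usable tokens. Each login starts a "family"; every rotation stays
 *  in that family so a replayed (already used) token can revoke the whole chain. */
export class RefreshTokenStore {
  private readonly records = new Map<string, RefreshRecord>();
  private readonly revokedFamilies = new Set<string>();

  private static hash(token: string): string {
    return createHash('sha256').update(token).digest('hex');
  }

  /** Called at login: returns a fresh refresh token, by default for a brand-new family. */
  issue(userId: string, roles: string[], now = nowSec(), family = randomBytes(16).toString('hex')): string {
    const token = randomBytes(32).toString('base64url');
    this.records.set(RefreshTokenStore.hash(token), { userId, roles, family, exp: now + REFRESH_TTL, used: false });
    return token;
  }

  /** Called at the refresh route: consumes the presented token and returns a new pair, or null. */
  rotate(token: string, now = nowSec()): { accessToken: string; refreshToken: string } | null {
    const rec = this.records.get(RefreshTokenStore.hash(token));
    if (!rec || rec.exp <= now || this.revokedFamilies.has(rec.family)) return null;
    if (rec.used) {
      // Reuse: the token was presented twice, so either the user or a thief holds a stale copy.
      // Revoke the family so both are logged out and must authenticate again.
      this.revokedFamilies.add(rec.family);
      return null;
    }
    rec.used = true;
    return {
      accessToken: signAccessToken(rec.userId, rec.roles, now),
      refreshToken: this.issue(rec.userId, rec.roles, now, rec.family),
    };
  }

  /** Logout: revoke this token's family (no-op for unknown tokens). */
  revoke(token: string): void {
    const rec = this.records.get(RefreshTokenStore.hash(token));
    if (rec) this.revokedFamilies.add(rec.family);
  }
}
```

In a NestJS app this store would live behind the AuthService, with rotate() wired to the refresh route and the reuse branch logged as a security event, since it is the one signal that a refresh token has been copied.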
Great, thanks
Hi, very good video. What is the benefit of using classes for DTOs rather than interfaces? I'm always using interfaces in this situation, never classes.
Hi! The main benefit of using classes for DTOs is that you can use validations on your DTOs (with the class-validator and class-transformer libraries).
@@CodeWithVlad thks, will give it a try
Thank you very much
which vscode theme do you use ?
material ocean palette
T in JWT means token
Yep :) But when people use the search they type jwt tokens, so I named it jwt tokens for SEO
U saved me
In all of the tutorials, I see the same critical security mistake: using the Bearer token instead of an Http-Only cookie. It's not safe. Don't do it like this please! Send JWT tokens only in Http-Only cookies.
I think it depends, the refresh token could be more secure in a cookie, the access token can stay in local storage -> otherwise you can't enjoy the benefit of claims in the jwt and show some ui elements based on those claims. Both methods (cookie and local storage) are vulnerable to xss. The only difference is that a malicious script will not be able to steal the refresh token from a cookie. But to be honest if you have a malicious script that is able to steal the refresh token from local storage it could pass a request as well, a cookie will not protect you from that (CSRF attack).
So in short the whole point of stealing a token is to pass a request on behalf of the user (transfer funds or do a sensitive operation => which should be protected by email confirmation or 2fa anyway). I don't think that it makes sense to steal a refresh token and to keep it. First of all if you try to pass a request with that refresh token your IP can be flagged. Second, all sensitive operations should be protected by 2FA or some kind of email confirmation. (If we are talking about how to make your application secure, this should be the first step).
Stealing your token is thus theoretical. Passing requests on behalf of users from their session is highly practical. And neither local storage nor cookies will protect from that. Imo
nice guide eslint-disable-next-line guy
lets w8 ts-ignore lmao