NestJS: How to Implement Session-Based User Authentication
Want to implement user authentication for your NestJS apps? Follow this tutorial to learn how you can implement session-based authentication for your NestJS apps along with MongoDB.
Introduction
It is an indisputable reality that authentication is critical in any application or system if you want to secure user data and enable secure access to information. Authentication is the procedure of establishing or demonstrating that something is true, legitimate, or valid.
Prerequisites
This tutorial is a hands-on demonstration. To follow along, ensure you have the following in place:
What is NestJS?
Nest (NestJS) is a Node.js server-side application framework for building scalable, efficient applications.
It is written in TypeScript and built on Express, a very minimalistic framework that is great on its own but lacks structure. It combines programming paradigms such as object-oriented programming, functional programming, and functional reactive programming.
It is a framework to use if you want a lot of structure on your backend. Its syntax and structure are very similar to AngularJS, a front-end framework. And it uses TypeScript, services, and dependency injection in the same way that AngularJS does.
It employs modules and controllers, and you can build controllers for a file using the command-line interface.
NestJS modules allow you to group related controllers and service providers into a single code file. Simply put, a NestJS module is a TypeScript file with the @Module annotation (). This decorator informs the NestJS framework about which controllers, service providers, and other associated resources will be instantiated and used by the app code later.
What is Session-based Authentication?
Session-based authentication is a method of user authentication in which the server creates a session after a successful log-in, with the session ID stored in a cookie or local storage in your browser.
Upon subsequent requests, your cookie is validated against the session ID stored on the server. If there is a match, the request is considered valid and processed.
When using this authentication method, it is critical to keep the following security best practices in mind:
- Generate long and random session IDs (128 bits is the recommended length) to make brute force attacks ineffective
- Avoid storing any sensitive or user-specific data
- Make HTTPS communications mandatory for all session-based apps
- Create cookies that have secure and HTTP-only attributes
Why Session-based Authentication?
Session-based authentication is more secure than most authentication methods because it is simple, secure, and has a limited storage size. It is also thought to be the best option for websites in the same root domain.
Project Setup
Start your project setup by installing Nest CLI globally. You don’t need to do this if you already have NestJS CLI installed.
The Nest CLI is a command-line interface tool for setting up, developing, and maintaining Nest applications.
Now, let’s set up your project by running the following command:
The above command creates a Nest application with some boilerplates, then prompts you to choose your preferred package manager to install the required modules to run your application. For demonstration, this tutorial uses npm. Hit the enter key to continue with npm.
If everything went well, you should see an output like the one on the screenshot below on your terminal.
Once the installation is complete, move into your project directory, and run the application with the command below:
The above command runs the application and watches for changes. Your project folder structure should look as follows.
Install Dependencies
Now that your application is set up, let's install the dependencies needed.
The above command installs Passport.js, a popular nest.js authentication library.
Also, install the types for the strategy with the command below:
It contains type definitions for .
Set Up MongoDB Database in NestJS
To set up and connect your database, install the Mongoose package and the NestJS wrapper with the following command:
The Mongoose NestJS wrapper helps you use Mongoose in the NestJS application and gives approved TypeScript support.
Now, head over to your , and import the module from . Then call the method, a method provided by the Mongoose module, and pass in your database URL string.
Setting up your database connection in helps your application connect to the database immediately as the server starts — after running your application since it’s the first module to be loaded.
Create Users Module
For separation concerns, to make your code clean and well organized, create a module specifically for users using the NestJS CLI by running the following command:
The above command creates a folder with and updates
Also, create and files with the following commands:
Note that you can create your folders and files manually without using the nest CLI, but using the CLI automatically updates the necessary folders and makes your life easier.
Create User Schema
The next step is to create your UserSchema, but first, add a file, where you will create
This should be the shape of our application folder now.
To create , import everything as mongoose from the mongoose package in . Then call the new mongoose schema, a blueprint of the user Model, and pass in a JavaScript object where you will define the user object and data.
Also, create an interface for your Model that extends mongoose, a document that helps you populate your MongoDB collections.
Head over to your and import in the imports array. Then call the method provided by , and pass in an array of object that takes in name and schema.
This will enable you to share the file anywhere with the help of dependency injection.
In , export the to enable you to access it in another module.
It's usually a good idea to encapsulate the business logic in a separate class. Such a class is known as a service. The job of this class is to process the controller's requests and perform the business logic.
In file, import from , from , and from . Then add a method to the class that takes a username and password, and call the method .
Now that the class is ready, you need to inject it into your controller. But first, let's talk about storing the users' passwords securely.
The most critical aspect of the registration procedure is the users’ passwords, which must not be saved in plain text. It is the responsibility of the user to create a strong password, but it is your obligation as a developer to keep their passwords secure. If a database breach occurs, the users' passwords would be exposed. And what happens if it’s stored in plain text? I believe you know the answer. To address this, hash the passwords using bcrypt.
So, install and with the following command:
With that out of the way, set up your controller. First, import your class and everything from . Then add a constructor and a method that allows you to add a user; it will handle incoming post requests, call it , with a function body where you'll hash the password.
The registration happens in the file, which is achieved by adding the to the decorator's imports' array in .
Congratulations! You are done with the registration. You can now register a user with a username and password.
Now, with registration out of the way, add a function to your with the method to find a user by username.
Create Authentication Module
Just as for users, create an auth module and service specifically for all the authentications/verifications. To do that, run the following commands:
The above will create an auth folder, , and , and update the and files.
At this point, the shape of your application folder should look as follows.
The above generate command will update your , and it will look like the code snippet below:
Authenticate Users
Go to your file and add in the imports array to enable access to the exported from the file.
In your file, call the constructor so you can inject the , and add a method for validation that will take a username and password.
To add some basic validations, check if the user exists in the database, and compare the given password with the one in your database to ensure it matches. If it exists, return the user in the object — else, return null.
Going further, create a new file and name it . This file will represent the strategy from , which you installed earlier, that is the . And within it, pass in the strategy, which is the from .
Create a constructor and inject the , call the method; ensure to call the method.
Go back to your file. Then add to imports and to providers.
Now, add the login route to your :
Now that you have all these put in place, you still cannot log in a user because there is nothing to trigger the login route. Here, use Guards to achieve that.
Create a file and name it , then a class that extends from , where you will provide the name of the strategy and pass in the name of your strategy, .
Add the decorator to your login route in the file, and pass in the .
Finally, you can log in a user with a registered username and password.
Protect Authentication Routes
You have successfully set up user authentication. Now, protect your routes from unauthorized access by limiting access to just authenticated users. Go to your file, and add another route — name it ‘protected’ and make it return the object.
The protected route in the above code will return an empty object instead of returning the user’s details when a logged-in user makes a request to it because it already lost the login.
To get that sorted, this is where the session-based authentication comes in.
In session-based authentication, when a user logs in, the user is saved in a session so that any subsequent request by the user after login will grab the details from the session and grant the user easy access. The session expires when the user logs out.
To start session-based auth, install express-session and the NestJS types using the following command:
When the installation is completed, go to your file, the root of your application, and do the configurations there.
Import everything from and , then add passport initialize and passport session.
It is preferable to keep your secret key in your environment variables.
Add a new file, , in your folder. And create a new Guard that checks if there is a session for the user making the request — name it .
In the above code, the request is gotten from the context and checked if authenticated. comes from automatically; it says. "hey! does a session exist for this user? If so, keep going."
To trigger the login, in your file:
- import from ;
- add the decorator to the route; and,
- pass in .
At this point, it still fails because you've only configured but didn't implement it.
When a user logs in, you need to save the user in a session so that the user can access other routes with the session.
One thing to keep in mind is that by default, the library stores the session in the web server's memory.
Before it goes into the session, you need to serialize the user. As it comes out of the session, deserialize the user.
So, create a new file in the auth folder for serializer and deserializer, name it .
At this point, the shape of our application folder should look like this.
Go back to your file, provide the , and add the method to the .
Add some codes within the in the file.
Call the method in and pass in the request to trigger the actual login by creating a session. If you want to use sessions, you must remember to trigger the .
If you log in now, you will see the session ID stored in a cookie, which is just a key to the session store, and the cookie gets saved in the browser. The cookie is automatically attached to the rest of the request.
Now that the session is working, you can access the protected route; it will return the expected user’s details.
Logout Users
As mentioned earlier, once a user logs out, you destroy all sessions.
To log out a user, go to the file, add a logout route, and call the method. You can return a message notifying that the user’s session has ended.
So, once you log out, it returns a message notifying you that the user session has ended. The code for this tutorial is hosted here on my Github repository.
Test Your Application
You have successfully implemented user signup, authentication, and protected the route to enable authorized access only.
It’s time to test the application. If everything is in order, your server should be running. Else, restart your server with the following command:
Head over to your Postman. And let’s finally test our application.
Sign Up As a User
Log In As a User
Logged-in User’s Cookie ID
Request the Protected Route
User Logout
Alternatively, Implement User Authentication with LoginRadius
LoginRadius provides a variety of registration and authentication services to assist you in better connecting with your consumers.
On any web or mobile application, LoginRadius is the developer-friendly Identity Platform that delivers a complete set of APIs for authentication, identity verification, single sign-on, user management, and account protection capabilities like multi-factor authentication.
To implement LoginRadius in your NestJS application, follow this tutorial: NestJS User Authentication with LoginRadius API.
Conclusion
Congratulations! In this tutorial, you've learned how to implement session-based authentication in a NestJS application with the MongoDB database. You've created and authenticated a user and protected your routes from unauthorized access.
You can access the sample code used in this tutorial on GitHub.
Note: Session storage is saved by default in 'MemoryStore,' which is not intended for production use. So, while no external datastore is required for development, once in production, a data store such as Redis or another is suggested for stability and performance. You can learn more about session storage here.
