NestJs Authentication : Login, Signup, Refresh Tokens, JWT, Guards

  Views: 3,834

Computerix

A day ago

We implement Login, Signup and Refresh Tokens APIs and learn the differences between an access token and a refresh token, and how to handle them in our authentication flow.
Configuration episode: • NestJs - Configuration...
MongoDB episode: • NestJs - MongoDB [11]
You can donate here: buymeacoffee.com/computerix
Make sure to leave a like & Subscribe!
Timestamps:
-------------------------
0:00 - Introduction & Overview
2:02 - Signup API (Schema, DTOs, Logic)
13:48 - Login API & JWT
25:44 - Handling Refresh Tokens
31:00 - Refresh Tokens API
38:00 - Authentication Guard & Protected Routes
50:15 - Storing one refresh token per person
52:50 - Summary

Comments: 28
@JayTailor45 2 months ago
I recently came across your videos. I found these videos extremely easy to understand and helpful. Thank you so much for your time and efforts for making such content.
@Computerix 2 months ago
Thank you so much for your comment Jay! More videos coming soon!
@SakshamKarnawat a month ago
Amazing explanation. Thanks a lot!
@Computerix a month ago
My pleasure!
@juhandvan a month ago
I really like your video. Thanks
@muhammadfawwad6782 23 days ago
Please make full stack apps with nestjs. Really liked your videos, they are very easy to understand as compared to other tutorials
@Naya-ss7vs 2 months ago
So useful as usual!
@Computerix 2 months ago
Thanks :)
@ibrahimraad3009 13 days ago
thanks 😁
@Computerix 13 days ago
You're very welcome!
@amrhussien4334 2 months ago
Awesome, thank you for your efforts.
@amrhussien4334 2 months ago
How can I contact you? I want to discuss something.
@Computerix a month ago
@amrhussien4334 Here is my linkedin : www.linkedin.com/in/charbel-el-helou-6523a5200 Thanks for the feedback!
@nidhalchelhi2655 14 days ago
Very helpful! Can you make a video about authorization (roles: admin, user..)?
@Computerix 13 days ago
Yes, this is on my list :)
@HamzahAhmad-db5cy a month ago
Excellent video. Thank you for your effort. Is there a particular reason why you used a different package for refresh tokens, instead of using the jwt package here as well?
@Computerix a month ago
Since the refresh token is not a JSON Web Token but rather a random string, we used a random generator
@mrbite9959 7 days ago
The source code plz
@quang.luu.179 2 months ago
👏👏👏👏👏 Thanks for your video. Can I ask if there is any way to declare a jwt service for global level and another one in Auth module scope, like: using it for refresh only?
@Computerix 2 months ago
You're welcome! Yes, you can register another Jwt Module in the AuthModule with its own secret and config.. and it would work. However, be careful, your Auth guard will be using one of the two jwt services (Most probably the global one).. So you would need to find a way to dynamically use the correct secret key when verifying your tokens.. Now if you have the same secret for both modules, but you're using different config options such as expiry etc.. I don't think you would face any issues.. you could also override the default config used in the global jwt module, by simply assigning them explicitly such as : jwtService.verify(token, { ...override-config-here ...}, in case you don't want to register a second jwt module. I'm not sure why you would use the jwtService with the refresh however, as the refresh token is a long random string (rather than a Json Web Token) Hope my answer helps!
@quang.luu.179 2 months ago
@Computerix Thanks for your reply! I know I can inject any configuration into the JWT service to achieve this. Just asking for another approach. Regarding refresh tokens, generally, I see two ways in other samples: * Using a random string like you suggested. * Using JWT format. (I don't know why) Updated: Ah, I guess the jwt can take advantage of the expiry date that is encoded into the token itself, without querying the db for persistence. I mostly saw it in microservice architecture where a gateway is kinda the first line of token validation.
@problemchild959 2 days ago
@Computerix a lot of people use a jwt token as the refresh token so that it while lasting much longer (a week or so) still has an expire time. using a refresh token that never expires is considered a bad security practice by a lot of people/companies.
@Computerix 2 days ago
@problemchild959 Correct about the expiration. BUT, you don't need to have the refresh token as a JWT for it to have an expiry date. You can use a random long string, and use an expirationDate field that you check against whenever you're calling your refresh token API to refresh the tokens. If that field has a value date in the past (meaning it expired), you force the user to login again.
@problemchild959 2 days ago
@Computerix while that is true, a JWT has such functionality built in vs having to create it from scratch for a string, when you're already using a jwt for the access token. either way is of course valid, just imo the jwt as a refresh token would be far more simple.
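The approach discussed in this thread (an opaque random string with an expirationDate that is checked on every refresh call, one refresh token per user), as an added example that is not code from the video or from any commenter. `RefreshTokenStore`, the in-memory maps standing in for the database collection, the 3-day lifetime and hashing the token before storing it are assumptions of this example.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Assumed refresh-token lifetime (3 days); set it to whatever your policy requires.
const REFRESH_TTL_MS = 3 * 24 * 60 * 60 * 1000;

interface RefreshRecord { userId: string; expirationDate: Date; }

const sha256 = (value: string): string =>
  createHash("sha256").update(value).digest("hex");

// Hypothetical in-memory stand-in for the refresh-token collection.
class RefreshTokenStore {
  private byHash = new Map<string, RefreshRecord>();
  private hashByUser = new Map<string, string>();

  // Issue an opaque random token; any earlier token of this user is dropped,
  // so each user holds at most one valid refresh token.
  issue(userId: string, now: Date = new Date()): string {
    const previous = this.hashByUser.get(userId);
    if (previous !== undefined) this.byHash.delete(previous);
    const token = randomBytes(32).toString("hex"); // 256 bits from the CSPRNG
    const hash = sha256(token); // only the hash is stored (added hardening)
    const expirationDate = new Date(now.getTime() + REFRESH_TTL_MS);
    this.byHash.set(hash, { userId, expirationDate });
    this.hashByUser.set(userId, hash);
    return token;
  }

  // Refresh endpoint logic: returns a rotated token, or null when the caller
  // must log in again (unknown, already rotated, or expired token).
  refresh(presented: string, now: Date = new Date()):
      { userId: string; refreshToken: string } | null {
    const hash = sha256(presented);
    const record = this.byHash.get(hash);
    if (record === undefined) return null;
    if (record.expirationDate.getTime() <= now.getTime()) {
      this.byHash.delete(hash);
      this.hashByUser.delete(record.userId);
      return null;
    }
    return { userId: record.userId, refreshToken: this.issue(record.userId, now) };
  }
}
```

Passing `now` explicitly makes the expiry branch testable without waiting; in a NestJS service the same two methods would sit behind the login and refresh handlers.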
@andr4chik399 a month ago
wtf, you update refresh token per request why????? also why you protected all routes instead of what you really needed, video is like 5/10. good start - bad finish
@Computerix a month ago
You misunderstood the point. I called the refresh token API multiple times on purpose to show the behaviour. Of course you shouldn't call it unless the access token expires -.- + We added the authGuard on the controller level to protect all routes, assuming this is our use case.