Getting Started
Technical overview
Overview
Architectural Decision Records
API Design Guide
Authentication System Overview
Code Reviews
Code Standards
Devops
Feature Flags
Monorepo
Personas
Teamwork
Technical Direction
X-Road / Straumurinn
Repository
AWS Secrets
External Contributions
Generating a New Project
GitBook Contributions
Auto Generated Schemas
Workspace Settings
Apps
Air Discount Scheme
API
Application System
[DEPRECATED] Gjafakort
Judicial System
Reference Backend
Reference Next App
Service Portal
Services
Car Recycling - Skilavottorð
Web
Libs
API
API Catalogue
Application
Auth
Auth API Lib
Auth Nest Tools
Clients
Content Search Index Manager
Content Search Indexer
Content Search Metrics
Content Search Toolkit
Contentful Extensions Overview
Dokobit Signing
Email Service
Feature Flags
Health Insurance
Island UI
Localization
Nest Modules
NOVA SMS
Plausible
Service Portal
Shared
Misc
GitBook Template
Glossary
Powered by GitBook

Auth Nest Tools

This library contains a reusable module (AuthModule) with guards that can be used to protect other REST controllers and GraphQL resolvers.

Using guards

There are a couple of guards available.

  • IdsUserGuard: validates that the request has a valid JWT bearer authorization from our identity server and checks that it has a nationalId claim, representing an authenticated user. Information from the JWT can be accessed using the CurrentAuth and CurrentUser parameter decorators.

  • IdsAuthGuard: same as IdsUserGuard but does not verify the nationalId claim. Information from the JWT can be accessed using the CurrentAuth parameter decorator.

  • ScopesGuard: checks if the access token has required scopes. These can be configured using the Scopes decorator.

You should generally add IdsUserGuard and ScopesGuard to endpoints that return user resources for the authenticated user. You can use IdsAuthGuard for endpoints that need to be available for clients authenticating with client credentials.

Configuration

Import and configure the AuthModule, example:

@Module({
  imports: [
    AuthModule.register({
      audience: 'protected_resource',
      issuer: 'https://localhost:6001',
    }),

where audience is the name your resource was registered under in IdS and issuer the IdS url.

Using in REST controller

Decorate the controller with @UseGuards:

@UseGuards(IdsUserGuard, ScopesGuard)
@Controller('clients')
export class ClientsController {

and individual protected methods with @Scopes:

  @Scopes('protected_resource/read', 'protected_resource/admin')
  @Get(':id')
  @ApiOkResponse({ type: Client })
  async findOne(@Param('id') id: string): Promise<Client> {
    // ...
  }

If no @Scopes are applied to a method, then no access control is enforced for that method.

Information about the logged in user can be obtained by adding @CurrentUser() user: User as an input parameter to the controller method.

Using in GraphQL resolver

Decorate the resolver with @UseGuards:

@UseGuards(IdsUserGuard, ScopesGuard)
@Resolver()
export class UserProfileResolver {

and individual protected methods with @Scopes:

  @Scopes('userProfileScope')
  @Query(() => UserProfile, { nullable: true })
  async getUserProfile(@CurrentUser user: User) {
    // ... user.nationalId
  }

If no @Scopes are applied to a method, then no access control is enforced for that method.

Information about the logged in user can be obtained by adding @CurrentUser() user: User as an input parameter to the resolver method.

Opting out of auth

If a small subsection of your controller or app has public endpoints you can explicitly opt out of auth for those sections.

Decorate the resolver or controller with @BypassAuth:

@BypassAuth()
@Controller('clients')
export class ClientsController {
Libs - Previous
Auth API Lib
Next - Libs
Clients
Last updated 2 months ago
Edit on GitHub
Contents
Using guards
Configuration
Using in REST controller
Using in GraphQL resolver
Opting out of auth