I am making a project using nestjs.
I want to prevent users with a specific role in all controllers except for one controller.
I know, add #UseGuard(RoleGuard) #Role(UserRole.Guest) to each controller.
But I have a lot of controllers, and more will be added over and over again.
Is there a way to do it all at once like middleware?
thank you!
Could you not have a base controller that you extend and add the decorator to the constructor or something?
Also, check out useGlobalPipes to see if that can help with shared request logic.
Related
I am very new to NestJS and I am trying to create a project with multiple subapps. The query that I have is, if one entity is present in one sub-app, can we use that same entity in another sub-app of the same project?
This is my project strucutre:
apps
subApp1
entities
- entityone.ts
controller, modules and services
subApp2
entities
- entityTWo.ts
controller, modules and services
I want to use the entity one in subApp2 service. Is it possible? If so, how we can acheive this? Is there any better way to approach this situation where I need to use Entity of one sub app into another.
I tried exporting the Entity from one sub-app and import the Module in another sub app. But I am getting this error:
Nest cannot export a provider/module that is not a part of the currently processed module (StoreModule). Please verify whether the exported Store is available in this particular context.
I am not sure, if it was the correct way for this situation, but this solution came into my mind and i tried it.
you don't need to specify entities for every module.
keep them all together apart, so you can use them wherever you want.
Greeting, guys
I'm currently working on an authorization function on NestJS for my side project and use Casbin to apply my policies and permissions for users.
One step is that I want to provide an array of [handler name(ie. getAllUsers), api route(ie. api/v1/users), method(ie. get)] as an policy list while app bootstrap which will be wrote to database.
Getting api&method list is not a problem but question is I could't find a solution to get all of the handler name while app bootstrap
Do you have any experience or thoughts on it? would be much appreciate for your valuable sharing.
for the api&method way, I took this post as a reference and it worked well.
for handler name, I was thinking about the ExecutionContext from NestJs but it seems to be working in an interceptor while there is a request
** for those who might wonder why I need to put handler name in my polices, here is the way I implement the Casbin rule.
list a basic policies for all my apis.
create an role and add policies to it by handler name.
appoint the role to the user(whatever the user is) and the user can only access the allowed apis to perform.
Summary
I am seeing a lot of contradictory architectural examples of a REST API in my work and keep getting different opinions on the subject.
I am familiar with the principles of REST and seeing as each endpoint points to a resource followed by a verb such as /project/create project/123/read.
Following the MVC pattern assuming I have a controller that is responsible for updating a project resource:
router.put("/project/:id/update", ProjectController.put)
First question:
Should this route be responsible for all updates to this resource, in example, assuming different features on my client like marking a project as finished or changing it's title are separated and might not have anything in common for the user. Ending up with the route described above, or should there be something like this:
router.put("/project/:id/mark-as-done", ProjectController.markAsDone)
router.put("/project/:id/update-info", ProjectController.updateInfo)
Second question:
Assuming I want to create a notification resource if a project is created/updated/deleted. Since the notification is a resource on it's own I am not sure how to go about this, but what I assumed and was taught is to use another callback:
router.put("/project/:id/update", ProjectController.put, NotificationController.create)
Third question:
Could I use the same controller to read all resources or just one, for example:
router.get("/project/read", ProjectController.get)
router.get("/project/:id/read", ProjectController.get)
Making the logic in the controller method determinate if it will return all projects or just one. Or should it be separated into different methods?
I would define APIs like this:-
CRUD for Project entity
create- router.post(/projects)
update:- router.put(/projects/:id)
delete:- router.delete(/projects/:id)
read:- router.get(/projects) and/or router.get(/projects/:id)
You can define all above routes in ProjectController.
Regarding Notification entity you can define as follows
read:- router.get(/projects/:id/notifications)
The same can be applied to PUT, DELETE, POST
Here is a good article defining rest guidelines https://stackoverflow.blog/2020/03/02/best-practices-for-rest-api-design/
I'd greatly appreciate if someone could kindly explain [Route] attribute / routes.Add() method, its parts. I'm used to MVC framework / WebAPI and know that those pertain to Controllers and Actions. For instance the classes, DTO objects have them as opposed to methods. Thanks a bunch in advance.
Update 7/17/2013
http://pluralsight.com/training/Courses/TableOfContents/service-stack
Excellent course that answers everything
The route attributes you are referring to routes specific dtos to services based on the path in the route. so something like base.Routes.Add("/files", "GET,POST") would allow GET and POST requests to the /files path. So if my api lives in /api I can hit
http://localhost/api/files
with a GET or a POST and it should be routed to the correct service(s). You can think of this like what mvc does and keep in mind that mvc WILL mess with teh routes of service stack if the path is not ignored in mvc. In your route config of mvc make sure to put something like this:
routes.IgnoreRoute "api/{*pathInfo}"
assuming you installed service stack to run on the path /api (this can be found in your web.config). Also, if you are using mvc4 i would recommend taking out the webapi stuff so you dont get any conflicts with that either.
I've been trying to use RedBean ORM (http://redbeanphp.com) to implement UserInterface and UserProviderInterface of the Silex Security Provider Package.
Because of the way the RedBean ORM handles functions for its objects, I've needed to wrap the bean object in another class.
This works great for authentication, but fails tests for Remember Me functionality.
I noticed that somewhere along the chain the Security Package serializes the object.
I thought maybe this was the reason for the error, so I created properties for "id" and "password" in my wrapper class and used __sleep and __wakeup methods to ignore the bean during sleep and reload it on wakeup. Despite everything seeming to load properly during __wakeup the test for "Remember Me" functionality is still failing.
I have created a github repository of my code. If anyone has any ideas, I'd much appreciate it!
For some reason RedBean, Silex and PHPUnit aren't allowing themselves to be included in the repository. A simple composer update should pull them down for you. If anyone has any ideas why, I'd appreciate an answer to that as well.
The github repository can be found at:
https://github.com/christianmagill/silex-redbean-security
The applicable files are
To create the test user in the database:
/setup.php
To run the test:
/index.php
My implementation of UserInterface:
/src/App/Model/UserSecurityWrapper.php
My implementation of UserProviderInterface:
/src/App/Model/UserProvider.php
My modified test:
/src/App/Test/RememberMeRedBeanServiceProviderTest.php
The original test:
/vendor/silex/silex/tests/Silex/Tests/Provider/RememberMeServiceProviderTest.php
The problem was with my custom UserProvider's supportsClass method. I was not taking namespacing into account. It seems like this function is not called for basic authentication, but is needed for the remember me provider.