NestJS Authentication: JWTs, Sessions, logins, and more! | NestJS PassportJS Tutorial

  • Published on 28 Sep 2024

Comments • 423

  • @mariusespejo 2 years ago +49

    Note: a lot of people are getting the error “request.isAuthenticated is not a function”. Please note that I explicitly mentioned in the video that it will not work until you properly setup sessions. If you run into that error, KEEP watching! The problem will resolve itself once you have the full setup, don’t stop at the point of error. If you watch the rest of the video and still have this problem, double check that you properly configured and registered your strategies and guards exactly as shown in the video.

    • @David-rz4vc 2 years ago

      in main.ts: below fixed it for me
      app.use(passport.initialize());
      app.use(passport.session());

    • @yummers2001 2 years ago

      Any chance this can be added as an annotation to the video at that point? I fell into the same trap! Otherwise - awesome video. Keep up the great work!

    • @mariusespejo 2 years ago +1

      Not after it’s published sorry

    • @oudom_nohara 2 years ago

      @mariusespejo Thanks

    • @tobiasschafer1658 2 years ago

      And maybe something I am missing is some notes about the logout. Currently I am calling .logout() on the request AND calling session.destroy(). Maybe only the last one would be sufficient as it removes the complete session anyways ;-)

  • @cholasimmons 1 year ago

    That walkthrough at @23:45, priceless!
    So there's actually a guard on the route but you can login with the right body data? neat!!

  • @bossmusa9075 1 year ago +1

    Even today I remember how I asked the question below the similar type of video about jwt and you replied back really fast although your video was already great. As I see you still answer the questions and it's impressive.

  • @sailormetz7148 2 years ago +33

    A problem I encountered: if you use argument names other than 'username' and 'password' for local strategy, you must specify them as options in local.strategy in super({ usernameField: 'otherName1', passwordField: 'otherName2' }).
    If you don't, it won't even throw any errors, you'll just keep getting a 401 Unauthorized error. This drove me insane. Hope this helps others avoid this mistake.
    But great tutorial regardless! Content like this makes the internet amazing.

    • @rajuc6438 1 year ago +1

      Thank you so much man. You saved my life!!! It drove me insane for 2 hours. Thanks again

    • @MonkeyHandle001 1 year ago

      You are my savior, digital Jesus, God in TH-cam. you saved my 8 hours.

    • @zflxw 10 months ago

      Thank you very much, you saved me so much trouble

    • @rumble1925 5 months ago

      Oof. Thanks bro, I thought I was going insane, not seeing any logs or anything.

    • @osarumenizedonmwen3670 3 months ago

      thank you so much bro holy shit

  • @abhishekchintagunta8731 2 years ago

    Good job Marius, really appreciate your explanation. As I am transitioning to IT side, I find these videos very helpful.

    • @mariusespejo 2 years ago

      Awesome, I wish you luck on your transition!

  • @JamesBower 2 years ago +2

    It would be terrifically useful if you would build the client side login flow that connects with the JWT strategy. This tutorial was really clear and concise.

    • @mariusespejo 2 years ago

      Thanks, will consider it! For the most part the client-side is really just all about managing/storing that jwt somewhere and making sure it’s included in the headers of each request to your API. I’ll try to make a video about it sometime.

  • @AliAliOxenFree 1 year ago

    this is an excellent video. your explanation is spot on. thank you for taking the time to make these

    • @mariusespejo 1 year ago

      Appreciate the feedback! Thanks!

  • @vincent-thomas 2 years ago

    This was soo good! Please post (pun intended) a video where you handle sign up and remove account!!!

    • @vincent-thomas 2 years ago

      With JWT!

    • @mariusespejo 2 years ago

      Thanks! Will consider a specific video on that topic. Not really much to it though, sign-up is basically almost the same as login, but obviously you’d be adding to a db table of users, and removing is simply deleting that record

  • @kthalyn001 3 years ago

    Hi Marius, thank you very much for your video. I hope your channel will grow more and more. Have a nice day :D

    • @mariusespejo 3 years ago

      thanks Badinescu! glad you’re finding the channel useful!

  • @musbell 3 years ago

    Thanks, @Marius! The video is so helpful, I really learnt a lot.

  • @vanshdubey21 4 months ago +1

    VERY VERY HELPFUL VIDEO

  • @adeyemisunday6866 2 years ago

    Marius the Genius....#Legend

  • @argya2073 10 months ago

    thank you marius, you are awesome

  • @maxbraun6271 1 year ago

    Great video thank you!

  • @bozabonilla 3 years ago

    I'm looking for this same but with graphql, good video my friend, it will help me

  • @thongtech1984 2 years ago

    Yes, another awesome awesome video,

  • @hasst9261 5 months ago

    Cool content
    Rly helpful
    Ty!

  • @jaumoso23 1 year ago

    Thank you so much for this tutorial

  • @warsisarjeelrahman3940 3 years ago +1

    Can you please make a complete authentication tutorial with nestjs and react? Love the nest videos.

    • @mariusespejo 3 years ago +1

      will definitely consider it!

    • @kunheelim881 3 years ago +1

      @mariusespejo thanks for this video Marius
      I'm studying jwt Login authentication with nest.js, react too.
      complete authentication tutorial(refresh token, logout ...stuffs) will be very helpful for me
      I want you to refer to making a video for this.
      Thanks!

    • @warsisarjeelrahman3940 3 years ago

      @mariusespejo Love your tutorials, man.

  • @bgabriel7581 3 years ago

    Thanks for your video, I loved it!!!

  • @MultiShokk69 2 years ago

    Awesome tutorial like always thank you,
    If you can do some new tutorial in vuejs / nestjs it will be awesome

  • @romanpshenichnyy9837 3 years ago

    Thanks a lot man, that was a super good material for me. Hope u will get the best in this life, good luck!

  • @eliotistube 3 years ago

    Great video Marius!
    You made clear a lot of points around authentication that were a bit confusing to me.
    Could you possibly make a video about authentication using JWTs with NestJS and GraphQL (code first)?
    Thanks again!

    • @mariusespejo 3 years ago

      Thanks Takis! Definitely looking to dive into more graphql stuff

    • @mariusespejo 2 years ago +1

      fyi just published a new video specifically on that topic!

  • @mobinal5429 2 years ago

    Pretty long but worth it!

    • @mariusespejo 2 years ago

      Thanks! I’m trying to get better at explaining complex stuff in shorter time but it’s not easy haha

  • @Fakhranyy 1 year ago

    Great work! But I was wondering, it's too many steps, I think I couldn't do all of these from my memory. I think it's hard at first and it's okay if I followed the documentation to implement it... what's your opinion about that?
    all love from Egypt

    • @mariusespejo 1 year ago

      I mean unless you do this type of work often it’s not really something you would memorize. For most applications you probably only set up auth once and adjust it a few times. I would definitely suggest having the documentation as reference. It’s ultimately the fundamentals of auth and session management that you need to understand and know well, then you can always reference docs if you need a refresher

  • @alesofton 2 years ago +1

    thanks but it doesn't work for me... it always says error 401 unauthorized

    • @mariusespejo 2 years ago

      Well there’s logic to why it would not be authorized, that’s exactly what guards are for. Do some logging to find out why…e.g. maybe you tested with expired/wrong token, maybe user wasn’t found, maybe your sessions (if you’re doing sessions) aren’t set up correctly etc. etc. it’s not magic there are simple boolean logic behind your guards that determines does the request move forward or not, you just need to figure out the why and see if you made a configuration mistake

  • @culttm 3 years ago

    Thanks for your video! Can you explain how to implement the server side api calls with session based token refreshing?

    • @mariusespejo 3 years ago +1

      The gist of it is that you need to store your refresh token somewhere, e.g. perhaps in your session store. Every time your service needs to use the access token, check if it’s expired and if so refresh it using your stored refresh token. What the refresh request looks like differs depending on your identity provider, but usually it’s just a POST request with your refresh token attached

    • @culttm 3 years ago

      @mariusespejo it is clear for me, thanks. but just imagine that you have at least 2 tabs with one user session and create several requests at the same time. the first request receives 401 or checks an access token's expiry and tries to refresh one & renew in a session. it can take several ms. The parallel request tries to do the same thing and uses already expired access and refresh tokens and receives an error "Token is invalid". Maybe there should be smth like a lock mechanism. Or this script is wrong in the first place. I think it seems to be a great topic for the next video)

    • @mariusespejo 3 years ago

      Yup will consider a follow up video. That’s definitely a valid edge case, there are several different ideas e.g. perhaps proactively check token expiration on an interval, not just on requests, or maybe flag the session to mark it as “refreshing” (similar to your locking idea) etc.. I would first consider though how likely that scenario would really happen for your use case. I can’t imagine refreshing really takes that long. Also something to consider is that in your scenario would it not simply just refresh at both requests? Meaning the second would just overwrite the token update of the first. If you make sure to wait for the refresh to complete on any request then I don’t see any real conflicts. Except for maybe when refresh tokens are rotated and become invalid, but again we’re talking about milliseconds here

    • @culttm 3 years ago

      @mariusespejo however this edge case is likely to happen. I would love to see your realization anyway. Maybe there will be some tricks or tips that could help me out!
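The lock idea raised in this thread, as an added example that is not from the video or its author: concurrent requests for one session share a single in-flight refresh, so a rotated refresh token is never presented twice. `SessionTokenManager`, `makeRotatingIdp` and the token values are hypothetical, and the identity provider is assumed to rotate refresh tokens on every use.

```typescript
// Added example; all names are hypothetical and not from the video.
interface TokenSet {
  accessToken: string;
  refreshToken: string;
  expiresAt: number; // epoch milliseconds
}
type RefreshFn = (refreshToken: string) => Promise<TokenSet>;

class SessionTokenManager {
  private store: Map<string, TokenSet>; // stand-in for the session store
  private refresh: RefreshFn;
  // One in-flight refresh per session id: this map is the "lock".
  private inFlight = new Map<string, Promise<TokenSet>>();

  constructor(store: Map<string, TokenSet>, refresh: RefreshFn) {
    this.store = store;
    this.refresh = refresh;
  }

  async getAccessToken(sessionId: string): Promise<string> {
    const current = this.store.get(sessionId);
    if (!current) throw new Error('no session');
    if (current.expiresAt > Date.now()) return current.accessToken;

    let pending = this.inFlight.get(sessionId);
    if (!pending) {
      // First caller starts the refresh and writes the new tokens once.
      const started = this.refresh(current.refreshToken).then((fresh) => {
        this.store.set(sessionId, fresh);
        return fresh;
      });
      this.inFlight.set(sessionId, started);
      // Release on success and on failure so a later request can retry.
      const release = (): void => {
        if (this.inFlight.get(sessionId) === started) this.inFlight.delete(sessionId);
      };
      started.then(release, release);
      pending = started;
    }
    // Other callers await the same promise instead of re-sending the old refresh token.
    return (await pending).accessToken;
  }
}

// Constructed identity provider: it rotates refresh tokens, so presenting an
// already-used refresh token fails with "Token is invalid".
function makeRotatingIdp(initialRefreshToken: string) {
  let valid = initialRefreshToken;
  let counter = 0;
  let calls = 0;
  const refresh: RefreshFn = async (refreshToken) => {
    calls += 1;
    if (refreshToken !== valid) throw new Error('Token is invalid');
    counter += 1;
    valid = `refresh-${counter}`;
    await new Promise((resolve) => setTimeout(resolve, 10)); // simulated latency
    return {
      accessToken: `access-${counter}`,
      refreshToken: valid,
      expiresAt: Date.now() + 60000,
    };
  };
  return { refresh, getCalls: () => calls };
}

async function demoConcurrentRefresh() {
  const expired: TokenSet = { accessToken: 'access-0', refreshToken: 'refresh-0', expiresAt: 0 };
  const outcome = (p: Promise<TokenSet>) => p.then(() => 'ok', (e: Error) => e.message);

  // Naive: two parallel requests each refresh with the token they read.
  const naiveIdp = makeRotatingIdp('refresh-0');
  const naive = await Promise.all([
    outcome(naiveIdp.refresh(expired.refreshToken)),
    outcome(naiveIdp.refresh(expired.refreshToken)),
  ]);

  // Single-flight: three parallel requests, one call to the identity provider.
  const idp = makeRotatingIdp('refresh-0');
  const store = new Map<string, TokenSet>([['sess-1', expired]]);
  const manager = new SessionTokenManager(store, idp.refresh);
  const tokens = await Promise.all([1, 2, 3].map(() => manager.getAccessToken('sess-1')));
  const stored = store.get('sess-1');
  return {
    naive,
    tokens,
    refreshCalls: idp.getCalls(),
    storedRefreshToken: stored ? stored.refreshToken : '',
  };
}

demoConcurrentRefresh().then((result) => console.log(result));
```

The in-memory map only covers a single Node process; with several instances behind a load balancer the same idea needs a lock held in the shared session store.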

  • @IanGem1121 3 years ago

    I've been looking for this. Can you do a video on nestjs database provider with mongoose?

  • @joebowbeer 2 years ago

    One bit of passport magic that I had to look up: the req.user property name is optional and can be changed in initialize()

    • @mariusespejo 2 years ago

      Can’t really think of better name than that though. Fyi in nest you can also create a custom decorator like @User() which can be set up to automatically give you the value of req.user

  • @aqezu 1 year ago

    Hey Marius, old video now ik but still asking, do we need to have a JwtGuestGuard (e.g. for LOGIN route) ? If so, we need to recode a canActivate method right ?

    • @aqezu 1 year ago

      To be more accurate, what I mean by GuestGuard is some kind of Guard that says « hey your token is still valid I can’t generate you another one / your token is missing/non-existent, I’ll generate one for you »

    • @aqezu 1 year ago

      And btw any good practice to invalidate a user ? Maybe some kind of fullstack app would be cool to make a video of :D enjoyed your work as always tho ! :D

    • @mariusespejo 1 year ago

      Hey Abriscout, sorry not sure I’m understanding the question. Did you watch the video in full? I believe I did cover having a guard that checks for the existence of a jwt on any routes that you protect, but that wouldn’t be on a login route. Not sure it makes much sense to check for a jwt on a login route when the login itself typically would generate the jwt. It is not the guard’s job to generate tokens… its purpose is to simply decide “should I let this user proceed or not”. E.g. it could check if the token is invalid or perhaps it’s expired, then it can respond with a status 401/403 to inform the client “hey you need to login and get a new token”. Which is why again, doesn’t make sense to check for the token at login, because you know they NEED one if they’re calling login. I think what you might be thinking about are refresh tokens, which are meant to automatically allow a client to get a new access token, basically extending the life of the session without needing to login again.
      As for your second question, there isn’t really a great way to invalidate a jwt…you’d have to somehow track the id of that token and maintain some kind of block list. This is also generally why you want access tokens to often have short expiration. If you were using server-side session however, then you’re in full control with every session object, you could simply just have your store remove a session and that would effectively invalidate a user

    • @aqezu 1 year ago

      @mariusespejo Yeah I was confused by so many things, and then I discussed with devs that have shown me some ways of how to do it. My question was not very clear, but basically it was about preventing user that is already logged in to access the login route :D Thanks !

    • @mariusespejo 1 year ago

      Not really sure it’s that beneficial to do something like that. What if you wanted to allow multiple logins across different browsers/clients? The client app should be designed in such a way that it knows if the user is logged in (to prevent access to the login form and instead show logout button, for example). If a user somehow tries to login again then the client app should simply know to discard and replace any existing token, wherever it may be storing it. Or if you’re interested in some kind of invalidation then keep track of all created token IDs server-side and if the user logs in then invalidate any existing tokens they already were provided. Basically there are ways around getting the proper expected behavior without needing to restrict the login route
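One way to do the token-ID tracking and block list described in the replies above, as an added example that is not code from the video: each token carries a `jti`, a new login revokes the user's previous token, and block-list entries are dropped once the token would have expired anyway. HS256 is hand-rolled with Node's `crypto` only to keep the block dependency-free; `RevocableJwtIssuer`, the secret and the clock are constructed for illustration.

```typescript
import { createHmac, randomUUID, timingSafeEqual } from 'node:crypto';

// Added example, not code from the video; names and secret are constructed.
interface Claims { sub: string; jti: string; iat: number; exp: number }

const encode = (value: object): string =>
  Buffer.from(JSON.stringify(value)).toString('base64url');
const HEADER = encode({ alg: 'HS256', typ: 'JWT' });
const mac = (input: string, secret: string): Buffer =>
  createHmac('sha256', secret).update(input).digest();

class RevocableJwtIssuer {
  private secret: string;
  private ttlSeconds: number;
  private now: () => number; // seconds since epoch
  private current = new Map<string, Claims>(); // user id -> claims of the live token
  private blocked = new Map<string, number>(); // revoked jti -> its exp, for pruning

  constructor(secret: string, ttlSeconds: number, now: () => number) {
    this.secret = secret;
    this.ttlSeconds = ttlSeconds;
    this.now = now;
  }

  // Logging in again invalidates whatever token the user was given before.
  login(userId: string): string {
    this.revokeUser(userId);
    const iat = this.now();
    const claims: Claims = { sub: userId, jti: randomUUID(), iat, exp: iat + this.ttlSeconds };
    this.current.set(userId, claims);
    const body = `${HEADER}.${encode(claims)}`;
    return `${body}.${mac(body, this.secret).toString('base64url')}`;
  }

  revokeUser(userId: string): void {
    const live = this.current.get(userId);
    if (live) this.blocked.set(live.jti, live.exp);
    this.current.delete(userId);
  }

  verify(token: string): Claims {
    const parts = token.split('.');
    if (parts.length !== 3) throw new Error('malformed token');
    const [header = '', payload = '', signature = ''] = parts;
    if (header !== HEADER) throw new Error('unexpected header'); // pins alg to HS256
    const expected = mac(`${header}.${payload}`, this.secret);
    const given = Buffer.from(signature, 'base64url');
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
      throw new Error('bad signature');
    }
    const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8')) as Claims;
    if (claims.exp <= this.now()) throw new Error('token expired');
    if (this.blocked.has(claims.jti)) throw new Error('token revoked');
    return claims;
  }

  // An expired token is rejected anyway, so its block-list entry can be dropped.
  prune(): number {
    const now = this.now();
    this.blocked.forEach((exp, jti) => {
      if (exp <= now) this.blocked.delete(jti);
    });
    return this.blocked.size;
  }
}

function demoRevocation() {
  let clock = 1000; // constructed clock, in seconds
  const issuer = new RevocableJwtIssuer('constructed-demo-secret', 60, () => clock);
  const outcome = (token: string): string => {
    try {
      issuer.verify(token);
      return 'ok';
    } catch (e) {
      return (e as Error).message;
    }
  };

  const first = issuer.login('user-1');
  const firstBeforeRelogin = outcome(first);
  const second = issuer.login('user-1'); // same user logs in again
  const firstAfterRelogin = outcome(first);
  // Swap in different claims while keeping the old signature.
  const [h = '', , s = ''] = second.split('.');
  const forged = `${h}.${encode({ sub: 'admin', jti: 'x', iat: 0, exp: 9999999999 })}.${s}`;
  const blockedBeforePrune = issuer.prune();

  clock += 61; // move past the 60-second lifetime
  return {
    firstBeforeRelogin,
    firstAfterRelogin,
    second: outcome(second.slice(0)) === 'token expired' ? 'token expired' : 'unexpected',
    forged: outcome(forged),
    blockedBeforePrune,
    blockedAfterPrune: issuer.prune(),
  };
}

console.log(demoRevocation());
```

The shorter the token lifetime, the smaller the block list has to be, which is the trade-off the reply points at.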

  • @mynameisjeff8559 1 year ago

    BEST VIDEO

  • @insomnia6961 1 year ago

    Very good job on this one!
    i decided to go with session auth for my application and it works just like promised with insomnia and postman. I'm currently setting up a frontend with angular and do now face a problem. The Session Cookie is visible in the chrome dev tools network tab, but the cookie is not set at Application > Cookies.
    Can some one help me please
    (didn't find an answer on stack overflow)

    • @mariusespejo 1 year ago +1

      Does your server response use the Set-Cookie header? developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

    • @insomnia6961 1 year ago

      @mariusespejo thanks a lot for the reply!
      I had to intercept the outgoing requests from the angular app and add {withCredentials: true} and changing origin: '*' to allow-origin: 'mything' as well as allow-credentials: true in the BE. Otherwise the cookie is not set in FE nor shipped with the Request or it results in a cors error. I should have mentioned, that BE and FE are not running under the same domain, my bad, sorry.
      But thanks again for your quick reply! You are doing a serious job here and I didn't find anyone who comes close to your tutorials (sound quality, speed, explanations)
      Thanks a lot for that.
      best regards!

    • @mariusespejo 1 year ago +1

      Glad you figured it out and thanks for the feedback!

    • @leo-3r 5 months ago

      @insomnia6961 can you share the code you used to fix this? I cannot figure this out... I have the same scenario here

    • @insomnia6961 5 months ago

      @leo-3r I changed to jwt in the meantime. The reason is, my system is deployed to firebase and app engine and gcp does strip all cookies for security reasons. (There is a specific token name that should work though, but it did not for me, so I switched to jwt)
      So I am sorry, but I can't tell you how I made it work back then

  • @toneyavuz8389 1 year ago

    I haven't seen that you edited the main.ts file.

    • @mariusespejo 1 year ago

      There’s like an entire section that starts with editing that file. 31:41

  • @jamols09 3 years ago

    Is it required that we use 'username' & 'password' as the fields and not 'name'? I get Unauthorized when I use name instead of username (I've also changed property for comparison)

    • @mariusespejo 3 years ago

      No you can change it through the strategy options, make sure to look at the docs for it

  • @jessicamaria682 3 years ago

    Thank you for this video!

  • @bigg565 1 year ago

    When I finish the local strategy without tokens or jwt first, I constantly get a 401 Error and that I am unauthorized, do You maybe know why and can help me out?

    • @mariusespejo 1 year ago

      That means your validate() didn’t return or find a user. Or perhaps you’re incorrectly throwing the exception somewhere

    • @bigg565 1 year ago

      @mariusespejo How can I check what it returns or maybe debug it?

    • @mariusespejo 1 year ago

      You’re in charge of implementing that, as shown in the video. You have access to it

    • @bigg565 1 year ago

      @mariusespejo I just checked my code and I did all as shown in the video and have basically the exact same code as in the video, but it still won't work.

    • @mariusespejo 1 year ago

      And you’re able to log out that you’re getting a user back? Did you verify that the validate method is getting invoked? Is the strategy actually registered as a provider in the auth module?
      Those are some steps to debug. It’s important to have a fundamental understanding of how passport works and how it’s used in nest, and where might your errors be.
      Local strategy when done correctly should be able to give you back a user with the matching username and password.

  • @vinaykaithwas2973 2 years ago

    29:09 Session

    • @mariusespejo 2 years ago

      There are timestamps in the description if you need it

  • @petvideosshorts2322 2 years ago

    Hello brother.. can you please assist me on updating logged in user details without providing id in controller like @param(‘id’) id: string …

    • @mariusespejo 2 years ago

      I mean updates ideally are going through your api/controller if it’s user driven. If you don’t want to pass in the ID then you have to already have it in session store.
      If it’s just the system making changes then just trigger logic to update the record in database/session. I would suggest posting a more detailed question in stackoverflow

  • @goodcoder4953 2 years ago +1

    🙏 Please Give Me Git Hub Url of this Project

    • @mariusespejo 2 years ago

      Not on github at the moment sorry, consider following the tutorial from scratch, it honestly won’t take that long, most of the video is just me explaining the details

  • @haralc 2 years ago

    I have put the /login inside the /user ... now I'm getting "circular dependency between modules" error.

    • @mariusespejo 2 years ago

      You likely have services depending on each other.. it’s generally best to separate concerns as much as possible, e.g. I would not add /login inside your user controller. It’s better to do that in a stand-alone AuthController

    • @haralc 2 years ago

      @mariusespejo A Company has Employees, Employees have Company. Then how you'd take this? This roadblock is at module-level, not just Service. Can you do some real-world app? There's someone who did Facebook clone end-to-end, not just small bits of everything and hopefully someone is clever enough to piece things together.

    • @mariusespejo 2 years ago

      You can resolve the circular dependency itself if you’d like: docs.nestjs.com/fundamentals/circular-dependency
      But the point is to avoid it in the first place. I can’t tell you how exactly to do that, you need to understand your own dependency tree. I don’t see how this has anything to do with auth (the topic of this video)

    • @haralc 2 years ago

      @mariusespejo I just mentioned that since we're talking about circular dependencies. Maybe "circular" is more on the negative side, I'll just put it as "two-way relationship", books-author, company-employee, library-books, hospital-patient and whatnot.
      I'm sorry if I got over excited and left my manners somewhere, but I had a great time learning the basics. So, great video. And so, would you please make a more advanced tutorial/demo -- something like a Facebook clone would be nice, or some website that is relevant today and of course with the use of this technology. Thanks in advance!

  • @etherofgodd 3 years ago

    hi @Marius Espejo thanks so much for the tutorial. i keep on getting this error ERROR [ExceptionsHandler] request.isAuthenticated is not a function. what do I do ?

    • @attranmanh8197 3 years ago

      did u fix it? I can't not search for the solution :(

    • @mariusespejo 3 years ago +1

      IsAuthenticated specifically comes from passport, that means there is something missing in your configuration. Did you set up express-session and did passport.initialize() and passport.session()? The order of those 3 things is important. Finally did you add the serializers and registered it in your module?

    • @attranmanh8197 3 years ago

      @mariusespejo my error comes before "Session setup", I followed your timestamp until "is.authenticated()" fault. I replayed your vid 2 times but still have this error

    • @mariusespejo 3 years ago

      You have to setup passport and sessions completely, did you do all 4 things that I mentioned in the previous comment?

    • @attranmanh8197 3 years ago

      @mariusespejo I set up fully, but I'll try to create another proj to do it

  • @nomanahmedkhan6352 1 year ago

    can u share this source code,?

  • @andriancabisada4313 2 years ago

    github repo please. haha

  • @thecastiel69 3 years ago +16

    This tutorial I wanted today, what a coincidence

  • @mariusespejo 3 years ago +26

    00:00 - Intro
    03:35 - Initial routes
    04:41 - UsersService
    07:50 - AuthService
    10:40 - Implementing passport-local strategy (username/password login)
    18:08 - AuthGuards
    23:25 - Summary of local login flow
    29:02 - Guard to check if user is authenticated
    31:41 - Setting up sessions
    40:37 - Summary of login with sessions flow
    44:25 - Setting up JWT strategy, signing and validating
    1:00:25 - Summary of JWT strategy flow
    1:04:22 - Conclusion
    1:05:20 - Outro

    • @adnanhaider4038 2 years ago

      0

    • @muhammadharis2205 1 year ago

      req.isAuthenticated gives error "request.isAuthenticated is not a function" at 29.02 section.

  • @МихаилЧон 3 years ago +17

    You are gonna be famous soon

  • @kurtestacion6113 3 years ago +16

    Can you do more of nestjs with graphql like auth and/or microservices. That would be a unique content!

    • @mariusespejo 3 years ago +12

      will definitely look into that more, I’m still learning a lot of the best practices with graphql myself

    • @yazeerahamed763 3 years ago

      second that

    • @francisabonyi7115 2 years ago

      @mariusespejo Can't wait to learn that combination from a master like you

    • @mariusespejo 2 years ago +2

      hey folks, just following up: new video just posted on doing this same auth topic but in graphQL specifically

  • @kinopiskfreepromocode5546 2 years ago +12

    The best tutorial i watched so far. Author tells the info clearly and without any useless data. So, i want to say that i was here when the num of followers had been 7k

  • @santiagazolara 2 years ago +2

    What about an email instead of a username - I never use usernames with my applications. It doesn't work by just switching username to email... but it doesn't take much more work either, just a simple mapping object in the right place.
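    ```ts
    import { Injectable, UnauthorizedException } from '@nestjs/common';
    import { PassportStrategy } from '@nestjs/passport';
    import { Strategy } from 'passport-local';
    import { AuthService } from './auth.service'; // path assumed

    @Injectable()
    export class LocalStrategy extends PassportStrategy(Strategy) {
      constructor(private authService: AuthService) {
        // Tell passport-local to read the credentials from `email` instead of `username`.
        super({
          usernameField: 'email',
          passwordField: 'password',
        });
      }

      // Called by passport with the values of the two configured fields.
      async validate(email: string, password: string): Promise<any> {
        const user = await this.authService.validateUser(email, password);
        if (!user) {
          throw new UnauthorizedException();
        }
        return user;
      }
    }
    ```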

    • @mariusespejo 2 years ago +2

      Yup that’s exactly how you’d be able to do it

    • @foofighterdaz 2 years ago

      Thanks for sharing this Jay! Killed me for about 2 hours.

  • @manishupadhyay4519 3 years ago +8

    Thanks a lot Marius! for Authentication session. Very well crafted beautifully explained.
    Just 1 suggestion if you could put this session over git. Would be great to look at the code and get relate it post watching video.
    Keep up the good work!!!
    All The Best!!

  • @foofighterdaz 2 years ago +9

    Can't thank you enough for this Marius, excellent content, pitched and paced perfectly.

    • @mariusespejo 2 years ago +1

      Thank you! I appreciate the feedback

  • @FunkyToe369 3 years ago +6

    Thanks for spending the time explaining each part and drawing the parallels to how we would do it in express.
    Really helped me understand how to accomplish session auth. Felt a bit lost when the docs only covered JWT auth and all the tutorials I found were showing me the code to make it work... But not why it worked haha

  • @batuhanbag5054 2 years ago +1

    If you have this error "ERROR [ExceptionsHandler] request.isAuthenticated is not a function" you should return request.isAuthenticated; instead of return request.isAuthenticated() at the authenticated.guard.ts file

    • @satyamprajapati3779 2 years ago +1

      Thank you!!!!....You saved my time

    • @batuhanbag5054 2 years ago

      @satyamprajapati3779 You’re welcome happy coding !
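What the parentheses change in that guard, as an added example that is not from the video: calling `request.isAuthenticated()` returns passport's answer, while returning `request.isAuthenticated` hands back the function itself, which is truthy for every request once passport is set up. `runGuard` is a hypothetical stand-in that assumes the framework treats a guard's return value as a truthy/falsy decision, and the three requests are constructed.

```typescript
// Added example. `runGuard` is a hypothetical stand-in for the framework: it only
// models "a truthy return value lets the request through".
type Req = { isAuthenticated?: () => boolean };
type Guard = (request: any) => unknown;

// Call the method passport adds to the request.
const withCall: Guard = (request) => request.isAuthenticated();
// Without parentheses: returns the function itself (or undefined), never its result.
const withoutParentheses: Guard = (request) => request.isAuthenticated;
// Fail closed: deny when passport is not wired up, allow only on an explicit true.
const failClosed: Guard = (request) =>
  typeof request.isAuthenticated === 'function' && request.isAuthenticated() === true;

function runGuard(guard: Guard, request: Req): string {
  try {
    return guard(request) ? 'allowed' : 'denied';
  } catch {
    return 'error'; // e.g. "request.isAuthenticated is not a function"
  }
}

// Constructed requests: passport not set up, anonymous visitor, logged-in user.
const sampleRequests: Req[] = [
  {},
  { isAuthenticated: () => false },
  { isAuthenticated: () => true },
];

function guardMatrix() {
  const run = (guard: Guard) => sampleRequests.map((request) => runGuard(guard, request));
  return {
    withCall: run(withCall),
    withoutParentheses: run(withoutParentheses),
    failClosed: run(failClosed),
  };
}

console.log(guardMatrix());
```

In the second row the anonymous visitor is allowed, so a guard written that way stops the error but no longer protects the route once sessions are configured.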

  • @Randito33 1 month ago

    Thanks for this tutorial, I went through the NestJS docs a few times and tried to set this up myself but there was always something wrong. Your vid helped me finally get it all working!

  • @OetziOfficial 3 years ago +5

    Dude, after 4 days struggling you opened my eyes. They should add all of this in their documentation. You are a gold treasure!

    • @OetziOfficial 3 years ago

      @Dev Guy I read the documentation first and in the span of 4 days, probably 100 times :D I actually started the project because I loved the documentation, it's just on spot, with a few missing parts :)

    • @mariusespejo 3 years ago +13

      Docs are definitely very good but it’s not always intuitive to everyone. Simply saying just read the docs is like telling people don’t go to school just read the text books….

    • @sophektounn6422 2 years ago +1

      I’ve been looking for this. Thank you thank you. Would git repo of this code.

    • @h.w.b.9503 1 year ago

      @Dev Guy I looked at and read the documentation from Nest and Passport. The main problem for me with the documentation is Nest is all classes and Passport documentation show you how to configure the different strategies in ES6. This video is literally the only resource I've found (and I searched for over a week) that explains that (a) passport is initiated when it is included in the correct provider array and you do not need passport.use() as explained in the Passport docs and (b) the UseGuard is registering the strategy and there is no need for passport.register(), again, as explained in the Passport docs

  • @luckyardhika3781 2 years ago

    Are you stuck in 401 in protected route, bro? thats cause you to not show how succesfully request in protected route yes??

  • @akarihinata8975 2 years ago +1

    Is it possible to login just after signup (register) ?

    • @mariusespejo 2 years ago

      Yeah don’t see why not

  • @usmanakram5458 2 years ago +2

    Such a masterpiece bro♥️ everything is perfect in this video 🏳️🙌

  • @xZunaii 2 years ago +12

    I highly appreciate you going through the code roughly and also briefly explaining the NPM packages which you're using / recommending. It's really fun coding along and learning in this video!

    • @mariusespejo 2 years ago

      Glad you’re enjoying it!

  • @RealWorldMusicTheory 2 years ago

    What happens when the JWT expires? Would the user have to login every 60 seconds? Does passport generate fresh tokens and handle them automatically?

    • @mariusespejo 2 years ago +1

      60 seconds is obviously an unrealistic expiration that was only used as an example.. you should decide what makes sense for the security of your application. If you want it to automatically renew for the user you can do that with refresh tokens, not sure if the passport strategy does that automatically. Anyways otherwise yes you’d have to have them login at expiration

  • @muhammadharis2205 1 year ago

    req.isAuthenticated gives error "request.isAuthenticated is not a function" at 29.02 section.

  • @JorgeFrota-r6w 1 month ago

    Hey Marius, just passing by to thank you, your video format is awesome.
    I love how you explain everything while showing the documentation. It really adds to us as developers, so that we know like "oh, so the information was here all the time!". It particularly helped me a lot.
    Keep up the good work!

    • @mariusespejo
      @mariusespejo  29 days ago

      Thanks man! Glad you found it useful 🙏

  • @Sebeklis
    @Sebeklis 2 years ago

    Why are people using sessions? In both approaches the client side must securely save the “cookie” or the “jwt token”. The main difference is that in case of the JWT approach the server does not need to maintain a DB of sessionId for lookup.

    • @mariusespejo
      @mariusespejo  2 years ago

      It’s a matter of where you want to store the session…. In a store or in jwt… note that if you have a lot of data for your user session having all of that in a jwt/cookies would be impractical, that’s just extra data you’re sending over the wire. So it depends on the use case. Also server-side sessions are significantly more secure in my opinion, you don’t have to worry about tokens being intercepted (which again will have some user data on it)

  • @tunghaotu8652
    @tunghaotu8652 2 years ago +1

    Hi guys, I am stuck in the chapter guard to check if user is logged in. It is an error said "request.isAuthenticated()" is not a function. I console log the keys of request object and realize that the object doesn't have isAuthenticated, isUnauthenticated, user. Any suggestions, guys?

    • @mariusespejo
      @mariusespejo  2 years ago +1

      It likely means either the guard or the strategy were not registered or configured correctly

    • @tunghaotu8652
      @tunghaotu8652 2 years ago

      @@mariusespejo I have checked every step very clearly but cannot figure out which step I missed. Googling for days and have no hope, man. The local strategy works as in the video. But the authenticatedGuard implements CanActive not working. Do you have any idea for it?

    • @mariusespejo
      @mariusespejo  2 years ago

      Are you sure you registered your strategies as providers in the module?

    • @mariusespejo
      @mariusespejo  2 years ago

      Did you actually set up sessions? Please note that in the video I explicitly said the guard won’t work until you actually have the sessions in place. That along with actually having the full passport local strategy working and correctly registered is what’s needed. Make sure to watch the rest of the video and don’t just stop at the point of error

    • @tunghaotu8652
      @tunghaotu8652 2 years ago

      @@mariusespejo My bad. That is the missing piece. I have finished following your tutorial. That's really helpful. Thanks for your answer and making such a good video. Have a nice day

  • @MahmoudAhmed-nq7ou
    @MahmoudAhmed-nq7ou 8 months ago

    (this.validate is not a function) this error had shown to me
    can someone help me please

  • @ash1982ok
    @ash1982ok 3 years ago +2

    could you please share your source code?

  • @saikatjaman2004
    @saikatjaman2004 3 years ago +1

    Hi Sir, Thanks for the osm Tutorial, can we have the git link for source code plz.

  • @waycambas150
    @waycambas150 7 months ago

    I got some error when request protected
    ERROR [ExceptionsHandler] Unknown authentication strategy "jwt"
    Error: Unknown authentication strategy "jwt"

    • @waycambas150
      @waycambas150 7 months ago

      oh I got this

  • @yazelkro7522
    @yazelkro7522 1 year ago

    Hello, I have covered the first 30 minutes of the video, I keep getting this when using postman TypeError: Cannot read properties of undefined (reading 'validateUser'). I do not find the error, I have checked the documentation

    • @mariusespejo
      @mariusespejo  1 year ago

      That’s implemented in the AuthService around 7:50. Did you actually implement validateUser? Is it in the correct service?

  • @malinduupendra7117
    @malinduupendra7117 2 years ago +1

    Hi Marius, in AuthenticatedGuard file I get error which is "request.isAuthenticated is not a function". May I know why I get that?

    • @mariusespejo
      @mariusespejo  2 years ago

      You likely didn’t set up the local strategy and its guard correctly

  • @lakeman4101
    @lakeman4101 2 years ago +1

    It would have been great to have your GitHub repo to the project to interact well with your code. @Marius Espejo. Great video

  • @germanwibaux6923
    @germanwibaux6923 2 years ago

    It gives me this error "Error: Unknown authentication strategy "local"". I can't find the solution yet. Bye!

    • @mariusespejo
      @mariusespejo  2 years ago +1

      That likely means you didn’t register the strategy in any module

  • @josegonzalez-jg1kj
    @josegonzalez-jg1kj 2 years ago

    But how would it be for email, password? Because I am trying to use passport local strategy for email, password and it's not working

    • @mariusespejo
      @mariusespejo  2 years ago

      You can configure the local strategy to use a different field e.g. email instead of username

  • @ivanmilovac9482
    @ivanmilovac9482 2 years ago

    Hi Marius, should we pass super() in constructor of JwtAuthGuard (th-cam.com/video/_L225zpUK0M/w-d-xo.html) ?

    • @mariusespejo
      @mariusespejo  2 years ago

      If you’re explicitly defining the constructor I believe so yes

  • @asogbaibrahim9618
    @asogbaibrahim9618 1 year ago +1

    I love this tutorial. Clear as Spring water 💯

  • @mohabedr5030
    @mohabedr5030 3 months ago

    Bro, with this approach the user needs to register and then login, we should be able to register and automatically login

    • @mariusespejo
      @mariusespejo  3 months ago

      So create a jwt at register, nothing stopping you from achieving that

  • @JawwadNissar
    @JawwadNissar 1 year ago

    you did amazing job. plz tell one thing. how to implement authentication on microservice based architecture

    • @mariusespejo
      @mariusespejo  1 year ago

      That’s a bit of a loaded question that is not simple to answer in a comment. First of all there are several strategies that depends a lot on your infrastructure, your identity provider, etc. Next the “how” again will depend on the strategy. I suggest spending some time reading about it

  • @johnparungao1354
    @johnparungao1354 1 year ago

    What are the reasons you chose React over Angular? knowing nestjs is literally angular but backend ?

    • @mariusespejo
      @mariusespejo  1 year ago

      pick tools based on what you believe is best for the task, not based on similarities.

  • @bjfviheoiv
    @bjfviheoiv 2 years ago

    Can I change the serializer service name to CookieSerializer? How does passport know where to look for these functions of serial/deserial?

    • @mariusespejo
      @mariusespejo  2 years ago

      I’m not sure that the name matters as long as it is extending PassportSerializer and that you’re registering it as a provider, Nest automatically calls it by convention when you’re using sessions with passport

  • @bigg565
    @bigg565 1 year ago

    Hi, first off, your video is great and I think I understand what's going on, but the thing is I keep getting an error. I followed everything like you, but now I get inside my terminal [Nest] 15540 - 25.02.2023, 18:21:59 ERROR [ExceptionsHandler] Unknown authentication strategy "local"
    Error: Unknown authentication strategy "local"
    and after I use postman I get 500 internal server error as a result. Do you have any idea how to fix this? I really don't know what to do. Thanks :)

    • @mariusespejo
      @mariusespejo  1 year ago

      Likely means you didn’t register your strategy in the providers in the AuthModule

    • @bigg565
      @bigg565 1 year ago

      @@mariusespejo I did, at least I have LocalStrategy inside my providers array, any other ideas?

  • @e.magnoneto5101
    @e.magnoneto5101 11 months ago

    Hiiii, I'm super excited to learn more about nest.js, is a such framework. May u can give me one tip, how do I use this session saving user, and jwt at redis in a graphql API, is the same process? What I need change to works? Thank u soo much for that incredible channel, I also follow u in LinkedIn. Bye

    • @mariusespejo
      @mariusespejo  11 months ago +1

      Thanks! I do have a nestjs graphql auth video I think in the channel

    • @e.magnoneto5101
      @e.magnoneto5101 11 months ago

      @@mariusespejo ok, i will see it

  • @josipkes
    @josipkes 6 months ago

    Extremely valuable content, thanks.

  • @ali-d-coded5620
    @ali-d-coded5620 1 year ago

    you should make a video on serving html in nestjs like to create a dashboard html/htmx

    • @mariusespejo
      @mariusespejo  1 year ago

      Yeah could be a good video idea, htmx has been on my radar

  • @h.w.b.9503
    @h.w.b.9503 1 year ago +1

    Thank you so much for this tutorial, it helped clear up so much of my confusion. All the examples of different Passport strategies are written using ES6 modules, but the documentation for Nest is with classes. Your video helped translate the difference and finally got my code to work. Very clear and well explained --signed a junior developer that only learned ES6 Javascript in my bootcamp XD

  • @wakibtz7134
    @wakibtz7134 1 year ago

    how can i take a user information on client if i make session based auth? I get session id in cookie but what i can make with it

    • @mariusespejo
      @mariusespejo  1 year ago +1

      You can expose an endpoint to get users details like GET /current-user
      The cookie basically is a key to that, assuming the user has logged in
      Plus any request your client sends with that cookie, your backend will know was being invoked as that user

  • @mochamadrasyad338
    @mochamadrasyad338 1 year ago

    Awesome !! 🔥🔥, Thank you very much

  • @darpananeja6755
    @darpananeja6755 2 years ago +1

    So glad to know that you are following the official NestJs documentation! I also do the same.

    • @mariusespejo
      @mariusespejo  2 years ago +1

      Honestly it’s some of the best docs I’ve seen!

  • @quamzgraphix9826
    @quamzgraphix9826 1 year ago +1

    your nest js contents are soo good. keep it up marius

  • @axelle9764
    @axelle9764 6 months ago

    Great tutorial! Very detailed and useful. Keep up the good work

  • @pronaxking1918
    @pronaxking1918 1 year ago

    What if I have multiple strategy.ts files for the same Strategy for passport. How would i let Passport know which file to use when!

    • @mariusespejo
      @mariusespejo  1 year ago

      You use the decorators on a per-route basis

    • @pronaxking1918
      @pronaxking1918 1 year ago

      @@mariusespejo okay got it! Thanks a lot!!

  • @mickomagallanes1185
    @mickomagallanes1185 1 year ago

    Thank you Marius, building a NestJS Login with MikroORM alone is a huge pain for me, is it possible to get the source code of this tutorial?

  • @dalmiro2h
    @dalmiro2h 7 months ago

    this a have a circular dependency dont?

  • @LeahLaposta
    @LeahLaposta 2 years ago

    When I enter
    @Post('login')
    login(@Request() req): any {
    return req.user;
    }
    I get this warning:
    Value of type '{ new (input: RequestInfo, init?: RequestInit): Request; prototype: Request; }' is not callable. Did you mean to include 'new'?
    Any idea where I may have gone wrong? using quick fix to add 'new' to Request just gave another error.

    • @mariusespejo
      @mariusespejo  2 years ago

      Double check you’re importing Request from the correct path, sounds like you’re not

    • @LeahLaposta
      @LeahLaposta 2 years ago

      @@mariusespejo Thank you, I will try that! Is your code for this project on a github repo? I'm not able to see where I should import Request from and your github isn't linked in your description.

    • @mariusespejo
      @mariusespejo  2 years ago

      Not for this one sorry. You should be able to see where I’m importing from on the video right? Make sure it’s from nest and not the type from express

  • @profx53
    @profx53 1 year ago

    Hi, will you add this code to the github?

  • @kushagrasrivastava2127
    @kushagrasrivastava2127 2 years ago

    can you share github link brother??

  • @divineenergy2900
    @divineenergy2900 2 years ago

    41:40 request.isAuthenticated(); getting undefined function

    • @mariusespejo
      @mariusespejo  2 years ago

      That likely means you didn’t set up the local strategy and its guard correctly

  • @tukuyoma
    @tukuyoma 2 years ago +1

    Great video

  • @vulezor
    @vulezor 1 year ago

    Oh man, you should use the database the whole trick is within that.

    • @mariusespejo
      @mariusespejo  1 year ago

      Database is just storage, not required to talk about auth

  • @MisaoM
    @MisaoM 2 years ago +1

    Absolutely awesome tutorial, thank you so much! Your explanation is very clear and to the point, you're a fantastic teacher! :D

  • @shashankmarri1056
    @shashankmarri1056 2 years ago

    Do you have this code in GitHub?