API Protection for NestJS
npm install @payk/nestjs-private-api-guard
Add a Global Guard
in the main.ts after the app creation
app.useGlobalGuards(new PrivateApiGuard(app.get(Reflector)));Each call coming from outside the internal network will carry a header stating it came from the public. Add a decorator on top of your api end point you wish to expose through the Gateway
@PublicApi()
@Get()
getAllUsers() {
return [];
}Any end-point without the @PublicApi decorator won't be accessible through the gateway.
The header being used is by default X-Public-Api and is true when coming from the public domain.
You can choose a different header key name by passing the PrivateApiGuard another parameter:
app.useGlobalGuards(new PrivateApiGuard(app.get(Reflector), 'X-My-Cool-Public'));Each OAuth2 consumer has groups defined on him. We can use those groups in order to define access to specific end-point - for example, only the BackOffice can access that end-point, not the mobile (it's not per user, it's per consumer) Add a decorator on top of your api end point you wish to expose through the Gateway to a list of groups
@AllowedConsumerGroups('backoffice', 'admins')
@Get()
getAllUsers() {
return [];
}