This demo project demonstrates how to use Cerbos in NestJS as an interceptor to validate requests based on policies defined in Cerbos.
Cerbos is an open-source authorization-as-a-service option for allowing decoupled access control in your software. It allows writing human-readable policy definitions that serve as context-aware access control policies for your application resources.
Cerbos works with any identity provider services like Auth0, Okta, FusionAuth, Clerk, Magic, WorkOS or even your own, bespoke directory system.
Our NestJS application will provide an API that uses Cerbos for authorization, to decide what actions are available on which resources for a given user.
The policies are defined in the `cerbos/policies` directory. Each policy is authored in a very human-readable format which you can learn more about at the Cerbos Policy documentation site, and for the demo revolves around access to a `contacts` resource.
- Cerbos
- NestJS - A progressive Node.js framework for building efficient, reliable and scalable server-side applications.
- RxJS - Reactive Extensions Library for JavaScript
`git clone https://github.com/cerbos/nestjs-cerbos.git`

Then `cd` into the project directory and run `npm install` to install the dependencies.

`npm install`

Alternatively you could use `yarn` or `pnpm` or anything that runs npm scripts.
To run the project, check `package.json` for prebuilt run configurations; by default NestJS offers `npm run start:dev` for development purposes. On top of that, there are also Cerbos policies included in the repository, and to use them you can run `npm run cerbos:start`. Both are combined into the single `npm run start:devcerbos`.
The demo includes a Document request: you can do a `GET` on `http://localhost:3000/document/1`. Provide the `authorization` header with either `user` or `admin` as the value to get a successful response, or anything else to get a rejected response. The success state depends on the `author` of the `documents/*`.
There are 3 documents defined in the `src/db.ts` file:

- `document/1` can only be accessed by the `admin` user
- `document/2` can be accessed by `user` or `admin`
- `document/3` is for `not-the-current-user` but can be accessed by `admin`
The Cerbos policy is validated in the `src/document/document.cerbos.interceptor.ts` file. The response is of course currently hardcoded in the `/src/document/document.controller.ts` file, as this is for demonstration purposes.

Note! You should NOT use authentication as demonstrated (the demo takes the raw `authorization` header value as the caller's identity); we recommend using a JWT Guard in NestJS.
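To make the interceptor's decision flow concrete, here is an added TypeScript example that is not part of the repository. It models what `document.cerbos.interceptor.ts` does, but the call to the Cerbos SDK is replaced by a local `evaluatePolicy` function so it runs without Docker, NestJS or a Cerbos server. The document authors (`admin`, `user`, `not-the-current-user`), the policy rule (admins may view anything, other principals only what they authored), and the `checkResource`/`isAllowed` shape are assumptions modelled on the README's description and the Cerbos check API, not the project's own code.

```typescript
// Added example (not the project's own code): an offline model of the
// Cerbos-backed NestJS interceptor described in the README. The real demo
// asks a running Cerbos instance for the decision; here the policy is
// evaluated locally so the request flow can be exercised on its own.

type Role = "admin" | "user";
type Action = "view";
type Effect = "EFFECT_ALLOW" | "EFFECT_DENY";

interface Principal { id: string; roles: Role[] }
interface Resource { kind: "document"; id: string; attr: { author: string } }

// Constructed stand-in for src/db.ts. Authors are assumptions chosen so the
// three documents behave as the README describes.
const DOCUMENTS: Record<string, Resource> = {
  "1": { kind: "document", id: "1", attr: { author: "admin" } },
  "2": { kind: "document", id: "2", attr: { author: "user" } },
  "3": { kind: "document", id: "3", attr: { author: "not-the-current-user" } },
};

// Local stand-in for the resource policy in cerbos/policies (assumed rule):
// admins may view any document; other principals only documents they authored.
function evaluatePolicy(principal: Principal, resource: Resource, action: Action): Effect {
  if (action !== "view") return "EFFECT_DENY";
  if (principal.roles.includes("admin")) return "EFFECT_ALLOW";
  return resource.attr.author === principal.id ? "EFFECT_ALLOW" : "EFFECT_DENY";
}

// The part of a Cerbos check result the interceptor actually consumes.
interface CheckResult { isAllowed(action: Action): boolean }

function checkResource(principal: Principal, resource: Resource, actions: Action[]): CheckResult {
  const effects = new Map<Action, Effect>();
  for (const action of actions) effects.set(action, evaluatePolicy(principal, resource, action));
  return { isAllowed: (action) => effects.get(action) === "EFFECT_ALLOW" };
}

interface HttpRequest { path: string; headers: { authorization?: string } }
interface Decision { status: 200 | 403 | 404; reason: string }

// Demo semantics: the header carries a bare identity, not a signed token.
// In a real service this is where a JWT guard would supply the principal.
function principalFromHeader(value: string | undefined): Principal | null {
  if (!value) return null;
  const roles: Role[] = value === "admin" ? ["admin"] : ["user"];
  return { id: value, roles };
}

// Mirrors the interceptor: resolve the document, build the principal, ask
// for a decision for the "view" action, then pass the request on or reject it.
function interceptDocumentRequest(req: HttpRequest): Decision {
  const match = /^\/document\/([^/]+)$/.exec(req.path);
  const doc = match ? DOCUMENTS[match[1]] : undefined;
  if (!doc) return { status: 404, reason: "no such document" };

  const principal = principalFromHeader(req.headers.authorization);
  if (!principal) return { status: 403, reason: "missing authorization header" };

  const result = checkResource(principal, doc, ["view"]);
  return result.isAllowed("view")
    ? { status: 200, reason: `${principal.id} may view document/${doc.id}` }
    : { status: 403, reason: `policy denied ${principal.id} on document/${doc.id}` };
}
```

The point of the structure is the boundary between `principalFromHeader` (authentication: who is calling) and `checkResource` (authorization: what that caller may do). The policy decision is only as trustworthy as the principal handed to it, which is exactly why the README tells you to replace the header lookup with a JWT guard before reusing this pattern.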
Your showcase is now running a local version of Cerbos, and you can easily make changes to the policies and learn more about Cerbos and all its features.

You can use the existing set of E2E tests to test different policies and changes to existing requirements by running `npm run test:e2e`.
- `npm run cerbos:start` - Starts the docker instance of the Cerbos server.
- `npm run start` - Starts the NestJS application in development mode.
- `npm run start:devcerbos` - Starts both docker and the NestJS application.
To learn more about Clerk.dev and NestJS, take a look at the following resources:

- Cerbos Website
- Cerbos Documentation
- Nest.js Documentation - learn about NestJS features.