NestJS 认证与授权:JWT、OAuth 和 RBAC 实现

缠丝猫  论坛元老 | 2024-12-29 08:38:57 | 显示全部楼层 | 阅读模式
打印 上一主题 下一主题
楼主

主题 1613|帖子 1613|积分 4839

马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。

您需要 登录 才可以下载或查看,没有账号?立即注册

x
在上一篇文章中,我们先容了 NestJS 的数据库操纵和 TypeORM 集成。本文将深入探究如安在 NestJS 中实现完备的认证和授权体系。
JWT 认证实现

1. 安装依赖

  1. npm install @nestjs/jwt @nestjs/passport passport passport-jwt bcrypt
  2. npm install -D @types/passport-jwt @types/bcrypt
复制代码
2. JWT 战略配置

  1. // src/auth/strategies/jwt.strategy.ts
  2. import { Injectable } from '@nestjs/common';
  3. import { PassportStrategy } from '@nestjs/passport';
  4. import { ExtractJwt, Strategy } from 'passport-jwt';
  5. import { ConfigService } from '@nestjs/config';
  7. @Injectable()
  8. export class JwtStrategy extends PassportStrategy(Strategy) {
  9.   constructor(private configService: ConfigService) {
  10.     super({
  11.       jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
  12.       ignoreExpiration: false,
  13.       secretOrKey: configService.get('JWT_SECRET'),
  14.     });
  15.   }
  17.   async validate(payload: any) {
  18.     return {
  19.       userId: payload.sub,
  20.       username: payload.username,
  21.       roles: payload.roles
  22.     };
  23.   }
  24. }
  26. // src/auth/auth.module.ts
  27. import { Module } from '@nestjs/common';
  28. import { JwtModule } from '@nestjs/jwt';
  29. import { PassportModule } from '@nestjs/passport';
  30. import { ConfigModule, ConfigService } from '@nestjs/config';
  31. import { JwtStrategy } from './strategies/jwt.strategy';
  32. import { AuthService } from './auth.service';
  34. @Module({
  35.   imports: [
  36.     PassportModule.register({ defaultStrategy: 'jwt' }),
  37.     JwtModule.registerAsync({
  38.       imports: [ConfigModule],
  39.       useFactory: async (configService: ConfigService) => ({
  40.         secret: configService.get('JWT_SECRET'),
  41.         signOptions: {
  42.           expiresIn: '1d',
  43.           issuer: 'nestjs-app'
  44.         },
  45.       }),
  46.       inject: [ConfigService],
  47.     }),
  48.   ],
  49.   providers: [AuthService, JwtStrategy],
  50.   exports: [AuthService],
  51. })
  52. export class AuthModule {}
复制代码
3. 认证服务实现

  1. // src/auth/auth.service.ts
  2. import { Injectable, UnauthorizedException } from '@nestjs/common';
  3. import { JwtService } from '@nestjs/jwt';
  4. import { UsersService } from '../users/users.service';
  5. import * as bcrypt from 'bcrypt';
  7. @Injectable()
  8. export class AuthService {
  9.   constructor(
  10.     private usersService: UsersService,
  11.     private jwtService: JwtService,
  12.   ) {}
  14.   async validateUser(username: string, password: string): Promise<any> {
  15.     const user = await this.usersService.findByUsername(username);
  16.     if (user && await bcrypt.compare(password, user.password)) {
  17.       const { password, ...result } = user;
  18.       return result;
  19.     }
  20.     return null;
  21.   }
  23.   async login(user: any) {
  24.     const payload = {
  25.       username: user.username,
  26.       sub: user.id,
  27.       roles: user.roles
  28.     };
  30.     return {
  31.       access_token: this.jwtService.sign(payload),
  32.       user: {
  33.         id: user.id,
  34.         username: user.username,
  35.         email: user.email,
  36.         roles: user.roles
  37.       }
  38.     };
  39.   }
  41.   async register(createUserDto: CreateUserDto) {
  42.     // 检查用户是否已存在
  43.     const existingUser = await this.usersService.findByUsername(
  44.       createUserDto.username
  45.     );
  46.     if (existingUser) {
  47.       throw new ConflictException('Username already exists');
  48.     }
  50.     // 加密密码
  51.     const hashedPassword = await bcrypt.hash(createUserDto.password, 10);
  53.     // 创建新用户
  54.     const newUser = await this.usersService.create({
  55.       ...createUserDto,
  56.       password: hashedPassword,
  57.     });
  59.     // 返回用户信息和令牌
  60.     const { password, ...result } = newUser;
  61.     return this.login(result);
  62.   }
  63. }
复制代码
4. 认证控制器

  1. // src/auth/auth.controller.ts
  2. import { Controller, Post, Body, UseGuards, Get } from '@nestjs/common';
  3. import { AuthService } from './auth.service';
  4. import { JwtAuthGuard } from './guards/jwt-auth.guard';
  5. import { GetUser } from './decorators/get-user.decorator';
  7. @Controller('auth')
  8. export class AuthController {
  9.   constructor(private authService: AuthService) {}
  11.   @Post('login')
  12.   async login(@Body() loginDto: LoginDto) {
  13.     const user = await this.authService.validateUser(
  14.       loginDto.username,
  15.       loginDto.password
  16.     );
  17.     if (!user) {
  18.       throw new UnauthorizedException('Invalid credentials');
  19.     }
  20.     return this.authService.login(user);
  21.   }
  23.   @Post('register')
  24.   async register(@Body() createUserDto: CreateUserDto) {
  25.     return this.authService.register(createUserDto);
  26.   }
  28.   @UseGuards(JwtAuthGuard)
  29.   @Get('profile')
  30.   getProfile(@GetUser() user: any) {
  31.     return user;
  32.   }
  33. }
复制代码
OAuth2.0 集成

1. Google OAuth2 实现

  1. // src/auth/strategies/google.strategy.ts
  2. import { PassportStrategy } from '@nestjs/passport';
  3. import { Strategy, VerifyCallback } from 'passport-google-oauth20';
  4. import { Injectable } from '@nestjs/common';
  5. import { ConfigService } from '@nestjs/config';
  7. @Injectable()
  8. export class GoogleStrategy extends PassportStrategy(Strategy, 'google') {
  9.   constructor(private configService: ConfigService) {
  10.     super({
  11.       clientID: configService.get('GOOGLE_CLIENT_ID'),
  12.       clientSecret: configService.get('GOOGLE_CLIENT_SECRET'),
  13.       callbackURL: 'http://localhost:3000/auth/google/callback',
  14.       scope: ['email', 'profile'],
  15.     });
  16.   }
  18.   async validate(
  19.     accessToken: string,
  20.     refreshToken: string,
  21.     profile: any,
  22.     done: VerifyCallback,
  23.   ): Promise<any> {
  24.     const { name, emails, photos } = profile;
  25.     const user = {
  26.       email: emails[0].value,
  27.       firstName: name.givenName,
  28.       lastName: name.familyName,
  29.       picture: photos[0].value,
  30.       accessToken,
  31.     };
  32.     done(null, user);
  33.   }
  34. }
  36. // src/auth/controllers/oauth.controller.ts
  37. import { Controller, Get, UseGuards, Req } from '@nestjs/common';
  38. import { AuthGuard } from '@nestjs/passport';
  40. @Controller('auth/google')
  41. export class OAuthController {
  42.   @Get()
  43.   @UseGuards(AuthGuard('google'))
  44.   async googleAuth(@Req() req) {}
  46.   @Get('callback')
  47.   @UseGuards(AuthGuard('google'))
  48.   async googleAuthRedirect(@Req() req) {
  49.     // 处理 Google 认证回调
  50.     return this.authService.googleLogin(req.user);
  51.   }
  52. }
复制代码
2. GitHub OAuth2 实现

  1. // src/auth/strategies/github.strategy.ts
  2. import { Injectable } from '@nestjs/common';
  3. import { PassportStrategy } from '@nestjs/passport';
  4. import { Strategy } from 'passport-github2';
  5. import { ConfigService } from '@nestjs/config';
  7. @Injectable()
  8. export class GithubStrategy extends PassportStrategy(Strategy, 'github') {
  9.   constructor(private configService: ConfigService) {
  10.     super({
  11.       clientID: configService.get('GITHUB_CLIENT_ID'),
  12.       clientSecret: configService.get('GITHUB_CLIENT_SECRET'),
  13.       callbackURL: 'http://localhost:3000/auth/github/callback',
  14.       scope: ['user:email'],
  15.     });
  16.   }
  18.   async validate(
  19.     accessToken: string,
  20.     refreshToken: string,
  21.     profile: any,
  22.     done: Function,
  23.   ) {
  24.     const user = {
  25.       githubId: profile.id,
  26.       username: profile.username,
  27.       email: profile.emails[0].value,
  28.       accessToken,
  29.     };
  30.     done(null, user);
  31.   }
  32. }
复制代码
RBAC 权限控制

1. 角色定义

  1. // src/auth/enums/role.enum.ts
  2. export enum Role {
  3.   USER = 'user',
  4.   ADMIN = 'admin',
  5.   MODERATOR = 'moderator',
  6. }
  8. // src/auth/decorators/roles.decorator.ts
  9. import { SetMetadata } from '@nestjs/common';
  10. import { Role } from '../enums/role.enum';
  12. export const ROLES_KEY = 'roles';
  13. export const Roles = (...roles: Role[]) => SetMetadata(ROLES_KEY, roles);
复制代码
2. 角色守卫

  1. // src/auth/guards/roles.guard.ts
  2. import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
  3. import { Reflector } from '@nestjs/core';
  4. import { Role } from '../enums/role.enum';
  5. import { ROLES_KEY } from '../decorators/roles.decorator';
  7. @Injectable()
  8. export class RolesGuard implements CanActivate {
  9.   constructor(private reflector: Reflector) {}
  11.   canActivate(context: ExecutionContext): boolean {
  12.     const requiredRoles = this.reflector.getAllAndOverride<Role[]>(ROLES_KEY, [
  13.       context.getHandler(),
  14.       context.getClass(),
  15.     ]);
  17.     if (!requiredRoles) {
  18.       return true;
  19.     }
  21.     const { user } = context.switchToHttp().getRequest();
  22.     return requiredRoles.some((role) => user.roles?.includes(role));
  23.   }
  24. }
复制代码
3. 权限实体设计

  1. // src/auth/entities/permission.entity.ts
  2. import { Entity, Column, ManyToMany } from 'typeorm';
  3. import { BaseEntity } from '../../common/entities/base.entity';
  4. import { Role } from '../enums/role.enum';
  6. @Entity('permissions')
  7. export class Permission extends BaseEntity {
  8.   @Column()
  9.   name: string;
  11.   @Column()
  12.   description: string;
  14.   @Column('simple-array')
  15.   allowedRoles: Role[];
  16. }
  18. // src/users/entities/user.entity.ts
  19. import { Entity, Column, ManyToMany, JoinTable } from 'typeorm';
  20. import { Role } from '../../auth/enums/role.enum';
  21. import { Permission } from '../../auth/entities/permission.entity';
  23. @Entity('users')
  24. export class User extends BaseEntity {
  25.   // ... 其他字段
  27.   @Column('simple-array')
  28.   roles: Role[];
  30.   @ManyToMany(() => Permission)
  31.   @JoinTable({
  32.     name: 'user_permissions',
  33.     joinColumn: { name: 'user_id' },
  34.     inverseJoinColumn: { name: 'permission_id' },
  35.   })
  36.   permissions: Permission[];
  37. }
复制代码
4. 权限查抄服务

  1. // src/auth/services/permission.service.ts
  2. import { Injectable, ForbiddenException } from '@nestjs/common';
  3. import { InjectRepository } from '@nestjs/typeorm';
  4. import { Repository } from 'typeorm';
  5. import { Permission } from '../entities/permission.entity';
  6. import { User } from '../../users/entities/user.entity';
  8. @Injectable()
  9. export class PermissionService {
  10.   constructor(
  11.     @InjectRepository(Permission)
  12.     private permissionRepository: Repository<Permission>,
  13.   ) {}
  15.   async checkPermission(user: User, permissionName: string): Promise<boolean> {
  16.     const permission = await this.permissionRepository.findOne({
  17.       where: { name: permissionName },
  18.     });
  20.     if (!permission) {
  21.       throw new ForbiddenException('Permission not found');
  22.     }
  24.     // 检查用户角色是否有权限
  25.     return permission.allowedRoles.some(role => user.roles.includes(role));
  26.   }
  28.   async grantPermission(user: User, permissionName: string): Promise<void> {
  29.     const permission = await this.permissionRepository.findOne({
  30.       where: { name: permissionName },
  31.     });
  33.     if (!permission) {
  34.       throw new ForbiddenException('Permission not found');
  35.     }
  37.     user.permissions = [...user.permissions, permission];
  38.     await this.userRepository.save(user);
  39.   }
  40. }
复制代码
5. 利用示例

  1. // src/posts/posts.controller.ts
  2. import { Controller, Post, Body, UseGuards } from '@nestjs/common';
  3. import { JwtAuthGuard } from '../auth/guards/jwt-auth.guard';
  4. import { RolesGuard } from '../auth/guards/roles.guard';
  5. import { Roles } from '../auth/decorators/roles.decorator';
  6. import { Role } from '../auth/enums/role.enum';
  7. import { GetUser } from '../auth/decorators/get-user.decorator';
  8. import { User } from '../users/entities/user.entity';
  9. import { PostsService } from './posts.service';
  10. import { CreatePostDto } from './dto/create-post.dto';
  12. @Controller('posts')
  13. @UseGuards(JwtAuthGuard, RolesGuard)
  14. export class PostsController {
  15.   constructor(
  16.     private postsService: PostsService,
  17.     private permissionService: PermissionService,
  18.   ) {}
  20.   @Post()
  21.   @Roles(Role.USER)
  22.   async createPost(
  23.     @GetUser() user: User,
  24.     @Body() createPostDto: CreatePostDto,
  25.   ) {
  26.     // 检查用户是否有创建文章的权限
  27.     const hasPermission = await this.permissionService.checkPermission(
  28.       user,
  29.       'create_post'
  30.     );
  32.     if (!hasPermission) {
  33.       throw new ForbiddenException('You do not have permission to create posts');
  34.     }
  36.     return this.postsService.create(user, createPostDto);
  37.   }
  39.   @Post('publish')
  40.   @Roles(Role.MODERATOR, Role.ADMIN)
  41.   async publishPost(
  42.     @GetUser() user: User,
  43.     @Body('postId') postId: string,
  44.   ) {
  45.     return this.postsService.publish(user, postId);
  46.   }
  47. }
复制代码
安全最佳实践

1. 密码加密

  1. // src/common/utils/crypto.util.ts
  2. import * as bcrypt from 'bcrypt';
  3. import * as crypto from 'crypto';
  5. export class CryptoUtil {
  6.   static async hashPassword(password: string): Promise<string> {
  7.     const salt = await bcrypt.genSalt(10);
  8.     return bcrypt.hash(password, salt);
  9.   }
  11.   static async comparePasswords(
  12.     password: string,
  13.     hashedPassword: string,
  14.   ): Promise<boolean> {
  15.     return bcrypt.compare(password, hashedPassword);
  16.   }
  18.   static generateRandomToken(length: number = 32): string {
  19.     return crypto.randomBytes(length).toString('hex');
  20.   }
  21. }
复制代码
2. 请求限流

  1. // src/common/guards/throttle.guard.ts
  2. import { Injectable } from '@nestjs/common';
  3. import { ThrottlerGuard } from '@nestjs/throttler';
  5. @Injectable()
  6. export class CustomThrottlerGuard extends ThrottlerGuard {
  7.   protected getTracker(req: Record<string, any>): string {
  8.     return req.ips.length ? req.ips[0] : req.ip;
  9.   }
  10. }
  12. // src/app.module.ts
  13. import { Module } from '@nestjs/common';
  14. import { ThrottlerModule } from '@nestjs/throttler';
  16. @Module({
  17.   imports: [
  18.     ThrottlerModule.forRoot({
  19.       ttl: 60,
  20.       limit: 10,
  21.     }),
  22.   ],
  23. })
  24. export class AppModule {}
复制代码
3. 安全头部配置

  1. // src/main.ts
  2. import { NestFactory } from '@nestjs/core';
  3. import { AppModule } from './app.module';
  4. import * as helmet from 'helmet';
  6. async function bootstrap() {
  7.   const app = await NestFactory.create(AppModule);
  9.   // 安全头部
  10.   app.use(helmet());
  12.   // CORS 配置
  13.   app.enableCors({
  14.     origin: process.env.ALLOWED_ORIGINS.split(','),
  15.     methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
  16.     credentials: true,
  17.   });
  19.   await app.listen(3000);
  20. }
  21. bootstrap();
复制代码
写在最后

本文详细先容了 NestJS 中的认证与授权实现:

  • JWT 认证的完备实现
  • OAuth2.0 社交登录集成
  • RBAC 权限控制体系
  • 安全最佳实践
在下一篇文章中,我们将探究 NestJS 的中间件与拦截器实现。
假如以为这篇文章对你有资助,别忘了点个赞
回复

使用道具 举报

0 个回复

正序浏览
返回列表

快速回复

高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 or 立即注册

本版积分规则

缠丝猫

论坛元老
这个人很懒什么都没写!

楼主热帖

标签云

集成商 AI 运维 CIO 存储 服务器
微信订阅号
微信服务号
微信客服
小程序
H5
关于我们 商务合作 网站地图
©Copyright 2022-2024 杭州祥升科技有限公司 版权所有 浙ICP备20004199号
快速回复 返回顶部 返回列表