@payk/nestjs-private-api-guard
v1.1.0
Published
A NestJS API guard to block request to private apis
Downloads
7
Readme
Installation
npm install @payk/nestjs-private-api-guard
What does it do?
Quick Start
Add a Global Guard
in the main.ts
after the app
creation
app.useGlobalGuards(new PrivateApiGuard(app.get(Reflector)));
Public End-Point
Each call coming from outside the internal network will carry a header stating it came from the public. Add a decorator on top of your api end point you wish to expose through the Gateway
@PublicApi()
@Get()
getAllUsers() {
return [];
}
Any end-point without the @PublicApi
decorator won't be accessible through the gateway.
The header being used is by default X-Public-Api
and is true
when coming from the public domain.
You can choose a different header key name by passing the PrivateApiGuard
another parameter:
app.useGlobalGuards(new PrivateApiGuard(app.get(Reflector), 'X-My-Cool-Public'));
Consumer Group End-Point (ACL)
Each OAuth2 consumer has groups defined on him. We can use those groups in order to define access to specific end-point - for example, only the BackOffice can access that end-point, not the mobile (it's not per user, it's per consumer) Add a decorator on top of your api end point you wish to expose through the Gateway to a list of groups
@AllowedConsumerGroups('backoffice', 'admins')
@Get()
getAllUsers() {
return [];
}