Add "Security" section

I’m submitting a…

[ ] Regression 
[ ] Bug report
[ ] Feature request
[x] Documentation issue or request (new chapter/page)
[ ] Support request => Please do not submit support request here, instead post your question on Stack Overflow.

Current behavior

Expected behavior

As a user, I would like to see Security chapter.

Minimal reproduction of the problem with instructions

What is the motivation / use case for changing the behavior?

Environment

For Tooling issues:
- Node version: XX
- Platform:

Others:

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 9
  • Comments: 7 (4 by maintainers)

Top GitHub Comments

16 reactions
jamshally commented, Jul 31, 2018

A comprehensive security section would be extremely helpful. There is a lot of complexity and confusion around the best way to accomplish tight security using NestJS - which is essential if it is to be used for production applications. There are very few examples available to follow. The examples that do exist all seem to either be too simple, have problems, or be somewhat contradictory.

Existing Examples:

  • NestJS Auth Chapter

    • Pro: NestJS best practice - straight from kamilmysliwiec
    • Pro: Illustrates some of the code for handling JWT auth
    • Con: Examples/docs do not seem in depth enough to provide a solid foundation for production use
    • Con: Comments like “… in a best-case scenario the jwt package and token configuration (secret key and expiration time) should be registered as custom providers”… melted my already overloaded brain. A code example of this would be super.
    • Con: It is unclear exactly how a “local” passport auth strategy (username and password) would be implemented… or if it could be done with the existing code. In the current examples, it is not obvious where username and password checking could/should be inserted. The simplification of the code for example purposes (by using a faked user) has in some ways made it more confusing to understand.
    • Con: Not clear how this would integrate with social login, CSRF etc
  • NestJS Basic Auth and Sessions Blogpost (artonio)

    • Pro: Step by step commentary for implementing auth
    • Con: Implementation too basic for a production system… and yet somehow still seems complicated
    • Con: Even with this basic implementation, finds (and reports) a bug in the Nest Passport library, which is as-yet unfixed
    • Con: No CSRF protection
    • Con: No use of helmet or such for additional security
  • NestJS Starter Project (CanKattwinkel)

    • Pro: Includes CSRF protection
    • Pro: Seems to use NestJS best practices (like using Nest middleware)
    • Con: A lot of custom complexity, including custom sessions, which makes the auth specific code hard to follow, and distinguish which is necessary auth, and what is extraneous
    • Con: The CSRF protection is very hard to follow
    • Con: Not leveraging the Nest/Passport libraries
    • Con: No license, so can be used for example only
    • Con: Does not support mobile auth
  • Nest-Angular Open Source Project (bojidaryovchev)

    • Pro: Comprehensive example including social authentication, and helmet
    • Con: Seems to not use standard NestJS techniques (uses express and express middleware directly instead of NestJS style, uses custom JOI validation via middleware)
    • Con: Uses “off brand” passport strategies for reasons that are not clear
    • Con: No CSRF protection

Some Specific Points of Confusion

  • How to reconcile Passport Strategy session needs with NestJS
  • If CSRF is a threat to NestJS and how to mitigate
  • How to handle auth token refresh needs
  • If/how auth for mobile devices would be accommodated. Especially with the long-lived auth requirement of apps

Wishlist

  • How to implement local authentication using JWT Bearer Tokens
    • How to accommodate the token timeout and refresh scenarios
    • How to position this to accommodate both web and mobile clients
  • How to integrate auth via social login
  • How to implement CSRF protection
  • How to implement additional hardening (such as via helmet)
  • Nice to have: 2FA example

Any guidance for the above would be much appreciated. I think that NestJS is a fantastic project, and would love to start using it in production with confidence that I have got the security right.

Thanks for all the time and effort on NestJS!

8 reactions
jamshally commented, Aug 1, 2018

One more plug for the above guidance… if NestJS could have a solid production-ready auth strategy, it could be a game-changer in the NodeJS field. Having been reading around in preparation to implement my own auth, I have seen so much confusion and out of date and incorrect guidance, it is clear that this is a NodeJS-wide challenge, and not just a NestJS challenge.

This article gives a pretty good peek-behind-the-curtain of the state of affairs: https://hackernoon.com/your-node-js-authentication-tutorial-is-wrong-f1a3bf831a46
