This demo project demonstrates how to use Cerbos in NestJS as an interceptor to validate requests based on policies defined in Cerbos.
To run the project, check package.json
for prebuilt run configurations, by default NestJS
offers npm run start:dev
for development purposes. On top of that there also are Cerbos policies included in the repository, and to use this you can run the npm run cerbos:start
. Both are combined into the single npm run start:devcerbos
.
The demo includes an Document
request, you can do a GET
on http://localhost:3000/document/1
.
Provide the authorization
header with either user
or admin
as a value for getting a successful response, or anything else to get a rejected response. The success state depends on the author
of the documents/*
.
There are 3 documents defined in the src/db.ts
file,
- the
document/1
can only be accessed by theadmin
user - the
document/2
can be accessed byuser
oradmin
- the
document/3
is fornot-the-current-user
but can be accessed byadmin
.
The Cerbos policy is validated in src/document/document.cerbos.interceptor.ts
file.
The response is of course currently hardcoded in the /src/document/document.controller.ts
file, as this is for demonstration purposes.
Note! You should NOT use authentication as demonstrated, we recommend using a JWT Guard in NestJS
This demo project demonstrates how to use Cerbos in NestJS as an interceptor to validate requests based on policies defined in Cerbos.
Cerbos is an open-source authorization-as-a-service option for allowing decoupled access control in your software. It allows writing human-readable policy definitions that serve as context-aware access control policies for your application resources.
Cerbos works with any identity provider services like Auth0, Okta, FusionAuth, Clerk, Magic, WorkOS or even your own, bespoke directory system.
Our NestJs.js application will provide an API that uses Cerbos for authorization, to decide what actions are available on which resources for a given user.
The policies is defined in the cerbos/policies
directory. Each policy is authored in the a very human-readable format which you can learn more about at the Cerbos Policy documentation site, and for the demo revolves around access to a contacts
resource.
- Cerbos
- NestJs - A progressive Node.js framework for building efficient, reliable and scalable server-side applications.
- RxJs - Reactive Extensions Library for JavaScript
git clone https://github.com/cerbos/nestjs-cerbos.git
Then cd
into the project directory and run npm install
to install the dependencies.
npm install
Alternatviely you could use yarn
or pnpm
or anything that runs npm scripts
To run the project, check package.json
for prebuilt run configurations, by default NestJS
offers npm run start:dev
for development purposes. On top of that there also are Cerbos policies included in the repository, and to use this you can run the npm run cerbos:start
. Both are combined into the single npm run start:devcerbos
.
The demo includes an Document
request, you can do a GET
on http://localhost:3000/document/1
.
Provide the authorization
header with either user
or admin
as a value for getting a successful response, or anything else to get a rejected response. The success state depends on the author
of the documents/*
.
There are 3 documents defined in the src/db.ts
file,
- the
document/1
can only be accessed by theadmin
user - the
document/2
can be accessed byuser
oradmin
- the
document/3
is fornot-the-current-user
but can be accessed byadmin
.
The Cerbos policy is validated in src/document/document.cerbos.interceptor.ts
file.
The response is of course currently hardcoded in the /src/document/document.controller.ts
file, as this is for demonstration purposes.
Note! You should NOT use authentication as demonstrated, we recommend using a JWT Guard in NestJS
Your showcase is now running a local version of Cerbos, and you can easily make changes to the Policies and learn more about Cerbos and all its features.
You can use the existing set of E2E tests to test different policies and changes to existing requirements by running npm run test:e2e
.
npm run cerbos:start
- Starts the docker instance of cerbos server.npm run start
- Start the nestJs application in development mode.npm run start:devcerbos
- Starts both docker and the nestjs application
To learn more about Clerk.dev and NestJs, take a look at the following resources:
- Cerbos Website
- Cerbos Documentation
- Nest.js Documentation - learn about NestJs features.