@nathapp/nestjs-auth
v3.3.0
Published
nestjs-auth
Readme
@nathapp/nestjs-auth
JWT authentication + CASL authorization library for NestJS.
Installation
npm install @nathapp/nestjs-auth @nestjs/passportNote for Fastify users: There is slightly different request/response handling for Fastify. Interceptors and middleware check
req.rawfor Fastify vs Express compatibility.
JWKS (Remote Identity Provider)
To verify tokens issued by an external IdP (Auth0, Cognito, Okta, Keycloak), install the optional jwks-rsa peer dependency:
npm install jwks-rsaThen configure your module:
import { Module } from '@nestjs/common';
import { AuthenticationModule, createJwksStrategyProvider } from '@nathapp/nestjs-auth';
import { MyAuthProvider } from './my-auth-provider';
@Module({
imports: [
AuthenticationModule.forRoot({
jwtOptions: {
signOption: { algorithm: 'RS256' },
issuer: 'https://my-tenant.auth0.com/',
audience: 'https://api.example.com',
jwks: {
jwksUri: 'https://my-tenant.auth0.com/.well-known/jwks.json',
// optional tuning:
// cacheMaxAge: 600000,
// jwksRequestsPerMinute: 10,
// algorithms: ['RS256'],
},
},
authProvider: MyAuthProvider,
}),
],
// Override the default JwtStrategyProvider with the JWKS factory.
// Must be registered AFTER AuthenticationModule so DI resolves this provider.
providers: [createJwksStrategyProvider()],
})
export class AppModule {}Note: Don't pass
strategyProvider: JwksJwtStrategyProviderdirectly — this monorepo usesuseFactoryregistration (see CLAUDE.md). ThecreateJwksStrategyProvider()helper wiresJWT_OPTIONS+AUTH_PROVIDERinjection for you.
JWKS Security Defaults
issueris required when using JWKS (prevents accepting tokens from any key the URI serves).algorithmsdefaults to['RS256']. HMAC algorithms (HS*) andnoneare rejected.jwksUrimust use HTTPS (setallowInsecure: trueonly for local dev against a mock server).sign()throws in JWKS mode — the strategy is verify-only.
