Add "Security" section

[kamilmysliwiec]

I'm submitting a...

[ ] Regression 
[ ] Bug report
[ ] Feature request
[x] Documentation issue or request (new chapter/page)
[ ] Support request => Please do not submit support request here, instead post your question on Stack Overflow.

Current behavior

Expected behavior

As a user, I would like to see Security chapter.

Minimal reproduction of the problem with instructions

What is the motivation / use case for changing the behavior?

Environment

For Tooling issues:
- Node version: XX  
- Platform:  

Others:

[jamshally]

A comprehensive security section would be extremely helpful. There is a lot of complexity and confusion around the best way to accomplish tight security using NestJS - which is essential if it is to be used for production applications. There are very few examples available to follow. The examples that do exist all seem to either be too simple, have problems, or be somewhat contradictory.

Existing Examples:

• NestJS Auth Chapter

  • Pro: NestJS best practice - straight from kamilmysliwiec

  • Pro: Illustrates some of the code for handling JWT auth

  • Con: Examples/docs do not seem in depth enough to provide a solid foundation for production use

  • Con: Comments like "... in a best-case scenario the jwt package and token configuration (secret key and expiration time) should be registered as custom providers"... melted my already overloaded brain. An code example of this would be super.

  • Con: It is unclear exactly how a "local" passport auth strategy (username and password) would be implemented... or if it could be done with the existing code. In the current examples, it is not obvious where username and password checking could/should be inserted. The simplification of the code for example purposes (by using a faked user) has in some ways made it more confusing to understand.

  • Con: Not clear how this would integrate with social login, CRSF etc

  • NesJS Basic Auth and Sessions Blogpost (artonio)

  • Pro: Step by step commentary for implementing auth

  • Con: Implementation too basic for a production system... and yet somehow still seems complicated

  • Con: Even with this basic implementation, finds (and reports) a bug in the Nest Passport library, which is as-yet unfixed

  • Con: No CRSF protection

  • Con: No use of helmet or such for additional security

  • NestJS Starter Project (CanKattwinkel)

  • Pro: Includes CSRF protection

  • Pro: Seems to use NestJS best practices (like using Nest middleware)

  • Con: A lot of custom complexity, including custom sessions, which makes the auth specific code hard to follow, and distinguish which is necessary auth, and what is extraneous

  • Con: The CSRF protection is very hard to follow

  • Con: Not leveraging the Nest/Passport libraries

  • Con: No license, so can be used for example only

  • Con: Does not support mobile auth

  • Nest-Angular open Source Project (bojidaryovchev)

  • Pro: Comprehensive example including social authentication, and helmet

  • Con: Seems to not use standard NestJS techniques (uses express and express middleware directly instead of NestJS style, uses custom JOI validation via middleware)

  • Con: Uses "off brand" passport strategies for reasons that are not clear

  • Con: No CRSF protection

Some Specific Points of Confusion

• How to reconcile Passport Strategy session needs with NestJS
• If CRSF is a threat to NestJS and how to mitigate
• How to handle auth token refresh needs
• If/how auth for mobile devices would be accommodated. Especially with the long-lived auth requirement of apps

Wishlist

• How to implement local authentication using JWT Bearer Tokens
  • How to accommodate the token timeout and refresh scenarios
  • How to position this to accommodate both web and mobile clients
  • How to integrate auth via social login
  • How to implement CRSF protection
  • How to implement additional hardening (such as via helmet)
  • Nice to have: 2FA example

Any guidance for the above would be much appreciated. I think that NestJS is a fantastic project, and would love to start using it in production with confidence that I have got the security right.

Thanks for all the time and effort on NestJS!

[jamshally]

One more plug for the above guidance... if NestJS could had a solid production-ready auth strategy, it could be a game-changer in the NodeJS field. Having been reading around in preparation to implement my own auth, I have seen so much confusion and out of date and incorrect guidance, it is clear that this is a NodeJS-wide challenge, and not just a NestJS challenge.

This article gives a pretty good peek-behind-the-curtain of the state of affairs: https://hackernoon.com/your-node-js-authentication-tutorial-is-wrong-f1a3bf831a46

[abouroubi]

Hello @ahrnee I'm working on a sample nestjs app, that will be used mainly by a mobile application. It will use short lived JWT access tokens and sliding refresh tokens, Facebook and Google connect.

I'll try to push it on GitHub by the end of the week. Comments, issues and PR's are welcome.

[bhaidar]

Any follow up on how to use CSRF in Nestjs?

[johnbiundo]

@bhaidar I think most of the considerations are not specific to Nest. I use the csurf module, and cookie parser. I also use express sessions for session management, and found that there's a side-effect in relying only on sessions for storing the csurf secret (probably particular to my use case), hence relying on cookies instead for that function. So my main.ts looks like

  app.use(cookieParser());
  app.use(csurf({ cookie: true }));

I mentioned the details above because they are generic Express/Sessions/CSurf issues, not Nest-specific, and illustrate the point that if your use case is complex (e.g., also using sessions), you may have to do some additional research into those packages.

Another aspect of the CSRF equation is your client side. In my case, for example, I have a SPA and use Angular, which handles the client side transparently. If you have an MVC style app, you'll need to do more work in how you render pages so that you pass the CSRF token to the forms so they're passed back on POSTs (just as one example).

[bhaidar]

Thanks @johnbiundo I figured out that CSRF should be used with MVC apps rather than SPAs. I also use Angular with Nest.

I believe the docs need more work regarding MVC unless building MVC apps with Nest or Node is not popular.

[kamilmysliwiec]

MVC apps are very rare nowadays @bhaidar