# Guard & Interceptor Chain
Detailed reference for all guards, interceptors, and decorators used in the API.
## Guards

### TenantPermissionGuard

The first guard in the chain. Extracts the tenant from the JWT token and sets it in the RequestContext.

```typescript
@UseGuards(TenantPermissionGuard)
```

Logic:

- Extract the JWT from the `Authorization` header
- Decode the token to get `tenantId`
- Validate that the tenant exists and is active
- Set `RequestContext.currentTenantId`
### PermissionGuard

Checks if the current user has the required permission(s).

```typescript
@UseGuards(PermissionGuard)
@Permissions(PermissionsEnum.ORG_USERS_VIEW)
```

Logic:

- Read the `@Permissions()` decorator metadata
- Compare it with the user's role permissions
- Allow if any required permission matches
### OrganizationPermissionGuard

Same as PermissionGuard, but also validates the organization context.
### RoleGuard

Restricts access to specific roles.

```typescript
@UseGuards(RoleGuard)
@Roles(RolesEnum.SUPER_ADMIN)
```
### FeatureFlagGuard

Checks if a feature is enabled for the current tenant.

```typescript
@UseGuards(FeatureFlagGuard)
@Feature(FeatureEnum.FEATURE_SPRINT)
```
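The guards above are easiest to reason about as a chain that stops at the first denial, with TenantPermissionGuard populating the context that the later guards read. The following is an added, dependency-free model of that chain (it is not the project's code): the guard order after TenantPermissionGuard, the behaviour when a handler carries no `@Permissions()`, the token table, tenant list and feature flags are all assumptions constructed for the example, and `runGuardChain` returns `null` when a request is allowed or the name of the first guard that denied it.

```typescript
// Added example, not project code: a stand-alone model of the guard chain with constructed sample data.
type User = { id: string; role: string; permissions: Set<string> };
type Ctx = { currentTenantId?: string; currentUser?: User }; // stands in for RequestContext
type Handler = { permissions?: string[]; roles?: string[]; feature?: string; isPublic?: boolean };
type GuardRequest = { headers: Record<string, string>; ctx: Ctx }; // header names lowercased, as Node does
type Guard = (req: GuardRequest, handler: Handler) => boolean;
// Constructed stand-ins for JWT decoding, the tenant table and per-tenant feature flags.
const TOKENS: Record<string, { tenantId: string; user: User }> = {
  'tok-alice': { tenantId: 'tenant-a', user: { id: 'u1', role: 'ADMIN', permissions: new Set(['ORG_USERS_VIEW']) } },
  'tok-bob': { tenantId: 'tenant-z', user: { id: 'u2', role: 'EMPLOYEE', permissions: new Set(['ORG_USERS_VIEW']) } },
};
const ACTIVE_TENANTS = new Set(['tenant-a']); // tenant-z appears in a token but is not active
const TENANT_FEATURES: Record<string, Set<string>> = { 'tenant-a': new Set(['FEATURE_SPRINT']) };
// 1. TenantPermissionGuard: token -> tenantId, tenant must be active, then populate the context.
const tenantPermissionGuard: Guard = (req) => {
  const auth = req.headers['authorization'] ?? '';
  const token = auth.startsWith('Bearer ') ? TOKENS[auth.slice(7)] : undefined;
  if (!token || !ACTIVE_TENANTS.has(token.tenantId)) return false;
  req.ctx.currentTenantId = token.tenantId;
  req.ctx.currentUser = token.user;
  return true;
};
// 2. PermissionGuard: allow if ANY required permission is granted (assumed: pass when none is required).
const permissionGuard: Guard = (req, h) => {
  const required = h.permissions ?? [];
  if (required.length === 0) return true;
  const granted = req.ctx.currentUser?.permissions;
  return granted !== undefined && required.some((p) => granted.has(p));
};
// 3. RoleGuard: the user's role must be one of the roles listed on the handler.
const roleGuard: Guard = (req, h) => {
  const user = req.ctx.currentUser;
  return !h.roles?.length || (user !== undefined && (h.roles ?? []).includes(user.role));
};
// 4. FeatureFlagGuard: the feature must be enabled for the tenant set in step 1.
const featureFlagGuard: Guard = (req, h) => {
  const tenant = req.ctx.currentTenantId;
  return !h.feature || (tenant !== undefined && (TENANT_FEATURES[tenant]?.has(h.feature) ?? false));
};
const CHAIN: Array<[string, Guard]> = [['TenantPermissionGuard', tenantPermissionGuard],
  ['PermissionGuard', permissionGuard], ['RoleGuard', roleGuard], ['FeatureFlagGuard', featureFlagGuard]];
// null = allowed; otherwise the name of the first guard that denied the request.
export function runGuardChain(headers: Record<string, string>, handler: Handler): string | null {
  if (handler.isPublic) return null; // @Public(): authentication is skipped
  const req: GuardRequest = { headers, ctx: {} };
  for (const [name, guard] of CHAIN) if (!guard(req, handler)) return name;
  return null;
}
```

Because the context is filled in by the first guard, reordering the chain (for example running PermissionGuard first) would make every permission check fail closed, which is the useful property to keep in mind when adding a custom guard.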
## Interceptors

### TransformInterceptor

Wraps controller responses in a standard format:

```json
{
  "data": { ... },
  "message": "Success"
}
```
### TimeoutInterceptor

Enforces a request timeout:

```typescript
@UseInterceptors(TimeoutInterceptor)
@Timeout(30000) // 30 seconds
```
### LazyLoadInterceptor

Handles lazy loading of entity relations from query parameters.
## Decorators Reference

| Decorator | Target | Description |
|---|---|---|
| `@Permissions(...)` | Method | Required permissions |
| `@Roles(...)` | Method | Required roles |
| `@Feature(...)` | Method | Required feature flag |
| `@Public()` | Method | Skip authentication |
| `@UseValidationPipe()` | Method | Apply validation pipe |
| `@Timeout(ms)` | Method | Request timeout |
| `@RequestContext()` | Parameter | Inject request context |
## Custom Guard Example

```typescript
import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
import { RequestContext } from '@gauzy/core'; // import path assumed; use your project's RequestContext export

@Injectable()
export class MyCustomGuard implements CanActivate {
  canActivate(context: ExecutionContext): boolean {
    const request = context.switchToHttp().getRequest();
    const user = RequestContext.currentUser();
    return this.validateCustomLogic(user, request);
  }
  // Fail closed: deny unless an authenticated user is present and passes the custom condition.
  private validateCustomLogic(user: unknown, request: unknown): boolean {
    if (!user) return false;
    return true; // replace with the project-specific condition on user and request
  }
}
```
## Related Pages

- Request Lifecycle: full request flow
- API Security Best Practices: security
- Plugin API Reference: available decorators