Guard System Deep Dive
NestJS guards used for authentication, authorization, and tenant isolation.
Guard Execution Orderโ
Core Guardsโ
TenantPermissionGuardโ
The most commonly used guard. Validates:
- User is authenticated (JWT valid)
- User belongs to the requested tenant
- User has required permissions
@UseGuards(TenantPermissionGuard)
@Permissions(PermissionsEnum.ORG_EMPLOYEES_VIEW)
@Get()
async findAll() {}
RoleGuardโ
Restricts access by user role:
@UseGuards(RoleGuard)
@Roles(RolesEnum.SUPER_ADMIN, RolesEnum.ADMIN)
@Delete(':id')
async delete(@Param('id') id: string) {}
PermissionGuardโ
Checks specific permissions:
@UseGuards(PermissionGuard)
@Permissions(PermissionsEnum.INVOICES_EDIT)
@Put(':id')
async update() {}
OrganizationPermissionGuardโ
Validates organization-level access:
@UseGuards(OrganizationPermissionGuard)
@Get()
async findByOrg() {}
Guard Hierarchyโ
| Guard | Validates | Usage |
|---|---|---|
AuthGuard('jwt') | JWT token valid | All endpoints |
TenantBaseGuard | Tenant exists in request | Most endpoints |
TenantPermissionGuard | Tenant + permissions | CRUD operations |
RoleGuard | User role matches | Admin endpoints |
PermissionGuard | Specific permission | Feature access |
OrganizationPermissionGuard | Org membership | Org endpoints |
Creating Custom Guardsโ
@Injectable()
export class ProjectMemberGuard implements CanActivate {
async canActivate(context: ExecutionContext): Promise<boolean> {
const request = context.switchToHttp().getRequest();
const projectId = request.params.projectId;
const userId = request.user.id;
return this.projectService.isMember(projectId, userId);
}
}
Related Pagesโ
- Request Lifecycle โ full request flow
- Interceptor Patterns โ interceptors
- Testing Guards โ guard testing