Guard & Interceptor Chain
Detailed reference for all guards, interceptors, and decorators used in the API.
Guards
TenantPermissionGuard
The first guard in the chain. Extracts the tenant from the JWT token and sets it in the RequestContext.
@UseGuards(TenantPermissionGuard)
Logic:
- Extract JWT from
Authorizationheader - Decode token to get
tenantId - Validate tenant exists and is active
- Set
RequestContext.currentTenantId
PermissionGuard
Checks if the current user has the required permission(s).
@UseGuards(PermissionGuard)
@Permissions(PermissionsEnum.ORG_USERS_VIEW)
Logic:
- Read
@Permissions()decorator metadata - Compare with user's role permissions
- Allow if any required permission matches
OrganizationPermissionGuard
Same as PermissionGuard but also validates organization context.
RoleGuard
Restricts access to specific roles.
@UseGuards(RoleGuard)
@Roles(RolesEnum.SUPER_ADMIN)
FeatureFlagGuard
Checks if a feature is enabled for the current tenant.
@UseGuards(FeatureFlagGuard)
@Feature(FeatureEnum.FEATURE_SPRINT)
Interceptors
TransformInterceptor
Wraps controller responses in a standard format:
{
"data": { ... },
"message": "Success"
}
TimeoutInterceptor
Enforces request timeout:
@UseInterceptors(TimeoutInterceptor)
@Timeout(30000) // 30 seconds
LazyLoadInterceptor
Handles lazy loading of entity relations from query parameters.
Decorators Reference
| Decorator | Target | Description |
|---|---|---|
@Permissions(...) | Method | Required permissions |
@Roles(...) | Method | Required roles |
@Feature(...) | Method | Required feature flag |
@Public() | Method | Skip authentication |
@UseValidationPipe() | Method | Apply validation pipe |
@Timeout(ms) | Method | Request timeout |
@RequestContext() | Parameter | Inject request context |
Custom Guard Example
@Injectable()
export class MyCustomGuard implements CanActivate {
canActivate(context: ExecutionContext): boolean {
const request = context.switchToHttp().getRequest();
const user = RequestContext.currentUser();
return this.validateCustomLogic(user);
}
}
Related Pages
- Request Lifecycle — full request flow
- API Security Best Practices — security
- Plugin API Reference — available decorators