 Do you want to protect your NestJS API from prying eyes? In this video, I'm going to walk you through how to set up your first API endpoints with nest.js and how to create an authentication guide that will check for your valid access token issued by your old zero tenant. Let's get started! We will not be covering any authentication and how to obtain an access token. If you don't already have an application that can fetch access tokens, have a look at one of our other videos by clicking on the banner on the top right hand corner. To start working with nest.js, we first need to install the command line interface. This will help us create new controllers, services and more. If you've already installed a CLI, there's no need to install it again. Once the CLI is installed globally, we can use it to create our nest.js project. Go to your development folder in your terminal and run nest new nestjs-oldzero-api. This might take a while. We'll let the CLI do its thing and once it finishes, we will see it created a folder with a basic nest.js project. Once we start the development environment with npm run start, call on dev, we can try out the default hello world endpoint. I'm using Insomnia to test API endpoints, but there are other excellent applications out there like postman for example. When we look inside the generated codebase, we'll see that the nest.js CLI has created some files for us. An app.module file that helps us set up our dependencies. An app.service file that can contain our business logic. And an app.controller file that will let us define our API endpoints. Now let's add some more API endpoints. One dog and one cat endpoint. We'll protect the cat endpoint later. As we all know, cats are less social creatures compared to dogs. We'll add the dog endpoint first and the cat endpoint later. Both will call a method from the app service, so let's add those as well. You'll see we now have a dog and a cat API endpoint available and both will return the message from their service method. Now let's generate a new authorization module and a new authorization guard. The guard will help us protect certain endpoints for which we'll need a valid access token issued by our alt zero tenant. Let's first stop our development server for a second and use the nest CLI to generate a new module. We'll run nest generate module authorization with the no spec flag because we don't want to generate tests for this demo. This will generate a new authorization module and import it into the main application module. Let's do the same, but instead of a module, we'll generate a new authorization guard. Lastly, let's install some NPM dependencies that we'll use later on in this demo and restart our development server with npm run start colon dev. If we look into our code base, we'll see that an authorization module has been added with the authorization.module.ts file. An authorization card has also been added. Let's move the card to the authorization folder. The authorization module has also been imported into the app.module file. In the authorization card file, we'll see some default code. Let's clean it up a bit. We're not going to use observables in this demo, so let's not return an observable. Now that we've cleaned up the default card, we can start adding the logic for the authorization card. Let's start by importing some of the dependencies we installed earlier. First we'll import expressjwtsecret from the jwks-rsa file. Next we'll import the promiseifyutility function. We did not install this through npm, it's a default module. Next we'll import the jwt-express-middleware. Now that we've imported our dependencies, let's create a new const checkjwt which will return our JSON web token middleware which we imported from expressjwt and will accept a configuration object. Some details about the secret, an audience which will leave blank for now, an issuer which will also leave blank for now, and the algorithms which we're going to use. By default Alt-Zero uses rs256 to sign its JSON web tokens. Here we'll use the expressjwt-secret library which we've imported from npm, which will also accept a bit of config. We'll set the cache and rate limit to true, we'll limit the request for JSON web keys to 5 per minute, and we'll leave the jwks-uri blank for now. We now have a checkjwt token function that uses the expressjwt middleware, which is an old-school, node-style, callback-based function. So let's convert it to a function that returns a promise with the promissify utility function. Now that we've got our checkjwt token function, let's use it. What we're going to do is, every time this card is executed, we'll run the checkjwt token function, which will return a promise. This means we can await the checkjwt token function. In order to await it, we have to convert this to an asynchronous function. And if that's okay, you return true. If it's not okay, we will throw an unauthorized exception, which is a default nest.js exception, which will return a 401 unauthorized status to our API endpoint, and we'll pass along the error. As you can see, the checkjwt token function is still underlined in red. That's because it needs two arguments, a request and a response. We can get both from the context of our card. So let's create a request variable and call context.getArgumentsByIndex, and the first one is going to be our request. The second one is going to be our response. Once we've got this variable, we can pass them to the checkjwt token function. Lastly, since we're working on an asynchronous function, it's always going to return a promise, so we can remove this boolean here. Let's use the alt zero command line interface to create a new API for our alt zero tenant. If you don't have the CLI installed, click on the banner in the top right hand corner to find out how you can install the CLI. Everything I'm doing through the CLI can also be done through our management dashboard at manage.altzero.com. We'll type alt zero, apis create, and call our new API nestjs-api. The identifier is going to be the same, nestjs-api. And we'll leave scopes empty for now. The alt zero CLI is going to create a new API for my alt zero tenant. As you can see, we've got our identifier available, together with my alt zero tenant sambaigo.eu.altzero.com. Now that we've created our API for our alt zero tenant, let's use it to do the actual authorization for our API endpoints. We'll create a new file and call it .env, in which we'll add some alt zero configuration variables. We'll let the alt zero audience, which is the identifier for our API we entered through the alt zero CLI, enter alt zero domain, which is my tenant's domain. It's always going to be your tenantname.region.altzero.com suffixed with a slash. To use these environment variables, let's install the nest config library. We'll run npm install at nestjs slash config. Once installed, we can import it in our cart file. Import config service from at nestjs slash config. In order to make it work, we'll also have to inject it through the application module, so let's go ahead and import a config module. After that, we can add config module dot for root in the import array, which will allow us to inject the configuration into our authorization cart. If we go back to our authorization cart, we can now create a constructor in which we can inject the config service. We'll then create a private alt zero audience and alt zero domain, which will populate in our construction function with the configuration data from our .env file. What we're doing here is using the config service to gather alt zero audience and domain from our .env file. We can now use the alt zero audience and domain to configure our express JSON web token middleware. Next up, let's add the audience. This dot alt zero audience and our issuer is going to be our alt zero domain. Lastly, our JSON web keys URI is going to be exposed by alt zero. It is always going to be under the .well known slash JWKS JSON URL. So if we take our alt zero domain and add .well known slash JWKS dot JSON, we'll be able to fetch our public keys to validate the JSON web token signature. If we open Insomnia again, we can still use our talk endpoint, which works fine without an access token because we did not add the authorization card to it. But if we ping the cat endpoint, we get a 401 unauthorized because we did add the authorization card to this endpoint. So now it's requiring us to pass along a valid access token along with each request. If we take the same API endpoint slash cat, but then append the bearer token, which will add an authorization header to each request with the access token as a bearer token, and we pass along a valid access token generated by our alt zero tenant, we should get a 200 successful response. We'd only added the authorization card to our slash cat endpoint. That's why we could still use the dog endpoint, but needed an access token for the cat one. That's all for today. If you'd like to see more Nest.js content in the future, please let us know in the comments below and don't forget to subscribe. See y'all next time.