Hey, what's going on, YouTubers? My name's Lee Brandt. I'm a developer advocate at Okta. Today, we're going to build our first NestJS app. Let's check it out. Okay, the first thing we're going to want to do is create an Okta application. We can use the Okta CLI to do this. Easiest way to do it. So we just do okta apps create, and it'll give me a little prompt here. So since we'll be using Postman to test it, this is going to be a little weird because rather than creating a React app or a Vue or Angular app as a front end to test our API, we're just going to test it with Postman. And so the stuff we're going to put in is going to feel a little weird. But let's just call this PostmanTester. We're going to call it a single-page app because Postman really is a single-page app. And the callback URI, we're going to want it to be the Postman callback URI, which is this right here, which is just oauth.pstmn, or Postman without the vowels, .io/v1/callback. The post logout redirect URI, you want it to be oauth.postman.io, which is what's already set in the default. Now it's going to go off and it's going to configure this new application in Okta, and then it's going to spit out our issuer and our client ID. So I'm just going to copy it here off into a file so I can refer to it later. Copy it back in here in just a few minutes. So now that that's done, we're going to need to open our application, basically create a folder and create the API in Visual Studio. So let's do that next. All right, so now that you've got Postman set up to be your front-end for this API, let's go ahead and do what we came here to do, which is creating a NestJS API. So if you don't have the Nest CLI installed, you want to install it, and the command for that to install it globally is this, which is just npm install globally @nestjs/cli at 7.5.4, which is the latest version, but I already have it installed. So what we're going to do is it's going to create the application.
So we'll do nest new library API. And this will go ahead and create the application. We want to use npm for our package manager. You can use yarn if you'd like, in which case your command would have been yarn install @nestjs/cli. But once it's installed, then all we've got to do is open that file in Visual Studio. So we come in here to our file and here's our application. So now that we've got this set up, the next thing we're going to want to do is install some dependencies that we need. The first one being dotenv. Now dotenv is an environment variable creator. What it does is it allows you to create environment variables by putting them into a special file called a .env file. So it's basically just properties, like a name and a value. And once you start up your application, it'll read all of that into environment variables for you. The next thing we want to do is install Passport, which is 0.4.1 as of the time of this recording. The next thing we're going to need to install for Passport is the HTTP bearer, which allows us to read bearer tokens in Passport. The next thing we need is we need to be able to connect Nest to Passport. And last but not least, the Okta JWT verifier. And what this will do is once we get a token, we can pass it back to the API. And then the API can verify that that token is valid before doing anything. So now in order to use the dotenv package, we're going to create a new file here at the root called .env. And we're just going to put some values in there that we're going to want to use. In this case, our client ID, which we just got from the Okta CLI a few minutes ago, so we'll get that and plug it in here. And then the issuer we also got from the Okta CLI. So let's go ahead and grab that over here. My little text file that I saved it off to. And now that we've got that, that can be saved and we're all good. Now we can start writing our application.
Okay, so to get started with our application, there's a few terms we need to get out of the way first. It's just kind of Nest's things. The first one is controllers. And controllers kind of handle the requests coming in from the client, where they go and who's going to handle them. Providers is kind of a catch-all name for services, factories, any other type of classes, repositories, whatever. And they can be injected into other classes by decorating them with the Injectable decorator. Finally, there are modules. The role of a module is kind of to glue everything together, to glue controllers and services, controllers and providers together. So the first thing we're going to do is we're going to go ahead and we're going to write our first auth module. So we'll create a new folder here called auth. And inside of that, we'll create a new file and we'll call it htp.strategy.ts. Okay. And the code for this is here. So you'll see we're bringing in the HTTP exception and Injectable from the common Nest library. We're also bringing in Passport from the Nest Passport library. And we're bringing in strategies from Passport. So the auth service, don't worry about that quite yet. We're not to creating that yet. But so the HTTP strategy we've got here extends the Passport strategy, which we brought in from up here. It is marked as injectable. And it's got a constructor here that's going to bring in the auth service, just like normal. Let me go ahead and format this document. So you can see it right. And so it's just going to pass things up to super or call this call the super. And then just about everything in Nest is asynchronous. So the validate function is going to take the token string and the done function. And it's going to return an await. And it's basically going to validate the token from the auth service, which we're going to create in a minute here. If it does catch an error, it's just going to call the done method.
And basically, which is going to throw this exception is going to say that the token's not valid. It didn't pass the token validation. All right, so that's pretty straightforward. But let's take a look at the auth service itself. So we'll create in that same folder. We'll just call this auth.service.ts. Now the auth service code. We're bringing Injectable again from common. We're bringing in the Okta JWT verifier and the config service, which we haven't created yet. We're making the auth service injectable. We're going to have an Okta verifier and an audience that we want to get, which we're going to get from config. Except for the Okta verifier, of course. Now the Okta verifier is going to be created in here. The config service gets injected. The Okta verifier right here is going to create a new Okta verifier with the issuer and the client ID from the configuration file. And the audience is also going to be set from the configuration file. But we don't need that to create the Okta verifier. We need that when we go to actually verify the access token. So this async method here, this validate token takes in that token string and it waits to see if the access verify token and then it returns the JWT. If everything went okay. All right, now that we've got the auth service created, we can go ahead and save that. And the next thing we need to do is create the module that's going to glue these two together. So create a new file here and we'll call this auth.module.ts. And we'll go ahead and bring in this code. It's not very much code here. All we're doing is we're importing the config module, which we haven't created yet, the auth service and the HTTP strategy, which we have created. But since it's relying on something that hasn't been created yet, Visual Studio doesn't like this very much. But sometimes Visual Studio gets a little confused and you can just do that. Oh, because I called it HTTP strategy. Okay, so let's rename this to the right name.
And now it probably looks just fine. Okay. So all this is going to do is just tie the providers and the config module together. So now that we've created the auth service and everything in the auth module folder, we're going to create a folder under source called config so we can create that config stuff. And inside of config, we're going to create the service for that, config.service.ts. Now I'm nervous. Okay, looks like it's spelled right. And my config service looks like this. We're going to bring in dotenv because we need it to read in those environment files. The config service basically is just going to read in those values and create the key value string, the value string, we're going to pass it a key, it's going to pass a value string back. Sorry, trying to format the document while I'm talking. So now we have the config for service setup. And you can see that's basically all it's doing is it's reading in from that .env file. And whatever key you send it, it's got a property here that will return you back the value for that key. So next thing we need to do to the config folder is add the module, new file config.module.ts. Make sure I spelled that right. And the config module is also not super complicated. We're just bringing in Module because we need that for the decorator. We're going to set up our providers, which is our config service. And we're going to use this value for the config service. We're going to pass in a new config service with the node environment .env. So this can be used for production or testing. We're using nothing, which is just .env. And it's going to export the config service. And that's how our config module just glues together that one config service file. Next we need to write a controller. So we're just going to use the one that's already built here in the app.service.ts file. And we're going to import some code into it that does some of our routing for us. So we want the app service to be injectable.
And the app service has an array in it of books rather than connecting to a database. We're just going to get them from a list. So we've got get all books, get a book, and then update a book. So the next thing we need to do is go over to our app module to kind of wire this all together. And you see, we just brought in the app controller and we said, hey, we've got a controller in here called app controller. Then the app controller code is the guy that does most of our work for us. So in here we've brought in Controller, Get, Post, Param, all those things from NestJS common. We've marked this as a controller for books. So when somebody goes to slash books, that's where they're going to get. And it's going to take in the app service that we just updated. So we're going to also use guards, which is the auth guard, which is our NestJS Passport. And since we've told Passport that we're going to be using this HTTP strategy, that's what it will use. So the get all books function, let me again format this, goes and does app service get all books, which is going to go to our app service and run get all books. But it is already protected by our auth guard so they can't even get to it until they've authenticated or until the token's been validated that gets sent. Again, get book takes in an ID param and just does app service dot get book with that ID. This post method uses the guard again, but it just updates the book. So it takes in the body as a book and it returns this dot app service update book and update book will do that for us. So that is all of our NestJS application. So at this point, we should be able to run this thing and watch it work. Okay, so to get started testing, the application's a little bit more complicated than normal because we're going to be doing our authentication through Postman. So the first thing we're going to want to do is we're going to want to run this application.
So let's just go in here and do an npm run start or you can just type npm start and we'll have the nest start here and it's started. So now our application is running and we can actually make requests to it. Okay, now that our NestJS API is up and running, we're going to test it with Postman. So once you've got Postman open, just go here and create a new request, go right to the authorization tab. We're going to choose OAuth 2 and over here it's going to prefix it with Bearer for me. Now I've done this a couple of times now. So make sure Bearer is in the header prefix. Authorization with PKCE is what we want, or authorization code with PKCE. We want to make sure that authorize using browser is turned on because basically what it's going to do is going to redirect out to Okta login and then send me back my token. The URL that you want to put in the OAuth is the one that you've got, that is your issuer with slash v1 slash authorize on the end of it. That's the authorization endpoint and then your issuer again with slash v1 slash token is your token endpoint. Put in your client ID, which that is the one, SHA256. The scopes that you want to look for are openid, email and profile. Again, these are likely pre-populated for me because I've done this a couple of times now. So some of these things you may have to type in yourself. This state string can be anything you want it to be. It's just a state key to check, and then send client credentials in body. Then when you click get new access token, it'll pop you up onto a browser. You'll log in and when you come back, it'll say authentication complete. Now once you proceed, it'll take you to use that token. Then you can click on use that token. It'll populate it over here in the available tokens and then I can put a URL in here, which we want to go to localhost port 3000 slash books. And when I run it, hopefully I did type it correct. When I run it, I'll see those three books are returned.
Now if I just went to like books one, I can send it and I'll just return that one. Books two, okay. So you can test this out to your heart's content and this is a really good way to test APIs, especially if you're an API builder. It's been my experience that a lot of companies have like an API team and a UI team. This is, Postman is a really great way to test your API. And this is all part of the new Postman UI that will allow you to create or log in to the application without having to build a little login API or login UI for you to test. And you can actually see it if you come in here and let's say you just, let's just put a dash one on the end of this and I try and run this. It should say, well, it says internal server error. The status code should be 401 Unauthorized. Yeah. So I'm sure the internal error was the fact that it had a dash one on the end of it. And it was like, that access token is definitely not valid, but I'm trying to process it and it's too long for an access token. Hey, thanks for joining me today. I hope you get a lot out of this NestJS application. Make sure you like and subscribe. That's what the kids say, right? Like and subscribe and make sure to hit the bell notification thing. So you get notifications when we have new content coming out. I hope you enjoyed the tutorial and we'll see you next time.