If you're building a backend with NestJS, you'll run into these two terms sooner or later: Authentication and Authorization.
They look similar, but they do different jobs 👇
🤔 What Is Authentication?
Authentication = the process of proving who you are.
Easy examples:
- Logging in with a username & password
- Logging in with Google/Facebook OAuth
- Sending a JWT with each request (the proof you get after logging in)
So authN is like the doorman checking "Are you really who you say you are?"
🤔 What Is Authorization?
Authorization = the process of checking what you're allowed to do once you're logged in.
Examples:
- A regular user can only read data, not delete it.
- An admin can do full CRUD on all data.
- A premium user can access special features.
So authZ is like the security guard inside the building checking "Do you have access to this room?"
🛠️ Implementing It in NestJS
1️⃣ Setting Up Authentication (JWT)
The most common choice → JWT (JSON Web Token).
The flow looks like this:
- User logs in → backend generates a JWT.
- The JWT is sent back to the client.
- On every request, the client sends the JWT in the Authorization header → the backend validates the signature and the expiry.
Install the packages
npm install @nestjs/jwt @nestjs/passport passport passport-jwt
npm install --save-dev @types/passport-jwt
auth.module.ts
import { Module } from '@nestjs/common';
import { JwtModule } from '@nestjs/jwt';
import { PassportModule } from '@nestjs/passport';
import { AuthService } from './auth.service';
import { JwtStrategy } from './jwt.strategy';
import { AuthController } from './auth.controller';

@Module({
  imports: [
    PassportModule,
    JwtModule.register({
      // Read the secret from the environment (.env) and nothing else. Don't add a
      // string fallback here: a hardcoded default ends up in git and lets anyone
      // who reads the source mint valid tokens. If JWT_SECRET is unset, sign()
      // throws, which is the failure mode you want.
      secret: process.env.JWT_SECRET,
      signOptions: { expiresIn: '1h' },
    }),
  ],
  providers: [AuthService, JwtStrategy],
  controllers: [AuthController],
})
export class AuthModule {}
auth.service.ts (issues the token)
import { Injectable } from '@nestjs/common';
import { JwtService } from '@nestjs/jwt';

// Whatever your user lookup returns; only these fields go into the token.
export interface AuthUser {
  id: string | number;
  username: string;
  role: string;
}

@Injectable()
export class AuthService {
  constructor(private jwtService: JwtService) {}

  // Call this only after the credentials have already been checked
  // (for example by a local username/password strategy).
  async login(user: AuthUser) {
    // Keep the payload small and non-sensitive: it is only base64-encoded, not encrypted.
    const payload = { username: user.username, sub: user.id, role: user.role };
    return {
      access_token: this.jwtService.sign(payload),
    };
  }
}
jwt.strategy.ts (verifies the token)
import { Injectable } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { ExtractJwt, Strategy } from 'passport-jwt';

@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
  constructor() {
    super({
      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
      secretOrKey: process.env.JWT_SECRET, // same .env variable as in AuthModule, no fallback
      ignoreExpiration: false,             // reject expired tokens (the default, but be explicit)
      algorithms: ['HS256'],               // pin the algorithm the tokens are signed with
    });
  }

  // Runs only after passport-jwt has checked the signature and the expiry.
  // Whatever is returned here becomes req.user.
  async validate(payload: any) {
    return { userId: payload.sub, username: payload.username, role: payload.role };
  }
}
One caveat: the role comes straight from the token, so if you demote or ban a user, the old token keeps working until it expires (here, up to 1h). If you need changes to take effect immediately, look the user up in the database inside validate() instead of trusting the claim.
2️⃣ Setting Up Authorization (Role Based Access)
Once the user is authenticated, we decide what they're allowed to access.
In NestJS that's done with a Guard.
roles.decorator.ts
import { SetMetadata } from '@nestjs/common';

// Attaches the list of allowed roles to a handler (or a whole controller) as metadata.
export const Roles = (...roles: string[]) => SetMetadata('roles', roles);
roles.guard.ts
import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
import { Reflector } from '@nestjs/core';

@Injectable()
export class RolesGuard implements CanActivate {
  constructor(private reflector: Reflector) {}

  canActivate(context: ExecutionContext): boolean {
    // Look at the handler first, then the controller class, so @Roles() works on either.
    const requiredRoles = this.reflector.getAllAndOverride<string[]>('roles', [
      context.getHandler(),
      context.getClass(),
    ]);
    // No @Roles() on the endpoint => any authenticated user may pass.
    if (!requiredRoles || requiredRoles.length === 0) return true;
    const { user } = context.switchToHttp().getRequest();
    // req.user is set by JwtStrategy. If it is missing (guard used without
    // AuthGuard('jwt')), deny instead of crashing on user.role.
    if (!user) return false;
    return requiredRoles.includes(user.role);
  }
}
Example in a controller
import { Controller, Get, UseGuards } from '@nestjs/common';
import { AuthGuard } from '@nestjs/passport';
import { RolesGuard } from './roles.guard';
import { Roles } from './roles.decorator';

@Controller('users')
export class UserController {
  // Any valid token gets in.
  @Get('profile')
  @UseGuards(AuthGuard('jwt'))
  getProfile() {
    return { message: 'This is your profile' };
  }

  // Guard order matters: AuthGuard('jwt') runs first and fills req.user,
  // then RolesGuard reads user.role.
  @Get('admin')
  @UseGuards(AuthGuard('jwt'), RolesGuard)
  @Roles('admin')
  getAdminData() {
    return { message: 'Only admins can see this' };
  }
}
⚡ The Full Flow
- User logs in → gets a JWT.
- Requests to the API carry the JWT in Authorization: Bearer <token>.
- JwtStrategy validates the signature and expiry → puts the user into req.user.
- The guard runs → checks the role → decides whether the endpoint is allowed or not.
A missing or invalid token ends in 401 (AuthGuard); a valid token with the wrong role ends in 403 (RolesGuard returning false).
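To make both halves of this flow concrete (the JWT flow from the Setting Up Authentication section and the request pipeline just described), here's an added example that is not part of the original post and not code from NestJS, Passport or passport-jwt. It re-implements, in plain TypeScript on Node's crypto module, what @nestjs/jwt and passport-jwt do for you: minting an HS256 token, pulling it out of the Bearer header, checking the signature and expiry, then applying the role check. The function names (signJwt, extractBearer, verifyJwt, isAllowed, handleRequest, forgeRole), the sample users and the example secret are all made up for illustration; in a real app you keep using JwtService and JwtStrategy. The point is to see exactly what the guards check, and what happens with a tampered payload, an expired token, an "alg: none" header, a missing header, and the wrong role.

```typescript
import { createHmac, timingSafeEqual } from 'crypto';

// Claims carried in the token: the same shape AuthService.login() puts in.
export interface JwtPayload {
  sub: string | number; // user id
  username: string;
  role: string;
  iat: number;          // issued at, seconds since epoch
  exp: number;          // expiry, seconds since epoch
}

const nowSec = (): number => Math.floor(Date.now() / 1000);
const encode = (obj: unknown): string => Buffer.from(JSON.stringify(obj)).toString('base64url');
const decode = (seg: string): any => {
  try {
    return JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
  } catch {
    return null; // not valid base64url / JSON
  }
};

// Step 1 (login): mint an HS256 token, i.e. what jwtService.sign(payload) does.
export function signJwt(
  claims: Omit<JwtPayload, 'iat' | 'exp'>,
  secret: string,
  ttlSec = 3600,             // matches signOptions.expiresIn: '1h'
  now: number = nowSec(),
): string {
  const header = encode({ alg: 'HS256', typ: 'JWT' });
  const payload = encode({ ...claims, iat: now, exp: now + ttlSec });
  const sig = createHmac('sha256', secret).update(`${header}.${payload}`).digest('base64url');
  return `${header}.${payload}.${sig}`;
}

// Step 3a: the ExtractJwt.fromAuthHeaderAsBearerToken() part.
export function extractBearer(authorization: string | undefined): string | null {
  if (!authorization) return null;
  const parts = authorization.trim().split(/\s+/);
  if (parts.length !== 2 || parts[0].toLowerCase() !== 'bearer') return null;
  return parts[1];
}

// Step 3b: what passport-jwt checks before JwtStrategy.validate() ever runs.
// Returns the claims, or null for anything it won't accept (never throws).
export function verifyJwt(token: string, secret: string, now: number = nowSec()): JwtPayload | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;

  // Pin the algorithm: "none" or any other alg is rejected outright.
  const hdr = decode(header);
  if (!hdr || hdr.alg !== 'HS256') return null;

  // Recompute the MAC over the exact bytes that were signed; compare in constant time.
  const expected = createHmac('sha256', secret).update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return null;

  // Only after the signature checks out do we trust the claims, then enforce exp.
  const claims = decode(payload);
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= now) return null;
  return claims as JwtPayload;
}

// Step 4: the RolesGuard decision as a pure function.
export function isAllowed(requiredRoles: string[] | undefined, user: { role: string } | null): boolean {
  if (!requiredRoles || requiredRoles.length === 0) return true; // no @Roles() => any authenticated user
  if (!user) return false;                                         // no req.user => deny, don't crash
  return requiredRoles.includes(user.role);
}

// The whole pipeline for one request: AuthGuard('jwt') then RolesGuard.
// 401 = not authenticated, 403 = authenticated but not allowed, 200 = handler runs.
export function handleRequest(
  authorization: string | undefined,
  requiredRoles: string[] | undefined,
  secret: string,
  now: number = nowSec(),
): 200 | 401 | 403 {
  const token = extractBearer(authorization);
  const user = token ? verifyJwt(token, secret, now) : null;
  if (!user) return 401;
  return isAllowed(requiredRoles, user) ? 200 : 403;
}

// Constructed sample data, only so the example runs offline. In real code the secret
// comes from JWT_SECRET in .env and is never hardcoded.
export const EXAMPLE_SECRET = 'example-only-secret-not-for-production';
export const ISSUED_AT = 1_700_000_000;
export const userToken = signJwt({ sub: 1, username: 'alice', role: 'user' }, EXAMPLE_SECRET, 3600, ISSUED_AT);
export const adminToken = signJwt({ sub: 2, username: 'bob', role: 'admin' }, EXAMPLE_SECRET, 3600, ISSUED_AT);

// Tampering demo: rewrite the role in the payload but keep the original signature.
export function forgeRole(token: string, role: string): string {
  const [h, p, s] = token.split('.');
  return `${h}.${encode({ ...decode(p), role })}.${s}`;
}
```

With the sample tokens, handleRequest(`Bearer ${adminToken}`, ['admin'], EXAMPLE_SECRET, ISSUED_AT + 10) returns 200, the same call with userToken returns 403, and with no header at all it returns 401. forgeRole(userToken, 'admin') produces a token whose payload says admin but whose signature no longer matches, so verifyJwt returns null and the request is a 401, not a 403: the forged role is never even looked at. The same goes for a token whose header says "alg": "none", or one checked after its exp. Notice also that the guard order in the post is baked in here: the role check never sees a user that didn't pass verification first.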
🎯 Takeaways
- Authentication = who you are (login, JWT, OAuth).
- Authorization = what you're allowed to do (role, permission).
- In NestJS → the usual combo is Passport (JWT) for authN + Guard + Decorator for authZ.

