2FA in NestJS Application

Tushar Roy Chowdhury
3 min readApr 11, 2021

--

Hello everyone! I am going to describe Two Factor Authentication(2FA) in NestJS using a Todo application. So let’s jump in.

N.B. I already wrote this tutorial series for Todo application using — NestJS, JWT, PostgresSQL, PgAdmin4 and Docker. Feel free to look at it. Link- ToDo-App
and the code — GitHub

N.B. Refresh token generator using the same application. Link- JWT-Token
I recommand to understand the Refresh-token-generator. It will be better for this tutorial and code — GitHub

We are going to use otplib for secret generator & qrcode for keyUri. So let’s run the below command

// under docker env
docker-compose run nestjs npm install otplib grcode
// without docker env
npm install otplib grcode

First, let’s update the .env file and a line

TWO_FACTOR_AUTHENTICATION_APP_NAME=todo-app

And also add a line in config/development.yml (Those who are not going to use docker as their environment)

jwt:
  ...
  twoFactorAppName: 'todo-app'

Now we need to store 2FA secret code & the visibility of 2FA in DB. So let’s update the auth/entity/user.entity.ts file

...
@Column({ nullable: true })
twoFactorAuthSecret?: string@Column({ default: false })
public isTwoFactorEnable: boolean
...

Let’s do the migration using this below command

// under docker environment
docker-compose run nestjs npm run typeorm:generate anyNameYouLike
docker-compose run nestjs npm run typeorm:run// without docker environment
npm run typeorm:generate anyNameYouLike
npm run typeorm:run

N.B. You have to empty the migration folder before you run the above command and if you have stale migration files.

update the auth/interface/jwt-payload.interface.ts file

export interface JwtPayload {
    isTwoFactorEnable?: boolean
    ...
    isTwoFaAuthenticated?: boolean
}

Update the validateUserPassword() in auth/repository/user.repository.ts and the signIn() in auth/service/auth.service.ts files and create auth/dto/two-fa-auth.dto.ts file

Create src/auth/strategy/jwt-2fa-strategy.ts, auth/service/two-factor-auth.service.ts, auth/controller/two-factor-auth.controller.ts & guards/jwt-two-factor.guard.ts fileguards/jwt-two-factor.guard.ts

As you noticed that, We didn’t update @UseGuards(JwtAuthenticationGuard) To @UseGuards(JwtTwoFactorGuard). Because if we use JwtTwoFactorGuard then we will not able to generate QR-code. The concept is-
1. After sign-in we will get the accessToken
2. With that token we will call /generate-qr API to generate QR which will be scanned by the google-authenticator application and generate codes.
3. After that we will call /turn-on-qr to turn on the QR as well as check the inserted code from the google-authenticator app in /authenticate API.
4. If those steps are correct then it will sign-in again & set the JwtTwoFactorGuard all over the application.
5. After successful login we don’t need to generate the QR code frequently. Just get the code & submit it through /authenticate API.

N.B. You will find those logics at the below codes

Update the validate() in auth/strategy/jwt-refresh-strategy.ts file

async validate(payload: JwtPayload) {
    const { username } = payload;
    const user = await this.userRepository.findOne({ username });if (!user) {
        throw new UnauthorizedException();
    }if (!user.isTwoFactorEnable) {
        return user;
    }if (payload.isTwoFaAuthenticated) {
        return user;
    }
}

Update todo/todo.controller.ts & user/user.controller.ts file

update 
@UseGuards(JwtAuthenticationGuard) To @UseGuards(JwtTwoFactorGuard)

Update auth/controller/auth.controller.ts file

...
@Post('/signin')
signIn(
    @Body(ValidationPipe) signinCredentialsDto: SignInCredentialsDto
): Promise<{ accessToken: string, refreshToken?: string, user?: JwtPayload }>{
    return this.authService.signIn(signinCredentialsDto);
}...
@UseGuards(JwtTwoFactorGuard)
@Get('/logout')...
@ApiBearerAuth()
@UseGuards(JwtRefreshTokenGuard)
@Post('/refresh-token')
async refreshToken(
   @GetUser() user: User,
   @Body() token: RefreshTokenDto
){
   const user_info = await this.authService.getUserIfRefreshTokenMatches(token.refresh_token, user.username)
   if (user_info) {
      const userInfo = {
         username: user_info.username,
         user_info: user_info.user_info
      }if (user.isTwoFactorEnable) {
         userInfo['isTwoFaAuthenticated'] = true;
         userInfo['isTwoFactorEnable'] = user.isTwoFactorEnable;
                
      }return this.authService.getNewAccessAndRefreshToken(userInfo)
    } else{
        return null
    }
}

And update auth/auth.module.ts file

controllers: [AuthController, TwoFactorAuth],
providers: [
   ...
   TwoFactorAuthService,
   ...
   JwtTwoFaStrategy
],
exports: [
   ...
   JwtTwoFaStrategy
]

So this is it. Just play around with swagger/postman And obviously the code in GitHub. I think this tutorial might help you.

Thank You !!!

Nestjs
Swagger
2fa Authentication
Postgresql
Docker Compose

--

--

Tushar Roy Chowdhury

Written by Tushar Roy Chowdhury

67 Followers

I am a passionate programmer and always keep eye on new technologies and scrutinize them until getting into shape.

More from Tushar Roy Chowdhury

See all from Tushar Roy Chowdhury

Recommended from Medium

Lists

A search field with results below. In the background are book covers.

Now in AI: Handpicked by Better Programming

266 stories154 saves
Databricks role-based and specialty certification line-up.

New_Reading_List

174 stories115 saves
See more recommendations

Help

Status

Writers

Blog

Careers

Privacy

Terms

About

Text to speech

Teams