#Services across modules

Hello im creating authentication / authorization and i have guard called auth.guard

├── api
│   ├── authentication
│   │   ├── authentication.controller.ts
│   │   ├── authentication.module.ts
│   │   ├── authentication.service.ts
│   │   ├── constants.ts
│   │   ├── dto
│   │   │   ├── auth.dto.ts
│   │   │   └── session.dto.ts
│   │   └── guards
│   │       ├── protected.guard.ts
│   │       └── register.guard.ts
│   ├── authorization
│   │   ├── decorators
│   │   │   └── permission.decorator.ts
│   │   └── guards
│   │       └── permission.guard.ts
│   ├── user
│   │   ├── dto
│   │   │   └── user.dto.ts
│   │   ├── user.controller.ts
│   │   ├── user.module.ts
│   │   └── user.service.ts
```  here is sneak peek of my tree

the problem is

when i want to create user, login im requesting to authentication module,
from authentication module im getting info from user module

i have authentication guard in authentication module but if i have to use that guard somewhere else like for example "language" module, i have to import user module

i don't want to import is it easy way to inject

for example im using protectedRoute inside of siteSettings module

What does your user and authentication module look like?

[Nest] 33115  - 11/11/2023, 4:13:57 PM   ERROR [ExceptionHandler] Nest can't resolve dependencies of the ProtectedRoute (JwtService, ?). Please make sure that the argument UserService at index [1] is available in the SiteSettingsModule context.

Potential solutions:
- Is SiteSettingsModule a valid NestJS module?
- If UserService is a provider, is it part of the current SiteSettingsModule?
- If UserService is exported from a separate @Module, is that module imported within SiteSettingsModule?
  @Module({
    imports: [ /* the Module containing UserService */ ]
  })

That's your authentication module. User Module is what is relevant first.

Also, the error is for the SiteSettings Module. What does that module look like?

it uses protectedroute guard from authentication

problem is causing of this i guess

yes its because of that

ProtectedRoute is part of AuthenticationModule.
ProtectedRoute includes UserModule,

If i want to use protectedroute, i have to import user module

my question is, is it possible to not import and use it

Huh? Just because a controller has a guard on it, doesn't mean everything used in the guard is available to inject in the service.

But the error is saying you are trying to access the User Service in the SiteSettings service.

yes

it happens like this

SiteSettings ----------> ProtectedRoute --------------> UserService

And again, using a global guard in a controller doesn't set up the User service to be injectable in what it is guarding.

how can i make it injectable

You import the user module.

yes my question was that

is it possible to not import

Make it global?

smth like it yea

for example if i have 10 modules

i have to import UserModule even i don't want to change user data

goal of this is validate jwt with database

im getting user id and trying to valdiate

In the SiteSettings service?

in ProtectedRoute

but theoratically yea

Then import the user module into the module that defines the guard.

in site settings

is it good practice

even if i don't use module for modify data in user

Well, I'd say no, if you are working with JWTs. The JWT has the user info in it.

i just wanted to double check

if jwt.id === database.id

For what purpose?

actually

btw

i realized that while talking with u

that has no purpose

Well, in terms of refresh tokens, you should be keeping a white/ or blacklist, if you are doing JWTs properly.

You need to be able to revoke the tokens at will as a form of session control.

let me tell u my strategy

maybe you can tell pros cons

i have auth guard that checks if authorization header provided or not.
if provided decode jwt.

then set request.user to decoded jwt
if fail occurs, throw not authorized error.

but i'll implement refresh token

so my system will be

Login

check credentials
create jwt
create refresh token

set request.user
set request.refreshtoken

and in the auth guard, if its expired, im gonna use refresh token to refresh and set token of client

The server should send a 403 for the invalid access token and the client then sends a request to refresh with an http-only cookie. The server than checks the validity of the refresh token and if it is white listed, usually via a cache and if all is good, new tokens are issued and sent back.

should i store my token into cookies

The refresh token, yes! And http-only.

So the client code has no access to it.

what if jwt

i mean

access token

The access token can be sent back any way you'd like.

I send it as part of the login and refresh process responses.

ahh i get it

you don't send access token because you can reach it via req.user

oh wait

if i don't send access token to client

how do i use authorization header from client

I just said, you send back the access token in the successful login or refresh responses.

as a cookie right ?

oh no as a response

cuz client can't read if i sent it as cookie

No, as plain text, json value. The access token should be short lived, like 5 minutes at most. If anyone gets it, it will be old, before they can do any damage with it.

yea makes sense

access token is plain

refresh token is cookie with http only

Correct.

thank you scott

i was using passportjs and express sessions

i decided back to plain jwt

cuz i didn't get it passport it has some complex stuff