Week 3 — Auth, contracts & API craft
Secure Nest APIs with JWT/RBAC, shape contracts, and craft list endpoints — then ship Notes P3 as this week’s mini-project.
- 1. JSON Web Tokens (JWT)Open
This API issues JWTs on login and reads them from an httpOnly cookie on every request. Bearer-header JWTs are the same token format used by mobile apps and API tooling — a useful mental model even though the browser flow here relies on cookies.
- 2. RBAC & guardsOpen
Two guards run globally on every request in this API: JwtAuthGuard decides who you are, RolesGuard decides what your role allows.
- 3. Middleware vs guards vs pipesOpen
Correlation ids, JWT/role checks, and DTO validation look similar — “code that runs before my controller” — but belong in different stages for a reason.
- 4. DTOs & validationOpen
Ground this in CreateTicketDto, UpdateTicketDto, and ListTicketsQueryDto, plus the global ValidationPipe options set in main.ts.
- 5. Error contracts / HTTP exceptions → stable JSONOpen
Ground in AllExceptionsFilter and ApiErrorBody from @repo/contracts.
- 6. Swagger / OpenAPI — reading /docsOpen
This API already wires Swagger in main.ts. Treat this topic as conceptual: understand what generates the document and how to read it, rather than configuring it from scratch.
- 7. Pagination & filteringOpen
Ground this in ListTicketsQueryDto and the query-builder pagination in TicketsService.list.
- 8. Soft deletesOpen
This repo currently hard-deletes tickets. Use that as the contrast case for understanding what a soft delete would change.
- 9. N+1 & loading strategyOpen
Ground this in Ticket’s assignee relation, which TicketsService.list does not currently join — a natural place N+1 could creep in.
- 10. Project planning & ERD (tickets domain)Open
This repo already has a small, real ERD: users and tickets, related by an optional assignment. Read the existing shape before extending it.
- 11. Core API vertical-slice checklistOpen
Use the tickets endpoints as the reference: every route already satisfies this checklist, which is why they are a good template for a new one.
- 12. Notes API — Auth + list craft milestoneOpen
Maps to Week 3 auth and API craft. Match cookie JWT + RolesGuard patterns from apps/api.
End-of-week mini-project · practice only
Notes API — Auth + list craft (P3)
Cookie JWT, RBAC, paginated { data, meta }, and soft-delete-safe counts on Notes.
Definition. Week 3’s mini-project is Notes P3: secure the Notes API and ship correct list pagination with soft deletes.
In simpler words. Match this monorepo’s auth style. Prove the auth matrix and meta counts with the P3 grader.
Deliverables
- httpOnly cookie login; JwtAuthGuard + RolesGuard
- Paginated list meta; soft-delete filters on page and count
- Admin-only soft delete; ownership on update
Acceptance checklist
- [ ] 401 vs 403 understood and implemented
- [ ] Soft-deleted rows excluded from data AND total
- [ ] pnpm course:validate-milestone be-notes-p3 is green
- [ ] Open topic be-notes-p3 for Nest auth doc linksTips
- Copy cookie JWT patterns from apps/api auth — not a new auth style.