Fullstack CourseLearn by building
Back to week 3

Topic

Notes API — Auth + list craft milestone

Definition

Milestone P3 proves cookie JWT auth, RBAC, paginated { data, meta } lists, and soft deletes with consistent counts on the Notes API.

In simpler words

Secure Notes like this monorepo’s tickets API — then run the Week 3 grader.

Maps to Week 3 auth and API craft. Match cookie JWT + RolesGuard patterns from apps/api.

After this you can

  • Login that sets httpOnly cookie; JwtAuthGuard + RolesGuard
  • Return paginated meta with page/limit/total/totalPages
  • Soft-delete with matching list and count filters

How to work this milestone

Definition

A milestone is an auto-checked Notes API stage in apps/notes-practice: read the official Nest chapter, inspect the monorepo reference, implement the stage, then run the grader.

In simpler words

Literacy quiz (≥80%) still matters. The milestone command proves you can ship the week’s code.

Official tutorial order: docs/academy/fe-to-api/README.md (Week 3 — AuthN / AuthZ).

Official docs: Nest Authentication + Authorization — https://docs.nestjs.com/security/authentication

Repo reference (read-only teaching slice): apps/api/src/modules/auth/*, common/auth/auth.decorators.ts, tickets list pagination

Supplemental Nest/SQL links live under /resources.

Implement in apps/notes-practice, then run: pnpm course:validate-milestone be-notes-p3

On green, the CLI posts POST /course/milestones/:id/complete (cookie session) so progress saves with passedVia=milestone.

Acceptance checklist

- [ ] httpOnly cookie login
- [ ] @Roles('admin') on delete + ForbiddenException path
- [ ] { data, meta } pagination + soft-delete filters
- [ ] pnpm course:validate-milestone be-notes-p3 is green

The grader encodes these checks; unchecked boxes mean the milestone is not done.

Deliverables

Definition

Deliverables are the concrete Nest files and behaviors this stage must produce.

In simpler words

Ship the smallest vertical slice that makes the grader green — not a redesign of the monorepo.

Cookie JWT login; @Public on login/health

Admin-only soft delete; member ownership on update

Paginated list excluding soft-deleted rows in data and total

Keep in mind

  • 401 = not authenticated; 403 = authenticated but wrong role.
  • Reuse the same QueryBuilder filters for page and count.

Test

Check your understanding

At least 10 questions — mix of concept, syntax, practical, and logic. Score ≥ 80% (enforced by the API) to save progress.

Checking your session…

10 questions · concept 3 · syntax 3 · practical 2 · logic 2

Concept1. Hands-on: which statement is correct about Notes P3 auth and list craft?
Syntax2. Hands-on: which implementation matches proving P3?
Practical3. Hands-on scenario for Notes P3 auth and list craft — what should you do?
Logic4. Hands-on: which reasoning about proving P3 holds up in production?
Concept5. Hands-on: which statement is correct about Notes P3 auth and list craft?
Syntax6. Hands-on: which implementation matches proving P3?
Practical7. Hands-on scenario for Notes P3 auth and list craft — what should you do?
Logic8. Hands-on: which reasoning about proving P3 holds up in production?
Concept9. Hands-on: which statement is correct about Notes P3 auth and list craft?
Syntax10. Hands-on: which implementation matches proving P3?