# Authentication & Authorization
JWT-based authentication system with access/refresh token rotation and multi-layer authorization.
## Architecture
Source: `src/auth/`
### Authentication Flow
- User sends credentials to `POST /auth/login`
- Server validates the password against the stored bcrypt hash
- Access token (15 min) and refresh token (7 days) are issued
- Refresh token is stored hashed in Redis
- Every request is validated by `JwtAuthGuard`
### Security Guard Chain
`JwtAuthGuard` → `PermissionsGuard` → `RateLimitGuard` → `AccountLockoutGuard` → `TenantInterceptor`
## API Endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | `/auth/login` | Login with email/password |
| POST | `/auth/register` | Register new user |
| POST | `/auth/refresh` | Refresh access token |
| POST | `/auth/logout` | Invalidate tokens |
| POST | `/auth/forgot-password` | Request password reset |
| POST | `/auth/reset-password` | Reset password with token |
## Key Modules
| Module | Description |
|---|---|
| `AuthModule` | Login, register, token management |
| `UsersModule` | User CRUD and profile management |
| `TwoFactorModule` | TOTP-based 2FA |
## Token Management
- Access token: short-lived JWT (15 minutes), carried in the `Authorization: Bearer` header
- Refresh token: long-lived (7 days), stored hashed in Redis, rotated on every use
- Token invalidation: all tokens revoked on password change or logout
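The token lifecycle above (issue, validate, rotate, revoke), as an added example that is not the project's own code. It uses a minimal HS256 JWT and an in-memory `Map` standing in for Redis so it runs without dependencies; the class and function names, the `sub`/`exp` claim layout and the SHA-256 hashing of the refresh token are assumptions, and the 15-minute / 7-day lifetimes are the page's.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from "crypto";

// Lifetimes from the page: 15-minute access token, 7-day refresh token.
export const ACCESS_TTL_SEC = 15 * 60;
export const REFRESH_TTL_SEC = 7 * 24 * 60 * 60;

const b64url = (s: string): string => Buffer.from(s).toString("base64url");

// Minimal HS256 JWT; a stand-in for whatever JWT library the project uses (assumption).
export function signAccessToken(userId: string, secret: string, nowSec: number): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ sub: userId, iat: nowSec, exp: nowSec + ACCESS_TTL_SEC }));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// What a JwtAuthGuard has to establish on every request: the algorithm is the one
// we expect, the signature is ours, and the token has not expired.
export function verifyAccessToken(token: string, secret: string, nowSec: number): { sub: string } | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  try {
    const hdr = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
    if (hdr.alg !== "HS256") return null; // reject alg confusion before touching the signature
    const expected = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
    const given = Buffer.from(sig, "base64url");
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
    const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
    if (typeof claims.sub !== "string" || typeof claims.exp !== "number" || claims.exp <= nowSec) return null;
    return { sub: claims.sub };
  } catch {
    return null; // malformed base64 or JSON
  }
}

interface RefreshRecord { userId: string; expSec: number }
interface TokenPair { accessToken: string; refreshToken: string }

export class TokenService {
  // Stand-in for Redis: SHA-256(refresh token) -> owner/expiry, plus a per-user index
  // so logout and password change can revoke every refresh token the user holds.
  private byHash = new Map<string, RefreshRecord>();
  private byUser = new Map<string, Set<string>>();
  private readonly secret: string;

  constructor(secret: string) {
    this.secret = secret;
  }

  private hash(token: string): string {
    return createHash("sha256").update(token).digest("hex");
  }

  issue(userId: string, nowSec: number): TokenPair {
    const refreshToken = randomBytes(32).toString("base64url"); // opaque, 256 bits of entropy
    const h = this.hash(refreshToken);
    this.byHash.set(h, { userId, expSec: nowSec + REFRESH_TTL_SEC });
    if (!this.byUser.has(userId)) this.byUser.set(userId, new Set());
    this.byUser.get(userId)!.add(h);
    return { accessToken: signAccessToken(userId, this.secret, nowSec), refreshToken };
  }

  // Rotation: the presented token is consumed before a new pair is issued, so a
  // replay of the same refresh token (by the client or by a thief) fails.
  refresh(refreshToken: string, nowSec: number): TokenPair | null {
    const h = this.hash(refreshToken);
    const rec = this.byHash.get(h);
    if (!rec) return null;
    this.byHash.delete(h);
    this.byUser.get(rec.userId)?.delete(h);
    if (rec.expSec <= nowSec) return null;
    return this.issue(rec.userId, nowSec);
  }

  // Logout / password change: drop every refresh token the user holds. Returns how many.
  revokeAll(userId: string): number {
    const hashes = this.byUser.get(userId) ?? new Set<string>();
    for (const h of hashes) this.byHash.delete(h);
    this.byUser.delete(userId);
    return hashes.size;
  }
}
```

One caveat this example makes visible: `revokeAll` only removes refresh tokens. A stateless JWT access token that is already in flight stays valid until its `exp` (at most 15 minutes here) unless the guard also consults a denylist or checks a per-user "tokens issued before" timestamp; the short access-token lifetime is what bounds that window.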
## Permissions
The system uses a role-based permission model. Every non-public controller must have a `@Permissions()` decorator.
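The role-based check and the "every non-public route declares its permissions" rule, as an added example that is not the project's code. It is framework-free: a route table stands in for the metadata that `@Permissions()` and a `@Public()` marker would attach to handlers, and `canActivate` stands in for the guard's decision. Role, permission and route names are assumptions, as is the choice that a route must satisfy every declared permission.

```typescript
// Assumed permission vocabulary and role -> permission mapping (not from the page).
type Permission = "users:read" | "users:write" | "billing:read";

const ROLE_PERMISSIONS: Record<string, readonly Permission[]> = {
  admin: ["users:read", "users:write", "billing:read"],
  support: ["users:read"],
  viewer: [],
};

// Stand-in for the metadata @Permissions() / @Public() would attach to a handler.
interface RouteMeta { public?: boolean; permissions?: readonly Permission[] }

export const ROUTES: Record<string, RouteMeta> = {
  "POST /auth/login": { public: true },
  "GET /users": { permissions: ["users:read"] },
  "DELETE /users/:id": { permissions: ["users:write"] },
  "GET /billing": { permissions: ["billing:read"] },
  "GET /reports": {}, // decorator forgotten: must be denied at runtime and caught by the audit
};

// Union of the permissions granted by the user's roles; unknown roles grant nothing.
export function resolvePermissions(roles: readonly string[]): Set<Permission> {
  const held = new Set<Permission>();
  for (const role of roles) for (const p of ROLE_PERMISSIONS[role] ?? []) held.add(p);
  return held;
}

// Guard decision: public routes pass; otherwise every declared permission must be
// held. An unknown or undeclared route is denied (fail closed), never silently allowed.
export function canActivate(route: string, roles: readonly string[], table = ROUTES): boolean {
  const meta = table[route];
  if (!meta) return false;
  if (meta.public) return true;
  if (!meta.permissions || meta.permissions.length === 0) return false;
  const held = resolvePermissions(roles);
  return meta.permissions.every((p) => held.has(p));
}

// Audit for the page's rule: every route that is neither public nor annotated.
// Run at boot or in CI and fail if it returns anything.
export function undeclaredRoutes(table = ROUTES): string[] {
  return Object.keys(table).filter((k) => !table[k].public && !(table[k].permissions?.length));
}
```

In the real chain the same decision would read decorator metadata through NestJS's `Reflector` inside `PermissionsGuard`, which runs after `JwtAuthGuard` has attached the user; the fail-closed branch is what turns a forgotten decorator into a 403 instead of an open endpoint.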
See Two-Factor Authentication for 2FA implementation details.