Intermediate workshop
Nx for Scalable Architecture
Master Nx to enforce architecture, speed up your development workflow and improve code quality
This article is the third part of a series that explores integrating Ory, within the NestJS framework. In the previous articles, we introduced Ory and its core components and discussed creating dedicated NestJS libraries to simplify Ory integration. In this post, we will build upon the concepts and libraries developed in the previous articles and dive into the practical aspects of integrating Ory in a NestJS application.
What is better than a concrete example to demonstrate the integration? Our demonstration app is a web-based platform (REST API) called CatFoster
CatFoster
Note: The CatFoster application is a simplified example that demonstrates the integration of Ory in a NestJS application. The application will not cover frontend development and deployment, focusing solely on showcasing the backend implementation of the authentication and authorization features of Ory.
The journey to integrate Ory in the CatFoster
Design Phase: We will outline the architecture, user flows, entities, and permissions for the CatFoster
Implementation Phase: We will create a new Nx workspace, set up a NestJS application, configure Ory Kratos and Ory Keto using Docker Compose, and implement the necessary modules, services, controllers, and entities to integrate Ory into the CatFoster application.
Testing Phase: We will start with manual testing and then write end-to-end tests for the application by running the application locally. This phase will show how to set up an Ory environment for testing.
Note: If this is your first time working with Ory, I recommend reading the Introduction to Ory article to familiarize yourself with the core components and concepts of Ory.
User Authentication and Profile Management:
Ory Integration: Utilize Ory's authentication system to handle user registrations, logins, password resets, and profile management.
User Roles: There is one static user role, Admin
Cat Profiles:
Listing and Management: Cat owners can create profiles for their cats, including photos, descriptions, special care instructions, and availability for fostering. Admins can edit and delete cat profiles.
Search and Filters: Users looking to foster cats can search for them based on filters.
Fostering Matchmaking:
Requests and Approvals: Cat fosters can send fostering requests to cat owners, who can review and approve or deny them based on the foster's profiles.
Authorization Checks: Use Ory to manage authorization, ensuring that only cat owners can approve fostering requests and only registered users can send requests.
Self-service UI: This is the frontend where users can log in and manage their accounts. It communicates directly with Ory Kratos for authentication-related tasks.
Ory Kratos: Handles authentication. It's responsible for user login, account management, and session management. It interacts with the NestJS app via HTTP webhooks to replicate user data on signup.
HTTP Webhooks: Serve as the communication link between Ory Kratos and the NestJS app, ensuring the user is replicated in the local database upon signup.
NestJS App: The core of your application is handling business logic, CRUD operations with the Postgres database, authentication checks with Ory Kratos, and authorization with Ory Keto.
Ory Keto: Manages authorization, determining what authenticated users are allowed to do within the application.
Postgres: The database where user data (replicated from Ory on signup), cat profiles and fostering requests are stored. The NestJS app interacts with Postgres for all data storage and retrieval operations.
To visualize the user flow for the CatFoster
It all starts with the user creating a cat profile. Once the profile is created, the user (owner or member of the admin group) can update or delete it. The following sequence diagrams illustrate these flows.
This flow ensures that users can request to foster a cat only if they meet specific criteria, such as not being the cat's owner and not already fostering this cat. This mechanism helps prevent conflicts and ensures a smooth fostering process.
This flow ensures that only cat owners can approve fostering requests, maintaining control over who fosters their cats.
The diagram below represents the entities of CatProfile
User
Fostering
User: Represents users of the system, which can be cat owners, fosters, or both. Attributes include basic user information like id
name
email
ownedCats
CatProfile
fosteringActivities
Fostering
CatProfile: Represents the profiles of cats available for fostering. Attributes include the cat's id
name
age
description
ownerId
User
photosUrls
Fostering
Fostering: Represents a fostering arrangement between a user (foster) and a cat. Attributes include id
catId
CatProfile
fosterUserId
User
startDate
endDate
status
In Ory Keto (the authorization component of Ory), developers can express relationships using the Ory Permission Language. You can compare them to DDD Aggregates, where relations between entities and permissions are defined based on the context of the user and the entity with which they interact.
Ory uses the following terminology:
Subjects: users or groups interacting with the system (e.g., User
Objects: entities in the system (e.g., CatProfile
Fostering
Relations: associations between objects (e.g., owns
participatesIn
includedIn
Permissions: actions that users can perform on objects (e.g., edit
foster
approve
To manage access control in the CatFoster
Note: The permissions will be implemented using Ory Permission Language Code in the following steps.
Note The relations are always defined as arrays to allow multiple users or groups to be associated with a specific entity. The permissions are defined as functions that receive a context object and return a boolean value based on the user's authorization level.
In the implementation phase, we will create a new Nx workspace containing our NestJS application, configure Ory Kratos and Ory Keto using Docker Compose, and set up the necessary modules, services, controllers, and entities to integrate Ory into the CatFoster application.
Create a new Nx workspace using the following command:
Install the NestJS plugin for Nx:
Add a new NestJS application to the workspace:
Install the required libraries:
Intermediate workshop
Master Nx to enforce architecture, speed up your development workflow and improve code quality
We will use Docker Compose to set up Ory Kratos and Ory Keto services. This setup will allow us to run these services locally and interact with them from our NestJS application.
To make the Ory services configuration process more straightforward and reusable for all environments (self-hosted and cloud), we will create separate (template) configuration files for Ory Kratos and Ory Keto that can be extended with environment-specific values.
As a convention, we will:
create an infra
prefix environment variables with the service name (e.g., kratos_
keto_
Note: Ory Kratos and Ory Keto supports directly using environment variables for configuration. However, using configuration files can be more convenient for managing multiple environments and sharing configurations across different services and more importantly, to configure the Ory Network (the cloud offering of Ory) tenant.
Our Ory Kratos configuration will require four different files:
kratos-template.yaml:
In this file, we use the notation @@
##
The configuration file template includes settings for Ory Kratos's self-service UI, authentication methods, error handling, and session management. These settings can be adjusted based on your application's requirements and security policies.
In the configuration file:
In dsn
In selfservice.flows.registration.after
In identity.schemas
Tips:
For a complete list of configuration options and their descriptions, refer to the Configuration Reference.
The easiest way to create a configuration file for Ory Kratos is to use the Configuration Editor tool. This tool provides a user-friendly interface to generate a configuration file based on your application's requirements and security policies.
identity.schema.json:
In this file, we set the JSON schema to represent the user identity, including the required properties, formats, and additional settings for authentication, verification, and recovery. Ory Kratos will use this schema to validate user data and enforce security policies.
Tips: You can learn more about the Ory Kratos identity schema and how to customize it for your application in the Ory Kratos documentation.
after-webhook.jsonnet:
This Jsonnet file defines the payload to be sent to the webhook server after a successful registration. In this example, we check if the user's email starts with "test-" and cancel the registration process. You can customize this file to include additional data or perform specific actions based on your application's requirements.
Tips: You can customize this file to include additional data or perform specific actions based on your application's requirements, see docs.
Ory Keto's configuration is less complex than Ory Kratos, as it focuses on defining relationships between entities and permissions based on the Ory Permission Language. We will create three files for Ory Keto:
keto-template.yaml:
The namespace.location
namespaces.ts
Tips:
For a complete list of configuration options and their descriptions, refer to the Configuration Reference.
The easiest way to create a configuration file for Ory Keto is to use the Configuration Editor tool.
namespaces.ts:
This file defines the namespaces, relations, and permissions for Ory Keto. It includes the relationships between entities (e.g., User
CatProfile
Fostering
edit
foster
approve
The built-in types from the @ory/permission-namespace-types
To substitute the placeholders in the configuration files with actual values (from the .env
This script makes the workflow (much) more efficient and less error-prone than manually updating the configuration files. You should check it out in the tools/ory/generate-config.ts.
We can consume it with the package.json
Note: As a convention, I created a
directory at the root of the workspace to store the helper scripts and utilities. tools
docker-compose.yaml:
Our Docker Compose configuration will include services for Ory Kratos, Kratos self-service UI, Ory Keto, and a PostgreSQL database to store user and cat profile data. We will also include a service for MailSlurper, a fake SMTP server that we will use to test email notifications.
Note:
The
and kratos-migrate
services run the database migrations for Ory Kratos and Ory Keto, respectively, before starting the main services. keto-migrate
The
service runs the self-service UI for Ory Kratos, allowing users to interact with the authentication flows with a user-friendly interface. kratos-selfservice-ui-node
.env:
Create a .env
.env.example
Note: The
and keto_dsn
values are the connection strings for the PostgreSQL databases used by Ory Keto and Ory Kratos, respectively. These values should match the database services' configurations in the kratos_dsn
file. They are set to docker-compose.yaml
by default, meaning the data will be stored in memory and lost when the service is restarted. memory
To test the configuration, run the following commands:
In the next steps, we will create the necessary modules, services, controllers, and entities in the NestJS application to integrate Ory Kratos and Ory Keto into the CatFoster application.
Each domain (User, CatProfile, Fostering) will have a scoped directory. Under the libs
user
cat
fostering
However, entities will be shared in a single directory - entities
libs
Intermediate workshop
Mastering NestJS: From Basics to Advanced Application Design
Each domain will have an entity class using TypeORM decorators to define the database schema. Entities' primary and foreign keys will be UUIDs, and the relationships will be declared using the @ManyToOne
@OneToMany
@ManyToMany
subjects
objects
The entities library with Nx generators:
You can refer to the entity classes in the following files:
The @nestjs/config module will load environment variables and configuration files into the NestJS application. The configuration module will be responsible for loading the Ory Kratos and Ory Keto configuration files and making them available to the application.
To validate the configuration, we will create an environment-variables.ts
Note:
When using the cloud hosted Ory Network,
, ORY_KETO_ADMIN_URL
, ORY_KETO_PUBLIC_URL
, and ORY_KRATOS_PUBLIC_URL
should be configured with the Ory Network tenant URL. ORY_KRATOS_ADMIN_URL
and ORY_KETO_API_KEY
should be set to the API key generated on the Ory Network tenant. ORY_KRATOS_API_KEY
is a custom API key used to authenticate requests from Ory Kratos webhooks. It should be the same as the one configured in the Ory Kratos configuration file via ORY_ACTION_API_KEY
environment variable. selfservice_flows_registration_after_hook_config_auth_config_value
The
function is consumed by the validateEnvironmentVariables
, it uses the ConfigModule
library to validate the environment variables based on the class-validator
class. If any validation errors occur, the function throws an error with the details of the validation errors. EnvironmentVariables
The UsersModule
The UsersController
To protect the routes, we will create the OryActionGuard
OryAuthenticationGuard
Note:
The
and onSignUp
methods handle the requests from the Ory Kratos webhooks for user registration and sign-in. The onSignIn
method retrieves the current user information from the Ory Kratos session. getCurrentUser
The
authenticates requests from Ory Kratos webhooks using the OryActionGuard
environment variable. The ORY_ACTION_API_KEY
authenticates users using the Kratos session passed in the request headers (cookie or authorization token) and sets the user information in the request object. OryAuthenticationGuard
The paths for the
and onSignUp
methods should match the paths defined in the Ory Kratos configuration file for the respective webhooks ( onSignIn
and selfservice_flows_login_after_hook_config_url
) selfservice_flows_registration_after_hook_config_url
Check the previous article for more details on the OryAuthenticationGuard
The UsersService
After signing up, create an internal user and bind it to the new identity under the metadata_public
Before signing in, check if the identity has a verified email address unless the identity schema does not require email verification.
Note:
In the
method modifies the identity before its storage in the Ory Kratos DB, see documentation here. Since the identity is not created yet, the identity id is set to onSignUp
. 00000000-0000-0000-0000-000000000000
In the
method, if the user's email address is not verified, an error is thrown to prevent login, see documentation. This logic is similar to the original onSignIn
hook in Ory Kratos. Unless the identity schema does not require email verification, the user can log in without a verified email address. We will use this logic to skip the email verification step for our end-to-end tests. The require_verified_address
class is a custom error class that extends the OryWebhookError
class from NestJS. It formats the error response in the format expected by Ory Kratos webhooks allowing the error message to be displayed in the Self-Service UI. HttpException
The CatProfilesModule
The CatProfilesController
OryAuthenticationGuard
OryAuthorizationGuard
Note:
The
uses the CatProfilesController
decorator to define permissions that needs to be evaluated in OryPermissionChecks
. OryAuthorizationGuard
For more details on the
check the previous article and the source code in the GitHub repository. OryAuthorizationGuard
The functions isOwnerPermission
isAdminPermission
ExecutionContext
Note: The tuple will look like
for the CatProfile:<catProfileId>#owners@User:<currentUserId>
function and isOwnerPermission
for the Group:admin#members@User:<currentUserId>
function. isAdminPermission
The CatProfilesService
CatProfileSchema Repository
Note:
The
uses the CatProfilesService
to create relationships between users and cat profiles in Ory Keto. The OryRelationshipsService
and createAdminRelationship
methods create relationships between the cat profile and the admin group and the user, respectively. The createOwnerRelationship
and deleteAdminRelationship
methods delete the relationships when the cat profile is deleted. deleteOwnerRelationship
To understand the relationship queries, refer to the Ory Keto example and the
documentation. @getlarge/keto-relations-parser
The FosteringModule
The FosteringController
CatProfilesController
OryAuthenticationGuard
OryAuthorizationGuard
Note: The
, canRequestFosteringPermission
, canReadFosteringPermission
and canApproveFosteringPermission
factories will return the following relationship tuples: canRejectFosteringPermission
for the CatProfile <catProfileId>#foster@User:<userId>
function canRequestFosteringPermission
for the Fostering: <fosteringId>#read@User:<userId>
function canReadFosteringPermission
for the Fostering <fosteringId>#approve@User:<userId>
function canApproveFosteringPermission
for the Fostering:<fosteringId>#reject@User:<userId>
function canRejectFosteringPermission
The FosteringService
FosteringSchema Repository
The user who requested the fostering can edit the request
The cat profile owner can approve or reject the fostering request
Both can read the fostering request
Note: The
and catProfileRelationQuery
factories will return the following relationship tuples: participantRelationQuery
for the Fostering:<fosteringId>#participants@User:<userId>
function participantRelationQuery
for the Fostering:<fosteringId>#catProfiles@CatProfile:<catProfileId>
function catProfileRelationQuery
The AppModule
UsersModule
CatProfilesModule
FosteringModule
ConfigModule
LoggerModule
TypeOrmModule
Note:
When running the application in test mode, the
will load the ConfigModule
file; this will allow us to use a different database for end-to-end testing. .env.test
The
is configured to connect to the PostgreSQL database using the TypeOrmModule
environment variable. POSTGRES_URL
We made it; we are the Ory champions! ๐ But wait, we must test our application to ensure everything works as expected.
We will start with a round of manual tests to ensure the application behaves as expected. We will create users, assign users to the admin group, edit cat profiles, and manage fostering requests.
I built some CLI tools to help you with the manual tests:
kratos-cli will help you create users and generate session tokens to authenticate against the API.
keto-cli will help you to create relationships and check permissions.
First of all, start the services and the API:
Use the link in the email sent to the user:
check email in the local MailSlurper UI
open the latest email with the subject: Please verify your email address
click on the link ๐
Then copy the session token (starting with ory_st) and paste it in the Authorization
Reproduce the steps above to create a new user and get the user_id
keto-cli
It should log the generated relationship:
You can test the permissions by:
updating a cat profile that does not belong to you, using the cat_profile_id
updating a cat profile with an admin user => it should succeed.
You can test the permissions by:
requesting a fostering for a cat profile that does not belong to the current user => it should succeed.
requesting a fostering for a cat profile that belongs to the current user => it should be forbidden.
You can test the permissions by:
approving a fostering request targeting the current user's cat profile => it should succeed.
approving a fostering request targeting another user's cat profile => it should be forbidden.
To show you how to configure Ory for your automated tests, we will create end-to-end tests to manage cat profiles.
One of the great benefits of Ory is that you can quickly adapt the configuration for the testing environment and apply it to your Docker containers. For instance, we don't need to persist the data in the Kratos and Keto databases between tests. We can also turn off the email address verification in the Kratos configuration to simplify the testing process.
create .env.test
create apps/cat-fostering-api/.env.test
use Jest global setup to reconfigure Ory Kratos and Ory Keto and initialize the test database before running the tests
use Jest global teardown to clean up the test database and revert the Ory Kratos and Ory Keto configurations after running the tests
build factories to create users and cat profiles
write the end-to-end tests
start the application in test mode npx nx run cat-fostering-api:serve:test
NODE_ENV
test
run the tests npx nx run cat-fostering-api-e2e:e2e
Create a .env.test
.env.example
Create the apps/cat-fostering-api/.env.test
We will use the Jest files auto-generated by Nx to configure the global setup and teardown hooks.
To configure the global setup, update the apps/cat-fostering-api-e2e/src/support/global-setup.ts
Note:
The
function is a helper function to ensure the test database exists and is clean. It will use the same configuration as the application. createTestConnection
The
will be used to destroy the connection in the global teardown. globalThis.__DB_CONNECTION__
The
will be used to log the teardown message. globalThis.__TEARDOWN_MESSAGE__
The
function is used to run the scripts to generate the Ory test configuration and restart the Docker containers. execSync
Continue with the global teardown configuration in the apps/cat-fostering-api-e2e/src/support/global-teardown.ts
Note: The global teardown will destroy the test database connection and revert the Ory configurations to the initial state.
The factories will wrap the CLI tools we used for the manual tests to create users and permissions. You can find them in the apps/cat-fostering-api-e2e/src/cat-fostering-api/helpers.ts
The end-to-end tests suite will use the factories to create users (including one admin) and cat profiles. To verify that the application creates relationships correctly, we will send HTTP requests to the API to test the following scenarios:
An (authenticated) user can access their profile
An (authenticated) user can create a cat profile
A user can update a cat profile they own
An admin can update any cat profile
A user cannot update a cat profile they do not own
If you have made it this far, congratulations! ๐ You have successfully integrated Ory into your NestJS application. You have learned how to configure Ory Kratos and Ory Keto for multiple environments, create libraries to interact with the Ory services, and use the Ory APIs in your application.
The following step would be to deploy the application to a cloud provider and use the Ory Network instead of the local containers, which I highly recommend and will be the topic of the upcoming post.