
Protected routes with guards in NestJS - Step-by-Step Execution

Concept Flow - Protected routes with guards
Request to route -> Guard checks condition -> Allow -> Route handler executes
When a request comes in, the guard checks if access is allowed. If yes, the route runs. If no, access is denied.
Execution Sample
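```typescript
import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';

@Injectable()
export class AuthGuard implements CanActivate {
  // Runs before the route handler; returning false makes Nest reject the request.
  canActivate(context: ExecutionContext): boolean {
    const request = context.switchToHttp().getRequest();
    // Allow only when something earlier in the pipeline attached a user object.
    return !!request.user;
  }
}
```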
This guard checks if the request has a user object to allow access.
Execution Table
| Step | Action | Request.user | Guard Result | Route Execution |
|------|--------|--------------|--------------|-----------------|
| 1 | Request arrives at protected route | undefined | Check if user exists | No |
| 2 | Guard runs canActivate() | undefined | false | Blocked, 403 returned |
| 3 | Request arrives at protected route | { id: 1, name: 'Alice' } | Check if user exists | Yes |
| 4 | Guard runs canActivate() | { id: 1, name: 'Alice' } | true | Route handler runs |
💡 Execution stops when guard returns false, blocking access with 403.
Variable Tracker
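| Variable | Start | After Step 1 | After Step 3 | Final |
|----------|-------|--------------|--------------|-------|
| request.user | undefined | undefined | { id: 1, name: 'Alice' } | { id: 1, name: 'Alice' } |
| guard.canActivate result | N/A | false | true | true |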
Key Moments - 2 Insights
Why does the route handler not run when request.user is undefined?
Because the guard's canActivate method returns false (see execution_table step 2), blocking access before the route runs.
What does the guard check to allow access?
It checks if request.user exists and is truthy (execution_table steps 3 and 4). If yes, it returns true to allow the route.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table at step 2. What is the guard's result when request.user is undefined?
A. false
B. true
C. undefined
D. throws error
💡 Hint
Check the 'Guard Result' column at step 2 in the execution_table.
At which step does the route handler run?
A. Step 2
B. Step 4
C. Step 3
D. Step 1
💡 Hint
Look at the 'Route Execution' column in the execution_table.
If request.user is always undefined, what will happen to all requests?
A. All requests are allowed
B. Some requests allowed, some blocked
C. All requests are blocked
D. Guard throws an error
💡 Hint
Refer to variable_tracker for request.user values and guard results.
Concept Snapshot
Protected routes use guards to check access.
Guard's canActivate returns true or false.
If true, route runs; if false, access denied (403).
Common check: request.user exists.
Guards run before route handlers.
Full Transcript
In NestJS, protected routes use guards to control access. When a request comes in, the guard's canActivate method runs. It checks if the request has a user object. If the user exists, canActivate returns true, allowing the route handler to execute. If not, it returns false, blocking access and returning a 403 error. This process ensures only authenticated users reach protected routes.
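
The AuthGuard above is only as strong as whatever populates request.user before it runs. As an added example (not part of the original tutorial), the hypothetical SessionAuthGuard below derives request.user itself from a bearer token looked up in a server-side session store and denies missing, unknown and expired tokens. Assumptions: the types Req, HttpContext and Session, the token values and the in-memory Map are constructed so the file runs without @nestjs/common; in a Nest application the class would carry @Injectable() and implement CanActivate.

```typescript
// Added example. Local stand-ins so the file runs without @nestjs/common;
// HttpContext is the subset of Nest's ExecutionContext that the guard uses.
type User = { id: number; name: string };
type Req = { headers: Record<string, string | undefined>; user?: User };
type HttpContext = { switchToHttp(): { getRequest(): Req } };
type Session = { user: User; expiresAt: number }; // expiry in ms since epoch

// Hypothetical guard: derives request.user from a server-side session store
// instead of trusting whatever an earlier layer left on the request.
class SessionAuthGuard {
  private readonly sessions: Map<string, Session>;
  private readonly now: () => number;

  constructor(sessions: Map<string, Session>, now: () => number = () => Date.now()) {
    this.sessions = sessions;
    this.now = now;
  }

  canActivate(context: HttpContext): boolean {
    const request = context.switchToHttp().getRequest();
    delete request.user; // never inherit an identity this guard did not verify

    // Accept only "Bearer <token>"; a missing or malformed header is denied.
    const header = request.headers['authorization'] ?? '';
    const token = /^Bearer ([A-Za-z0-9._~-]+)$/.exec(header)?.[1];
    if (!token) return false;

    // Deny unknown tokens and sessions whose expiry has passed.
    const session = this.sessions.get(token);
    if (!session || session.expiresAt <= this.now()) return false;

    request.user = session.user; // handlers see only the verified identity
    return true;
  }
}

// Constructed sample data: one live and one expired session, clock fixed at t=1000.
const sessions = new Map<string, Session>([
  ['tok-alice', { user: { id: 1, name: 'Alice' }, expiresAt: 2000 }],
  ['tok-old', { user: { id: 2, name: 'Bob' }, expiresAt: 500 }],
]);
const guard = new SessionAuthGuard(sessions, () => 1000);

// Wraps a plain request object the way Nest's context would expose it.
function check(request: Req): boolean {
  return guard.canActivate({ switchToHttp: () => ({ getRequest: () => request }) });
}
```

As in the tutorial's guard, returning false here results in a 403 response.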