Middleware & Guards

The NestJS request pipeline processes each request through multiple layers before it reaches the controller.

Request → Middleware → Guard → Interceptor → Controller → Exception Filter → Response

Middleware

Global Middleware

Middleware	Description
`withCorrelationId`	Attaches a unique correlation ID to every request for distributed tracing
`CorsMiddleware`	Configures Cross-Origin Resource Sharing rules

Guards

Guards handle authentication and authorization. They run before the controller and can reject requests.

Authentication Guards

Guard	Token Type	Used By
`RetailerAuthGuard`	Retailer JWT	Retailer management endpoints
`AdminAuthGuard`	Admin JWT	Admin panel operations
`ApiKeyAuthGuard`	API Key	Reporting API, external integrations
`PortalAuthGuard`	Portal JWT	Merchant portal SSO
`ReactivateAuthGuard`	Reactivate token	Reactivate module endpoints
`ReactivateApiKeyGuard`	API Key	Reactivate API access

Rate Limiting Guards

Guard	Description
`GqlThrottlerGuard`	Rate limiting for GraphQL operations (Redis-backed)
`EmailRateLimitGuard`	Per-email address rate limiting
`IpRateLimitGuard`	Per-IP address rate limiting
`IpBlacklistGuard`	IP blacklist filtering

Access Control Guards

Guard	Description
`WorkEmailGuard`	Validates work email domains for access
`CachedReportGuard`	Serves cached reports when available
`CustomerManagementGuard`	Controls bulk customer operations
`InternalCatalogGuard`	Restricts product catalog access

Interceptors

Interceptors wrap the execution of controllers, allowing pre- and post-processing.

Interceptor	Description
`AuditLoggingInterceptor`	Records audit trail for retailer operations
`ReportDeduplicationInterceptor`	Prevents duplicate webhook processing

Exception Filters

Exception filters transform errors into consistent API responses.

Filter	Description
`ShoptokenErrorFilter`	Custom error formatting for domain-specific errors
`BadRequestExceptionFilter`	Transforms validation errors into readable responses

Request Pipeline Example

// A typical protected endpoint
@Controller('reactivate')
@UseGuards(ReactivateAuthGuard)       // 1. Validate reactivate token
@UseInterceptors(AuditLoggingInterceptor) // 2. Log the operation
export class CampaignController {

  @Post('campaigns')
  @UseGuards(IpRateLimitGuard)        // 3. Rate limit by IP
  async createCampaign(@Req() req) {
    // 4. Controller logic
    return this.campaignService.create(req.body);
  }
}

Introduction

Getting Started

Core Concepts

Integrations

Modules

Infrastructure

Middleware & Guards

Middleware

Global Middleware

Guards

Authentication Guards

Rate Limiting Guards

Access Control Guards

Interceptors

Exception Filters

Request Pipeline Example

Introduction

Getting Started

Core Concepts

Integrations

Modules

Infrastructure

​Middleware

​Global Middleware

​Guards

​Authentication Guards

​Rate Limiting Guards

​Access Control Guards

​Interceptors

​Exception Filters

​Request Pipeline Example

Middleware

Global Middleware

Guards

Authentication Guards

Rate Limiting Guards

Access Control Guards

Interceptors

Exception Filters

Request Pipeline Example