nestjs.ts
@Controller(�0�)
export class UsersController {
constructor(private usersService: UsersService) {}
@Get(�3�)
findOne(@Param(�5�) id: string) {
return this.usersService.findOne(id);
}
}I have built production backends in Express, FastAPI, Spring Boot, and Go. I have mass migrated entire systems. I have onboarded junior developers and watched them struggle with "flexible" frameworks. After years of dealing with tradeoffs, I keep coming back to NestJS. This is not a balanced comparison. This is my honest take on why NestJS wins for most backend applications.
#The Problem With "Flexibility"
Express developers love to brag about flexibility. You can structure your project however you want! Use any pattern! Total freedom!
That freedom is a trap.
// Express Project A: Function-based handlers
app.get('/users', getUsersHandler);
app.post('/users', createUserHandler);
// Express Project B: Class-based controllers
router.get('/users', userController.getAll.bind(userController));
router.post('/users', userController.create.bind(userController));
// Express Project C: Route configuration objects
const routes = [
{ method: 'get', path: '/users', handler: 'UserController.getAll' },
{ method: 'post', path: '/users', handler: 'UserController.create' },
];
routes.forEach(r => {
const [ctrl, method] = r.handler.split('.');
apiRouter[r.method](r.path, controllers[ctrl][method]);
});
// Express Project D: Some hybrid monstrosity
app.use('/api/v1', apiRouter);
app.use('/api/v2', apiRouterV2);
legacyRoutes.forEach(r => app[r.method](r.path, legacyMiddleware, r.handler));When you join a new Express project, you spend the first week just understanding how they organized things. Middleware scattered across five different folders. Services that are just exported functions with no clear boundaries. No dependency injection, so everything imports everything else directly. Global state hidden in closures. Authentication logic duplicated because nobody knew where the "official" auth middleware lived.
I have seen Express codebases where finding the handler for a single endpoint required tracing through four files of route composition. I have seen others where a 3000-line app.js contained every route, every middleware, and half the business logic.
This is not flexibility. This is chaos with a marketing budget.
#The NestJS Structure: Opinionated and Correct
Every NestJS project follows the same architecture. This is not a suggestion or a "best practice guide" that nobody reads. It is enforced by the framework itself.
// Every NestJS project follows this structure
src/
├── users/
│ ├── users.module.ts // Module declaration
│ ├── users.controller.ts // HTTP request handling
│ ├── users.service.ts // Business logic
│ ├── users.repository.ts // Data access (optional)
│ ├── entities/
│ │ └── user.entity.ts // Database entity
│ ├── dto/
│ │ ├── create-user.dto.ts // Input validation
│ │ └── update-user.dto.ts
│ └── interfaces/
│ └── user.interface.ts // Type definitions
├── auth/
│ ├── auth.module.ts
│ ├── auth.controller.ts
│ ├── auth.service.ts
│ ├── strategies/
│ │ ├── jwt.strategy.ts // Passport strategies
│ │ └── local.strategy.ts
│ └── guards/
│ ├── jwt-auth.guard.ts // Route protection
│ └── roles.guard.ts
├── common/
│ ├── decorators/ // Custom decorators
│ ├── filters/ // Exception filters
│ ├── interceptors/ // Request/response interceptors
│ ├── pipes/ // Validation/transformation pipes
│ └── guards/ // Shared guards
├── config/
│ ├── config.module.ts
│ └── configuration.ts
├── database/
│ ├── database.module.ts
│ └── migrations/
├── app.module.ts // Root module
└── main.ts // Application bootstrapA developer from any NestJS project on the planet can join yours and be productive on day one. They know controllers live in *.controller.ts. They know services are injected via constructors. They know modules declare their dependencies explicitly. They know guards protect routes and interceptors transform responses.
This consistency compounds over time. Code reviews are faster because reviewers know where to look. Onboarding is faster because the mental model transfers between projects. Debugging is faster because the architecture is predictable.
The NestJS CLI reinforces this structure:
# Generate a complete module with controller, service, and tests
nest generate resource users
# Creates:
# src/users/users.module.ts
# src/users/users.controller.ts
# src/users/users.controller.spec.ts
# src/users/users.service.ts
# src/users/users.service.spec.ts
# src/users/dto/create-user.dto.ts
# src/users/dto/update-user.dto.ts
# src/users/entities/user.entity.tsOne command. Consistent structure. Every time.
#Dependency Injection That Actually Works
Spring Boot popularized dependency injection in the Java world. It also made it painful with XML configuration files, annotation soup, classpath scanning, and runtime magic that fails mysteriously in production.
NestJS takes the best parts of DI and leaves the garbage behind.
#The Basics
// Declare what your module provides and needs
@Module({
imports: [DatabaseModule, EmailModule],
controllers: [UsersController],
providers: [UsersService, UsersRepository],
exports: [UsersService], // Available to modules that import UsersModule
})
export class UsersModule {}
// Services declare their dependencies via constructor
@Injectable()
export class UsersService {
constructor(
private readonly usersRepository: UsersRepository,
private readonly emailService: EmailService,
private readonly configService: ConfigService,
) {}
async createUser(dto: CreateUserDto): Promise<User> {
const user = await this.usersRepository.create(dto);
await this.emailService.sendWelcomeEmail(user.email);
return user;
}
}No XML. No classpath scanning. No @Autowired on fields. TypeScript's type system tells NestJS what to inject. If you make a mistake, you get a compile-time error, not a production crash at 3 AM.
#Provider Patterns
NestJS supports multiple ways to provide dependencies, each with clear use cases:
@Module({
providers: [
// Standard class provider
UsersService,
// Custom value provider (great for configs)
{
provide: 'API_KEY',
useValue: process.env.API_KEY,
},
// Factory provider (for complex initialization)
{
provide: 'DATABASE_CONNECTION',
useFactory: async (configService: ConfigService) => {
const config = configService.get('database');
return createConnection(config);
},
inject: [ConfigService],
},
// Class provider with different implementation
{
provide: PaymentProcessor,
useClass: process.env.NODE_ENV === 'test'
? MockPaymentProcessor
: StripePaymentProcessor,
},
// Existing provider (alias)
{
provide: 'AliasedService',
useExisting: UsersService,
},
],
})
export class AppModule {}#Scopes for Different Lifetimes
// Singleton (default): One instance for entire application
@Injectable()
export class ConfigService {}
// Request-scoped: New instance per HTTP request
@Injectable({ scope: Scope.REQUEST })
export class RequestContextService {
constructor(@Inject(REQUEST) private request: Request) {}
}
// Transient: New instance every time it's injected
@Injectable({ scope: Scope.TRANSIENT })
export class HelperService {}#Compare to Spring Boot's Mess
// Spring Boot: Multiple ways to do the same thing, some bad
@Service
public class UserService {
// Field injection: Easy to write, hard to test
@Autowired
private UserRepository userRepository;
@Autowired
private EmailService emailService;
// To test this, you need reflection or Spring's test context
// No compile-time safety
// Circular dependencies fail at runtime
}
// "Proper" Spring Boot
@Service
public class UserService {
private final UserRepository userRepository;
private final EmailService emailService;
// Constructor injection: The right way
// But why does the framework encourage the wrong way?
public UserService(UserRepository userRepository, EmailService emailService) {
this.userRepository = userRepository;
this.emailService = emailService;
}
}
// Also Spring Boot: XML config that nobody understands anymore
<bean id="userService" class="com.example.UserService">
<property name="userRepository" ref="userRepository"/>
<property name="emailService" ref="emailService"/>
</bean>Spring Boot gives you five ways to inject dependencies. Two of them are good. Three of them are traps. Legacy codebases are full of field injection, XML configs, and @Autowired setters that make testing a nightmare.
NestJS has one way: constructor injection. It is always correct.
#TypeScript All the Way Down
FastAPI gets praise for bringing Python type hints to the backend. And it deserves credit for being the best Python has to offer. But Python's type system is fundamentally limited.
#The Python Problem
Python type hints are optional. They are not enforced at runtime by default. Half your dependencies ignore them entirely. The typing module is bolted on, not built in.
# FastAPI: Types exist but are advisory
from pydantic import BaseModel
from fastapi import FastAPI
class CreateUserDto(BaseModel):
name: str
email: str
age: int
@app.post("/users")
async def create_user(dto: CreateUserDto) -> User:
# Pydantic validates at runtime, which is good
# But what about internal code?
return await user_service.create(dto)
# Internal service: Types are suggestions
class UserService:
async def create(self, dto: CreateUserDto) -> User:
# Your IDE might help here
# But nothing enforces it
# Refactoring is still scary
user = await self.repo.save(dto)
return user # Is this actually a User? Who knows.
# Dependencies often ignore types entirely
import some_library
result = some_library.do_thing() # Returns Any, good luck#TypeScript Does It Right
TypeScript was designed for types from day one. The compiler enforces them. Your dependencies have type definitions. Refactoring is safe.
// NestJS: Types are enforced throughout the stack
@Controller('users')
export class UsersController {
constructor(private readonly usersService: UsersService) {}
@Post()
@HttpCode(HttpStatus.CREATED)
async create(@Body() dto: CreateUserDto): Promise<UserResponseDto> {
// TypeScript knows dto is CreateUserDto
// TypeScript knows the return type must be UserResponseDto
// The compiler catches mistakes
return this.usersService.create(dto);
}
@Get(':id')
async findOne(@Param('id', ParseUUIDPipe) id: string): Promise<UserResponseDto> {
// ParseUUIDPipe validates and transforms the param
// Type safety from HTTP layer to database
const user = await this.usersService.findOne(id);
if (!user) {
throw new NotFoundException(`User ${id} not found`);
}
return user;
}
}
// DTOs with runtime validation that matches compile-time types
export class CreateUserDto {
@IsString()
@MinLength(2)
@MaxLength(100)
name: string;
@IsEmail()
email: string;
@IsInt()
@Min(0)
@Max(150)
age: number;
@IsOptional()
@IsArray()
@IsString({ each: true })
roles?: string[];
}
// Response DTOs for documentation and transformation
export class UserResponseDto {
@Expose()
id: string;
@Expose()
name: string;
@Expose()
email: string;
@Exclude()
passwordHash: string; // Never sent to client
@Expose()
@Transform(({ value }) => value.toISOString())
createdAt: Date;
}The DTO validates incoming requests at runtime. The response DTO transforms outgoing data. TypeScript enforces types at compile time. Your IDE autocompletes everything. When you rename a field, the compiler tells you every place that breaks.
#Validation That Scales
NestJS validation is declarative and composable:
// Complex validation rules
export class CreateOrderDto {
@IsUUID()
customerId: string;
@IsArray()
@ValidateNested({ each: true })
@Type(() => OrderItemDto)
items: OrderItemDto[];
@IsOptional()
@ValidateNested()
@Type(() => ShippingAddressDto)
shippingAddress?: ShippingAddressDto;
@IsEnum(PaymentMethod)
paymentMethod: PaymentMethod;
@ValidateIf(o => o.paymentMethod === PaymentMethod.CREDIT_CARD)
@IsNotEmpty()
@IsCreditCard()
cardNumber?: string;
}
// Custom validation decorators
@ValidatorConstraint({ async: true })
export class IsUniqueEmailConstraint implements ValidatorConstraintInterface {
constructor(private usersService: UsersService) {}
async validate(email: string): Promise<boolean> {
const user = await this.usersService.findByEmail(email);
return !user;
}
defaultMessage(): string {
return 'Email $value is already registered';
}
}
export function IsUniqueEmail(validationOptions?: ValidationOptions) {
return function (object: object, propertyName: string) {
registerDecorator({
target: object.constructor,
propertyName,
options: validationOptions,
constraints: [],
validator: IsUniqueEmailConstraint,
});
};
}
// Usage
export class RegisterUserDto {
@IsEmail()
@IsUniqueEmail()
email: string;
}#Go: Fast but Tedious
Go is fast. Go compiles to a single binary. Go has goroutines for concurrent programming. Go has an excellent standard library.
Go also requires writing the same boilerplate in every project, has verbose error handling, and lacks the abstractions that make complex applications manageable.
#The Boilerplate Tax
// Go: A simple CRUD endpoint
func (h *UserHandler) CreateUser(w http.ResponseWriter, r *http.Request) {
// Parse request body
var dto CreateUserDTO
if err := json.NewDecoder(r.Body).Decode(&dto); err != nil {
h.logger.Error("failed to decode request body", zap.Error(err))
http.Error(w, "invalid request body", http.StatusBadRequest)
return
}
// Validate
if err := h.validator.Struct(dto); err != nil {
validationErrors := err.(validator.ValidationErrors)
errors := make([]string, len(validationErrors))
for i, e := range validationErrors {
errors[i] = fmt.Sprintf("%s: %s", e.Field(), e.Tag())
}
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusBadRequest)
json.NewEncoder(w).Encode(map[string]interface{}{
"errors": errors,
})
return
}
// Call service
user, err := h.service.CreateUser(r.Context(), dto)
if err != nil {
if errors.Is(err, ErrEmailExists) {
http.Error(w, "email already exists", http.StatusConflict)
return
}
h.logger.Error("failed to create user", zap.Error(err))
http.Error(w, "internal server error", http.StatusInternalServerError)
return
}
// Send response
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusCreated)
if err := json.NewEncoder(w).Encode(user); err != nil {
h.logger.Error("failed to encode response", zap.Error(err))
}
}
// Now repeat this for GetUser, UpdateUser, DeleteUser, ListUsers...
// And do it again for every resource in your API// NestJS: Same functionality
@Post()
@HttpCode(HttpStatus.CREATED)
create(@Body() dto: CreateUserDto): Promise<User> {
return this.usersService.create(dto);
}
// Validation? Handled by ValidationPipe
// Error responses? Handled by exception filters
// JSON encoding? Handled by the framework
// Logging? Handled by interceptors
// Content-Type headers? Handled automaticallyGo advocates say "explicit is better than implicit." I agree for complex business logic. I disagree for JSON serialization that works the same way in every endpoint.
#The Error Handling Ceremony
// Go: Every function call needs error handling
func (s *UserService) CreateUser(ctx context.Context, dto CreateUserDTO) (*User, error) {
// Validate email uniqueness
exists, err := s.repo.EmailExists(ctx, dto.Email)
if err != nil {
return nil, fmt.Errorf("checking email existence: %w", err)
}
if exists {
return nil, ErrEmailExists
}
// Hash password
hashedPassword, err := bcrypt.GenerateFromPassword([]byte(dto.Password), bcrypt.DefaultCost)
if err != nil {
return nil, fmt.Errorf("hashing password: %w", err)
}
// Create user
user, err := s.repo.Create(ctx, User{
Email: dto.Email,
Password: string(hashedPassword),
Name: dto.Name,
})
if err != nil {
return nil, fmt.Errorf("creating user: %w", err)
}
// Send welcome email
err = s.emailService.SendWelcome(ctx, user.Email)
if err != nil {
// Log but don't fail the request
s.logger.Warn("failed to send welcome email", zap.Error(err))
}
return user, nil
}// NestJS: Exceptions handle errors naturally
@Injectable()
export class UsersService {
async create(dto: CreateUserDto): Promise<User> {
const exists = await this.usersRepository.emailExists(dto.email);
if (exists) {
throw new ConflictException('Email already exists');
}
const hashedPassword = await bcrypt.hash(dto.password, 10);
const user = await this.usersRepository.create({
...dto,
password: hashedPassword,
});
// Fire and forget, or use a queue
this.emailService.sendWelcome(user.email).catch(err => {
this.logger.warn('Failed to send welcome email', err);
});
return user;
}
}Go forces you to handle every error at every call site. This is good for critical paths where you need explicit control. It is tedious for CRUD operations where most errors should just return 500.
#When Go Makes Sense
Go is the right choice when:
- You need maximum performance for CPU-bound work
- You want single-binary deployment with no runtime dependencies
- You are building infrastructure tools (CLIs, proxies, message brokers)
- Your team has Go expertise and the ecosystem has what you need
For typical web applications with database CRUD, authentication, and business logic, you are trading developer productivity for performance you do not need. Your database is the bottleneck, not your JSON serialization.
#The Request Lifecycle: Middleware, Guards, Interceptors, Pipes, and Filters
NestJS has a clear request lifecycle with distinct extension points. Each has a specific purpose.
Incoming Request
↓
Middleware (global → module → route)
↓
Guards (authorization)
↓
Interceptors (pre-controller)
↓
Pipes (validation/transformation)
↓
Controller Method
↓
Interceptors (post-controller)
↓
Exception Filters (if error)
↓
Outgoing Response
#Middleware: Raw Request Processing
// Logging middleware
@Injectable()
export class LoggerMiddleware implements NestMiddleware {
private readonly logger = new Logger('HTTP');
use(req: Request, res: Response, next: NextFunction) {
const { method, originalUrl } = req;
const startTime = Date.now();
res.on('finish', () => {
const { statusCode } = res;
const duration = Date.now() - startTime;
this.logger.log(`${method} ${originalUrl} ${statusCode} ${duration}ms`);
});
next();
}
}
// Apply in module
export class AppModule implements NestModule {
configure(consumer: MiddlewareConsumer) {
consumer
.apply(LoggerMiddleware, CorrelationIdMiddleware)
.forRoutes('*');
}
}#Guards: Authorization Logic
// Role-based access control
@Injectable()
export class RolesGuard implements CanActivate {
constructor(private reflector: Reflector) {}
canActivate(context: ExecutionContext): boolean {
const requiredRoles = this.reflector.getAllAndOverride<Role[]>('roles', [
context.getHandler(),
context.getClass(),
]);
if (!requiredRoles) {
return true;
}
const { user } = context.switchToHttp().getRequest();
return requiredRoles.some(role => user.roles?.includes(role));
}
}
// Decorator for setting required roles
export const Roles = (...roles: Role[]) => SetMetadata('roles', roles);
// Usage
@Controller('admin')
@UseGuards(JwtAuthGuard, RolesGuard)
export class AdminController {
@Get('users')
@Roles(Role.ADMIN, Role.SUPER_ADMIN)
findAllUsers() {
return this.adminService.findAllUsers();
}
@Delete('users/:id')
@Roles(Role.SUPER_ADMIN)
deleteUser(@Param('id') id: string) {
return this.adminService.deleteUser(id);
}
}#Interceptors: Cross-Cutting Concerns
// Transform all responses to a standard format
@Injectable()
export class TransformInterceptor<T> implements NestInterceptor<T, Response<T>> {
intercept(context: ExecutionContext, next: CallHandler): Observable<Response<T>> {
return next.handle().pipe(
map(data => ({
success: true,
data,
timestamp: new Date().toISOString(),
})),
);
}
}
// Cache interceptor
@Injectable()
export class CacheInterceptor implements NestInterceptor {
constructor(private cacheManager: Cache) {}
async intercept(context: ExecutionContext, next: CallHandler): Promise<Observable<any>> {
const request = context.switchToHttp().getRequest();
const cacheKey = `${request.method}:${request.url}`;
const cached = await this.cacheManager.get(cacheKey);
if (cached) {
return of(cached);
}
return next.handle().pipe(
tap(response => {
this.cacheManager.set(cacheKey, response, 60000);
}),
);
}
}
// Timing interceptor
@Injectable()
export class TimingInterceptor implements NestInterceptor {
private readonly logger = new Logger('Timing');
intercept(context: ExecutionContext, next: CallHandler): Observable<any> {
const start = Date.now();
const handler = context.getHandler().name;
return next.handle().pipe(
tap(() => {
const duration = Date.now() - start;
this.logger.debug(`${handler} completed in ${duration}ms`);
}),
);
}
}#Pipes: Validation and Transformation
// Built-in validation pipe with options
app.useGlobalPipes(
new ValidationPipe({
whitelist: true, // Strip unknown properties
forbidNonWhitelisted: true, // Throw on unknown properties
transform: true, // Auto-transform to DTO types
transformOptions: {
enableImplicitConversion: true,
},
}),
);
// Custom transformation pipe
@Injectable()
export class ParseDatePipe implements PipeTransform<string, Date> {
transform(value: string): Date {
const date = new Date(value);
if (isNaN(date.getTime())) {
throw new BadRequestException(`Invalid date: ${value}`);
}
return date;
}
}
// Usage
@Get('events')
findEvents(
@Query('from', ParseDatePipe) from: Date,
@Query('to', ParseDatePipe) to: Date,
) {
return this.eventsService.findBetween(from, to);
}
// File validation pipe
@Injectable()
export class FileValidationPipe implements PipeTransform {
constructor(
private readonly maxSize: number,
private readonly allowedMimes: string[],
) {}
transform(file: Express.Multer.File): Express.Multer.File {
if (!file) {
throw new BadRequestException('File is required');
}
if (file.size > this.maxSize) {
throw new BadRequestException(`File size exceeds ${this.maxSize} bytes`);
}
if (!this.allowedMimes.includes(file.mimetype)) {
throw new BadRequestException(`Invalid file type: ${file.mimetype}`);
}
return file;
}
}#Exception Filters: Error Handling
// Global exception filter for consistent error responses
@Catch()
export class GlobalExceptionFilter implements ExceptionFilter {
private readonly logger = new Logger('ExceptionFilter');
catch(exception: unknown, host: ArgumentsHost) {
const ctx = host.switchToHttp();
const response = ctx.getResponse<Response>();
const request = ctx.getRequest<Request>();
let status = HttpStatus.INTERNAL_SERVER_ERROR;
let message = 'Internal server error';
let errors: string[] | undefined;
if (exception instanceof HttpException) {
status = exception.getStatus();
const exceptionResponse = exception.getResponse();
if (typeof exceptionResponse === 'string') {
message = exceptionResponse;
} else if (typeof exceptionResponse === 'object') {
message = (exceptionResponse as any).message || message;
errors = (exceptionResponse as any).errors;
}
} else if (exception instanceof Error) {
this.logger.error(
`Unhandled exception: ${exception.message}`,
exception.stack,
);
}
response.status(status).json({
success: false,
statusCode: status,
message,
errors,
path: request.url,
timestamp: new Date().toISOString(),
});
}
}
// Domain-specific exception filter
@Catch(PrismaClientKnownRequestError)
export class PrismaExceptionFilter implements ExceptionFilter {
catch(exception: PrismaClientKnownRequestError, host: ArgumentsHost) {
const ctx = host.switchToHttp();
const response = ctx.getResponse<Response>();
switch (exception.code) {
case 'P2002':
response.status(HttpStatus.CONFLICT).json({
success: false,
statusCode: HttpStatus.CONFLICT,
message: 'Resource already exists',
});
break;
case 'P2025':
response.status(HttpStatus.NOT_FOUND).json({
success: false,
statusCode: HttpStatus.NOT_FOUND,
message: 'Resource not found',
});
break;
default:
response.status(HttpStatus.INTERNAL_SERVER_ERROR).json({
success: false,
statusCode: HttpStatus.INTERNAL_SERVER_ERROR,
message: 'Database error',
});
}
}
}#Configuration Management Done Right
NestJS configuration module handles environment variables, validation, and type safety:
// config/configuration.ts
export default () => ({
port: parseInt(process.env.PORT, 10) || 3000,
database: {
host: process.env.DATABASE_HOST,
port: parseInt(process.env.DATABASE_PORT, 10) || 5432,
username: process.env.DATABASE_USER,
password: process.env.DATABASE_PASSWORD,
name: process.env.DATABASE_NAME,
},
jwt: {
secret: process.env.JWT_SECRET,
expiresIn: process.env.JWT_EXPIRES_IN || '1d',
},
redis: {
host: process.env.REDIS_HOST || 'localhost',
port: parseInt(process.env.REDIS_PORT, 10) || 6379,
},
});
// config/env.validation.ts
import { plainToInstance } from 'class-transformer';
import { IsNumber, IsString, validateSync, Min, IsOptional } from 'class-validator';
class EnvironmentVariables {
@IsNumber()
@Min(1)
@IsOptional()
PORT: number = 3000;
@IsString()
DATABASE_HOST: string;
@IsNumber()
DATABASE_PORT: number = 5432;
@IsString()
DATABASE_USER: string;
@IsString()
DATABASE_PASSWORD: string;
@IsString()
DATABASE_NAME: string;
@IsString()
JWT_SECRET: string;
}
export function validate(config: Record<string, unknown>) {
const validatedConfig = plainToInstance(EnvironmentVariables, config, {
enableImplicitConversion: true,
});
const errors = validateSync(validatedConfig, {
skipMissingProperties: false,
});
if (errors.length > 0) {
throw new Error(errors.toString());
}
return validatedConfig;
}
// app.module.ts
@Module({
imports: [
ConfigModule.forRoot({
isGlobal: true,
load: [configuration],
validate,
}),
],
})
export class AppModule {}
// Type-safe configuration access
@Injectable()
export class DatabaseService {
constructor(private configService: ConfigService) {}
getConnectionConfig() {
return {
host: this.configService.get<string>('database.host'),
port: this.configService.get<number>('database.port'),
// TypeScript knows the types
};
}
}Compare this to Express where every project invents its own configuration loading:
// Express Project A
const config = require('./config.json');
// Express Project B
const config = yaml.parse(fs.readFileSync('./config.yml'));
// Express Project C
const config = {
port: process.env.PORT || 3000,
db: process.env.DATABASE_URL,
// No validation, strings everywhere
};
// Express Project D
import convict from 'convict';
const config = convict(schema);
config.loadFile('./config.json');
config.validate();
// None of them are wrong. All of them are different.#Database Integration Patterns
NestJS works with any database library, but provides first-party integration for the common ones:
#Prisma Integration
// prisma/prisma.service.ts
@Injectable()
export class PrismaService extends PrismaClient implements OnModuleInit, OnModuleDestroy {
async onModuleInit() {
await this.$connect();
}
async onModuleDestroy() {
await this.$disconnect();
}
}
// users/users.repository.ts
@Injectable()
export class UsersRepository {
constructor(private prisma: PrismaService) {}
async findById(id: string): Promise<User | null> {
return this.prisma.user.findUnique({
where: { id },
include: { profile: true },
});
}
async findByEmail(email: string): Promise<User | null> {
return this.prisma.user.findUnique({
where: { email },
});
}
async create(data: CreateUserData): Promise<User> {
return this.prisma.user.create({
data,
include: { profile: true },
});
}
async update(id: string, data: UpdateUserData): Promise<User> {
return this.prisma.user.update({
where: { id },
data,
include: { profile: true },
});
}
async delete(id: string): Promise<void> {
await this.prisma.user.delete({ where: { id } });
}
async findWithPagination(params: PaginationParams): Promise<PaginatedResult<User>> {
const { page, limit, orderBy, order } = params;
const [users, total] = await Promise.all([
this.prisma.user.findMany({
skip: (page - 1) * limit,
take: limit,
orderBy: { [orderBy]: order },
include: { profile: true },
}),
this.prisma.user.count(),
]);
return {
data: users,
meta: {
total,
page,
limit,
totalPages: Math.ceil(total / limit),
},
};
}
}#Transaction Handling
@Injectable()
export class OrdersService {
constructor(private prisma: PrismaService) {}
async createOrder(dto: CreateOrderDto): Promise<Order> {
return this.prisma.$transaction(async (tx) => {
// Check inventory
for (const item of dto.items) {
const product = await tx.product.findUnique({
where: { id: item.productId },
});
if (!product || product.stock < item.quantity) {
throw new BadRequestException(`Insufficient stock for ${item.productId}`);
}
}
// Create order
const order = await tx.order.create({
data: {
customerId: dto.customerId,
items: {
create: dto.items.map(item => ({
productId: item.productId,
quantity: item.quantity,
price: item.price,
})),
},
total: dto.items.reduce((sum, item) => sum + item.price * item.quantity, 0),
},
include: { items: true },
});
// Decrement inventory
for (const item of dto.items) {
await tx.product.update({
where: { id: item.productId },
data: { stock: { decrement: item.quantity } },
});
}
return order;
});
}
}#Authentication and Authorization Patterns
NestJS with Passport provides a clean authentication layer:
// auth/strategies/jwt.strategy.ts
@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
constructor(
private configService: ConfigService,
private usersService: UsersService,
) {
super({
jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
ignoreExpiration: false,
secretOrKey: configService.get('jwt.secret'),
});
}
async validate(payload: JwtPayload): Promise<User> {
const user = await this.usersService.findById(payload.sub);
if (!user) {
throw new UnauthorizedException();
}
return user;
}
}
// auth/strategies/local.strategy.ts
@Injectable()
export class LocalStrategy extends PassportStrategy(Strategy) {
constructor(private authService: AuthService) {
super({ usernameField: 'email' });
}
async validate(email: string, password: string): Promise<User> {
const user = await this.authService.validateUser(email, password);
if (!user) {
throw new UnauthorizedException('Invalid credentials');
}
return user;
}
}
// auth/auth.service.ts
@Injectable()
export class AuthService {
constructor(
private usersService: UsersService,
private jwtService: JwtService,
) {}
async validateUser(email: string, password: string): Promise<User | null> {
const user = await this.usersService.findByEmail(email);
if (user && await bcrypt.compare(password, user.password)) {
return user;
}
return null;
}
async login(user: User): Promise<TokenResponse> {
const payload: JwtPayload = { sub: user.id, email: user.email };
const [accessToken, refreshToken] = await Promise.all([
this.jwtService.signAsync(payload, { expiresIn: '15m' }),
this.jwtService.signAsync(payload, { expiresIn: '7d' }),
]);
return { accessToken, refreshToken };
}
async refreshTokens(refreshToken: string): Promise<TokenResponse> {
try {
const payload = await this.jwtService.verifyAsync(refreshToken);
const user = await this.usersService.findById(payload.sub);
if (!user) {
throw new UnauthorizedException();
}
return this.login(user);
} catch {
throw new UnauthorizedException('Invalid refresh token');
}
}
}
// auth/auth.controller.ts
@Controller('auth')
export class AuthController {
constructor(private authService: AuthService) {}
@Post('login')
@UseGuards(LocalAuthGuard)
@HttpCode(HttpStatus.OK)
async login(@User() user: UserEntity): Promise<TokenResponse> {
return this.authService.login(user);
}
@Post('refresh')
@HttpCode(HttpStatus.OK)
async refresh(@Body() dto: RefreshTokenDto): Promise<TokenResponse> {
return this.authService.refreshTokens(dto.refreshToken);
}
@Post('logout')
@UseGuards(JwtAuthGuard)
@HttpCode(HttpStatus.NO_CONTENT)
async logout(@User() user: UserEntity): Promise<void> {
// Invalidate refresh token in database/redis
await this.authService.logout(user.id);
}
}
// Custom decorator to extract user from request
export const User = createParamDecorator(
(data: keyof UserEntity | undefined, ctx: ExecutionContext) => {
const request = ctx.switchToHttp().getRequest();
const user = request.user;
return data ? user?.[data] : user;
},
);#OpenAPI Documentation That Writes Itself
NestJS Swagger integration generates API documentation from your code:
// main.ts
async function bootstrap() {
const app = await NestFactory.create(AppModule);
const config = new DocumentBuilder()
.setTitle('My API')
.setDescription('API documentation')
.setVersion('1.0')
.addBearerAuth()
.addTag('users', 'User management endpoints')
.addTag('orders', 'Order management endpoints')
.build();
const document = SwaggerModule.createDocument(app, config);
SwaggerModule.setup('api/docs', app, document);
await app.listen(3000);
}
// Detailed endpoint documentation
@Controller('orders')
@ApiTags('orders')
@ApiBearerAuth()
@UseGuards(JwtAuthGuard)
export class OrdersController {
@Post()
@ApiOperation({ summary: 'Create a new order' })
@ApiBody({ type: CreateOrderDto })
@ApiResponse({
status: 201,
description: 'Order created successfully',
type: OrderResponseDto,
})
@ApiResponse({
status: 400,
description: 'Invalid input or insufficient stock',
})
@ApiResponse({
status: 401,
description: 'Unauthorized',
})
create(@Body() dto: CreateOrderDto, @User() user: UserEntity): Promise<OrderResponseDto> {
return this.ordersService.create(dto, user.id);
}
@Get()
@ApiOperation({ summary: 'List orders with pagination' })
@ApiQuery({ name: 'page', required: false, type: Number })
@ApiQuery({ name: 'limit', required: false, type: Number })
@ApiQuery({ name: 'status', required: false, enum: OrderStatus })
@ApiResponse({
status: 200,
description: 'Paginated list of orders',
type: PaginatedOrdersResponseDto,
})
findAll(@Query() query: OrderQueryDto, @User() user: UserEntity) {
return this.ordersService.findByCustomer(user.id, query);
}
}
// DTOs with Swagger decorators
export class CreateOrderDto {
@ApiProperty({
description: 'Array of items to order',
type: [OrderItemDto],
example: [{ productId: 'uuid', quantity: 2 }],
})
@IsArray()
@ValidateNested({ each: true })
@Type(() => OrderItemDto)
items: OrderItemDto[];
@ApiPropertyOptional({
description: 'Shipping address',
type: ShippingAddressDto,
})
@IsOptional()
@ValidateNested()
@Type(() => ShippingAddressDto)
shippingAddress?: ShippingAddressDto;
}The generated Swagger UI is always accurate because it comes from the same decorators that control validation. When you add a field, documentation updates automatically. When you change validation rules, the schema updates automatically.
#Microservices Ready
NestJS microservices module supports multiple transport layers with the same code structure:
// Hybrid application: HTTP + Message Queue
async function bootstrap() {
const app = await NestFactory.create(AppModule);
// Connect to RabbitMQ
app.connectMicroservice<MicroserviceOptions>({
transport: Transport.RMQ,
options: {
urls: ['amqp://localhost:5672'],
queue: 'orders_queue',
queueOptions: { durable: true },
},
});
// Connect to Redis pub/sub
app.connectMicroservice<MicroserviceOptions>({
transport: Transport.REDIS,
options: {
host: 'localhost',
port: 6379,
},
});
await app.startAllMicroservices();
await app.listen(3000);
}
// Message handlers look like HTTP handlers
@Controller()
export class OrdersMessageController {
constructor(private ordersService: OrdersService) {}
@MessagePattern('order.created')
async handleOrderCreated(@Payload() data: OrderCreatedEvent) {
await this.ordersService.processNewOrder(data);
}
@EventPattern('inventory.updated')
async handleInventoryUpdate(@Payload() data: InventoryUpdatedEvent) {
await this.ordersService.checkPendingOrders(data.productId);
}
}
// Sending messages to other services
@Injectable()
export class OrdersService {
constructor(
@Inject('INVENTORY_SERVICE') private inventoryClient: ClientProxy,
@Inject('NOTIFICATION_SERVICE') private notificationClient: ClientProxy,
) {}
async create(dto: CreateOrderDto): Promise<Order> {
// Request-response pattern
const stockCheck = await firstValueFrom(
this.inventoryClient.send('inventory.check', dto.items),
);
if (!stockCheck.available) {
throw new BadRequestException('Insufficient stock');
}
const order = await this.ordersRepository.create(dto);
// Fire-and-forget event
this.notificationClient.emit('order.created', {
orderId: order.id,
customerId: order.customerId,
});
return order;
}
}The same patterns work with TCP, gRPC, MQTT, NATS, and Kafka. Switch transport layers without rewriting business logic.
#Testing Is Built In
NestJS testing utilities make unit and integration tests straightforward:
// Unit test with mocked dependencies
describe('UsersService', () => {
let service: UsersService;
let repository: jest.Mocked<UsersRepository>;
let emailService: jest.Mocked<EmailService>;
beforeEach(async () => {
const module = await Test.createTestingModule({
providers: [
UsersService,
{
provide: UsersRepository,
useValue: {
findById: jest.fn(),
findByEmail: jest.fn(),
create: jest.fn(),
update: jest.fn(),
},
},
{
provide: EmailService,
useValue: {
sendWelcome: jest.fn(),
},
},
],
}).compile();
service = module.get(UsersService);
repository = module.get(UsersRepository);
emailService = module.get(EmailService);
});
describe('create', () => {
it('creates a user and sends welcome email', async () => {
const dto = { email: '[email protected]', name: 'Test', password: 'password' };
const createdUser = { id: '1', ...dto, createdAt: new Date() };
repository.findByEmail.mockResolvedValue(null);
repository.create.mockResolvedValue(createdUser);
emailService.sendWelcome.mockResolvedValue(undefined);
const result = await service.create(dto);
expect(result).toEqual(createdUser);
expect(repository.create).toHaveBeenCalled();
expect(emailService.sendWelcome).toHaveBeenCalledWith(dto.email);
});
it('throws ConflictException if email exists', async () => {
const dto = { email: '[email protected]', name: 'Test', password: 'password' };
repository.findByEmail.mockResolvedValue({ id: '1', ...dto });
await expect(service.create(dto)).rejects.toThrow(ConflictException);
});
});
});
// E2E test with real database
describe('Users (e2e)', () => {
let app: INestApplication;
let prisma: PrismaService;
beforeAll(async () => {
const moduleFixture = await Test.createTestingModule({
imports: [AppModule],
}).compile();
app = moduleFixture.createNestApplication();
app.useGlobalPipes(new ValidationPipe({ whitelist: true }));
await app.init();
prisma = app.get(PrismaService);
});
beforeEach(async () => {
await prisma.user.deleteMany();
});
afterAll(async () => {
await app.close();
});
describe('POST /users', () => {
it('creates a new user', async () => {
const response = await request(app.getHttpServer())
.post('/users')
.send({
email: '[email protected]',
name: 'Test User',
password: 'password123',
})
.expect(201);
expect(response.body).toMatchObject({
id: expect.any(String),
email: '[email protected]',
name: 'Test User',
});
expect(response.body.password).toBeUndefined();
});
it('returns 400 for invalid email', async () => {
await request(app.getHttpServer())
.post('/users')
.send({
email: 'invalid',
name: 'Test',
password: 'password',
})
.expect(400);
});
it('returns 409 for duplicate email', async () => {
await prisma.user.create({
data: {
email: '[email protected]',
name: 'Existing',
password: 'hash',
},
});
await request(app.getHttpServer())
.post('/users')
.send({
email: '[email protected]',
name: 'New User',
password: 'password',
})
.expect(409);
});
});
});#Real-World Performance
"But what about performance?" Go developers always ask this.
NestJS runs on Node.js. Node.js is fast enough. Your database queries, external API calls, and network latency dominate response times, not framework overhead.
Here are actual numbers from production systems:
| Metric | NestJS | Express | Go (stdlib) |
|---|---|---|---|
| Simple JSON response | ~50k req/s | ~55k req/s | ~100k req/s |
| With DB query | ~5k req/s | ~5k req/s | ~5.5k req/s |
| With external API call | ~500 req/s | ~500 req/s | ~500 req/s |
When you add real work, the framework overhead becomes noise. Go is faster for compute-bound workloads. For I/O-bound web applications, you will not notice the difference.
What you will notice:
- Time to implement features
- Time to onboard developers
- Time to debug issues
- Time to refactor safely
NestJS wins on all of these.
#When Not to Use NestJS
I am opinionated, not delusional. NestJS is wrong for:
Serverless functions with cold start requirements: NestJS has framework overhead. If you need sub-100ms cold starts on AWS Lambda, use a lightweight handler or consider Lambda-optimized frameworks.
Simple scripts or CLIs: You do not need dependency injection for a 200-line script. Use plain Node.js or a CLI framework like Commander.
CPU-intensive computation: Video processing, machine learning inference, or heavy mathematical computation should use Go, Rust, or a specialized service.
Teams that reject TypeScript: NestJS without TypeScript loses most of its benefits. If your team insists on plain JavaScript, use something else.
Tiny microservices with single responsibility: If your service has one endpoint that does one thing, NestJS is overkill. A simple Express handler or Fastify route is fine.
Real-time game servers: For low-latency game servers pushing thousands of updates per second, you need more control than NestJS provides. Consider Go or Rust.
For everything else, for APIs, for web backends, for typical microservices, for any application that will be maintained by a team over years, NestJS is the right choice.
#Summary
NestJS succeeds because it makes decisions for you. Good decisions. Decisions based on decades of backend development patterns. Decisions that experienced developers arrive at anyway after years of building Express apps and wondering why everything is a mess.
The opinionated structure means every NestJS project is familiar. The dependency injection means testability is built in. The TypeScript foundation means refactoring is safe. The module system means clear boundaries and scalability. The decorator pattern means readable, self-documenting code.
Express gives you freedom to make mistakes. Spring Boot gives you XML and runtime magic. FastAPI gives you Python's type system limitations. Go gives you boilerplate and "explicit" error handling for the thousandth JSON response.
NestJS gives you productivity.
Stop reinventing project structure. Stop debating folder organization in every code review. Stop writing the same middleware registration in every project. Stop explaining to new developers where the authentication logic lives.
Use NestJS. Ship features. Move on to interesting problems.
