A clean, maintainable NestJS microservice template implementing essential microservice patterns with optional advanced features. Designed for rapid development with production-ready defaults. You can view the ARCHITECTURE.md file for more details.
🎯 Philosophy: Simple by default, scalable by choice. Enable only what you need.
- �️ Feature Flags System - Flags to enable/disable services as needed
- 🚀 Fast Startup - Lightweight by default, everything optional
- � Modular Design - Focused managers for transport, streaming, scheduling, caching
- 🔧 Type Safety - Comprehensive TypeScript interfaces eliminate runtime errors
- 🚀 Fast Startup - Minimal resource usage with selective service loading
- 📊 Performance Monitoring - Optional performance interceptors and metrics
- 🔧 Environment-Specific Configs - Different feature sets for dev/test/prod
- Clean Services - Single responsibility focused managers
- Protocol Support - HTTP/REST, GraphQL, WebSocket, MQTT (gRPC optional)
- Microservice Ready - Optional TCP, Redis, NATS, RabbitMQ transports
- Configuration Diet - Essential configs only, no complexity bloat
- SOLID Principles - Maintainable and extensible codebase
- Event-Driven Architecture - Kafka integration for scalable messaging
- Database Support - PostgreSQL (via Prisma) or MongoDB with runtime selection
- Simple Repository Pattern - Clean data access abstraction
- Connection Management - Health checks and proper connection handling
- Database Migrations - Prisma/MongoDB migrations and seed scripts
- Connection Management - Proper connection pooling and health checks
- JWT Authentication - Access and refresh tokens
- CASL Authorization - Role-based access control
- Password Security - bcrypt hashing
- Security Headers - Helmet, CORS, rate limiting
- Input Validation - class-validator integration
- REST API - Fastify Clean HTTP endpoints
- GraphQL API - Optional GraphQL schema with resolvers
- OpenAPI/Swagger - Interactive API documentation
- Event Streaming - Kafka producer/consumer for user lifecycle events
- Background Jobs - BullMQ for async tasks
- Service Discovery - Consul integration for service registration
- Distributed Tracing - Jaeger integration for request tracing
- Health Checks - Comprehensive health monitoring endpoints
- Configuration Management - Environment-based configuration
- Graceful Shutdown - Proper resource cleanup on termination
- Message Queues - Optional Kafka/BullMQ for async tasks
- Real-time - WebSocket support for live updates
All features disabled by default - enable what you need:
- Microservice Transports - TCP, Redis, NATS, RabbitMQ (set
ENABLE_*_MICROSERVICE=true) - Service Discovery - Consul integration (set
ENABLE_CONSUL_DISCOVERY=true) - Distributed Tracing - Jaeger integration (set
ENABLE_JAEGER_TRACING=true) - Circuit Breakers - Resilience patterns (set
ENABLE_CIRCUIT_BREAKER=true) - Performance Monitoring - Metrics collection (set
ENABLE_PERFORMANCE_MONITORING=true) - Advanced Caching - Redis cache (set
ENABLE_REDIS_CACHE=true)
Philosophy: Template includes everything but enables only essentials by default.
- Unit Tests - Comprehensive test coverage with mocking
- Integration Tests - Real database testing capabilities
- E2E Tests - Full application flow testing
- Performance Tests - Load testing with concurrent requests
- Code Quality - ESLint, Prettier, and pre-commit hooks
- Docker Support - Multi-stage builds and compose files
- Kubernetes Ready - Helm charts for K8s deployment
- CI/CD Pipeline - GitHub Actions with automated testing
- Production Monitoring - Health checks and observability
- Environment Management - Development, staging, and production configs
# Copy environment template (simplified configuration)
cp .env.example .env
# For advanced features (MQTT, NATS, gRPC, advanced observability):
# cp .env.example.legacy .env
# Configure database type (postgresql, mysql/mariadb or mongodb)
DATABASE_TYPE=postgresql # or mysql | mariadb | mongodb
DATABASE_URL=postgresql://dev:dev@localhost:5432/dev
# For MySQL/MariaDB:
# MYSQL_URL=mysql://dev:dev@localhost:3306/dev
# MONGODB_URL=mongodb://dev:dev@localhost:27017/nestjs-app
# Security (REQUIRED)
JWT_SECRET=your-strong-secret-key-change-in-production
ALLOWED_ORIGINS=https://yourdomain.com,https://api.yourdomain.com
# Services
REDIS_URL=redis://localhost:6379
KAFKA_BROKERS=localhost:9092
# Microservices (Optional)
CONSUL_HOST=localhost
CONSUL_PORT=8500
JAEGER_ENDPOINT=http://localhost:14268/api/traces
# Protocols (Optional)
SSL_CERT_PATH=/path/to/cert.pem
SSL_KEY_PATH=/path/to/key.pem
MQTT_BROKER_URL=mqtt://localhost:1883
GRPC_PORT=5000
# Security Settings
RATE_LIMIT_MAX=100
RATE_LIMIT_WINDOW=60000
BODY_LIMIT=1048576
# Email/SMTP Configuration
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_SECURE=false
[email protected]
SMTP_PASS=your-app-password
[email protected]
# Feature Flags - Protocols
ENABLE_WEBSOCKET=true
ENABLE_MQTT=false
ENABLE_HTTPS=true
ENABLE_GRPC=false
# Feature Flags - Services
ENABLE_JAEGER_TRACING=false
ENABLE_REDIS_CACHE=true
ENABLE_CONSUL_DISCOVERY=false
ENABLE_CIRCUIT_BREAKER=false
ENABLE_PERFORMANCE_MONITORING=false
ENABLE_EMAIL_SERVICE=true
DATABASE_TYPE: Database type selection (postgresql,mysql,mariadbormongodb)DATABASE_URL: PostgreSQL connection stringMYSQL_URL: MySQL/MariaDB connection string (used whenDATABASE_TYPEismysqlormariadb)MONGODB_URL: MongoDB connection string
JWT_SECRET: Secret key for JWT token signing (required in production)ACCESS_TOKEN_EXP: Access token expiration time (default: 15m)REFRESH_TOKEN_EXP: Refresh token expiration time (default: 7d)ALLOWED_ORIGINS: CORS allowed origins (comma-separated)RATE_LIMIT_MAX: Maximum requests per window (default: 100)RATE_LIMIT_WINDOW: Rate limit window in ms (default: 60000)BODY_LIMIT: Request body size limit in bytes (default: 1048576)
SERVICE_NAME: Microservice identifierSERVICE_VERSION: Service version for discoverySERVICE_HOST: Service host bindingPORT: HTTP server port (default: 3000)
REDIS_URL: Redis connection string for caching and sessionsKAFKA_BROKERS: Kafka broker addresses (comma-separated)CONSUL_HOST: Consul server host for service discoveryCONSUL_PORT: Consul server port (default: 8500)JAEGER_ENDPOINT: Jaeger tracing endpoint URL
SSL_CERT_PATH: SSL certificate file path for HTTPSSSL_KEY_PATH: SSL private key file path for HTTPSMQTT_BROKER_URL: MQTT broker connection URLMQTT_USERNAME: MQTT authentication usernameMQTT_PASSWORD: MQTT authentication passwordWS_PORT: WebSocket server port (default: 3001)GRPC_PORT: gRPC server port (default: 5000)
SMTP_HOST: SMTP server hostnameSMTP_PORT: SMTP server port (default: 587)SMTP_SECURE: Use secure connection (default: false)SMTP_USER: SMTP authentication usernameSMTP_PASS: SMTP authentication passwordSMTP_FROM: Default sender email address
NODE_ENV: Environment mode (development,production,test)LOG_LEVEL: Logging level (info,debug,warn,error)APP_URL: Application base URL for linksAPI_BASE_URL: API base URL for external references
pnpm install# Basic services (PostgreSQL, Redis, Kafka)
pnpm docker:up
# Full stack with MongoDB, Consul, Jaeger (OTel enabled)
pnpm docker:fullPostgreSQL:
pnpm prisma:generate
pnpm prisma:migrate:dev
pnpm prisma:seedMongoDB:
pnpm mongodb:migrate
MONGODB_URL=mongodb://user:pass@localhost:27017/dbpnpm start:dev# Unit tests only
pnpm test:unit
# All tests (unit + e2e with mocked DB)
pnpm test:all
# Full test suite (unit + integration + E2E mocked DB)
pnpm test:full
# Full REAL E2E (hits Postgres/Redis/Kafka from docker:full)
pnpm test:e2e:realDATABASE_TYPE=postgresql
DATABASE_URL=postgresql://user:pass@localhost:5432/dbSet the database type and URL, then generate Prisma client and run migrations:
DATABASE_TYPE=mysql # or mariadb
MYSQL_URL=mysql://user:pass@localhost:3306/dbNotes:
- Prisma schema provider must match the selected engine. This repo includes a small helper script that switches the Prisma datasource
providerbased onDATABASE_TYPEautomatically beforeprisma generateandstart:dev. - For a fresh MySQL/MariaDB setup, run:
- pnpm prisma:generate
- pnpm prisma:migrate:dev --name init
- pnpm prisma:seed (optional)
- Existing PostgreSQL migrations won’t apply to MySQL. Create new migrations when switching engines in development.
DATABASE_TYPE=mongodbThe application automatically selects the appropriate repository implementation based on DATABASE_TYPE.
- Prisma (PostgreSQL): Prisma manages connections internally. In production, it’s recommended to front Postgres with PgBouncer and point
DATABASE_URLto the pooler for robust pooling at scale.- You can override the datasource URL at runtime via
DATABASE_URL(already wired inPrismaService).
- You can override the datasource URL at runtime via
- MongoDB: The driver’s pool is enabled by default. You can tune with optional envs:
MONGODB_MAX_POOL_SIZE,MONGODB_MIN_POOL_SIZE,MONGODB_MAX_IDLE_TIME_MS,MONGODB_WAIT_QUEUE_TIMEOUT_MS
Docker full stack includes a PgBouncer service. The app is preconfigured to use it in docker/docker-compose.full.yml:
DATABASE_URL: 'postgresql://dev:dev@pgbouncer:6432/dev?pgbouncer=true'CONSUL_HOST=localhost
CONSUL_PORT=8500
SERVICE_NAME=nestjs-apiJAEGER_ENDPOINT=http://localhost:14268/api/tracesKAFKA_BROKERS=localhost:9092REDIS_URL=redis://localhost:6379Enable a service-wide circuit breaker to protect endpoints and wrap outbound calls.
Env flags:
ENABLE_CIRCUIT_BREAKER=true
# Trip circuit after N consecutive failures
CB_THRESHOLD=5
# Per-request timeout (ms) before considering a failure
CB_TIMEOUT=2000
# Time (ms) to stay open before trying a half-open probe
CB_RESET_TIMEOUT=10000Behavior:
- When the threshold is reached, requests get HTTP 503 with message "Circuit open" until reset timeout elapses.
- After
CB_RESET_TIMEOUT, one request is allowed in half-open state to probe recovery. - The Fastify plugin is applied globally to all routes when enabled.
Programmatic usage for outbound HTTP calls (via HttpClientService):
// Example
await httpClient.fetch('https://api.example.com', { timeoutMs: 1500, cbName: 'upstreamA' });Introspection endpoint:
curl http://localhost:3000/health/circuit/globalNotes: Uses @fastify/circuit-breaker (Fastify v4 compatible). E2E tests cover open/half-open/close semantics.
A pluggable storage service with a simple interface for upload/download/list/delete and signed URLs. By default, an in-memory adapter is used (great for tests). Cloud adapters are wired to their real SDKs but are disabled by default behind a feature flag.
Env flags:
# Master on/off switch (defaults to false → memory adapter)
ENABLE_STORAGE=false
# Select provider: aws | azure | gcp | none (defaults to none → in-memory)
STORAGE_PROVIDER=none
# AWS S3 (when STORAGE_PROVIDER=aws)
S3_BUCKET=your-bucket
S3_REGION=us-east-1
S3_ACCESS_KEY_ID=...
S3_SECRET_ACCESS_KEY=...
# Optional for S3-compatible stores (e.g., MinIO):
S3_ENDPOINT=http://localhost:9000
# Azure Blob (when STORAGE_PROVIDER=azure)
AZURE_BLOB_CONNECTION_STRING=...
AZURE_BLOB_CONTAINER=your-container
# Google Cloud Storage (when STORAGE_PROVIDER=gcp)
GCP_PROJECT_ID=your-project
GCS_BUCKET=your-bucket
# One of these (standard GCP ways to auth):
GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json
# or
GCP_APPLICATION_CREDENTIALS=/path/to/key.jsonStreaming usage (large files) via demo endpoints in development/test environments:
- Upload (optionally gzip on the fly):
- curl -X POST --data-binary @bigfile.bin "http://localhost:3000/demo/upload-stream?key=big.bin&gzip=1"
- Download (optionally gunzip on the fly):
- curl -L "http://localhost:3000/demo/download-stream?key=big.bin&gunzip=1" -o out.bin
Programmatic usage example:
import { Controller, Post, Get, Param, Body } from '@nestjs/common';
import { StorageService } from '@/common/storage/storage.service';
@Controller('files')
export class FilesController {
constructor(private readonly storage: StorageService) {}
@Post()
async upload(@Body() body: { key: string; content: string }) {
await this.storage.upload(body.key, Buffer.from(body.content, 'utf8'), {
contentType: 'text/plain',
});
return { ok: true };
}
@Get(':key')
async get(@Param('key') key: string) {
const buf = await this.storage.download(key);
return buf.toString('utf8');
}
}- Linting:
pnpm lint- ESLint with TypeScript support - Formatting:
pnpm format- Prettier code formatting - Pre-commit hooks: Automatically run linting, formatting, and unit tests
- Pre-push hooks: Run full test suite before pushing
- Unit tests:
pnpm test:unit- 52 tests with full mocking - E2E tests:
pnpm test:e2e- Application startup and endpoint tests - All tests:
pnpm test:all- Test suite for CI/CD - Coverage: Add
--coverageflag to any test command for coverage reports
All tests use comprehensive mocking (Prisma, Redis, bcrypt) and run without external dependencies.
- Register:
POST /auth/register- Create new user account - Login:
POST /auth/login- Authenticate and get tokens - Refresh:
POST /auth/refresh- Refresh access token - Logout:
POST /auth/logout- Revoke refresh token - Profile:
GET /auth/profile- Get current user (protected) - Users:
GET /auth/users- List all users (admin only)
- JWT Tokens: Short-lived access tokens (15m) + refresh tokens (7d)
- Token Revocation: Redis-based blacklist for immediate logout
- Password Security: bcrypt hashing with configurable rounds
- Rate Limiting: Configurable request limits per IP
- CORS Protection: Environment-based origin restrictions
- Security Headers: Helmet integration with CSP
- Input Validation: Comprehensive validation with sanitization
- CASL Integration: Fine-grained permission system
- Policy Guards: Declarative permission checks
- Role Management: User and admin roles with different capabilities
- Resource Protection: Method-level authorization
- Base URL:
http://localhost:3000 - Documentation:
http://localhost:3000/api(Swagger UI) - OpenAPI Spec:
http://localhost:3000/api-json - Health Check:
http://localhost:3000/health
- Endpoint:
http://localhost:3000/graphql - Playground:
http://localhost:3000/graphql(development mode) - Schema: Auto-generated from resolvers
- Introspection: Enabled in development
- GraphQL Schema:
http://localhost:3000/schemas/graphql - Kafka Events:
http://localhost:3000/schemas/kafka - All Schemas:
http://localhost:3000/schemas
- Health Checks:
http://localhost:3000/health - Readiness:
http://localhost:3000/health/ready - Liveness:
http://localhost:3000/health/live - Jaeger UI:
http://localhost:16686(when enabled) - Consul UI:
http://localhost:8500(when enabled)
This template includes OpenTelemetry (OTel) support for distributed tracing and metrics, plus structured logs enriched with correlation metadata.
Set the following in your .env:
ENABLE_OPENTELEMETRY=true
SERVICE_NAME=nestjs-mstv
# Traces (OTLP over HTTP)
OTEL_TRACES_EXPORTER=otlp
OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
# Optional auth headers (JSON or comma-separated key=value pairs)
# OTEL_EXPORTER_OTLP_HEADERS=api-key=xxx
# Metrics (choose one)
OTEL_METRICS_EXPORTER=none # prometheus | otlp | none
ENABLE_PROMETHEUS_METRICS=false
PROMETHEUS_HOST=0.0.0.0
PROMETHEUS_PORT=9464
# Convenience endpoints (OTLP-compatible)
# SigNoz
ENABLE_SIGNOZ_TRACING=false
SIGNOZ_ENDPOINT=http://localhost:4318/v1/traces
# Datadog
ENABLE_DATADOG_TRACING=false
DATADOG_OTLP_ENDPOINT=http://localhost:4318/v1/tracesThe app auto-initializes OTel at startup when ENABLE_OPENTELEMETRY=true.
- Jaeger (via OTLP): set
OTEL_EXPORTER_OTLP_ENDPOINT=http://jaeger-collector:4318 - SigNoz: set
SIGNOZ_ENDPOINT=http://signoz-otel-collector:4318/v1/traces(or useOTEL_EXPORTER_OTLP_ENDPOINT) - Datadog: set
DATADOG_OTLP_ENDPOINT=http://datadog-agent:4318/v1/traces(or useOTEL_EXPORTER_OTLP_ENDPOINTand headers) - Prometheus metrics: set
ENABLE_PROMETHEUS_METRICS=true(scrapehttp://host:9464/metrics) - OTLP metrics: set
OTEL_METRICS_EXPORTER=otlpandOTEL_EXPORTER_OTLP_ENDPOINT
Notes
- All three backends (Jaeger, SigNoz, Datadog) can ingest OTLP; pick the URL that matches your setup.
- Optional headers for auth can be provided via
OTEL_EXPORTER_OTLP_HEADERS.
Pino logs automatically include these fields per request:
traceId,requestId,userId,method,url,ip, plusserviceandenv.
Every HTTP response also includes the headers:
x-trace-idandx-request-idfor cross-system correlation.
If OpenTelemetry is enabled, the logger will reuse the active OTel trace id, aligning logs with traces.
# Register user
curl -X POST http://localhost:3000/auth/register \
-H "Content-Type: application/json" \
-d '{"email":"[email protected]","password":"password123","name":"John Doe"}'
# Login
curl -X POST http://localhost:3000/auth/login \
-H "Content-Type: application/json" \
-d '{"email":"[email protected]","password":"password123"}'
# Get profile (with JWT token)
curl -X GET http://localhost:3000/auth/profile \
-H "Authorization: Bearer YOUR_JWT_TOKEN"# Register user
mutation {
register(input: { email: "[email protected]", password: "password123", name: "John Doe" }) {
id
email
name
role
}
}
# Login
mutation {
login(input: { email: "[email protected]", password: "password123" }) {
access_token
refresh_token
user {
id
email
name
role
}
}
}
# Get current user
query {
me {
id
email
name
role
}
}
# Get all users (admin only)
query {
getAllUsers {
id
email
name
role
createdAt
}
}- User Events:
user.registered,user.updated,user.deleted - Auth Events:
user.logged_in,user.logged_out,token.refreshed - Email Events:
email.welcome,email.password_reset,email.verification
- Email Processing: Welcome emails, password resets, verification (provider not implemented)
- Queue Management: Job retry logic and dead letter queues
- Monitoring: Queue statistics and job status tracking
All events follow standardized schemas defined in /src/schemas/kafka.schemas.ts:
{
event: 'user.registered',
userId: 'cuid123',
email: '[email protected]',
timestamp: '2023-01-01T00:00:00.000Z'
}# Basic services
docker-compose -f docker/docker-compose.yml up -d
# Full microservice stack
docker-compose -f docker/docker-compose.full.yml up -d# Deploy with Helm
helm upgrade --install nestjs-api ./helm/nest-ddd-chart
# With custom values
helm upgrade --install nestjs-api ./helm/nest-ddd-chart -f values.prod.yaml- GitHub Actions: Automated testing and deployment
- Multi-stage builds: Optimized Docker images
- Health checks: Kubernetes readiness and liveness probes
- Rolling updates: Zero-downtime deployments
Comprehensive testing strategy with multiple test types and environments.
- Command:
pnpm test:unit - Coverage: 17 tests covering core business logic
- Mocks: All external dependencies (Prisma, Redis, Kafka, BullMQ)
- Speed: Fast execution for development feedback
- Command:
pnpm test:integration - Purpose: Test with real database connections
- Setup: Requires running database services
- Scope: Database operations and service interactions
- Command:
pnpm test:e2e - Purpose: Application startup and endpoint availability
- Environment: No external dependencies required
- CI/CD: Suitable for continuous integration
- Command:
pnpm test:e2e:full - Purpose: Application flows with real services
- Environment: Full Docker stack required
- Scope: End-to-end user journeys
- Command:
pnpm test:performance - Purpose: Load testing and concurrent request handling
- Metrics: Response times and throughput measurement
- Location:
test/performance/load.test.ts
# Quick feedback loop
pnpm test:unit
# CI/CD pipeline
pnpm test:all
# Full validation
pnpm test:full
# With coverage
pnpm test:unit --coverage- Prisma Client with CRUD operations
- Redis client with get/set/del operations
- bcrypt for password hashing
- Kafka producer/consumer
- BullMQ queue and worker
- Enhanced Prisma mocks with conditional responses
- Redis mocks for token management
- bcrypt mocks for authentication
- NODE_ENV: Set to 'test' automatically
- JWT_SECRET: Test-specific secret
- DATABASE_URL: Mock URL to prevent real connections
- REDIS_URL: Mock URL for Redis operations
The PoliciesGuard includes special handling for test environments:
- Automatically provides mock admin user when
NODE_ENV=test - Allows testing protected endpoints without JWT setup
- Gracefully handles missing context methods in test mocks
# Run all tests (recommended for CI)
pnpm test:all
# Run specific test types
pnpm test:unit
pnpm test:e2e
pnpm test:e2e:full
# Run with coverage
pnpm test:unit --coverage
# Run specific test file
pnpm test:unit test/auth.service.spec.tstest/
├── e2e/ # End-to-end tests
│ ├── mock.e2e.spec.ts # Basic app startup tests
│ ├── auth.e2e.spec.ts # Authentication flow tests
│ ├── graphql.e2e.spec.ts # GraphQL API tests
│ └── users.e2e.spec.ts # User management tests
├── setup.ts # Global test setup with mocks
├── setup.e2e.mock.ts # E2E test setup with enhanced mocks
└── *.spec.ts # Unit test files
The project is configured for GitHub Actions with:
- Pre-commit hooks running unit tests
- Pre-push hooks running all tests
- CI pipeline running
pnpm test:all
All tests run without external dependencies, making them suitable for any CI environment.
# Run tests in Docker container (no external dependencies)
docker-compose -f docker/docker-compose.simple-test.yml up --build --abort-on-container-exit
# Run tests with real database services
docker-compose -f docker/docker-compose.test.yml up --build --abort-on-container-exit
# Clean up after tests
docker-compose -f docker/docker-compose.test.yml down --volumes# Test Docker build process
docker build -f docker/Dockerfile -t nestjs-test .
# Validate Docker Compose configurations
docker-compose -f docker/docker-compose.yml config
docker-compose -f docker/docker-compose.test.yml config- docker-compose.yml - Development with PostgreSQL, Redis, Kafka
- docker-compose.full.yml - Full stack with MongoDB, Consul, Jaeger
- docker-compose.test.yml - Testing with real database services
- docker-compose.simple-test.yml - Testing without external dependencies
- Write Operations - Commands handled by CommandBus
- Read Operations - Queries handled by QueryBus
- Event Processing - Events handled by EventBus
- Auto-discovery - Handlers registered automatically via decorators
Commands → CommandBus → CommandHandlers → Repository → Events
Queries → QueryBus → QueryHandlers → Repository → Results
Events → EventBus → EventHandlers → Side Effects
- CreateUserCommand - Create new user with validation
- UpdateUserCommand - Update user information
- DeleteUserCommand - Remove user from system
- GetUserQuery - Retrieve user by ID
- GetAllUsersQuery - List all users with pagination
- UserCreatedEvent - Published when user is created
- UserUpdatedEvent - Published when user is modified
- UserDeletedEvent - Published when user is removed
// In your service
const user = await this.commandBus.execute(
new CreateUserCommand('[email protected]', 'password123', 'John Doe')
);// In your service
const user = await this.queryBus.execute(new GetUserQuery('user-id-123'));
const users = await this.queryBus.execute(
new GetAllUsersQuery(10, 0) // limit, offset
);@EventHandler(UserCreatedEvent)
export class UserCreatedHandler implements IEventHandler<UserCreatedEvent> {
async handle(event: UserCreatedEvent): Promise<void> {
// Send welcome email, update analytics, etc.
}
}# Run CQRS-specific tests
pnpm test test/cqrs.spec.ts
# All CQRS tests are included in unit tests
pnpm test:unitexport class YourCommand implements ICommand {
readonly type = 'YourCommand';
constructor(public readonly data: any) {}
}@Injectable()
@CommandHandler(YourCommand)
export class YourCommandHandler implements ICommandHandler<YourCommand> {
async execute(command: YourCommand): Promise<any> {
// Handle command logic
}
}@Module({
imports: [CqrsModule],
providers: [YourCommandHandler],
})
export class YourModule {}// Configure SSL certificates
SSL_CERT_PATH = /path/ot / cert.pem;
SSL_KEY_PATH = /path/ot / key.pem;
// Make secure API calls
const httpsService = new HttpsService(new FeatureFlagsService());
const response = await httpsService.makeSecureRequest('https://api.example.com/data');// Client-side WebSocket connection
const socket = io('ws://localhost:3000/ws');
// Send message
socket.emit('message', { text: 'Hello WebSocket!' });
// Join room for targeted messaging
socket.emit('join-room', 'user-notifications');
// Listen for responses
socket.on('response', (data) => console.log(data));# Configure MQTT broker
MQTT_BROKER_URL=mqtt://localhost:1883
MQTT_USERNAME=your_username
MQTT_PASSWORD=your_password// Publish user events
mqttService.publishUserEvent('user123', 'login', { ip: '192.168.1.1' });
// Publish system alerts
mqttService.publishSystemAlert('error', 'Database connection failed');
// Subscribe to topics
mqttService.subscribe('sensors/temperature');# Configure gRPC
GRPC_PORT=5000// gRPC client usage
const client = new UserServiceClient('localhost:5000');
// Create user via gRPC
const user = await client.createUser({
email: '[email protected]',
name: 'John Doe',
password: 'secure123',
});
// Get user via gRPC
const userData = await client.getUser({ id: 'user123' });# Test all protocol implementations
pnpm test test/protocols.spec.ts
# Protocol tests are included in unit tests
pnpm test:unit- Content Security Policy (CSP): Prevents XSS attacks
- X-Frame-Options: Prevents clickjacking (set to DENY)
- X-Content-Type-Options: Prevents MIME type sniffing
- Referrer-Policy: Controls referrer information
- Default: 100 requests per minute per IP
- Configurable: Via
RATE_LIMIT_MAXandRATE_LIMIT_WINDOWenv vars - IP-based: Uses client IP for rate limiting
- Graceful: Skips on error to maintain availability
- Encodings: gzip, deflate
- Performance: Reduces bandwidth usage
- HTTP errors: Standardized error responses
- Utilities: Common HTTP status codes and helpers
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: Restricts geolocation, microphone, camera
- Auth endpoints (
/auth/*): No caching - User endpoints (
/users/*): No caching - Headers: Cache-Control, Pragma, Expires
- Origin: Allow all origins
- Credentials: Enabled
- Origin: Restricted to
ALLOWED_ORIGINSenv var - Methods: GET, POST, PUT, DELETE, OPTIONS only
- Credentials: Enabled for authenticated requests
- Whitelist: Only allow defined properties
- Transform: Auto-transform input types
- Forbid non-whitelisted: Reject unknown properties
- Production: Disable detailed error messages
- Default: 1MB request body limit
- Configurable: Via
BODY_LIMITenv var - Protection: Prevents DoS via large payloads
- Secret: Configurable via
JWT_SECRETenv var - Expiration: Short-lived access tokens (15m default)
- Refresh tokens: Longer-lived, stored securely
- Redis-based: Revoked tokens stored in Redis
- Logout: Immediate token invalidation
- Security: Prevents token reuse after logout
- CASL integration: Fine-grained permissions
- Guards: Protect sensitive endpoints
- Policies: Declarative permission checks
- Swagger UI: Disabled in production
- Error messages: Sanitized in production
- Host binding: Secure host binding for production
- Enabled: For proper IP detection behind proxies
- Rate limiting: Accurate IP-based limiting
- Security headers: Proper forwarded headers handling
JWT_SECRET=your-strong-secret-key
ALLOWED_ORIGINS=https://yourdomain.com,https://api.yourdomain.com
RATE_LIMIT_MAX=100
RATE_LIMIT_WINDOW=60000
BODY_LIMIT=1048576- Defense in Depth: Multiple security layers
- Principle of Least Privilege: Minimal permissions by default
- Input Validation: All inputs validated and sanitized
- Secure Headers: Comprehensive security headers
- Rate Limiting: Protection against abuse
- HTTPS Ready: Secure transport layer support
- Error Handling: No sensitive information in errors
- Token Security: Secure JWT implementation with revocation
All security measures are tested in the test suite:
- Unit tests for authentication logic
- E2E tests for endpoint security
- Validation tests for input sanitization
- Authorization tests for access control
- Request logging: All requests logged with IP and user agent
- Error logging: Security-relevant errors logged
- Rate limit logging: Abuse attempts logged
- Authentication logging: Login/logout events logged
Regular updates of dependencies and security patches:
- Automated dependency scanning
- Security vulnerability monitoring
- Regular security audits
This template includes an optional hybrid coordination package using Temporal to support:
- Cron schedules (Temporal Schedules)
- Orchestration (Saga-style workflows + compensations)
- Choreography via Signals (external services signaling progress)
Docs: see coordination/README.md.
Quick commands:
# Start local Temporal and UI
npm run coordination:temporal:up
# Run the coordination worker
npm run coordination:worker
# Run the hybrid smoke (starts workflow and signals it)
npm run coordination:smoke
# One-step orchestrated smoke (brings up Temporal, starts worker, runs smoke)
npm run coordination:smoke:local
# Tear down local Temporal
npm run coordination:temporal:downThese diagrams illustrate how this template can be used in different setups. They are examples; tailor to your needs.
Comprehensive microservice service in /src/common/microservice/ enables all NestJS microservice protocols and implementations including RPC, Pub/Sub, AMQP, cron scheduling, and streaming.
microservice.service.ts- Main service implementing all microservice protocolsmicroservice-config.service.ts- Configuration management for all transportsmicroservice.controller.ts- HTTP API endpoints for microservice operationsmicroservice.module.ts- NestJS module wiring everything togetherexample-usage.service.ts- Comprehensive examples of service usageindex.ts- Export declarations for clean importsREADME.md- Comprehensive documentation
test/microservice.integration.spec.ts- Integration tests with 29 passing test cases
✅ TCP - Simple TCP-based communication
✅ Redis - Redis as message broker
✅ NATS - NATS messaging system
✅ RabbitMQ (AMQP) - Advanced Message Queuing Protocol
✅ gRPC - High-performance RPC framework
✅ Kafka - Distributed streaming platform (integrated with existing KafkaService)
✅ MQTT - Lightweight messaging protocol (integrated with existing MqttService)
✅ BullMQ - Job queue system (integrated with existing BullMQService)
✅ Real-time Streaming - Server-Sent Events with multiple channels
✅ Cron Scheduling - Full cron job management with @nestjs/schedule
✅ Health Monitoring - Automatic health checks for all transports
✅ Circuit Breaker - Fault tolerance configuration
✅ Retry Logic - Configurable retry mechanisms
✅ Comprehensive Configuration - Environment-based configuration for all features
GET /microservice/status- Service status and available transportsGET /microservice/health- Comprehensive health checkGET /microservice/metrics- System and service metricsGET /microservice/config- Configuration overview
POST /microservice/message- Send message via any transportPOST /microservice/event- Emit event via any transportPOST /microservice/kafka/message- Send Kafka messagePOST /microservice/mqtt/message- Publish MQTT messagePOST /microservice/queue/job- Add job to BullMQ queue
POST /microservice/stream- Stream data to channelGET /microservice/stream/channels- List available channelsGET /microservice/stream/:channel- Subscribe to stream (SSE)GET /microservice/status/live- Live status updates (SSE)
POST /microservice/cron- Add cron jobPOST /microservice/cron/:name/remove- Remove cron job
POST /microservice/test/:transport- Test transport connectivity
# Microservice Transports
ENABLE_TCP_MICROSERVICE=false
ENABLE_REDIS_MICROSERVICE=true
ENABLE_NATS_MICROSERVICE=false
ENABLE_RABBITMQ_MICROSERVICE=false
ENABLE_KAFKA=true
ENABLE_BULLMQ=true
ENABLE_STREAMING=true
# Transport-specific configurations
TCP_HOST=localhost
TCP_PORT=3001
NATS_SERVERS=nats://localhost:4222
RABBITMQ_URL=amqp://localhost:5672
STREAMING_CHANNELS=user-events,system-metrics,audit-logs,notifications,real-time-data
# Scheduler/Cron configurations
ENABLE_HEALTH_CHECK_CRON=true
HEALTH_CHECK_CRON=*/30 * * * *
ENABLE_METRICS_COLLECTION_CRON=false
METRICS_COLLECTION_CRON=*/5 * * * *
# Plus many more detailed configuration options...- Added
MicroserviceModuletosrc/apps/api-gateway/app.module.ts - Added
MicroserviceControllerto expose HTTP endpoints - Integrated with existing
MessagingModuleandProtocolsModule
@nestjs/schedule- For cron job managementcron- For cron expression parsing
// Inject the service
constructor(private readonly microserviceService: MicroserviceService) {}
// Send messages
await microserviceService.sendMessage('redis', 'user.create', userData);
// Stream data
microserviceService.streamData('user-events', eventData);
// Add cron jobs
microserviceService.addCronJob('backup', '0 2 * * *', backupCallback);
// Subscribe to streams
microserviceService.subscribeToStream('notifications').subscribe(msg => {
console.log('Received:', msg);
});# Send a Redis message
curl -X POST http://localhost:3000/microservice/message
-H "Content-Type: application/json"
-d '{"transport": "redis", "pattern": "user.create", "data": {"name": "John"}}'
# Stream data
curl -X POST http://localhost:3000/microservice/stream
-H "Content-Type: application/json"
-d '{"channel": "user-events", "data": {"event": "user_login"}}'
# Subscribe to stream (SSE)
curl http://localhost:3000/microservice/stream/user-events✅ 29 passing test cases covering:
- Service initialization and configuration
- All transport configurations
- Streaming functionality
- External service integration (Kafka, BullMQ, MQTT)
- Service status and health monitoring
- Cron job management
- Error handling scenarios
The implementation follows a clean layered architecture:
- Controller Layer - HTTP API endpoints with proper error handling
- Service Layer - Core business logic and transport management
- Configuration Layer - Environment-based configuration management
- Integration Layer - Seamless integration with existing services
- Unified Interface - Single service to manage all microservice protocols
- Feature Flag Support - Individual transports can be enabled/disabled
- Production Ready - Comprehensive error handling, health checks, and monitoring
- Extensible - Easy to add new transports or features
- Well Tested - Full test coverage with integration tests
- Documentation - Comprehensive README and inline documentation
The microservice service is ready for production use. To get started:
- Configure desired transports via environment variables
- Start the application:
pnpm start:dev - Access the API at
http://localhost:3000/microservice/status - Use the HTTP endpoints or inject the service programmatically
The implementation provides a solid foundation for building scalable microservice architectures with NestJS.
## 🎆 **Production Development Readiness**
## ✅ **Completed Features**
### Architecture & Design
- ✅ Clean Architecture/DDD implementation
- ✅ Hexagonal architecture with ports and adapters
- ✅ SOLID principles throughout codebase
- ✅ Event-driven architecture with Kafka
### Database & Persistence
- ✅ Flexible database support (Prisma/PostgreSQL/MongoDB)
- ✅ Repository pattern with clean abstractions
- ✅ Database migrations and seeding
- ✅ Connection pooling and health monitoring
### Security & Authentication
- ✅ JWT authentication with refresh tokens
- ✅ CASL-based authorization system
- ✅ Comprehensive security headers
- ✅ Rate limiting and CORS protection
- ✅ Input validation and sanitization
### APIs & Communication
- ✅ REST API with OpenAPI documentation
- ✅ GraphQL API with playground
- ✅ Event streaming with Kafka
- ✅ Background job processing with BullMQ
### Microservice Features
- ✅ Service discovery (Consul)
- ✅ Distributed tracing (Jaeger)
- ✅ Health checks and monitoring
- ✅ Configuration management
- ✅ Graceful shutdown handling
### CQRS Implementation
- ✅ **Command Bus** - Write operations with command handlers
- ✅ **Query Bus** - Read operations with query handlers
- ✅ **Event Bus** - Event-driven architecture with event handlers
- ✅ **Auto-discovery** - Automatic handler registration via decorators
- ✅ **Complete separation** - Commands, queries, events, and handlers
### Testing & Quality
- ✅ Comprehensive test suite (42 unit tests)
- ✅ Integration and E2E testing capabilities
- ✅ Performance testing framework
- ✅ Code quality tools (ESLint, Prettier)
- ✅ Pre-commit and pre-push hooks
- ✅ Docker testing with containerized E2E tests
### DevOps & Deployment
- ✅ Docker containerization
- ✅ Kubernetes Helm charts
- ✅ CI/CD pipeline with GitHub Actions
- ✅ Multi-environment configuration
- ✅ Production monitoring and observability
## 🚀 **Ready for Development**
This template provides a complete production-ready foundation for building scalable NestJS microservices with:
- **Enterprise-grade architecture** following industry best practices
- **Complete CQRS implementation** with command/query separation
- **Comprehensive security** with multiple protection layers
- **Multi-protocol support** (HTTPS, WebSocket, MQTT, gRPC)
- **Flexible data persistence** supporting PostgreSQL and MongoDB
- **Event-driven scalability** with Kafka and background job processing
- **Full observability** with health checks, tracing, and monitoring
- **DevOps automation** with containerization and CI/CD pipelines
- **Quality assurance** with 42 comprehensive tests and code quality tools
- **Docker-ready deployment** with optimized containers and orchestration
## **Feature Matrix**
| Feature Category | Implementation | Status |
| ------------------ | ---------------------------------------------------------- | -------- |
| **Architecture** | Clean Architecture, DDD, Hexagonal | Complete |
| **CQRS** | Command/Query/Event Buses with Auto-discovery | Complete |
| **Database** | PostgreSQL (Prisma) + MongoDB with Repository Pattern | Complete |
| **Authentication** | JWT + Refresh Tokens + Redis Revocation | Complete |
| **Authorization** | CASL-based Fine-grained Permissions | Complete |
| **Security** | Multi-layer (Helmet, CORS, Rate Limiting, Validation) | Complete |
| **Protocols** | HTTPS, WebSocket, MQTT, gRPC | Complete |
| **APIs** | REST (OpenAPI) + GraphQL with Playground | Complete |
| **Messaging** | Kafka Event Streaming + BullMQ Background Jobs | Complete |
| **Microservices** | Service Discovery (Consul) + Tracing (Jaeger) | Complete |
| **Monitoring** | Health Checks + Performance Monitoring + Circuit Breaker | Complete |
| **Testing** | 42 Tests (Unit + E2E + Integration + Performance + Docker) | Complete |
| **DevOps** | Docker + Kubernetes + Helm + CI/CD | Complete |
| **Code Quality** | ESLint + Prettier + Pre-commit Hooks + Zero Lint Issues | Complete |