Skip to content

nestjs-accesstime

nestjs-accesstime is a NestJS middleware and guard package that provides runtime subscription validation for any AccessTime-compatible contract. It ensures that users have valid and active access before reaching protected endpoints in your app.

🚀 Example project available on GitHub.

Features

  • 🔒 Middleware & Guard for request-level subscription access control
  • 🔧 Configurable minRemainingTime to enforce stricter access thresholds
  • 🧠 Built on top of accesstime-sdk
  • 📦 Easily injects into your NestJS modules with register()

Installation

npm install nestjs-accesstime

Setup

Importing the Module

@Module({
  imports: [
    AccessTimeModule.register({
      chain: {
        id: 84532, // chainId
      },
      contractAddress: "0xContractAddress", // deployed accesstime contract address
      minRemainingTime: 60, // seconds
    }),
  ],
})
export class PrivateModule implements NestModule {
  configure(consumer: MiddlewareConsumer) {
    consumer.apply(AccessTimeMiddleware).forRoutes(PrivateController);
  }
}

Using the Guard (Optional)

@Controller("public")
export class PublicController {
  constructor(private readonly service: PublicService) {}
 
  @ApiHeaders([
    { name: "X-ACCESSTIME-AUTH-SIGNATURE", required: true },
    { name: "X-ACCESSTIME-AUTH-MESSAGE", required: true },
  ])
  @UseGuards(AccessTimeGuard)
  @Get("/private-test")
  getPrivateData() {
    return this.service.getProtected();
  }
}

Required Headers

HeaderDescription
X-ACCESSTIME-AUTH-MESSAGEHashed message created using hashMessage(message); includes timestamp to prevent replay attacks
X-ACCESSTIME-AUTH-SIGNATURESignature generated by signing the message with the user's wallet

AccessTime Context in Requests

When a user passes validation, the following is injected into req.accessTime:

{
  signerAddress: string;
  accessTimeExpiry: number;
  remainingTime: number;
  verifiedAt: Date;
}

Error Handling

If the signature is missing, invalid, or the user's subscription is expired:

  • 401 Unauthorized is returned
  • Response includes helpful error message for debugging

Use Cases

  • Secure private APIs
  • Gated access to paid features
  • Dynamic roles based on remaining subscription time