Skip to content

Double Call of JwtUserAuthGuard in NestJS 11, Not Calling Parent Class (AuthGuard) #14857

New issue
New issue
Closed
Bug
Closed
Double Call of JwtUserAuthGuard in NestJS 11, Not Calling Parent Class (AuthGuard)#14857
Bug
Labels
needs triageThis issue has not been looked intotype: bug 😭
@haithem-moumni

Description

@haithem-moumni
haithem-moumni
opened on Mar 25, 2025

Did you read the migration guide?

  • I have read the whole migration guide

Is there an existing issue that is already proposing this?

  • I have searched the existing issues

Potential Commit/PR that introduced the regression

No response

NestJS version

10 -> 11

Describe the regression

After upgrading from NestJS 10 to NestJS 11, I noticed that the canActivate method within the custom JwtUserAuthGuard is being called twice. In NestJS 10, the method was called once as expected.

The issue stems from the fact that JwtUserAuthGuard's canActivate method is being invoked twice, but it never reaches the parent class (AuthGuard). Instead, the method resolves to the same JwtUserAuthGuard class both times.

This change in behavior appears to be a result of updates in NestJS 11, where the framework may have altered how guards are resolved and executed, causing the recursion or unnecessary invocation of the guard itself rather than delegating to the parent AuthGuard('jwt-user').

``

Minimum reproduction code

No response

Input code

import { TokenClass } from '@app/models/token-class.model';
import { ExecutionContext, Injectable } from '@nestjs/common';
import { AuthGuard } from '@nestjs/passport';
import { plainToInstance } from 'class-transformer';
import { Observable } from 'rxjs';

@Injectable()
export class JwtUserAuthGuard extends AuthGuard('jwt-user') {
  
  public canActivate(
    context: ExecutionContext,
  ): boolean | Promise<boolean> | Observable<boolean> {
    const tokenClass: TokenClass = plainToInstance(
      TokenClass,
      context.switchToHttp().getRequest()?.body,
    );

    if ( tokenClass.getResponseType() === 'code') { return true }
     return super.canActivate(context);
  }
}

Expected behavior

The canActivate method in the JwtUserAuthGuard should be called only once, and it should delegate the call to the parent class (AuthGuard('jwt-user')) when necessary. Specifically, when super.canActivate(context) is invoked, it should properly call the parent class's method, not resolve to the same JwtUserAuthGuard class.

Other

Metadata

Metadata

Assignees

No one assigned

    Labels

    needs triageThis issue has not been looked intotype: bug 😭

    Type

    Bug

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions