Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:02,150 --> 00:00:06,320 So how does authentication work in general? 2 00:00:06,320 --> 00:00:08,980 And then also specifically in React 3 00:00:08,980 --> 00:00:11,363 and the Next.js applications. 4 00:00:12,500 --> 00:00:15,620 The core idea is always the same. 5 00:00:15,620 --> 00:00:17,010 We have our client, 6 00:00:17,010 --> 00:00:20,640 so our browser and the user visiting our page 7 00:00:20,640 --> 00:00:25,240 through that browser and our server serving that page. 8 00:00:25,240 --> 00:00:28,430 The server also is connected to a database 9 00:00:28,430 --> 00:00:33,170 where for example, all our registered users are stored. 10 00:00:33,170 --> 00:00:36,660 Now let's assume a user did already create an account. 11 00:00:36,660 --> 00:00:41,590 And now that same user visits our page and wants to log in. 12 00:00:41,590 --> 00:00:43,020 How does that work? 13 00:00:43,020 --> 00:00:47,120 Well, the user enters some data into a login form 14 00:00:47,120 --> 00:00:50,220 like this form here for example, 15 00:00:50,220 --> 00:00:51,460 in the log-in mode. 16 00:00:51,460 --> 00:00:55,740 So the user enters some data here and clicks log in 17 00:00:55,740 --> 00:00:56,940 When that happens, 18 00:00:56,940 --> 00:01:00,910 we send the request with JavaScript to the server 19 00:01:00,910 --> 00:01:03,570 our request which contains the user data, 20 00:01:03,570 --> 00:01:06,240 email and password for example, 21 00:01:06,240 --> 00:01:10,400 then on the server, we can validate that input. 22 00:01:10,400 --> 00:01:12,720 We can reach out to our database 23 00:01:12,720 --> 00:01:16,850 and see if we find an account for that email address. 24 00:01:16,850 --> 00:01:19,890 And if the entered password matches the password 25 00:01:19,890 --> 00:01:21,770 we find in the database. 26 00:01:21,770 --> 00:01:23,640 And then we sent back a response 27 00:01:23,640 --> 00:01:27,850 which basically says, yes, your credentials were correct. 28 00:01:27,850 --> 00:01:29,380 You are authenticated 29 00:01:29,380 --> 00:01:33,890 or which declines the authentication request. 30 00:01:33,890 --> 00:01:38,330 And then once we sent back that yes or no response 31 00:01:38,330 --> 00:01:39,690 though it's a bit more than that 32 00:01:39,690 --> 00:01:41,100 as you will see in a second. 33 00:01:41,100 --> 00:01:43,620 But once you send it back that response 34 00:01:43,620 --> 00:01:48,380 the client can there after also reach protected routes 35 00:01:48,380 --> 00:01:51,820 and send requests to other endpoints 36 00:01:51,820 --> 00:01:56,820 on our server to our URLs on our server 37 00:01:56,900 --> 00:01:59,810 that might require authentication. 38 00:01:59,810 --> 00:02:02,220 Like for example that profile page. 39 00:02:02,220 --> 00:02:05,960 We're only able to reach it once we are authenticated. 40 00:02:05,960 --> 00:02:10,960 And we also only can change the password if we are. 41 00:02:11,150 --> 00:02:15,013 So if that request is sent to some backend API 42 00:02:15,013 --> 00:02:18,960 that the old password should be replaced with a new one 43 00:02:18,960 --> 00:02:23,000 that kind of request should only be allowed 44 00:02:23,000 --> 00:02:27,290 and fulfilled if the user is authenticated. 45 00:02:27,290 --> 00:02:29,500 So that request which we send here 46 00:02:29,500 --> 00:02:32,870 needs some extra data attached to it 47 00:02:32,870 --> 00:02:35,740 some extra data attached to the request 48 00:02:35,740 --> 00:02:38,230 which in the end tells the backend 49 00:02:38,230 --> 00:02:40,850 that this user is authenticated. 50 00:02:40,850 --> 00:02:44,810 Because anyone could be sending requests to our API, 51 00:02:44,810 --> 00:02:49,280 and hence the request needs to carry some extra permission 52 00:02:49,280 --> 00:02:52,610 which then should be verified on the server. 53 00:02:52,610 --> 00:02:55,200 And that permission part is important. 54 00:02:55,200 --> 00:02:58,690 Because a simple yes or no sent back by the server 55 00:02:58,690 --> 00:03:01,510 to the client would not be enough. 56 00:03:01,510 --> 00:03:05,340 Because we can of course always send a request 57 00:03:05,340 --> 00:03:09,050 to some API and point that requires authentication 58 00:03:09,050 --> 00:03:11,780 and say, "Hey, I'm authenticated." 59 00:03:11,780 --> 00:03:16,320 We can't just believe that as the author of the API 60 00:03:16,320 --> 00:03:20,270 we need some proof that a user is authenticated. 61 00:03:20,270 --> 00:03:22,820 And therefore authentication involves 62 00:03:22,820 --> 00:03:26,400 this exchange of credentials for permission. 63 00:03:26,400 --> 00:03:28,060 But the permission is more 64 00:03:28,060 --> 00:03:30,000 than just a yes or no. 65 00:03:30,000 --> 00:03:32,610 To be precise we can't just save 66 00:03:32,610 --> 00:03:34,720 and use a simple yes, 67 00:03:34,720 --> 00:03:37,380 because of fake yes, could be sent. 68 00:03:37,380 --> 00:03:40,570 We can't just tell our server that we are authenticated 69 00:03:40,570 --> 00:03:43,030 and then request protected data 70 00:03:43,030 --> 00:03:45,980 or perform protected operations. 71 00:03:45,980 --> 00:03:48,560 And therefore, instead we need some proof. 72 00:03:48,560 --> 00:03:51,620 Some proof which con to be faked. 73 00:03:51,620 --> 00:03:54,550 And for this, we've got two main mechanisms. 74 00:03:54,550 --> 00:03:59,550 We got server-side sessions and authentication tokens. 75 00:03:59,720 --> 00:04:02,270 Now these are two common approaches 76 00:04:02,270 --> 00:04:06,970 for solving this problem of unfakable permissions. 77 00:04:06,970 --> 00:04:10,130 The concept of server-side sessions 78 00:04:10,130 --> 00:04:15,130 works such that we store some unique identifier on a server. 79 00:04:15,930 --> 00:04:20,550 So we generate some session ID, which is unique. 80 00:04:20,550 --> 00:04:22,790 And we store that on the server, 81 00:04:22,790 --> 00:04:24,850 for example, in a database. 82 00:04:24,850 --> 00:04:28,640 And we sent that same identifier to the client 83 00:04:28,640 --> 00:04:30,950 that sent us the credentials. 84 00:04:30,950 --> 00:04:35,950 Then on the client, we can store that ID that identifier. 85 00:04:37,020 --> 00:04:39,300 And then we can use that stored identifier 86 00:04:39,300 --> 00:04:43,090 to attach it to requests which we there after are send 87 00:04:43,090 --> 00:04:46,280 to protected resources on the server. 88 00:04:46,280 --> 00:04:49,580 And then the server is always able to extract 89 00:04:49,580 --> 00:04:52,750 that identifier from the incoming requests 90 00:04:52,750 --> 00:04:56,370 check if it's stored that identifier in the database 91 00:04:56,370 --> 00:04:59,000 and if it did grant access, 92 00:04:59,000 --> 00:05:02,210 and if it does not deny access. 93 00:05:02,210 --> 00:05:03,750 Now then only clients 94 00:05:03,750 --> 00:05:07,176 which have does identifier are able to send requests. 95 00:05:07,176 --> 00:05:11,720 Now you might say, okay, but can this identify be stolen? 96 00:05:11,720 --> 00:05:14,790 Well, whilst it's in transit it shouldn't be stolen 97 00:05:14,790 --> 00:05:17,040 because we should be using SSL 98 00:05:17,040 --> 00:05:19,940 for encrypting to connection anyways. 99 00:05:19,940 --> 00:05:22,960 And when it is stored on the client side 100 00:05:22,960 --> 00:05:25,320 it is stored in a cookie typically 101 00:05:25,320 --> 00:05:27,290 and that cookie can be configured 102 00:05:27,290 --> 00:05:31,030 such that it's not accessible through JavaScript 103 00:05:31,030 --> 00:05:34,080 to prevent against cross-site scripting attacks. 104 00:05:34,080 --> 00:05:37,740 And that it is only readable from the server 105 00:05:37,740 --> 00:05:41,040 when it is attached to outgoing requests. 106 00:05:41,040 --> 00:05:44,560 And even if it would be accessible through JavaScript 107 00:05:44,560 --> 00:05:45,830 you should be protecting 108 00:05:45,830 --> 00:05:49,300 against cross-site scripting attacks anyways. 109 00:05:49,300 --> 00:05:52,690 And if you can rule out cross-site scripting attacks 110 00:05:52,690 --> 00:05:56,010 your authentication permission stored 111 00:05:56,010 --> 00:05:59,180 in some client-side storage is pretty secure. 112 00:05:59,180 --> 00:06:02,260 Because only you, the owner of this computer 113 00:06:02,260 --> 00:06:05,260 and the user of this browser are able to view it. 114 00:06:05,260 --> 00:06:08,230 So you could only hack yourself 115 00:06:08,230 --> 00:06:11,730 and some random dude wouldn't be able to just send 116 00:06:11,730 --> 00:06:13,720 a fake request to the server 117 00:06:13,720 --> 00:06:17,070 because whilst you could come up with a random identifier 118 00:06:17,070 --> 00:06:20,710 the server would not know that identifier. 119 00:06:20,710 --> 00:06:23,630 So that's the concept of server-side sessions. 120 00:06:23,630 --> 00:06:26,970 The other concept is about authentication tokens. 121 00:06:26,970 --> 00:06:29,080 It's not that far off. 122 00:06:29,080 --> 00:06:32,760 The idea here is that the server does not store 123 00:06:32,760 --> 00:06:34,410 any identifiers. 124 00:06:34,410 --> 00:06:38,610 Instead, the server creates and signs tokens. 125 00:06:38,610 --> 00:06:42,310 Which in the end are just a random strings you could say. 126 00:06:42,310 --> 00:06:47,310 Random strings which can be unpacked to data packages 127 00:06:48,160 --> 00:06:50,030 so we take various pieces of data 128 00:06:50,030 --> 00:06:52,710 and sign them together more on that in a second. 129 00:06:52,710 --> 00:06:56,300 And then such a token is sent back to the client. 130 00:06:56,300 --> 00:06:58,470 The client can then save that token 131 00:06:58,470 --> 00:07:01,270 and again attach it to outgoing requests 132 00:07:01,270 --> 00:07:04,720 to tell the server that access should be granted. 133 00:07:04,720 --> 00:07:07,910 Now, even though the server does not store 134 00:07:07,910 --> 00:07:11,200 that token in a database or anywhere else 135 00:07:11,200 --> 00:07:14,820 the server knows how it's signed that token. 136 00:07:14,820 --> 00:07:17,080 And I'll come back to that in a second. 137 00:07:17,080 --> 00:07:19,930 So the server will be able to verify 138 00:07:19,930 --> 00:07:23,600 if a token was created by it or not. 139 00:07:23,600 --> 00:07:26,650 And therefore, again if I just come up 140 00:07:26,650 --> 00:07:28,930 with some random token string 141 00:07:28,930 --> 00:07:31,750 and I send this to a server to get access 142 00:07:31,750 --> 00:07:35,520 to some protected resource access would be denied 143 00:07:35,520 --> 00:07:37,770 because the server would not be able 144 00:07:37,770 --> 00:07:40,140 to verify my random string. 145 00:07:40,140 --> 00:07:43,300 Because it wouldn't be a validly signed token 146 00:07:43,300 --> 00:07:45,640 generated by that server. 147 00:07:45,640 --> 00:07:48,550 Now these are the two approaches we have. 148 00:07:48,550 --> 00:07:51,610 Now when we build a single-page application 149 00:07:51,610 --> 00:07:55,390 which we in the end still kind of do with Next.js 150 00:07:55,390 --> 00:07:59,110 then we typically work with tokens instead of sessions. 151 00:07:59,110 --> 00:08:01,410 And there are reasons for that. 152 00:08:01,410 --> 00:08:04,710 For one, pages are served directly and populated 153 00:08:04,710 --> 00:08:08,970 with logic without necessarily hitting the server. 154 00:08:08,970 --> 00:08:11,640 Of course, when working with Next.js, 155 00:08:11,640 --> 00:08:13,520 you can build pages 156 00:08:13,520 --> 00:08:16,400 which use get server-side props 157 00:08:16,400 --> 00:08:19,080 and therefore there will be a request handled 158 00:08:19,080 --> 00:08:22,530 by the server every time that page is being served. 159 00:08:22,530 --> 00:08:26,160 But you will also have many pages which are pre-generated. 160 00:08:26,160 --> 00:08:28,860 And once the user is on your website 161 00:08:28,860 --> 00:08:33,100 many pages won't be fetched from the backend at all 162 00:08:33,100 --> 00:08:34,690 but instead will be loaded 163 00:08:34,690 --> 00:08:39,590 and generated dynamically with front-end JavaScript 164 00:08:39,590 --> 00:08:42,720 because you still have a single-page application 165 00:08:42,720 --> 00:08:46,300 at least for many pages that make up your website 166 00:08:46,300 --> 00:08:49,240 after you initially loaded your first page 167 00:08:49,240 --> 00:08:51,950 then still JavaScript takes over, 168 00:08:51,950 --> 00:08:56,070 React takes over and handles your website. 169 00:08:56,070 --> 00:08:57,410 So that's important. 170 00:08:57,410 --> 00:09:00,630 You don't send a request for every page you visit 171 00:09:00,630 --> 00:09:03,490 because you're not using get server-side props 172 00:09:03,490 --> 00:09:04,990 on every page. 173 00:09:04,990 --> 00:09:08,660 So to server, doesn't see every request which you send 174 00:09:08,660 --> 00:09:11,130 and therefore you load pages without the server 175 00:09:11,130 --> 00:09:13,660 being able to directly find out 176 00:09:13,660 --> 00:09:16,090 if you are authenticated or not. 177 00:09:16,090 --> 00:09:19,260 In addition, backend APIs which be used 178 00:09:19,260 --> 00:09:23,010 for a single-page applications are typically stateless. 179 00:09:23,010 --> 00:09:26,850 They don't care about the individual connected clients. 180 00:09:26,850 --> 00:09:30,210 They don't keep track of all the connected clients. 181 00:09:30,210 --> 00:09:32,020 Instead, the idea is that, 182 00:09:32,020 --> 00:09:35,740 that API can work pretty much on its own. 183 00:09:35,740 --> 00:09:38,700 And it just is able to hand out permissions 184 00:09:38,700 --> 00:09:41,810 to clients who authenticated so that they can then 185 00:09:41,810 --> 00:09:45,420 later request access to protect the resources. 186 00:09:45,420 --> 00:09:49,520 The API itself does not store any extra information 187 00:09:49,520 --> 00:09:52,300 about any connected clients. 188 00:09:52,300 --> 00:09:55,840 And since this is how we build single-page applications 189 00:09:55,840 --> 00:09:59,710 the server is not involved in every request 190 00:09:59,710 --> 00:10:02,900 and every action that's happening on our page 191 00:10:02,900 --> 00:10:06,160 because we handled that with front-end JavaScript 192 00:10:06,160 --> 00:10:10,620 and we have that stateless API connected to the SPA. 193 00:10:10,620 --> 00:10:11,950 And because of all of that, 194 00:10:11,950 --> 00:10:15,640 we could say that we have kind of a detached front-end 195 00:10:15,640 --> 00:10:17,510 and back-end combination. 196 00:10:17,510 --> 00:10:20,090 They do talk to each other sometimes 197 00:10:20,090 --> 00:10:24,100 but not for every action that's going on on the page. 198 00:10:24,100 --> 00:10:27,660 And because that's the case, servers don't save information 199 00:10:27,660 --> 00:10:29,560 about authenticated clients. 200 00:10:29,560 --> 00:10:33,360 And instead clients should get that standalone permission 201 00:10:33,360 --> 00:10:37,080 which allows them to prove that they are authenticated. 202 00:10:37,080 --> 00:10:39,660 And that's why we use these tokens. 203 00:10:39,660 --> 00:10:40,930 And here specifically, 204 00:10:40,930 --> 00:10:44,210 we use a concept called JSON Web Tokens 205 00:10:44,210 --> 00:10:46,200 that is simply the most common form 206 00:10:46,200 --> 00:10:48,360 of authentication token. 207 00:10:48,360 --> 00:10:51,380 And it's simply describes the way the token is generated 208 00:10:51,380 --> 00:10:54,510 though we don't need to care about that too much 209 00:10:54,510 --> 00:10:57,780 because we'll use a third-party library for generating 210 00:10:57,780 --> 00:10:59,993 and signing that token anyways. 211 00:11:00,930 --> 00:11:04,740 So as it seems, these JSON Web Tokens are important 212 00:11:04,740 --> 00:11:06,853 and therefore we should take a closer look at them. 213 00:11:06,853 --> 00:11:11,130 We should understand how exactly JSON Web Tokens work. 214 00:11:11,130 --> 00:11:12,790 And in the end that JSON Web Tokens 215 00:11:12,790 --> 00:11:17,723 is generated with three main blocks. 216 00:11:18,560 --> 00:11:20,700 We got some issuer data. 217 00:11:20,700 --> 00:11:24,040 Some data which is automatically added into a token 218 00:11:24,040 --> 00:11:27,530 by the server when that token is generated. 219 00:11:27,530 --> 00:11:30,400 That's some metadata which we typically don't set up 220 00:11:30,400 --> 00:11:32,260 ourselves as a developer, 221 00:11:32,260 --> 00:11:35,950 but which is pre-configured by the third party packages 222 00:11:35,950 --> 00:11:38,540 we use for generating tokens. 223 00:11:38,540 --> 00:11:42,680 We can then still also add custom data to our token 224 00:11:42,680 --> 00:11:45,260 for example, some information about the user 225 00:11:46,130 --> 00:11:47,930 and then very important, 226 00:11:47,930 --> 00:11:50,490 we also set up a secret key. 227 00:11:50,490 --> 00:11:53,600 We set up that key on the server. 228 00:11:53,600 --> 00:11:56,700 The client never gets to see that key. 229 00:11:56,700 --> 00:11:59,900 And that's important because if you have that key 230 00:11:59,900 --> 00:12:02,550 you can create valid tokens, 231 00:12:02,550 --> 00:12:04,740 which are accepted by the server. 232 00:12:04,740 --> 00:12:08,120 Hence only the server knows that key. 233 00:12:08,120 --> 00:12:12,530 Then we generate a token with some third-party package 234 00:12:12,530 --> 00:12:14,860 by combining all these pieces together 235 00:12:14,860 --> 00:12:19,690 by creating a random string that incorporates all that data 236 00:12:19,690 --> 00:12:21,660 and is signed by that key. 237 00:12:21,660 --> 00:12:23,980 And that is that JSON Web Token, 238 00:12:23,980 --> 00:12:25,373 a long string. 239 00:12:26,220 --> 00:12:28,010 The important thing here is that 240 00:12:28,010 --> 00:12:30,840 signing does not mean encryption. 241 00:12:30,840 --> 00:12:34,020 The JSON Web Token is not encrypted. 242 00:12:34,020 --> 00:12:37,720 You can unpack it and read the data inside of it 243 00:12:37,720 --> 00:12:39,810 without knowing that key. 244 00:12:39,810 --> 00:12:44,810 That key only proves that a given server created that token. 245 00:12:45,710 --> 00:12:48,010 But you can read the content of the token 246 00:12:48,010 --> 00:12:49,640 without knowing that key. 247 00:12:49,640 --> 00:12:53,040 The key of course will not be included in the token though. 248 00:12:53,040 --> 00:12:55,020 So you can't read that key, 249 00:12:55,020 --> 00:12:57,733 even if you unpack the token. 250 00:12:59,390 --> 00:13:02,610 Now is that token which then is stored by the client? 251 00:13:02,610 --> 00:13:03,840 Sorry. By the browser? 252 00:13:03,840 --> 00:13:05,340 And which then is attached 253 00:13:05,340 --> 00:13:09,720 to requests two protected resources on the server. 254 00:13:09,720 --> 00:13:12,700 So two protected API routes. 255 00:13:12,700 --> 00:13:15,310 And for example, if you wanna change our password 256 00:13:15,310 --> 00:13:18,520 we don't just send the old and the new password 257 00:13:18,520 --> 00:13:23,350 but we also include that token in the outgoing request. 258 00:13:23,350 --> 00:13:27,140 And that token then is validated by the server 259 00:13:27,140 --> 00:13:28,880 which basically checks... 260 00:13:28,880 --> 00:13:33,440 Okay. If I would use my signing key which only I know 261 00:13:33,440 --> 00:13:36,830 would I be able to generate this token? 262 00:13:36,830 --> 00:13:38,160 And if the answer is, yes. 263 00:13:38,160 --> 00:13:39,900 The server knows that it's valid. 264 00:13:39,900 --> 00:13:41,060 If the answer is no. 265 00:13:41,060 --> 00:13:44,210 It's invalid and access is denied. 266 00:13:44,210 --> 00:13:47,200 So that's why we can't just generate a token 267 00:13:47,200 --> 00:13:48,730 without knowing the key. 268 00:13:48,730 --> 00:13:51,000 We can't generate a token, 269 00:13:51,000 --> 00:13:52,810 but it would be an invalid one. 270 00:13:52,810 --> 00:13:55,203 And that's why this is a secure mechanism. 271 00:13:56,140 --> 00:13:57,760 Okay. That was a lot of talking 272 00:13:57,760 --> 00:13:58,780 about of all of that, 273 00:13:58,780 --> 00:14:01,360 but that's the important theory. 274 00:14:01,360 --> 00:14:04,640 The foundation we need for then actually diving 275 00:14:04,640 --> 00:14:08,350 into authentication and implementing authentication. 276 00:14:08,350 --> 00:14:09,490 The great news is, 277 00:14:09,490 --> 00:14:13,000 that we don't need to build all these things from scratch 278 00:14:13,000 --> 00:14:15,840 but that instead for the token creation 279 00:14:15,840 --> 00:14:17,820 and validation and so on, 280 00:14:17,820 --> 00:14:21,533 we can rely on secure third-party packages. 22358