1
00:00:01,160 --> 00:00:03,130
So previously, we already implemented
2
00:00:03,130 --> 00:00:05,420
a simple signup functionality,
3
00:00:05,420 --> 00:00:06,490
but in this lecture,
4
00:00:06,490 --> 00:00:08,760
we will actually also log the user in
5
00:00:08,760 --> 00:00:11,700
making a more real signup process.
6
00:00:11,700 --> 00:00:13,830
So starting from this lecture,
7
00:00:13,830 --> 00:00:16,760
we will really start to implement our authentication,
8
00:00:16,760 --> 00:00:19,683
and so this is where it gets really serious.
9
00:00:21,230 --> 00:00:23,210
And so therefore, before we start
10
00:00:23,210 --> 00:00:25,150
I want to give you a warning here,
11
00:00:25,150 --> 00:00:28,740
so authentication is very hard to get right
12
00:00:28,740 --> 00:00:31,330
and many tutorials out there that you're gonna find
13
00:00:31,330 --> 00:00:32,970
when you search for authentication
14
00:00:32,970 --> 00:00:35,492
with like Node.js and Express,
15
00:00:35,492 --> 00:00:38,480
many of these make many serious mistakes
16
00:00:38,480 --> 00:00:42,220
and oversimplify things that should not be simplified.
17
00:00:42,220 --> 00:00:45,270
All right, this is not to say that all tutorials out there
18
00:00:45,270 --> 00:00:46,740
are bad, all right,
19
00:00:46,740 --> 00:00:48,500
or that are useless or something,
20
00:00:48,500 --> 00:00:52,400
but I really spent weeks researching all the best practices
21
00:00:52,400 --> 00:00:54,670
and refining and improving my code,
22
00:00:54,670 --> 00:00:56,410
to make this authentication section
23
00:00:56,410 --> 00:00:59,550
that we're gonna start implementing now as good as possible,
24
00:00:59,550 --> 00:01:02,000
for a beginner like you, all right,
25
00:01:02,000 --> 00:01:05,227
and that is because we need to be really really
26
00:01:05,227 --> 00:01:08,950
extra careful when writing this part of the application,
27
00:01:08,950 --> 00:01:12,730
because remember, our user's data is at stake here,
28
00:01:12,730 --> 00:01:15,650
and the trust in the company who runs the application,
29
00:01:15,650 --> 00:01:17,200
is at stake as well,
30
00:01:17,200 --> 00:01:19,080
and so implementing authentication,
31
00:01:19,080 --> 00:01:21,200
is a real responsibility
32
00:01:21,200 --> 00:01:24,360
where you should not make any mistakes at all.
33
00:01:24,360 --> 00:01:25,980
Now there are some libraries out there
34
00:01:25,980 --> 00:01:28,470
that can help us implement authentication
35
00:01:28,470 --> 00:01:31,360
and authorization and the most well known one
36
00:01:31,360 --> 00:01:33,130
is called Passport,
37
00:01:33,130 --> 00:01:34,740
but even a library like that
38
00:01:34,740 --> 00:01:37,470
doesn't take all the work and all the responsibility
39
00:01:37,470 --> 00:01:39,510
away from you, all right.
40
00:01:39,510 --> 00:01:40,630
Now in this case here,
41
00:01:40,630 --> 00:01:42,810
we are actually gonna implement the whole login
42
00:01:42,810 --> 00:01:46,380
protecting and authorization logic all by ourselves,
43
00:01:46,380 --> 00:01:49,910
except of course for the JSON web token implementation
44
00:01:49,910 --> 00:01:52,310
that we talked about in the last video itself.
45
00:01:52,310 --> 00:01:54,820
Okay, so all the signing and verification
46
00:01:54,820 --> 00:01:58,170
all that stuff, we're gonna leave to the JWT library
47
00:01:58,170 --> 00:02:00,450
but then the rest, we're gonna implement ourselves
48
00:02:00,450 --> 00:02:02,920
over the next couple of lectures.
49
00:02:02,920 --> 00:02:04,430
Now as I mentioned earlier,
50
00:02:04,430 --> 00:02:07,830
we already have our signup function here, right,
51
00:02:07,830 --> 00:02:09,240
but right now, all it does
52
00:02:09,240 --> 00:02:11,500
is to simply create a new user
53
00:02:11,500 --> 00:02:14,010
and then send it back to the client.
54
00:02:14,010 --> 00:02:17,410
Now shortly after finishing recording this course,
55
00:02:17,410 --> 00:02:18,640
I actually noticed that
56
00:02:18,640 --> 00:02:21,239
there is a very serious security flaw
57
00:02:21,239 --> 00:02:23,920
in this way of signing up users,
58
00:02:23,920 --> 00:02:26,630
so basically the problem is that right now,
59
00:02:26,630 --> 00:02:30,640
we create a new user using all the data that is coming in
60
00:02:30,640 --> 00:02:32,850
with the body right,
61
00:02:32,850 --> 00:02:36,350
and so the problem here is that like this,
62
00:02:36,350 --> 00:02:40,960
anyone can specify the role as an admin right,
63
00:02:40,960 --> 00:02:45,360
so basically, everyone can now simply register as an admin
64
00:02:45,360 --> 00:02:46,670
into our application,
65
00:02:46,670 --> 00:02:49,620
and so that's of course not what we need.
66
00:02:49,620 --> 00:02:53,090
So again this is a serious security flaw
67
00:02:53,090 --> 00:02:55,860
and we of course will need to fix that
68
00:02:55,860 --> 00:02:58,420
and the fix is actually quite simple.
69
00:02:58,420 --> 00:03:01,150
So what you need instead of this line of code,
70
00:03:01,150 --> 00:03:02,670
that is selected here
71
00:03:02,670 --> 00:03:06,370
is this piece of code that I just put here on the screen.
72
00:03:06,370 --> 00:03:07,460
Okay.
73
00:03:07,460 --> 00:03:10,900
So again, please go ahead and delete this line of code
74
00:03:10,900 --> 00:03:12,720
that is currently selected here
75
00:03:12,720 --> 00:03:15,320
and replace it with the code that I just put here
76
00:03:15,320 --> 00:03:16,690
on the screen.
77
00:03:16,690 --> 00:03:19,070
Now what's actually the big difference here,
78
00:03:19,070 --> 00:03:21,010
well, with this new code,
79
00:03:21,010 --> 00:03:24,580
basically we only allow the data that we actually need
80
00:03:24,580 --> 00:03:26,550
to be put into the new user
81
00:03:26,550 --> 00:03:30,370
so just a name, the email and then the passwords.
82
00:03:30,370 --> 00:03:34,370
And so now, even if a user tries to manually input a role,
83
00:03:34,370 --> 00:03:37,030
we will not store that into the new user,
84
00:03:37,030 --> 00:03:38,750
and the same for other stuff,
85
00:03:38,750 --> 00:03:41,170
like for example, a photo.
86
00:03:41,170 --> 00:03:45,120
So this is the quick and easy fix for that problem.
87
00:03:45,120 --> 00:03:45,983
Now what this will do,
88
00:03:45,983 --> 00:03:49,890
is that we can actually no longer register as an admin,
89
00:03:49,890 --> 00:03:52,570
and so if we need to add a new administrator
90
00:03:52,570 --> 00:03:53,680
to our system,
91
00:03:53,680 --> 00:03:57,030
we can then very simply just create a new user normally
92
00:03:57,030 --> 00:03:59,610
and then go into MongoDB Compass,
93
00:03:59,610 --> 00:04:02,440
and basically edit that role in there.
94
00:04:02,440 --> 00:04:03,930
So edit it from user
95
00:04:03,930 --> 00:04:06,470
to admin manually, okay.
96
00:04:06,470 --> 00:04:09,070
Of course we could also define a special route
97
00:04:09,070 --> 00:04:10,910
for just creating admins
98
00:04:10,910 --> 00:04:13,610
but that would be a bit too much.
99
00:04:13,610 --> 00:04:16,209
Okay, so let's now move on.
100
00:04:16,209 --> 00:04:18,820
Just notice that the code in the rest of the video
101
00:04:18,820 --> 00:04:20,790
and all the videos in this course
102
00:04:20,790 --> 00:04:25,090
will of course still be this old wrong version, all right,
103
00:04:25,090 --> 00:04:27,270
but actually in the final code
104
00:04:27,270 --> 00:04:29,240
that is in the GitHub repository,
105
00:04:29,240 --> 00:04:32,773
I already fixed that and we have the correct code in there.
106
00:04:33,610 --> 00:04:37,770
Anyway, usually when we sign up for any web application,
107
00:04:37,770 --> 00:04:41,060
then you also get automatically logged in, right,
108
00:04:41,060 --> 00:04:43,500
and so let's very quickly implement that here.
109
00:04:43,500 --> 00:04:45,350
So log the new user in,
110
00:04:45,350 --> 00:04:48,120
as soon as he signed up, okay,
111
00:04:48,120 --> 00:04:50,090
and remember from the previous lecture,
112
00:04:50,090 --> 00:04:51,680
how that works,
113
00:04:51,680 --> 00:04:53,440
well all we really need to do,
114
00:04:53,440 --> 00:04:55,350
is to sign a JSON web token
115
00:04:55,350 --> 00:04:58,490
and then send it back to the user, okay,
116
00:04:58,490 --> 00:05:01,270
but let's now first of all install the npm package
117
00:05:01,270 --> 00:05:03,350
that we're gonna use for everything related
118
00:05:03,350 --> 00:05:04,893
to JSON web tokens.
119
00:05:06,160 --> 00:05:08,180
So in our other terminal,
120
00:05:08,180 --> 00:05:12,660
let's say npm install jsonwebtoken,
121
00:05:12,660 --> 00:05:14,370
so all of this together like this
122
00:05:16,240 --> 00:05:18,630
and that should then install this package
123
00:05:18,630 --> 00:05:19,790
and let's actually go ahead
124
00:05:19,790 --> 00:05:22,211
and take a look at it at GitHub,
125
00:05:22,211 --> 00:05:23,950
just to see the documentation
126
00:05:28,000 --> 00:05:29,380
and let's do that here,
127
00:05:29,380 --> 00:05:31,830
we no longer need this one here for now at least,
128
00:05:33,370 --> 00:05:38,370
and so this will take us to the page on npm,
129
00:05:38,810 --> 00:05:40,300
and so you see
130
00:05:40,300 --> 00:05:42,170
how popular this package actually is,
131
00:05:42,170 --> 00:05:45,100
so we have 2.3 million weekly downloads,
132
00:05:45,100 --> 00:05:47,930
so that really is a ton of downloads
133
00:05:47,930 --> 00:05:50,730
and we can take a look at the documentation here as well,
134
00:05:50,730 --> 00:05:53,540
but I personally prefer to do it on GitHub.
135
00:05:53,540 --> 00:05:56,090
I think it looks a lot cleaner here,
136
00:05:56,090 --> 00:05:58,240
and I'm so used to it at this point,
137
00:05:58,240 --> 00:06:02,410
and so I usually just see it here, okay.
138
00:06:02,410 --> 00:06:04,690
Anyway, the first function that we're gonna use
139
00:06:04,690 --> 00:06:08,070
with JWT here is sign, okay,
140
00:06:08,070 --> 00:06:11,320
so in order to basically create a new token,
141
00:06:11,320 --> 00:06:13,330
and for that of course we need the payload,
142
00:06:13,330 --> 00:06:16,080
we need the key so that private secret
143
00:06:16,080 --> 00:06:17,280
that I mentioned before
144
00:06:17,280 --> 00:06:19,750
that's only stored on our server
145
00:06:19,750 --> 00:06:21,607
and that we need to sign the token
146
00:06:21,607 --> 00:06:23,830
and then we can pass on some options
147
00:06:23,830 --> 00:06:26,040
and we will do all that in a second,
148
00:06:26,040 --> 00:06:29,270
I just want to show the other function that we have here,
149
00:06:29,270 --> 00:06:32,040
and that we really have a ton of options here,
150
00:06:32,040 --> 00:06:34,149
for example the expires in,
151
00:06:34,149 --> 00:06:36,353
which we're gonna use also,
152
00:06:38,070 --> 00:06:39,830
so all of this stuff
153
00:06:39,830 --> 00:06:41,600
and then we have verify.
154
00:06:41,600 --> 00:06:44,200
So we also talked about the verification process
155
00:06:44,200 --> 00:06:47,700
and that's basically implemented in this function, okay,
156
00:06:47,700 --> 00:06:49,490
and so this is the one that we're gonna use,
157
00:06:49,490 --> 00:06:52,740
when logging in a user, okay,
158
00:06:52,740 --> 00:06:54,610
and that's really all there is,
159
00:06:54,610 --> 00:06:56,858
so you have all these different options here, okay,
160
00:06:56,858 --> 00:06:58,400
you have also decode
161
00:06:58,400 --> 00:07:01,140
but that one is not really important, okay,
162
00:07:01,140 --> 00:07:03,990
so you see that this package really only includes
163
00:07:03,990 --> 00:07:04,980
the two functionalities
164
00:07:04,980 --> 00:07:07,870
that we discussed in the previous video.
165
00:07:07,870 --> 00:07:11,683
So signing and then verifying, okay.
166
00:07:12,590 --> 00:07:15,060
So let's go back here
167
00:07:15,060 --> 00:07:18,193
and actually start using the JSON web token package.
168
00:07:19,830 --> 00:07:21,363
So let's import it here,
169
00:07:24,380 --> 00:07:26,800
and it's usually simply called JWT
170
00:07:31,040 --> 00:07:33,920
and require the JSON web token.
171
00:07:33,920 --> 00:07:37,053
Okay, so let's create our token here,
172
00:07:39,290 --> 00:07:40,460
okay,
173
00:07:40,460 --> 00:07:43,710
and I'd like to simply call it like this, so just token,
174
00:07:43,710 --> 00:07:48,080
okay, then JWT dot sign,
175
00:07:48,080 --> 00:07:50,460
and now the first thing is the payload,
176
00:07:50,460 --> 00:07:52,650
and this is basically an object for all the data
177
00:07:52,650 --> 00:07:55,260
that we're going to store inside of the token,
178
00:07:55,260 --> 00:07:56,093
and in this case,
179
00:07:56,093 --> 00:07:59,410
we really only want the ID of the user, all right,
180
00:07:59,410 --> 00:08:02,210
so nothing crazy here, not a lot of data
181
00:08:02,210 --> 00:08:04,150
that's not really important.
182
00:08:04,150 --> 00:08:06,890
So we say that the ID is
183
00:08:06,890 --> 00:08:09,550
and then we simply get the ID from the new user
184
00:08:09,550 --> 00:08:12,830
that was just created, okay,
185
00:08:12,830 --> 00:08:17,530
so new user dot and then remember that in MongoDB,
186
00:08:17,530 --> 00:08:21,460
the ID is actually called underscore ID, all right,
187
00:08:21,460 --> 00:08:23,760
and so that is the object that's the data,
188
00:08:23,760 --> 00:08:27,083
the payload, that we want to put in our JWT.
189
00:08:27,920 --> 00:08:30,820
Next up, we need the secret, okay,
190
00:08:30,820 --> 00:08:32,090
so basically a string
191
00:08:33,580 --> 00:08:35,350
for a secret, all right,
192
00:08:35,350 --> 00:08:38,530
of course this is a terrible one, all right,
193
00:08:38,530 --> 00:08:40,340
this is just kind of a place holder
194
00:08:40,340 --> 00:08:42,770
because actually, our configuration file
195
00:08:42,770 --> 00:08:46,720
is a perfect place to store this kind of secret data,
196
00:08:46,720 --> 00:08:49,460
so just like password for example,
197
00:08:49,460 --> 00:08:53,633
and so let's go ahead and edit here, okay,
198
00:08:55,720 --> 00:09:00,070
so let's call it JWT_SECRET,
199
00:09:00,070 --> 00:09:02,220
and of course the name that we give here,
200
00:09:02,220 --> 00:09:03,430
doesn't really matter
201
00:09:03,430 --> 00:09:06,920
but what does matter is the secret that we specify here,
202
00:09:06,920 --> 00:09:11,920
all right, because using the standard HS256 encryption
203
00:09:11,940 --> 00:09:15,320
for the signature, the secret should at least be
204
00:09:15,320 --> 00:09:17,880
thirty two characters long, all right,
205
00:09:17,880 --> 00:09:19,847
but the longer the better actually
206
00:09:19,847 --> 00:09:22,240
and this is where many tutorials out there fail,
207
00:09:22,240 --> 00:09:25,280
some of them simply put a very short string here,
208
00:09:25,280 --> 00:09:27,010
but that's not ideal again,
209
00:09:27,010 --> 00:09:29,290
so for best encryption of the signature,
210
00:09:29,290 --> 00:09:32,940
again you should at least use thirty two characters,
211
00:09:32,940 --> 00:09:34,584
so I'm gonna create my secret here now
212
00:09:34,584 --> 00:09:37,763
but you should really really use another one, okay,
213
00:09:37,763 --> 00:09:40,490
please don't use the same one as I am doing
214
00:09:40,490 --> 00:09:42,590
because that could become a security issue
215
00:09:42,590 --> 00:09:44,180
for your application, okay,
216
00:09:44,180 --> 00:09:47,460
always use a unique secret for your applications
217
00:09:47,460 --> 00:09:49,400
and never the same, all right,
218
00:09:49,400 --> 00:09:52,100
and especially not the one from someone else
219
00:09:52,100 --> 00:09:54,883
so definitely not the one that I'm typing now.
220
00:09:56,750 --> 00:09:57,820
So this can be anything,
221
00:09:57,820 --> 00:10:00,160
it doesn't have to be weird characters or stuff,
222
00:10:00,160 --> 00:10:02,390
I prefer to use a phrase like this,
223
00:10:02,390 --> 00:10:04,443
my ultra secure and
224
00:10:07,860 --> 00:10:10,903
ultra long secret,
225
00:10:11,990 --> 00:10:13,363
so what happened here,
226
00:10:14,690 --> 00:10:17,670
anyway this should be thirty two characters long
227
00:10:17,670 --> 00:10:18,730
and so this is the one
228
00:10:18,730 --> 00:10:21,400
that we're gonna use for my JSON web tokens,
229
00:10:21,400 --> 00:10:24,193
but again please use another one, all right.
230
00:10:25,489 --> 00:10:29,290
Anyway, let's go back to the authentication controller here,
231
00:10:29,290 --> 00:10:30,733
and now actually use it.
232
00:10:31,810 --> 00:10:34,970
So remember an environment variable
233
00:10:34,970 --> 00:10:39,913
is process.env.JWT_SECRET,
234
00:10:41,100 --> 00:10:42,100
okay.
235
00:10:42,100 --> 00:10:44,490
So at this point, we have the payload
236
00:10:44,490 --> 00:10:46,320
and we have the secret.
237
00:10:46,320 --> 00:10:49,400
The token header will actually be created automatically
238
00:10:49,400 --> 00:10:50,670
but now what we can also do
239
00:10:50,670 --> 00:10:52,390
is to pass on some options,
240
00:10:52,390 --> 00:10:54,470
and the option that I'm gonna pass in
241
00:10:54,470 --> 00:10:57,390
is when the JWT should expire.
242
00:10:57,390 --> 00:10:59,600
So this means that after the time
243
00:10:59,600 --> 00:11:01,240
that we're gonna pass in here,
244
00:11:01,240 --> 00:11:03,110
the JSON web token is no longer
245
00:11:03,110 --> 00:11:04,240
gonna be valid,
246
00:11:04,240 --> 00:11:06,890
even if it otherwise would be correctly verified,
247
00:11:06,890 --> 00:11:08,060
all right,
248
00:11:08,060 --> 00:11:10,570
so this is basically for logging out a user
249
00:11:10,570 --> 00:11:12,670
after a certain period of time
250
00:11:12,670 --> 00:11:15,320
simply as a security measure, okay.
251
00:11:15,320 --> 00:11:19,500
So let's actually define that expiration time also
252
00:11:19,500 --> 00:11:21,493
as a configuration variable here,
253
00:11:23,320 --> 00:11:28,320
so JWT_EXPIRES_IN
254
00:11:28,360 --> 00:11:30,536
and so here of course, you can use the same time
255
00:11:30,536 --> 00:11:31,950
as I am putting.
256
00:11:31,950 --> 00:11:33,630
So we can use a special string
257
00:11:33,630 --> 00:11:36,170
like for example 90d
258
00:11:36,170 --> 00:11:38,807
and the signing algorithm will then automatically figure out
259
00:11:38,807 --> 00:11:42,350
that this means ninety days, okay,
260
00:11:42,350 --> 00:11:47,350
you could also use like ten hours or five minutes
261
00:11:47,360 --> 00:11:49,720
or three seconds or something like this,
262
00:11:49,720 --> 00:11:50,800
or just any number,
263
00:11:50,800 --> 00:11:53,330
which will then be treated as milliseconds
264
00:11:53,330 --> 00:11:55,820
but I think it's best to simply use ninety
265
00:11:55,820 --> 00:11:59,350
or something D, so in this case, ninety days, all right,
266
00:11:59,350 --> 00:12:01,120
and so again, after ninety days,
267
00:12:01,120 --> 00:12:03,860
the JWT will no longer be valid,
268
00:12:03,860 --> 00:12:07,770
even if the signature is correct and everything is valid.
269
00:12:07,770 --> 00:12:11,503
Okay, so again just like an additional security measure,
270
00:12:12,880 --> 00:12:13,713
okay,
271
00:12:13,713 --> 00:12:17,180
so these options as always, we pass them in as an object
272
00:12:17,180 --> 00:12:19,820
and then let's specify the expires in,
273
00:12:19,820 --> 00:12:24,640
so expiresIn and then process.env
274
00:12:26,120 --> 00:12:31,120
and then JWT_EXPIRES_IN, okay,
275
00:12:32,050 --> 00:12:34,190
and this here will then add some additional data
276
00:12:34,190 --> 00:12:35,530
to the payload,
277
00:12:35,530 --> 00:12:37,480
but that's of course no problem at all.
278
00:12:38,410 --> 00:12:40,220
So we just created a token,
279
00:12:40,220 --> 00:12:41,500
now all we need to do,
280
00:12:41,500 --> 00:12:43,463
is to send it to the client.
281
00:12:44,910 --> 00:12:48,240
So let's put it here before the user actually
282
00:12:48,240 --> 00:12:50,420
and then that's actually it.
283
00:12:50,420 --> 00:12:53,350
That's really all we need to do to log in a new user,
284
00:12:53,350 --> 00:12:54,840
because right now we're not checking
285
00:12:54,840 --> 00:12:56,250
if any password is correct
286
00:12:56,250 --> 00:12:59,530
or if the user actually exists in the database
287
00:12:59,530 --> 00:13:00,970
because here in this case,
288
00:13:00,970 --> 00:13:02,890
the user was really just created,
289
00:13:02,890 --> 00:13:03,840
and so right away,
290
00:13:03,840 --> 00:13:05,880
we logged the user into the application
291
00:13:05,880 --> 00:13:08,070
by sending a token, okay,
292
00:13:08,070 --> 00:13:10,010
and the user or client should then in some way
293
00:13:10,010 --> 00:13:12,780
store that token, just as we talked about before
294
00:13:12,780 --> 00:13:15,430
in the previous lecture, okay,
295
00:13:15,430 --> 00:13:16,760
so let's give it a save here,
296
00:13:16,760 --> 00:13:21,370
and let's actually try it out, okay,
297
00:13:21,370 --> 00:13:24,160
so let's use my old address here,
298
00:13:24,160 --> 00:13:27,040
hello@jonas.io, let's send it,
299
00:13:27,040 --> 00:13:29,210
and let's wait for it
300
00:13:29,210 --> 00:13:32,910
and indeed, here is our JSON web token
301
00:13:32,910 --> 00:13:35,050
so congratulations, you just created
302
00:13:35,050 --> 00:13:37,490
your very first JSON web token
303
00:13:37,490 --> 00:13:39,760
which should look a little bit like this,
304
00:13:39,760 --> 00:13:42,310
and of course it's not gonna look exactly the same,
305
00:13:42,310 --> 00:13:45,360
because our secret is also not the same, right,
306
00:13:45,360 --> 00:13:46,770
and now what I want to show you,
307
00:13:46,770 --> 00:13:48,810
is the JWT debugger,
308
00:13:48,810 --> 00:13:50,730
that I showed you as a screenshot earlier
309
00:13:50,730 --> 00:13:52,010
in the last video.
310
00:13:52,010 --> 00:13:54,140
So let's go ahead and copy this token
311
00:13:56,050 --> 00:14:00,453
and then let's go to JWT.io,
312
00:14:02,850 --> 00:14:03,683
okay,
313
00:14:04,540 --> 00:14:06,790
then down here we have the debugger
314
00:14:06,790 --> 00:14:10,683
and so let's delete this one here,
315
00:14:12,170 --> 00:14:14,830
and put ours and right away
316
00:14:14,830 --> 00:14:17,580
you see that our signature is invalid,
317
00:14:17,580 --> 00:14:20,570
but that's because the sign function adds
318
00:14:20,570 --> 00:14:22,090
these two properties here,
319
00:14:22,090 --> 00:14:25,140
because we specified an expiration date basically.
320
00:14:25,140 --> 00:14:27,600
So this here is issued at,
321
00:14:27,600 --> 00:14:30,223
and this is expiration time, okay,
322
00:14:31,450 --> 00:14:35,050
so if we remove these two from here,
323
00:14:35,050 --> 00:14:36,350
you will see that now,
324
00:14:36,350 --> 00:14:38,620
this signature is actually verified,
325
00:14:38,620 --> 00:14:42,260
okay so what's important to notice here,
326
00:14:42,260 --> 00:14:44,815
is that of course the header is visible
327
00:14:44,815 --> 00:14:47,840
okay it's easily decodable basically,
328
00:14:47,840 --> 00:14:50,820
and so you see that we did not specify any of this,
329
00:14:50,820 --> 00:14:54,530
it was the JSON web token package that did it for us,
330
00:14:54,530 --> 00:14:58,560
but that here is actually the payload that we specified,
331
00:14:58,560 --> 00:15:00,800
so if we take a look at this ID,
332
00:15:00,800 --> 00:15:03,860
it should be exactly the same as we have in postman,
333
00:15:03,860 --> 00:15:06,343
so ending in 60f,
334
00:15:07,960 --> 00:15:11,493
and so indeed, it is exactly the same right,
335
00:15:13,600 --> 00:15:16,260
okay, so these two here are open
336
00:15:16,260 --> 00:15:19,920
and then the signature of course, we cannot really see,
337
00:15:19,920 --> 00:15:22,930
because of course our secret is just that,
338
00:15:22,930 --> 00:15:26,270
it's really secret, all right,
339
00:15:26,270 --> 00:15:29,600
so this was just to show you that everything works,
340
00:15:29,600 --> 00:15:31,242
and let's close this up,
341
00:15:31,242 --> 00:15:35,550
and yeah, we're now able to log users in,
342
00:15:35,550 --> 00:15:38,050
but only if the user just signed up,
343
00:15:38,050 --> 00:15:40,980
because in that case, we do not need to verify
344
00:15:40,980 --> 00:15:42,290
the email in the database,
345
00:15:42,290 --> 00:15:44,490
and also not the password, okay.
346
00:15:44,490 --> 00:15:47,400
So doing all that is a way more complex process,
347
00:15:47,400 --> 00:15:49,340
and so that's actually what we're gonna do
348
00:15:49,340 --> 00:15:50,940
in the next lecture,
349
00:15:50,940 --> 00:15:53,660
so next up, we will actually log in users,
350
00:15:53,660 --> 00:15:56,543
based on their email address and their password.