Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:01,040 --> 00:00:03,969 So far in our authentication implementation 2 00:00:03,969 --> 00:00:07,780 we have logged users in with a correct password. 3 00:00:07,780 --> 00:00:11,170 So basically we completed this first step 4 00:00:11,170 --> 00:00:13,170 of the authentication workflow 5 00:00:13,170 --> 00:00:15,760 where a JSON web token is created 6 00:00:15,760 --> 00:00:18,730 and sent back to the client if the user provides 7 00:00:18,730 --> 00:00:21,440 a correct email and password. 8 00:00:21,440 --> 00:00:25,350 So next up we will actually implement protected routes. 9 00:00:25,350 --> 00:00:28,630 So basically using the created JSON web token 10 00:00:28,630 --> 00:00:32,930 in order to give logged in users access to protected routes. 11 00:00:32,930 --> 00:00:36,220 And this is the second step of authentication. 12 00:00:36,220 --> 00:00:39,823 And so let's now go ahead and implement this functionality. 13 00:00:41,620 --> 00:00:43,880 So let's say that we wanted to protect the 14 00:00:43,880 --> 00:00:45,670 getAllTours route. 15 00:00:45,670 --> 00:00:48,470 So basically only allowing logged in users 16 00:00:48,470 --> 00:00:51,560 to get access to a list of all our tours. 17 00:00:51,560 --> 00:00:53,830 And what what means is that before running 18 00:00:53,830 --> 00:00:55,700 the get all tours handler, 19 00:00:55,700 --> 00:00:57,353 so let's take a look at that. 20 00:00:58,340 --> 00:01:01,330 Okay, so before running this handle here, 21 00:01:01,330 --> 00:01:03,240 we would need to have some check in place 22 00:01:03,240 --> 00:01:05,120 in order to verify if the user 23 00:01:05,120 --> 00:01:07,760 is actually logged in or not, right? 24 00:01:07,760 --> 00:01:09,540 And so the best way of doing that 25 00:01:09,540 --> 00:01:11,640 as you already know at this point probably, 26 00:01:11,640 --> 00:01:15,160 is to use a middleware function, all right? 27 00:01:15,160 --> 00:01:17,300 So in this video, in order to protect routes, 28 00:01:17,300 --> 00:01:19,640 we're gonna to create a middleware function which is 29 00:01:19,640 --> 00:01:23,560 gonna run before each of these handlers, okay. 30 00:01:23,560 --> 00:01:26,320 So a function that is gonna sit right here, 31 00:01:26,320 --> 00:01:29,440 so before this functio here can run. 32 00:01:29,440 --> 00:01:32,050 And this middleware will then either return an error 33 00:01:32,050 --> 00:01:34,140 if the user is not authenticated, 34 00:01:34,140 --> 00:01:35,850 so if he's not logged in, 35 00:01:35,850 --> 00:01:37,780 or it will call the next middleware 36 00:01:37,780 --> 00:01:42,150 which is in this case the getAllTours handler, right? 37 00:01:42,150 --> 00:01:44,730 And that than effective protects this route 38 00:01:44,730 --> 00:01:47,080 from unauthorized access. 39 00:01:47,080 --> 00:01:48,810 So let's go ahead and quickly create 40 00:01:48,810 --> 00:01:50,290 that middleware function 41 00:01:50,290 --> 00:01:51,480 and then put it here 42 00:01:51,480 --> 00:01:54,060 in order to illustrate what I just said. 43 00:01:54,060 --> 00:01:57,620 Okay, so here in our auth controller again 44 00:01:57,620 --> 00:02:00,170 we will create a new middleware function 45 00:02:03,920 --> 00:02:06,283 and it's called protect. 46 00:02:08,509 --> 00:02:09,342 All right, 47 00:02:09,342 --> 00:02:11,600 and just like before I'm gonna use catchAsync 48 00:02:12,480 --> 00:02:14,740 because once more all of these functions 49 00:02:14,740 --> 00:02:16,553 are async function actually. 50 00:02:17,990 --> 00:02:21,210 All right, and then here of course, our middleware function 51 00:02:24,320 --> 00:02:27,270 and for now let's very simply call next here 52 00:02:27,270 --> 00:02:30,190 just so that we have actually any body here 53 00:02:30,190 --> 00:02:32,240 in this middleware function 54 00:02:32,240 --> 00:02:35,090 and then let's go back to our tour routes 55 00:02:35,090 --> 00:02:38,540 and then protect this route, okay? 56 00:02:38,540 --> 00:02:42,190 So first of all I need to actually require this 57 00:02:42,190 --> 00:02:44,620 authentication controller module. 58 00:02:44,620 --> 00:02:45,453 So const 59 00:02:50,550 --> 00:02:52,350 and then require 60 00:02:56,410 --> 00:02:57,920 it's in controllers, 61 00:02:57,920 --> 00:02:59,713 and then authController, okay. 62 00:03:01,430 --> 00:03:04,150 So now let's plug it in, right here 63 00:03:04,150 --> 00:03:07,460 in the getAllTours route. 64 00:03:07,460 --> 00:03:08,293 Okay. 65 00:03:09,550 --> 00:03:13,913 So authController.protect. 66 00:03:14,860 --> 00:03:15,693 Okay. 67 00:03:15,693 --> 00:03:18,740 And so right now this middleware function is gonna run first 68 00:03:18,740 --> 00:03:21,875 and again, if the user is not authenticated 69 00:03:21,875 --> 00:03:22,950 then there will be an error. 70 00:03:22,950 --> 00:03:25,070 And of course then the next middleware 71 00:03:25,070 --> 00:03:26,690 so the one which actually gets 72 00:03:26,690 --> 00:03:30,540 and sends all of the tours will then not be executed. 73 00:03:30,540 --> 00:03:31,373 Okay. 74 00:03:31,373 --> 00:03:34,700 And so again, this will effectively protect the access 75 00:03:34,700 --> 00:03:38,223 to this resource here from users that are not logged in. 76 00:03:39,250 --> 00:03:42,700 All right, so let's go back here. 77 00:03:42,700 --> 00:03:44,340 Not the user routes, 78 00:03:44,340 --> 00:03:45,993 but the auth controller. 79 00:03:46,850 --> 00:03:49,760 All right, and now about the implementation of 80 00:03:49,760 --> 00:03:51,180 this protect middleware. 81 00:03:51,180 --> 00:03:53,660 What exactly will we have to do? 82 00:03:53,660 --> 00:03:56,583 Well, let's start by lining out a couple of steps here. 83 00:03:57,460 --> 00:04:00,660 All right, and actually first of all we need to mark 84 00:04:00,660 --> 00:04:03,720 this function as Async, otherwise we wouldn't really need 85 00:04:03,720 --> 00:04:05,630 the catchAsync, right? 86 00:04:05,630 --> 00:04:09,260 And you will see why we need this to be an Async function 87 00:04:09,260 --> 00:04:11,360 in a second, all right? 88 00:04:11,360 --> 00:04:13,760 But now let's actually lay out the steps that we need 89 00:04:13,760 --> 00:04:16,803 to take in order to implement this protect middleware. 90 00:04:18,459 --> 00:04:19,839 So just like before, 91 00:04:19,839 --> 00:04:21,990 I'm gonna put these steps here as comments. 92 00:04:23,340 --> 00:04:26,173 First off we need to actually get the token. 93 00:04:28,720 --> 00:04:29,553 And check 94 00:04:30,660 --> 00:04:32,610 if it's there basically, 95 00:04:32,610 --> 00:04:34,303 so checking if it exists. 96 00:04:35,400 --> 00:04:39,113 Then next up we need to validate the token. 97 00:04:41,860 --> 00:04:44,383 And so this is basically that super important step 98 00:04:44,383 --> 00:04:48,900 that we talked about before where the JWT algorithm verifies 99 00:04:48,900 --> 00:04:50,680 if the signature is valid 100 00:04:50,680 --> 00:04:51,513 or if it's not. 101 00:04:51,513 --> 00:04:54,950 And so therefore if the token is valid or not, okay? 102 00:04:54,950 --> 00:04:57,450 And so actually let's call this here verification. 103 00:04:58,930 --> 00:05:01,680 I think that's what we called it in that slide where we 104 00:05:01,680 --> 00:05:03,630 talked about this before, all right. 105 00:05:03,630 --> 00:05:06,040 And if you don't really remember how that worked, 106 00:05:06,040 --> 00:05:07,350 well you can always go back 107 00:05:07,350 --> 00:05:10,003 and re watch that lecture, all right? 108 00:05:11,470 --> 00:05:15,750 Then next up, so if the verification was actually successful 109 00:05:15,750 --> 00:05:18,930 then we also need to check if the user who's trying 110 00:05:18,930 --> 00:05:21,870 to access the route still exists, okay? 111 00:05:21,870 --> 00:05:25,940 So check if user still exists, 112 00:05:25,940 --> 00:05:28,090 and I will talk more about why each of these steps 113 00:05:28,090 --> 00:05:32,610 are necessary once we start implementing them, all right? 114 00:05:32,610 --> 00:05:35,410 So for now this may not make so much sense to you, 115 00:05:35,410 --> 00:05:38,950 but again I will talk about each stop once we get there. 116 00:05:38,950 --> 00:05:39,783 All right? 117 00:05:39,783 --> 00:05:41,440 And finally we need to also check 118 00:05:42,980 --> 00:05:43,813 if 119 00:05:45,490 --> 00:05:47,000 user changed password 120 00:05:50,090 --> 00:05:51,720 after the JWT 121 00:05:53,060 --> 00:05:54,993 was issued, okay? 122 00:05:56,690 --> 00:05:58,280 Well, let's just say token here, 123 00:05:58,280 --> 00:06:01,060 we called it token everywhere else, okay? 124 00:06:01,060 --> 00:06:03,320 And so only if there was no problems 125 00:06:03,320 --> 00:06:05,310 in any of these steps here 126 00:06:05,310 --> 00:06:08,480 only then of course next will be called which will then 127 00:06:08,480 --> 00:06:11,210 get access to the route that we protected. 128 00:06:11,210 --> 00:06:16,210 So in our current example, again, this getAllTours handler. 129 00:06:16,420 --> 00:06:17,610 Right? 130 00:06:17,610 --> 00:06:19,260 Okay, but let's go back 131 00:06:19,260 --> 00:06:22,540 and start implementing our very first step here. 132 00:06:22,540 --> 00:06:24,380 So basically getting the token 133 00:06:24,380 --> 00:06:26,860 and then check if it actually exists. 134 00:06:26,860 --> 00:06:31,340 So a common practice is to send a token using an http header 135 00:06:31,340 --> 00:06:33,380 with the request, okay? 136 00:06:33,380 --> 00:06:36,580 So let's take a look at how we can set headers in Postman 137 00:06:36,580 --> 00:06:38,427 to send him along with the request 138 00:06:38,427 --> 00:06:40,420 and then also how we can get access 139 00:06:40,420 --> 00:06:42,410 to these headers in Express. 140 00:06:42,410 --> 00:06:45,300 And let's actually do that one first. 141 00:06:45,300 --> 00:06:50,300 So here in apt.js I think we have this nice middleware here, 142 00:06:51,240 --> 00:06:54,610 and so in here let's actually log to the console 143 00:06:56,290 --> 00:06:59,890 request.headers, 144 00:06:59,890 --> 00:07:03,250 Okay, so we talked about http headers before, 145 00:07:03,250 --> 00:07:07,140 and so this is how we can get access to them in Express. 146 00:07:07,140 --> 00:07:10,350 Okay, so basically to the request headers, 147 00:07:10,350 --> 00:07:13,753 so the ones that a client can send along with their request. 148 00:07:14,600 --> 00:07:17,890 Okay, and so here in Postman, let's now actually 149 00:07:19,060 --> 00:07:22,150 get to the route that we're actually trying to protect. 150 00:07:22,150 --> 00:07:24,270 And then here set a header. 151 00:07:24,270 --> 00:07:25,670 And let's just do a test one 152 00:07:29,100 --> 00:07:32,070 and set it to jonas, okay? 153 00:07:32,070 --> 00:07:33,340 Now I will just send this 154 00:07:35,140 --> 00:07:38,240 and here in Express, let's take a look at that. 155 00:07:38,240 --> 00:07:41,800 And so indeed here we get an object with all of the headers 156 00:07:41,800 --> 00:07:43,900 that are part of the request. 157 00:07:43,900 --> 00:07:45,700 So all of this here. 158 00:07:45,700 --> 00:07:48,380 And you see that there are a bunch of headers that Postman 159 00:07:48,380 --> 00:07:51,090 actually sends automatically along with the request 160 00:07:51,090 --> 00:07:54,740 for example, it says the the user-agent is Postman 161 00:07:54,740 --> 00:07:56,970 it also sends the host, 162 00:07:56,970 --> 00:07:59,370 and some other ones that we're gonna talk about later 163 00:07:59,370 --> 00:08:00,943 like accept for example. 164 00:08:01,800 --> 00:08:04,070 Now what matters here is actually the header 165 00:08:04,070 --> 00:08:05,470 that we set ourselves. 166 00:08:05,470 --> 00:08:08,730 Okay, so the test header set to jonas that we just sent 167 00:08:08,730 --> 00:08:10,360 in our request. 168 00:08:10,360 --> 00:08:14,240 Now to send a JSON web token as a header, there's actually 169 00:08:14,240 --> 00:08:16,470 a standard for doing that. 170 00:08:16,470 --> 00:08:21,080 So let's go back here, get rid of all of this. 171 00:08:21,080 --> 00:08:24,760 And so that standard for sending a token is that we should 172 00:08:24,760 --> 00:08:27,503 always use a header called authorization. 173 00:08:30,430 --> 00:08:31,263 Okay? 174 00:08:31,263 --> 00:08:32,940 So just like this 175 00:08:32,940 --> 00:08:35,890 and then the value of that header should always start 176 00:08:35,890 --> 00:08:37,409 with Bearer, okay? 177 00:08:37,409 --> 00:08:42,299 Because basically we bear, we have, we possess this token 178 00:08:42,299 --> 00:08:44,680 and then here the value of the token. 179 00:08:44,680 --> 00:08:47,750 So just like this random string that we got before. 180 00:08:47,750 --> 00:08:51,610 So let's just leave it her at this as an example, 181 00:08:51,610 --> 00:08:53,323 and so let's send that now. 182 00:08:55,180 --> 00:08:57,913 And then indeed, we should get it here. 183 00:08:59,050 --> 00:09:00,310 Okay. 184 00:09:00,310 --> 00:09:03,620 Now Express then automatically turns all header names 185 00:09:03,620 --> 00:09:06,160 to lowercase, as you can see here, 186 00:09:06,160 --> 00:09:09,950 but of course, our header value here is still the same. 187 00:09:09,950 --> 00:09:13,550 Okay, and so basically this piece of the header value 188 00:09:13,550 --> 00:09:15,050 is our token. 189 00:09:15,050 --> 00:09:16,870 And so that's how we should now read 190 00:09:16,870 --> 00:09:18,720 that token from the header. 191 00:09:18,720 --> 00:09:19,553 All right? 192 00:09:20,550 --> 00:09:21,960 So 193 00:09:21,960 --> 00:09:22,793 if 194 00:09:24,130 --> 00:09:29,130 there actually is req.headers.authorization, 195 00:09:32,730 --> 00:09:34,300 okay, 196 00:09:34,300 --> 00:09:39,300 and if it starts basically with this bearer string here 197 00:09:39,810 --> 00:09:40,643 okay, 198 00:09:42,720 --> 00:09:46,670 so req.headers.authorization 199 00:09:46,670 --> 00:09:48,240 and now this is a string and so we can 200 00:09:48,240 --> 00:09:50,050 use startsWith on that 201 00:09:52,210 --> 00:09:55,290 okay, so this is just normal JavaScript again 202 00:09:57,910 --> 00:09:58,930 okay. 203 00:09:58,930 --> 00:10:03,020 And so these are the conditions under which we actually want 204 00:10:03,020 --> 00:10:05,430 to save a token, okay? 205 00:10:05,430 --> 00:10:08,530 So, again, in case that tghe header exists 206 00:10:08,530 --> 00:10:13,260 and that its value starts with Bearer, okay. 207 00:10:13,260 --> 00:10:18,260 Then in that case we want to say that the token is equal 208 00:10:18,460 --> 00:10:22,257 to req.headers.authorization 209 00:10:23,890 --> 00:10:26,810 and now how do we actually get this second part 210 00:10:26,810 --> 00:10:28,350 of the string? 211 00:10:28,350 --> 00:10:30,820 Well, we're basically gonna split the string 212 00:10:30,820 --> 00:10:33,050 by this space character, okay, 213 00:10:33,050 --> 00:10:34,610 which will then create an array 214 00:10:34,610 --> 00:10:35,890 with this Bearer 215 00:10:35,890 --> 00:10:37,860 and with this token 216 00:10:37,860 --> 00:10:39,690 and so then we're gonna take that part 217 00:10:39,690 --> 00:10:41,063 of the array that we want. 218 00:10:42,260 --> 00:10:45,080 So split using space, 219 00:10:45,080 --> 00:10:48,380 and then from that array we want the second element. 220 00:10:48,380 --> 00:10:49,490 All right? 221 00:10:49,490 --> 00:10:52,760 Now we can't actually define a variable inside 222 00:10:52,760 --> 00:10:53,800 of an if block 223 00:10:53,800 --> 00:10:55,440 because const, and let, 224 00:10:55,440 --> 00:10:58,260 so the new ES6 variable declaratory are 225 00:10:58,260 --> 00:10:59,710 actually block scoped, 226 00:10:59,710 --> 00:11:02,650 and so whatever we define in this block here 227 00:11:02,650 --> 00:11:04,700 will then not be available outside of it. 228 00:11:05,690 --> 00:11:08,643 Okay, and so let's actually do that outside. 229 00:11:11,970 --> 00:11:16,280 And then simply reassign this value to the token. 230 00:11:16,280 --> 00:11:17,113 Okay. 231 00:11:18,670 --> 00:11:21,880 And now, let's log the token to the console 232 00:11:21,880 --> 00:11:23,863 just to see if it works. 233 00:11:25,130 --> 00:11:28,670 Okay, and in fact let's actually get 234 00:11:28,670 --> 00:11:30,373 kind of get a real token here. 235 00:11:31,240 --> 00:11:33,253 So the one that we just logged in with. 236 00:11:35,990 --> 00:11:39,710 And then put that one here, all right. 237 00:11:39,710 --> 00:11:40,723 So send it, 238 00:11:42,360 --> 00:11:43,930 and 239 00:11:43,930 --> 00:11:45,480 ah! Here we go. 240 00:11:45,480 --> 00:11:49,760 So here we have our JSON web token data we just sent along 241 00:11:49,760 --> 00:11:51,110 with the request. 242 00:11:51,110 --> 00:11:55,120 Let's just quickly turn off this console log here. 243 00:11:55,120 --> 00:11:59,590 All right, and then just before we move on 244 00:11:59,590 --> 00:12:03,480 let's then actually check if the token actually exists. 245 00:12:03,480 --> 00:12:04,313 Okay. 246 00:12:05,810 --> 00:12:07,510 So if there is no token 247 00:12:10,360 --> 00:12:14,090 well, then, of course we want to create a new error. 248 00:12:14,090 --> 00:12:16,630 Right, and so just like before 249 00:12:16,630 --> 00:12:19,030 we return from this middleware 250 00:12:19,030 --> 00:12:21,260 and call the next one, okay. 251 00:12:21,260 --> 00:12:24,560 And now in here, we are then going to create an error 252 00:12:24,560 --> 00:12:26,140 and so we will move straight 253 00:12:26,140 --> 00:12:29,403 to our global error handling middleware with this error. 254 00:12:30,487 --> 00:12:33,860 All right, so if there is no token sent with the request, 255 00:12:33,860 --> 00:12:35,913 then that means that we're not logged in. 256 00:12:36,870 --> 00:12:40,310 So let's send to the user you are not 257 00:12:41,530 --> 00:12:42,373 logged in. 258 00:12:45,610 --> 00:12:48,793 Please log in to get access. 259 00:12:50,137 --> 00:12:52,380 All right, and now the status code for this 260 00:12:52,380 --> 00:12:55,090 kind of of situation is 401 261 00:12:55,090 --> 00:12:58,040 which means unauthorized, okay? 262 00:12:58,040 --> 00:13:00,430 Not sure if we've used that one before 263 00:13:00,430 --> 00:13:03,380 and yeah, actually we did it here as well. 264 00:13:03,380 --> 00:13:05,290 Okay, and so this basically means 265 00:13:05,290 --> 00:13:08,890 that the data that was sent in the request is correct, 266 00:13:08,890 --> 00:13:12,110 but they are not enough basically to get the user access 267 00:13:12,110 --> 00:13:15,050 to a resource he is requesting. 268 00:13:15,050 --> 00:13:16,080 All right. 269 00:13:16,080 --> 00:13:17,280 Just give it a save here 270 00:13:18,280 --> 00:13:20,270 and test it out again. 271 00:13:20,270 --> 00:13:24,660 So, if we basically take away this header here, 272 00:13:24,660 --> 00:13:28,090 then we should straight away go into that error, 273 00:13:28,090 --> 00:13:29,120 right? 274 00:13:29,120 --> 00:13:31,910 And indeed, you are not logged in, 275 00:13:31,910 --> 00:13:33,340 please log in to get access. 276 00:13:33,340 --> 00:13:35,600 With 401 unauthorized. 277 00:13:35,600 --> 00:13:38,950 Great! So that part is already working. 278 00:13:38,950 --> 00:13:41,500 All right, and now just to recap, 279 00:13:41,500 --> 00:13:44,590 so right now we are not sending any token along with 280 00:13:44,590 --> 00:13:45,903 the request, right? 281 00:13:47,330 --> 00:13:51,370 And so of that reason, of course, there is no token, okay? 282 00:13:51,370 --> 00:13:53,380 And therefore we create this error, 283 00:13:53,380 --> 00:13:56,680 which will then trigger our error handler middleware to send 284 00:13:56,680 --> 00:13:59,260 that error back to the client, okay? 285 00:13:59,260 --> 00:14:02,690 And then of course we do not get access to all the tours, 286 00:14:02,690 --> 00:14:05,600 because of course this middleware runs 287 00:14:05,600 --> 00:14:08,710 before the getAllTours controller. 288 00:14:08,710 --> 00:14:13,070 And so right now, this really is protected, okay? 289 00:14:13,070 --> 00:14:17,170 So it's really working quite nice already at this point. 290 00:14:17,170 --> 00:14:19,870 But of course, this is far from enough, 291 00:14:19,870 --> 00:14:23,480 because it's not enough to just send a token with a request. 292 00:14:23,480 --> 00:14:26,290 It also need to be a valid token. 293 00:14:26,290 --> 00:14:28,410 So basically a token where no one tried 294 00:14:28,410 --> 00:14:30,270 to change the payload. 295 00:14:30,270 --> 00:14:34,110 Okay, and the payload, remember, in our case is always 296 00:14:34,110 --> 00:14:39,110 the user_id of the user for which the token was issued. 297 00:14:39,210 --> 00:14:41,380 All right, and so next up we need 298 00:14:41,380 --> 00:14:44,200 to implement this verification step. 299 00:14:44,200 --> 00:14:47,160 But this lecture is already running pretty long 300 00:14:47,160 --> 00:14:49,520 and there's still a lot of stuff to do here, 301 00:14:49,520 --> 00:14:52,403 and so let's actually leave that for the next video. 22839