All language subtitles for 011 Authorization_ User Roles and Permissions_Downloadly.ir_en

Welcome back. So, we have implemented authentication in our project up until this point. And, it works just fine. However, sometimes, simply authenticating, so, logging a user in, is really not enough. And, so in this video, we're gonna implement authorization as well.

So, imagine the act of deleting a tour from our database. So, not every user should, of course, be allowed to do that. Even if the user is logged in, right? So, we basically need to authorize only certain types of users, to perform certain actions. And so that's exactly what authorization is. It's verifying if a certain user has the rights to interact with a certain resource. So, again, with authorization we basically check if a certain user is allowed to access a certain resource, even if he is logged in. So not all logged in users will be able to perform the same actions in our API, all right?

And this is a very common scenario that should be implemented in each and every web application usually, all right? So we're gonna build another middleware function here, this time to restrict certain routes. For example, for deleting tours. So, this means that we're gonna build another middleware function here. This time, to restrict certain routes, like, for example, deleting tours, only to certain user roles. Okay? And so let me actually show you how that would look like in practice.

So here, in the tour routes, let's go back to that example of deleting tours, and so let's add some middleware into the stack here. So authController.protect. So first, we always need to check if a user is actually logged in, okay? So if an administrator is trying to delete a tour, they would still need to check if he's actually logged in, right? So the first middleware in the stack here, will always be the protect one. But then, after that one, we will also have the authController.restrict. So restrictTo, okay? And into this function we will then pass some user roles, which will be authorized to interact with this resource. In this case, with deleting a tour, okay? So let's set this one to admin. So, only to administrators.

Okay, and so now we are dealing with user roles here. So just like admin. And right now, we don't have that in our user model. And so let's quickly implement that here. All right. So, let's do that. Actually, before the password stuff, so like here. And down here you can actually see how our uncaught exception handler is working just fine, because restrictTo is not yet a function, right? We didn't implement it yet. I simply used it in order to show what exactly we're gonna build. And so of course there's an error, and so nodemon is now waiting for us to restart the server, okay? Anyway, the role here should be of the type String, and now I'm gonna use the enum validator in order to only allow certain types of roles here to be specified. And these are the general, so the normal users, so let's just call them user. Then, we have the tour guide, we have the lead tour guide, and we have the administrator. So, I'm just calling that admin, all right? And these user roles that we have here will of course be specific to the application's domain. So, for example, when you're running a community site, it's not gonna make much sense to have a guide and a lead guide. Instead you will probably have, like, moderators or contributors, or members. So, you will always have different names, depending on the type of application that you're writing. But in our case, this is what makes sense.

Then, we also want to set a default here, so we actually don't have to specify always which type of user we're creating. And so user, the normal user, let's say, is the one that's gonna be created by default. So let's now actually go ahead and delete the users that we already have, because they don't have any roles, and so we don't need them like this anymore. All right. And so let's actually also go ahead and create some new ones. So, I'm gonna sign up here as hello@jonas, and so that's now gonna be a normal user, and now we could not get any response, and that's of course because we have this error here, and so, let's very quickly take out this line of code. And now the error is gone. And so now it should run, and indeed we now have this user, with the role of user, okay? So that's our default, but now let's create an admin here. And to make that really clear, let's put it here in the email as well, and now we need to really specify the role, and set that one to admin. Send that, and so now we got here our system administrator. Cool.

So, let's go back here, actually put this code back on, and we will now make it so that we can actually pass multiple arguments into this restrictTo. So, I want the admin to be able to delete tours, but also the lead guide. All right? And so let's add that here as well. Okay? So the admin and the lead guide can now delete tours, but not the normal guides, and also not the normal users. All right?

So this is how restrictTo is gonna work, let's now go ahead and implement it. So exports.restrictTo, and now, how are we actually going to implement this? Because usually, we cannot pass arguments into a middleware function, right? But in this case, we really want to. We want to pass in the roles, who are allowed to access the resource, right? So this case, the admin and the lead guide. So we need a way of basically passing in arguments into the middleware function in a way that usually does not work. So, how are we going to do that? Well, in here, we will actually create like a wrapper function, which will then return the middleware function that we actually want to create, okay? So, this is the restrictTo function, and in here we want to pass an arbitrary number of arguments. So, basically, of roles. And so we can use the rest parameter syntax, which is again new in ES6, and this will then create an array of all the arguments that were specified, okay? So we're creating this function, and right away we will then return a new function. And this is the middleware function itself. So, request, response, and next. Okay? Make sense? And so this function here will then basically get access to this roles parameter here, because there is a closure, okay? So, just as a comment here to explain, roles is an array. So, for example, it might be, in this case, admin, and lead guide, okay?

So when will we give a user access to a certain route? Well, basically, when its user role is inside of this roles array that we passed in, right? So let's say we have the normal user now, which has a role of simply user, so let's write it here. Role is now just user. And so basically it's not contained in this array, and so therefore, that user does not have permission, okay? And so, let's write that in code. It's actually quite simple. So, if not roles.includes, and okay, once more includes is a very nice array method that is in JavaScript available on all arrays, okay? So, if this roles array does not include the role of the current user, then we do not give permission to that user. And where is the role of the current user stored? Well, let's remember the line of code that we actually put up here, right in the end where we grant access to the protected route, we store the current user in request.user. And remember how this protect middleware always runs before restrictTo, right? So, here, we first have protect, and then we have restrictTo. And so by the time this middleware function here runs, this one has already completed, and has put the current user on the request object. And so now, we can use that here. So request.user.role. So that's where the role is stored. So, simple. In this case, we create a new error. So just like before, and now we say you do not have permission to perform this action. And now a new status code, which is 403. And this one means forbidden, okay? So there really is a specific HTTP status code just for this case, so for authorization basically, all right? And, well, otherwise, we simply call next. And that's really it. So that's as simple as it is.

So let's quickly recap what we just did here. So, in here, we first run the protect middleware. Then, restrictTo middleware, and only if these two middlewares pass to the next one, we go to the delete tour. And so basically this route handler, or this route controller, is protected, and is also restricted by this middleware that we just created. Then into this function, we pass all of the roles that are allowed to interact with this resource. So, basically, which are allowed to run this handler function, okay? And so, this restrictTo function will then run, and return the middleware function itself, okay? And that middleware function itself is actually this one. It will then, because of the closure, have access to roles, okay? And so, let's say that the role of the current user, which is, remember, stored in req.user.role, right? So, let's say that his role is user, and since that role is not in this roles array, well, we then get this error, okay? And so that's what this roles.includes tests here for, okay? But of course, if it is included, then we pass to the next middleware. Which again, is then the route handler itself. Cool. So, I hope that makes sense.

Let's now go ahead and quickly test it. Okay? So right now, we have this token here, stored into the JWT variable, right? So remember that from the last lecture. So, we are in this dev environment, and so here is that variable. So exactly the one that is down here. All right? So if we were now to delete a tour, we would then have to specify that variable in there, right? So let's go to authorization, the bearer token, and then it actually already puts it here for us. So it already knows that this is the one that we want to use, because, well, we used it before, okay? Now, I want to start by showing you that a regular user cannot delete a tour now, okay? And so let's start by logging in as a regular user. And so that's hello, right? Remember, right now we have hello@jonas.io, which is a normal user, and we have admin@jonas.io. And we still have this old one here, let's get rid of it. All right. And so I'm gonna start with hello@jonas.io. Okay? So, logging in, then that token is gonna be stored into the environment variable, and now we are ready to delete a tour. We actually also need to get an ID now, so let's quickly get one from here, so we're basically gonna delete one of our tours here. So let's just use the last one here. So, the stargazer. Okay? And let's see if we get our error message. And, indeed, you do not have permission to perform this action. So, 403. So, indeed, it's kind of working, right?

But, to make this complete now, let's of course login as the admin. So, admin. Login. And so this token is now stored into this variable. And so if you run this now, we should be able to effectively delete the tour. Wanna see? And, it's gone. So we have a code of 204, no content, which is the standard when deleting, but now if we get all our tours, we should now see a number eight here, so only eight results, and that means that the last one is now gone, okay? And so right now, as we just proved, an administrator has the permission to effectively delete tours, okay? And, I really cannot stress enough how important this piece of code here is. So basically, where we get the role from the current user from the middleware before, okay? So, storing the user onto the request as we did here, is really crucial in order for this next step to actually work, okay? So, the ID that is encoded into the JSON web token is what makes our code then know whether the user that's trying to perform the action is a user, or if it's an admin, or if it's a lead guide, or whatever. Again, because that data is coming from this protect middleware. Great. This was yet another important piece of the puzzle in implementing our authentication workflow here.

And of course, you want to restrict a lot of other routes, for example, like updating here, okay? But I'm gonna leave that for a later point of the course, okay? Right here, I just wanted to show you how all of this works, okay? So, I think I did that successfully. I hope you understood how this worked, and of course, if not, you can always ask a question in the official Q and A section. Anyway, there's some more great content coming up right now and so, let's move on.
