Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,910 --> 00:00:02,380 Welcome back. 2 00:00:02,380 --> 00:00:05,510 So in this video, you're gonna learn a super secure way 3 00:00:05,510 --> 00:00:06,983 of logging out users. 4 00:00:08,580 --> 00:00:12,110 So up until this point, when we wanted to delete a user, 5 00:00:12,110 --> 00:00:15,233 we would simply delete the cookie from our browser. 6 00:00:16,640 --> 00:00:17,570 Right? 7 00:00:17,570 --> 00:00:19,600 So something like this, 8 00:00:19,600 --> 00:00:21,190 and then remove it. 9 00:00:21,190 --> 00:00:24,020 However, the thing is that we created this cookie 10 00:00:24,020 --> 00:00:26,490 as an http only cookie. 11 00:00:26,490 --> 00:00:27,580 Remember that, 12 00:00:27,580 --> 00:00:30,420 and so that means that we cannot manipulate this cookie 13 00:00:30,420 --> 00:00:32,729 in any way in our browser. 14 00:00:32,729 --> 00:00:33,930 So we cannot change it, 15 00:00:33,930 --> 00:00:35,903 and we can also not delete it. 16 00:00:36,820 --> 00:00:40,580 So let's just quickly take a look at that place in the code 17 00:00:40,580 --> 00:00:41,643 where we did that. 18 00:00:42,730 --> 00:00:44,170 So in the auth controller 19 00:00:45,316 --> 00:00:48,830 up there where we actually create that cookie 20 00:00:49,930 --> 00:00:52,103 so that is right here. 21 00:00:53,810 --> 00:00:56,910 And so again, remember, that this means that we can not 22 00:00:56,910 --> 00:01:00,350 manipulate the cookie in the browser in any way. 23 00:01:00,350 --> 00:01:01,760 Not even destroy it. 24 00:01:01,760 --> 00:01:03,220 So delete it. 25 00:01:03,220 --> 00:01:07,510 So if we want to keep using this super secure way here 26 00:01:07,510 --> 00:01:09,290 of storing cookies, 27 00:01:09,290 --> 00:01:12,730 then how are we going to be able to actually log out users 28 00:01:12,730 --> 00:01:14,260 on our website? 29 00:01:14,260 --> 00:01:17,300 Because usually with JWT authentication 30 00:01:17,300 --> 00:01:18,820 we just delete the cookie 31 00:01:18,820 --> 00:01:21,000 or the token from local storage. 32 00:01:21,000 --> 00:01:25,400 But well, again, that's not possible when using it this way. 33 00:01:25,400 --> 00:01:28,240 And so what we're gonna do instead is to create a 34 00:01:28,240 --> 00:01:31,940 very simple log out route that will simply send back a new 35 00:01:31,940 --> 00:01:34,340 cookie with the exact same name 36 00:01:34,340 --> 00:01:36,170 but without the token. 37 00:01:36,170 --> 00:01:38,810 And so that will then override the current cookie that we 38 00:01:38,810 --> 00:01:41,970 have in the browser with one that has the same name 39 00:01:41,970 --> 00:01:43,740 but no token. 40 00:01:43,740 --> 00:01:46,440 And so when that cookie is then sent along with 41 00:01:46,440 --> 00:01:49,560 the next request, then we will not be able to identify 42 00:01:49,560 --> 00:01:51,960 the user as being logged in. 43 00:01:51,960 --> 00:01:55,430 And so this will effectively then log out the user. 44 00:01:55,430 --> 00:01:57,140 And also were gonna give this cookie 45 00:01:57,140 --> 00:01:59,580 a very short expiration time. 46 00:01:59,580 --> 00:02:02,300 And so this will effectively be a little bit like 47 00:02:02,300 --> 00:02:03,500 deleting the cookie 48 00:02:03,500 --> 00:02:07,920 but with a very clever workaround like this, okay? 49 00:02:07,920 --> 00:02:11,203 So let's do that here, right after log in. 50 00:02:16,740 --> 00:02:20,480 So again when we're doing token based authentication 51 00:02:20,480 --> 00:02:22,770 we usually never need an end point like this 52 00:02:25,050 --> 00:02:30,020 but when we want to send a super secure cookie like we do 53 00:02:30,020 --> 00:02:31,920 well, then we have to do it like this. 54 00:02:32,770 --> 00:02:36,900 So, again, on the response we set the cookie, 55 00:02:36,900 --> 00:02:40,220 and the secret is to give it the exact same name. 56 00:02:40,220 --> 00:02:41,930 So just as I mentioned before, 57 00:02:41,930 --> 00:02:44,450 and that is jwt. 58 00:02:44,450 --> 00:02:47,800 So just like here, okay? 59 00:02:47,800 --> 00:02:50,700 But here, we then send the token, 60 00:02:50,700 --> 00:02:54,460 but now we will send simply some dummy text. 61 00:02:54,460 --> 00:02:56,113 So let's say logged out, 62 00:02:58,130 --> 00:02:59,530 and then the cookie options. 63 00:03:02,320 --> 00:03:04,280 So an expire date, 64 00:03:04,280 --> 00:03:05,893 like in 10 seconds from now. 65 00:03:07,550 --> 00:03:09,970 So let's create a new date 66 00:03:09,970 --> 00:03:10,900 based on 67 00:03:11,940 --> 00:03:14,210 date.now 68 00:03:15,610 --> 00:03:17,290 plus 10 seconds. 69 00:03:17,290 --> 00:03:20,173 So that's 10 times 1000. 70 00:03:21,660 --> 00:03:26,060 And also I'm going to set it, again, to http only. 71 00:03:26,060 --> 00:03:27,600 Set to true, 72 00:03:27,600 --> 00:03:30,330 but we do not need to set it as secure, 73 00:03:30,330 --> 00:03:32,900 because in this case there is no sensitive data 74 00:03:32,900 --> 00:03:34,833 that anyone can get a hold of. 75 00:03:36,560 --> 00:03:38,083 Here we're missing the comma, 76 00:03:39,560 --> 00:03:42,803 and so now all we need to do is send this response back. 77 00:03:43,660 --> 00:03:46,100 So status 200 78 00:03:50,730 --> 00:03:53,143 and let's simply mark it as success here. 79 00:03:57,000 --> 00:04:00,930 Then in our route we need to add it, of course, as well 80 00:04:00,930 --> 00:04:02,740 so that's at the user route 81 00:04:04,470 --> 00:04:06,853 so let's do it right here after log in, 82 00:04:07,900 --> 00:04:11,220 but this one will actually be a get request 83 00:04:11,220 --> 00:04:13,130 because we're not going to send any data 84 00:04:13,130 --> 00:04:14,660 along with the request 85 00:04:14,660 --> 00:04:16,410 we're not changing anything, 86 00:04:16,410 --> 00:04:19,190 we actually simply get a cookie. 87 00:04:19,190 --> 00:04:21,730 And so that name actually makes sense. 88 00:04:21,730 --> 00:04:23,853 Or that verb actually makes sense. 89 00:04:24,860 --> 00:04:26,580 So log out, 90 00:04:26,580 --> 00:04:31,580 and so now we are good to actually hit that route 91 00:04:31,610 --> 00:04:34,463 just like we did here with our Axios library. 92 00:04:37,420 --> 00:04:39,110 So export, 93 00:04:39,110 --> 00:04:40,590 log out, 94 00:04:40,590 --> 00:04:41,950 or actually const first 95 00:04:47,320 --> 00:04:48,980 and so just like before 96 00:04:48,980 --> 00:04:50,790 we're using a try catch block 97 00:04:53,260 --> 00:04:56,140 which in this case is not really that important 98 00:04:56,140 --> 00:04:59,270 because there can not really be an error while logging out, 99 00:04:59,270 --> 00:05:00,270 right? 100 00:05:00,270 --> 00:05:02,420 But anyway, just in case, for example, 101 00:05:02,420 --> 00:05:04,140 we have no internet connection. 102 00:05:04,140 --> 00:05:07,800 So in that case, we then will get a nice error 103 00:05:07,800 --> 00:05:09,910 and let's actually do that first here. 104 00:05:09,910 --> 00:05:11,060 So show error 105 00:05:16,570 --> 00:05:17,570 logging out 106 00:05:20,010 --> 00:05:21,520 try again. 107 00:05:21,520 --> 00:05:23,730 Okay, but this here, as I said, 108 00:05:23,730 --> 00:05:25,393 should not happen that often. 109 00:05:26,330 --> 00:05:27,170 So instead 110 00:05:28,370 --> 00:05:29,203 let's 111 00:05:30,060 --> 00:05:31,973 do our request with Axios. 112 00:05:33,810 --> 00:05:34,643 All right. 113 00:05:37,760 --> 00:05:39,610 And so the method this time is get 114 00:05:41,980 --> 00:05:43,120 and the URL is 115 00:05:44,030 --> 00:05:45,523 similar to what we have here, 116 00:05:46,950 --> 00:05:48,030 But it is 117 00:05:49,480 --> 00:05:50,313 log out. 118 00:05:52,177 --> 00:05:56,140 And then as the next step, let's also reload the page. 119 00:05:56,140 --> 00:05:58,180 So that's what we always do manually 120 00:05:58,180 --> 00:06:00,400 when we delete a cookie, right? 121 00:06:00,400 --> 00:06:03,500 And so here of course we need to do it programatically. 122 00:06:03,500 --> 00:06:04,333 Right? 123 00:06:04,333 --> 00:06:05,550 And we need to do it here 124 00:06:05,550 --> 00:06:09,780 because since this is an Ajax request we can not do it 125 00:06:09,780 --> 00:06:10,990 on the back end side. 126 00:06:10,990 --> 00:06:13,100 So we can't do it with express. 127 00:06:13,100 --> 00:06:16,420 And so we need to, of course, do it manually here. 128 00:06:16,420 --> 00:06:17,350 Right? 129 00:06:17,350 --> 00:06:20,680 Otherwise we would technically be logged out 130 00:06:20,680 --> 00:06:23,320 but our user menu would still reflect 131 00:06:23,320 --> 00:06:25,950 so it would still show that we are logged in. 132 00:06:25,950 --> 00:06:29,120 And so of course, we simply need to reload the page 133 00:06:29,120 --> 00:06:31,950 which would then send the invalid cookie basically 134 00:06:31,950 --> 00:06:33,150 to the server, 135 00:06:33,150 --> 00:06:36,140 so that one that we just received without a token 136 00:06:36,140 --> 00:06:38,190 and then we are no longer logged in, 137 00:06:38,190 --> 00:06:42,303 and therefore then our user menu will disappear, okay? 138 00:06:43,210 --> 00:06:46,150 So let's do that if there was a success. 139 00:06:46,150 --> 00:06:51,150 So just like before, rest.data.status. 140 00:06:52,720 --> 00:06:56,540 And so in this end point, we also send back 141 00:06:57,430 --> 00:06:59,140 the status set to success, 142 00:06:59,140 --> 00:07:02,040 and so we can once more test for that here. 143 00:07:02,040 --> 00:07:03,800 And so if this is the case 144 00:07:03,800 --> 00:07:06,290 well we actually don't even need this 145 00:07:06,290 --> 00:07:11,180 so in this case widow location.reload. 146 00:07:11,180 --> 00:07:13,520 And then something really important is that we actually 147 00:07:13,520 --> 00:07:16,260 need to set it to true here, 148 00:07:16,260 --> 00:07:19,070 and that will then force a reload from the server 149 00:07:19,070 --> 00:07:22,280 and not from browser cache, all right? 150 00:07:22,280 --> 00:07:24,830 Now and of course we need to mark it here as async, 151 00:07:26,080 --> 00:07:27,710 and okay. 152 00:07:27,710 --> 00:07:30,350 So this part here is really important again 153 00:07:30,350 --> 00:07:32,930 because otherwise it might simply load the same page 154 00:07:32,930 --> 00:07:33,770 from the cache 155 00:07:33,770 --> 00:07:37,070 which would then still have our user menu up there. 156 00:07:37,070 --> 00:07:38,970 But of course that's not what we want, 157 00:07:38,970 --> 00:07:42,243 we really want a fresh page coming down from the server. 158 00:07:43,540 --> 00:07:44,720 All right? 159 00:07:44,720 --> 00:07:47,020 So we have our log out function 160 00:07:47,020 --> 00:07:51,560 and now in the index we basically need to now trigger it 161 00:07:51,560 --> 00:07:53,700 once we hit that button. 162 00:07:53,700 --> 00:07:56,463 So let's create an element here first. 163 00:07:59,470 --> 00:08:00,830 So the log out button 164 00:08:02,080 --> 00:08:04,830 document.querySelector 165 00:08:10,786 --> 00:08:14,203 and remember how we created this element. 166 00:08:15,660 --> 00:08:17,783 So that's here. 167 00:08:19,350 --> 00:08:20,976 So this one. 168 00:08:20,976 --> 00:08:23,110 So we're selecting now by this class. 169 00:08:23,110 --> 00:08:26,910 All right, and we could of course used an id as well here, 170 00:08:26,910 --> 00:08:30,240 but that's not really important, okay? 171 00:08:30,240 --> 00:08:33,760 What matters here is to now say 172 00:08:33,760 --> 00:08:35,712 if there is a log out button, 173 00:08:39,980 --> 00:08:44,980 then logOutButton.addEventListener. 174 00:08:45,720 --> 00:08:48,650 So we want it to listen to all events happening 175 00:08:48,650 --> 00:08:52,330 on that button whenever there is a click. 176 00:08:52,330 --> 00:08:54,370 So we're waiting for the click event 177 00:08:54,370 --> 00:08:57,460 and when that happens we then call the log out function 178 00:08:58,740 --> 00:09:00,800 which we didn't import yet, 179 00:09:00,800 --> 00:09:02,650 so let's add that here. 180 00:09:02,650 --> 00:09:06,023 So log in and log out. 181 00:09:07,680 --> 00:09:10,223 All right, and that should actually be it. 182 00:09:11,290 --> 00:09:14,570 So, let's test it now. 183 00:09:14,570 --> 00:09:17,240 Reload it again just to be sure, 184 00:09:17,240 --> 00:09:18,740 and now 185 00:09:18,740 --> 00:09:20,870 Oh, we get error logging out. 186 00:09:20,870 --> 00:09:22,253 Try again, why is that. 187 00:09:26,650 --> 00:09:30,710 Well, let's try to get a better look at the error. 188 00:09:30,710 --> 00:09:33,130 But what's important is that actually all of this 189 00:09:33,130 --> 00:09:34,283 is already working. 190 00:09:35,480 --> 00:09:36,970 So this event listener here 191 00:09:39,207 --> 00:09:42,407 and also this log out function is kind of doing its job. 192 00:09:44,360 --> 00:09:45,500 So let's just do 193 00:09:46,880 --> 00:09:51,383 console.log error.response. 194 00:09:55,370 --> 00:09:58,310 So let's reload this here. 195 00:09:58,310 --> 00:10:00,223 Should kind of happen automatically. 196 00:10:01,330 --> 00:10:02,343 All right. 197 00:10:03,350 --> 00:10:04,703 So try that again. 198 00:10:06,820 --> 00:10:08,480 So what is happening here 199 00:10:12,500 --> 00:10:16,493 so cast to object id failed for value log out. 200 00:10:17,880 --> 00:10:20,180 So that's very weird. 201 00:10:20,180 --> 00:10:21,523 Take a look at that route. 202 00:10:23,360 --> 00:10:24,523 Oh, of course, 203 00:10:25,910 --> 00:10:27,750 that's a serious mistake. 204 00:10:27,750 --> 00:10:29,223 Should be log in of course. 205 00:10:31,110 --> 00:10:34,933 Okay, but this kind of course, again, happen all the time. 206 00:10:36,490 --> 00:10:38,423 So let's reload this here. 207 00:10:42,240 --> 00:10:43,733 And try this again. 208 00:10:44,680 --> 00:10:46,700 And now we're getting something here. 209 00:10:46,700 --> 00:10:48,200 Now it's still and error, 210 00:10:48,200 --> 00:10:50,160 but that's no problem at all. 211 00:10:50,160 --> 00:10:52,750 So we have a JSON web token error 212 00:10:52,750 --> 00:10:55,810 because our JSON web token is malformed. 213 00:10:55,810 --> 00:10:57,890 And so it's coming, as you can see, 214 00:10:57,890 --> 00:11:00,610 from the is logged in middleware. 215 00:11:00,610 --> 00:11:04,323 And so we can kind of guess why that is, right? 216 00:11:05,530 --> 00:11:09,290 So let's go back add our auth controller. 217 00:11:09,290 --> 00:11:11,410 And so the JSON web token that we're basically 218 00:11:11,410 --> 00:11:14,430 sending now is this here, right? 219 00:11:14,430 --> 00:11:15,960 So this logged out. 220 00:11:15,960 --> 00:11:17,520 And so then here in 221 00:11:18,370 --> 00:11:23,040 the isLoggedIn that will then basically trigger an error. 222 00:11:23,040 --> 00:11:27,170 So here in JSON web token verify, right? 223 00:11:27,170 --> 00:11:29,420 And since this entire function here is wrapped 224 00:11:29,420 --> 00:11:33,070 in this catchASync it will send this error down to all 225 00:11:33,070 --> 00:11:35,100 global error handling middleware. 226 00:11:35,100 --> 00:11:38,290 And that will then create this error which in this case 227 00:11:38,290 --> 00:11:40,240 we do not want, remember? 228 00:11:40,240 --> 00:11:41,368 So in this isLoggedIn middleware we do not want 229 00:11:41,368 --> 00:11:45,220 to cause any errors. 230 00:11:45,220 --> 00:11:47,480 And so, let's actually fix that 231 00:11:47,480 --> 00:11:50,520 and so we're going to remove this catchASync from here 232 00:11:51,490 --> 00:11:55,090 because we do not want to catch any Async errors. 233 00:11:55,090 --> 00:11:57,640 Instead what we want to do is to basically 234 00:11:57,640 --> 00:11:59,200 catch them locally 235 00:11:59,200 --> 00:12:02,083 and then if there's an error simply say next. 236 00:12:03,300 --> 00:12:05,240 Like this, okay? 237 00:12:05,240 --> 00:12:06,363 So let's do that. 238 00:12:08,350 --> 00:12:10,813 So wrap all of this into a try. 239 00:12:14,170 --> 00:12:15,133 Close it here. 240 00:12:18,750 --> 00:12:19,890 Well, something else wrong. 241 00:12:19,890 --> 00:12:23,303 Ah! Probably we are just missing the catch block. 242 00:12:27,520 --> 00:12:32,010 And so in this case we want to go to the next middleware. 243 00:12:32,010 --> 00:12:35,463 So basically saying that there is no logged in user. 244 00:12:36,910 --> 00:12:37,743 Right? 245 00:12:38,970 --> 00:12:41,543 So, let's test it again. 246 00:12:42,510 --> 00:12:45,283 Go back, oh , and now we're no longer logged in. 247 00:12:47,900 --> 00:12:49,590 So log in. 248 00:12:49,590 --> 00:12:51,103 That was successful. 249 00:12:52,160 --> 00:12:54,093 And now straight away let's log out. 250 00:12:55,210 --> 00:12:59,110 Ah! Beautiful! Now it works correctly. 251 00:12:59,110 --> 00:13:02,160 And so this time what happened here is that of course 252 00:13:02,160 --> 00:13:04,160 this verification here failed 253 00:13:04,160 --> 00:13:07,730 because that JSON web token was not in a format that 254 00:13:07,730 --> 00:13:09,560 this algorithm expected. 255 00:13:09,560 --> 00:13:12,380 But what happened in this case is that the error was 256 00:13:12,380 --> 00:13:15,020 not catched using our catchASync function 257 00:13:15,020 --> 00:13:18,470 but instead it then went straight to catch err, 258 00:13:18,470 --> 00:13:21,480 which then went straight to the next middleware. 259 00:13:21,480 --> 00:13:23,790 All right, great! 260 00:13:23,790 --> 00:13:26,800 So if we now take a look at our cookies, 261 00:13:26,800 --> 00:13:30,743 well we have one in use that probably has already expired. 262 00:13:31,840 --> 00:13:35,810 So you see it only has this life of 10 seconds 263 00:13:35,810 --> 00:13:38,050 and so if I reload this page now actually 264 00:13:40,130 --> 00:13:41,680 then is should already be gone. 265 00:13:43,700 --> 00:13:46,350 So you see zero cookies in use. 266 00:13:46,350 --> 00:13:48,800 Okay, and that's actually all we have to do 267 00:13:48,800 --> 00:13:51,583 in order to log out the user from our website. 19563