1
00:00:00,320 --> 00:00:05,810
Okay, so now that we have all of our controller methods and routes for our users, I want to start

2
00:00:05,810 --> 00:00:11,300
to work on each function and we're going to start with the auth user, which is our login.

3
00:00:11,300 --> 00:00:12,980
So it's this route right here.

4
00:00:13,010 --> 00:00:18,530
API users login, and I have that in my Postman tab right here.

5
00:00:18,680 --> 00:00:22,070
Let's make that a little smaller if possible or not.

6
00:00:22,070 --> 00:00:25,280
And if I send, I just get auth user.

7
00:00:25,280 --> 00:00:31,100
Now when you send your login, you're going to need to attach some body data.

8
00:00:31,100 --> 00:00:41,150
So if we go to body, you can either send raw JSON data or this form URL encoded value, or key-value pairs.

9
00:00:41,150 --> 00:00:49,820
So if I put in like email and I want to use john@email.com and I already have users in my database because

10
00:00:49,820 --> 00:00:52,820
of the seeder data that we created a while back.

11
00:00:52,820 --> 00:01:00,260
So if I look in Compass and you look in users, you'll see I have three users, I have Jane, Jane at

12
00:01:00,270 --> 00:01:07,320
email, John at email and admin at email, and all their passwords are one, two, three, four, five,

13
00:01:07,320 --> 00:01:09,960
six, but of course they're hashed in the database.

14
00:01:10,350 --> 00:01:10,830
All right.

15
00:01:10,830 --> 00:01:16,260
And if you don't have that in your database, you can just run the script, which if we look in our

16
00:01:16,260 --> 00:01:23,940
backend package.json, you can do npm run data import and it will then seed the data and add it to

17
00:01:23,940 --> 00:01:25,050
your database.

18
00:01:25,110 --> 00:01:25,350
Okay.

19
00:01:25,380 --> 00:01:28,200
So I want to log in with this John account.

20
00:01:28,200 --> 00:01:33,750
So let's also add a password of one, two, three, four, five, six.

21
00:01:33,780 --> 00:01:38,880
Now if I send it at the moment I'm still going to just get auth user because that's all we're doing

22
00:01:38,880 --> 00:01:39,720
here, right?

23
00:01:39,720 --> 00:01:41,250
We're not checking anything.

24
00:01:41,250 --> 00:01:44,790
We're not getting any body data or anything like that.

25
00:01:44,940 --> 00:01:50,100
Now, I'm sure that a lot of you already know this, but to get the data that's sent in the body, we

26
00:01:50,100 --> 00:01:54,000
use this request object which has a body object on it.

27
00:01:54,000 --> 00:01:58,410
So if I say console log request dot body.

28
00:01:59,510 --> 00:02:05,420
And if I send the data here, I send my request, and then I look down in the console, notice that

29
00:02:05,420 --> 00:02:06,890
it says undefined.

30
00:02:06,920 --> 00:02:13,280
Now, the reason for that is because we haven't set up the middleware yet for parsing body data.

31
00:02:13,280 --> 00:02:16,260
So we have to add that in our server.js.

32
00:02:16,280 --> 00:02:21,920
So let's go into server.js and we're going to go right under where we created the app variable here

33
00:02:21,920 --> 00:02:25,250
and let's say body parser.

34
00:02:25,990 --> 00:02:27,190
Middleware.

35
00:02:28,740 --> 00:02:37,620
And to do that we're going to say app dot use and we're going to pass in here express dot json.

36
00:02:37,650 --> 00:02:44,880
It used to be a third-party body parser that you had to install, but now it comes out

37
00:02:44,880 --> 00:02:46,330
of the box with Express.

38
00:02:46,350 --> 00:02:48,210
Now that's for just raw JSON.

39
00:02:48,210 --> 00:02:50,670
We also want to be able to do the URL encoded.

40
00:02:50,670 --> 00:02:52,650
So let's say app dot use.

41
00:02:53,330 --> 00:03:04,610
And we're going to do express dot URL encoded, and we're just going to pass in an object

42
00:03:04,610 --> 00:03:06,110
with extended.

43
00:03:07,570 --> 00:03:10,420
And we're going to set that to false.

44
00:03:10,780 --> 00:03:11,110
I'm sorry.

45
00:03:11,110 --> 00:03:12,430
We're going to set that to true.

46
00:03:13,850 --> 00:03:14,270
Okay.

47
00:03:14,270 --> 00:03:17,900
Now these two lines of middleware should allow us to get that body data.

48
00:03:17,900 --> 00:03:22,730
So once again, I'm going to send with the email and password in the body.

49
00:03:22,970 --> 00:03:28,160
And then if I come back over here, you'll see I have an object with the email and password.

50
00:03:29,120 --> 00:03:31,440
So now we can close up server.js.

51
00:03:31,460 --> 00:03:35,390
Come back over here and we can proceed with what we want to do here.

52
00:03:35,420 --> 00:03:42,950
So instead of using request dot body dot email and request dot body dot password, I'm going to

53
00:03:43,190 --> 00:03:49,660
deconstruct both of those from request dot body.

54
00:03:49,700 --> 00:03:56,120
So I should be able to say const and then in curly braces, take out the email and the password.

55
00:03:56,760 --> 00:03:58,320
So now we have that.

56
00:03:58,320 --> 00:04:03,870
So the first thing we want to do after we get the email and password is check for the user, make

57
00:04:03,870 --> 00:04:07,620
sure there's a user that has that email.

58
00:04:07,620 --> 00:04:16,769
So let's say const user, set that to await and then take our user model and we're going to call find

59
00:04:16,769 --> 00:04:20,910
one because that's what we want to do is find one record in the database.

60
00:04:22,040 --> 00:04:29,720
Or one document, I should say, and we want to specify, we want the email to match the email that

61
00:04:29,720 --> 00:04:31,140
is passed in here.

62
00:04:31,160 --> 00:04:35,840
Now, since these are the same, I can get rid of the second one, so we can just do that.

63
00:04:37,050 --> 00:04:37,530
Okay.

64
00:04:37,530 --> 00:04:39,090
And then let's do this.

65
00:04:39,090 --> 00:04:40,490
We'll say if.

66
00:04:42,770 --> 00:04:48,200
If there is a user that matches, then let's respond.

67
00:04:48,200 --> 00:04:50,120
So res.json.

68
00:04:51,460 --> 00:04:59,380
And we're going to pass an object that has the underscore ID, which we'll set to user dot underscore

69
00:04:59,380 --> 00:05:01,840
ID the name.

70
00:05:02,460 --> 00:05:02,970
So.

71
00:05:02,970 --> 00:05:04,830
User dot name.

72
00:05:06,000 --> 00:05:07,350
The email.

73
00:05:07,930 --> 00:05:12,910
So user dot email and the is admin.

74
00:05:13,060 --> 00:05:16,420
So user dot is admin.

75
00:05:16,570 --> 00:05:18,310
So that's what we want to send back.

76
00:05:18,310 --> 00:05:22,660
And ultimately we're going to want to set a token, but I'm not getting to that just yet.

77
00:05:23,330 --> 00:05:26,510
Now if there's not a user.

78
00:05:26,510 --> 00:05:28,490
So we'll just put an else here.

79
00:05:28,820 --> 00:05:33,920
If there's not a user, then I want to first of all, set the status to 401.

80
00:05:33,920 --> 00:05:36,080
Because that means unauthorized.

81
00:05:36,080 --> 00:05:39,710
So status 401.

82
00:05:41,610 --> 00:05:45,150
Status and then we can throw an error.

83
00:05:45,150 --> 00:05:51,450
So say throw new error because remember, we created our own custom error handler.

84
00:05:53,250 --> 00:05:56,400
And we just want that to say invalid.

85
00:05:57,890 --> 00:06:00,080
I will say invalid email.

86
00:06:00,800 --> 00:06:02,030
Or password.

87
00:06:02,030 --> 00:06:06,380
You don't want to let them know which one was invalid because that's a security issue.

88
00:06:07,070 --> 00:06:12,290
That would make it so that people can figure out which emails are actually registered or not.

89
00:06:12,290 --> 00:06:17,720
So whether the email is wrong or the password is wrong, we want the same error message.

90
00:06:17,720 --> 00:06:21,470
And then down here this res.send we can just get rid of that.

91
00:06:22,770 --> 00:06:24,210
So let's see what we get here.

92
00:06:24,210 --> 00:06:30,120
I'm going to go ahead and send with the wrong password, so I'm going to take the six off and then send.

93
00:06:30,360 --> 00:06:33,630
And let's see, why did that?

94
00:06:33,960 --> 00:06:36,000
Oh, we didn't validate the password yet.

95
00:06:36,000 --> 00:06:36,900
That's right.

96
00:06:37,050 --> 00:06:40,830
So actually, let's do a wrong email.

97
00:06:41,220 --> 00:06:44,400
So I'll do like whatever one email.

98
00:06:44,880 --> 00:06:45,180
Okay.

99
00:06:45,180 --> 00:06:48,390
So now we get invalid email or password.

100
00:06:48,970 --> 00:06:53,590
The password doesn't matter at the moment because we haven't implemented that yet, but it's

101
00:06:53,590 --> 00:06:55,000
going to check for the user.

102
00:06:55,000 --> 00:06:59,980
And if that user doesn't exist, then we're going to get our message and we're also going to get a stack

103
00:07:00,010 --> 00:07:02,230
trace because we're in development.

104
00:07:02,290 --> 00:07:07,840
Remember, in our error handler, we specified that we want a stack trace if we're in development.

105
00:07:08,140 --> 00:07:15,310
Now, if I search for a user that does exist, like John at email, then I'm going to get the data back.

106
00:07:15,550 --> 00:07:19,350
So the next step is to integrate the password checking.

107
00:07:19,360 --> 00:07:26,770
Now to do that, we have to use bcrypt because what we're getting as a password when we send our request

108
00:07:26,770 --> 00:07:30,880
is just plain text, but we have to match it to the hash in the database.

109
00:07:30,880 --> 00:07:34,180
So we use bcrypt for that and we could do it right here.

110
00:07:34,180 --> 00:07:41,470
But I think a cleaner way to do it is to add it to the model because you can actually do this within

111
00:07:41,470 --> 00:07:42,280
the model.

112
00:07:42,280 --> 00:07:46,420
So let's go to user model and we do want to bring in bcrypt.

113
00:07:46,420 --> 00:07:52,580
So up at the top we're going to say import bcrypt, and make sure that you don't bring it in

114
00:07:52,580 --> 00:07:53,570
as bcrypt

115
00:07:53,630 --> 00:07:59,090
JS. It's going to be bcrypt, if I can spell that right, from

116
00:07:59,090 --> 00:08:06,860
And then here we want to put bcryptjs, and then down here let's go right above where we export the model

117
00:08:06,860 --> 00:08:10,250
and we're going to add on to the user schema.

118
00:08:10,550 --> 00:08:15,980
We can add a method by saying dot methods dot, and then whatever we want to call this, which I'm going

119
00:08:15,980 --> 00:08:24,230
to call it match password, and we're going to set that to an asynchronous function and this is going

120
00:08:24,230 --> 00:08:27,140
to take in an entered password.

121
00:08:27,260 --> 00:08:31,940
So whatever the user enters, which will be plain text.

122
00:08:32,590 --> 00:08:32,799
Okay.

123
00:08:32,799 --> 00:08:34,270
So it's going to take that in.

124
00:08:34,270 --> 00:08:38,350
And then we basically need to compare that to the hashed password.

125
00:08:38,350 --> 00:08:41,740
So we're going to return from here, let's say return.

126
00:08:41,740 --> 00:08:48,760
And then we want to await on bcrypt dot, and there's a method called compare.

127
00:08:48,880 --> 00:08:54,280
And compare is going to take in the plaintext password, which is entered password, and we're going

128
00:08:54,280 --> 00:09:01,210
to match it to this dot password, which is the password that's currently stored in the database

129
00:09:01,210 --> 00:09:03,100
for this user.

130
00:09:03,250 --> 00:09:05,650
Now, just doing this doesn't do anything.

131
00:09:05,650 --> 00:09:10,150
We need to actually use this match password in our controller.

132
00:09:10,150 --> 00:09:11,980
So let's go back to our controller.

133
00:09:11,980 --> 00:09:17,320
And we're just going to add here where we're just checking for the user because obviously we don't want

134
00:09:17,320 --> 00:09:18,880
to just see if the user exists.

135
00:09:18,880 --> 00:09:21,040
We want to match the password as well.

136
00:09:21,040 --> 00:09:23,770
So I'm going to say double ampersand.

137
00:09:23,770 --> 00:09:35,000
So "and", and then in parentheses we'll say we want to await on user. Now, since I added this method onto

138
00:09:35,000 --> 00:09:39,250
the user schema, I can access that method on the user object.

139
00:09:39,260 --> 00:09:43,310
So let's say user dot match.

140
00:09:44,700 --> 00:09:51,840
password, and we're going to pass into that the entered password.

141
00:09:52,560 --> 00:09:54,210
Which comes from the body.

142
00:09:54,750 --> 00:09:55,010
Okay.

143
00:09:55,050 --> 00:10:00,900
So again, it's getting passed in the entered password and then we're going to compare it to the password

144
00:10:00,900 --> 00:10:03,690
of that user, the hash.

145
00:10:04,610 --> 00:10:06,380
And everything else should be good.

146
00:10:06,380 --> 00:10:07,730
So let's save that.

147
00:10:08,280 --> 00:10:12,000
And now let's try to do it with the wrong password.

148
00:10:12,000 --> 00:10:17,340
So this is the wrong password I'm going to send and you'll see it says invalid email or password.

149
00:10:17,340 --> 00:10:20,910
I have the correct email, but this is not the correct password.

150
00:10:20,910 --> 00:10:23,670
So let's add a six, which is correct.

151
00:10:23,670 --> 00:10:25,440
And now it works.

152
00:10:26,240 --> 00:10:28,790
Okay, now all we're doing is getting the data back.

153
00:10:28,790 --> 00:10:34,370
We're not actually creating any JSON web tokens or storing a cookie or anything like that.

154
00:10:34,640 --> 00:10:36,410
We're going to do that soon.

155
00:10:36,410 --> 00:10:42,920
But I just wanted to get the basic logic down where we're validating the user's email and checking the

156
00:10:42,920 --> 00:10:44,000
password.

157
00:10:44,180 --> 00:10:44,480
Okay.

158
00:10:44,480 --> 00:10:49,070
So in the next video, I'm going to talk a little bit about how JSON web tokens work and then we're

159
00:10:49,070 --> 00:10:50,300
going to implement them.

