1
00:00:00,290 --> 00:00:05,270
Okay, so we have a way to validate the user's email and password.

2
00:00:05,270 --> 00:00:08,570
And now we want to start getting into JSON Web Tokens.

3
00:00:08,570 --> 00:00:11,360
So I just want to briefly talk about how they work.

4
00:00:11,360 --> 00:00:15,860
So in web development, there's many different ways to authenticate users.

5
00:00:15,860 --> 00:00:23,300
You can use cookies, sessions, JSON Web Tokens or a combination, and there's other services like

6
00:00:23,330 --> 00:00:31,040
OAuth and there's third party services like Auth0. In this course we're going to go with

7
00:00:31,040 --> 00:00:36,290
using JSON Web Tokens because I want to keep this as barebones as possible.

8
00:00:36,290 --> 00:00:40,100
I don't want to go and use any third party services or anything like that.

9
00:00:40,100 --> 00:00:44,570
I want you guys to know how to do this pretty much from scratch.

10
00:00:44,570 --> 00:00:50,960
So a JSON Web Token is a secure way to share information between two parties, such as a web server

11
00:00:50,960 --> 00:00:51,950
and a client.

12
00:00:51,950 --> 00:00:56,510
And it consists of three parts: a header, a payload and a signature.

13
00:00:56,510 --> 00:01:01,920
And the payload contains information like the user's ID or the user's role.

14
00:01:01,920 --> 00:01:07,460
And the signature is used to verify the information hasn't been tampered with in any way.

15
00:01:07,470 --> 00:01:14,910
So JWTs are commonly used for authentication, which is the process of verifying a user's identity.

16
00:01:14,940 --> 00:01:21,870
Now, traditionally, JSON Web Tokens often get stored in the browser on the client.

17
00:01:21,870 --> 00:01:27,270
So basically we would log in, we would validate just like we did in the last video,

18
00:01:27,300 --> 00:01:33,660
we would send a token and then we'd store that token in our local storage on the client and then send

19
00:01:33,660 --> 00:01:39,420
that token to any protected routes where we had to be logged in, where we had to authenticate.

20
00:01:39,450 --> 00:01:42,060
Now that's not the best way to do things.

21
00:01:42,060 --> 00:01:48,870
It can be insecure because you are storing it on the client, so you open yourself up to cross-site

22
00:01:48,870 --> 00:01:51,390
scripting attacks and all kinds of stuff.

23
00:01:51,390 --> 00:01:53,760
So we're not going to do it that way.

24
00:01:53,760 --> 00:01:57,290
What we're going to do is we're going to generate a JSON Web Token.

25
00:01:57,300 --> 00:02:02,530
However, we're going to store it in an HTTP-only cookie on the server.

26
00:02:02,540 --> 00:02:09,259
So we're going to write some middleware that will basically, once we authenticate or we register,

27
00:02:09,259 --> 00:02:16,430
it'll create the token, store it in an HTTP-only cookie, and then that will get sent with every request

28
00:02:16,430 --> 00:02:17,570
from then on.

29
00:02:17,630 --> 00:02:17,920
Okay.

30
00:02:17,930 --> 00:02:24,680
So it's not actually going to be stored in our browser in local storage, which makes it much safer.

31
00:02:25,040 --> 00:02:30,560
In the first version of this course, we did store it in local storage and I think that's fine for some

32
00:02:30,560 --> 00:02:31,490
cases.

33
00:02:31,730 --> 00:02:36,560
If you're going to have a large production app, you're going to have a lot of users and stuff, then

34
00:02:36,560 --> 00:02:38,420
you probably shouldn't do it that way.

35
00:02:38,420 --> 00:02:41,570
So this is a better option in my opinion.

36
00:02:41,960 --> 00:02:42,290
All right.

37
00:02:42,290 --> 00:02:46,370
But like I said, there's so many different ways to authenticate these days.

38
00:02:46,760 --> 00:02:53,540
Now this is jwt.io, and you can actually paste any JSON Web Token in this box here.

39
00:02:53,540 --> 00:02:55,220
So this is what it will look like.

40
00:02:55,220 --> 00:02:57,170
And like I said, there's three parts.

41
00:02:57,170 --> 00:02:59,390
There's the header which you can see in red.

42
00:02:59,390 --> 00:03:05,040
So it just has the algorithm and the type and then the payload, which you can pretty much put whatever

43
00:03:05,040 --> 00:03:06,120
you want in here.

44
00:03:06,120 --> 00:03:13,020
In our case, we're going to want to put the user ID because when we are logged in with a specific

45
00:03:13,050 --> 00:03:19,530
user and we want to do something that requires us to be authenticated, we want the system

46
00:03:19,530 --> 00:03:25,800
to get our ID from the payload, from the JSON Web Token, and then we just have the signature to make

47
00:03:25,800 --> 00:03:29,190
sure that everything is valid, make sure nothing has been tampered with.

48
00:03:29,370 --> 00:03:29,730
All right.

49
00:03:29,730 --> 00:03:30,930
So that's what it looks like.

50
00:03:30,930 --> 00:03:36,030
And I'll keep this open so that when we do actually generate a token, we can paste it in here and see

51
00:03:36,030 --> 00:03:37,440
exactly what we get.

52
00:03:37,710 --> 00:03:38,100
All right.

53
00:03:38,100 --> 00:03:43,230
So in the next video, what we're going to do is make it so we generate a token.

54
00:03:43,230 --> 00:03:49,590
So this is a package we're going to install called jsonwebtoken, and we're going to use that to both

55
00:03:49,590 --> 00:03:52,110
generate and verify the token.

56
00:03:52,110 --> 00:03:52,410
All right.

57
00:03:52,410 --> 00:03:53,610
So we'll get to that next.

