1
00:00:00,470 --> 00:00:00,950
All right, guys.

2
00:00:00,950 --> 00:00:07,010
So up to this point, we can make a request to our login or our auth route.

3
00:00:07,010 --> 00:00:14,420
And when that happens, if our email and password are validated, then it's going to go ahead and create

4
00:00:14,420 --> 00:00:21,800
a JSON web token and it's going to set it as an HttpOnly cookie and then that can get sent with every

5
00:00:21,800 --> 00:00:23,330
request after that.

6
00:00:23,360 --> 00:00:30,170
Now we need a way to take that cookie and use it and we need to get the user ID from it.

7
00:00:30,440 --> 00:00:30,860
All right.

8
00:00:30,860 --> 00:00:39,050
So what we're going to do first is install another package called cookie parser that will allow us to

9
00:00:39,050 --> 00:00:42,170
easily parse the cookie from the request object.

10
00:00:42,170 --> 00:00:46,070
So I'm going to stop the server and make sure you're in the root directory, not the front end.

11
00:00:46,070 --> 00:00:49,670
And let's install cookie dash parser.

12
00:00:50,600 --> 00:00:50,960
Okay.

13
00:00:50,960 --> 00:00:53,660
Once we do that, we can start up the server again.

14
00:00:54,720 --> 00:01:03,360
Now to enable this middleware, we do have to go into the server.js and from here we want to import

15
00:01:03,390 --> 00:01:04,349
cookie parser.

16
00:01:04,379 --> 00:01:06,480
Let's do it right here.

17
00:01:06,480 --> 00:01:07,950
We'll say import.

18
00:01:09,020 --> 00:01:16,730
Cookie parser from cookie dash parser and then we just need to pass it into app dot use.

19
00:01:16,730 --> 00:01:18,080
So we'll put that.

20
00:01:18,700 --> 00:01:25,720
Right here, let's say cookie parser middleware and it's just app.use and then pass in the cookie parser

21
00:01:25,720 --> 00:01:26,560
function.

22
00:01:26,980 --> 00:01:27,280
Okay.

23
00:01:27,280 --> 00:01:28,900
So now that should be all set.

24
00:01:28,930 --> 00:01:37,480
What that will do is allow us to access request dot cookies and since our cookie is called JWT, we'll

25
00:01:37,480 --> 00:01:40,750
be able to access request dot cookies, dot JWT.

26
00:01:41,650 --> 00:01:45,060
Now where we want to do this is in middleware.

27
00:01:45,070 --> 00:01:51,730
So in the middleware folder let's create an auth middleware dot JS file.

28
00:01:51,880 --> 00:01:58,750
And in here we're going to import JWT because we need to verify the token.

29
00:01:58,750 --> 00:02:01,750
So we're going to import that from jsonwebtoken.

30
00:02:01,780 --> 00:02:07,690
We're also oops, we're also going to import that should be lowercase.

31
00:02:08,389 --> 00:02:10,280
And we don't need.

32
00:02:11,400 --> 00:02:13,650
Curly braces around it either.

33
00:02:13,950 --> 00:02:19,230
So we also want our async handler, which isn't coming from Express.

34
00:02:19,260 --> 00:02:20,250
Async handler.

35
00:02:20,250 --> 00:02:25,770
It's our custom one that we created, which is going to be at dot slash async.

36
00:02:26,770 --> 00:02:29,230
Handler JS.

37
00:02:30,070 --> 00:02:30,490
Okay.

38
00:02:30,490 --> 00:02:32,500
And then we also want the user model.

39
00:02:32,500 --> 00:02:36,850
So we're going to bring that in from our models folder and then user model.

40
00:02:36,970 --> 00:02:39,400
So we'll have two functions in this.

41
00:02:39,550 --> 00:02:46,570
In this file we're going to have protect, which is going to allow us to protect routes for users that

42
00:02:46,570 --> 00:02:47,890
are registered.

43
00:02:47,890 --> 00:02:52,570
And then we'll also have an admin middleware function for users that are admins.

44
00:02:52,570 --> 00:02:56,800
So like for instance, to get all orders you have to be an admin for that.

45
00:02:56,800 --> 00:02:58,720
So let's start with the protect.

46
00:02:58,960 --> 00:03:04,360
So we'll just say protect routes and I'm going to use copilot for some of this.

47
00:03:05,830 --> 00:03:09,030
So as you can see, we're using our async handler.

48
00:03:09,040 --> 00:03:15,520
We're wrapping the function here and in middleware, with any middleware function, we have access to

49
00:03:15,520 --> 00:03:19,710
the request and response object and we can do what we want with those.

50
00:03:19,720 --> 00:03:26,200
And you just need to make sure that at the end of your middleware function you call next because that

51
00:03:26,200 --> 00:03:30,160
will just say, okay, we're done here, move on to the next middleware.

52
00:03:30,550 --> 00:03:35,440
So let's go ahead and just initialize a variable called token.

53
00:03:35,860 --> 00:03:40,630
And we're going to read, let's say read the.

54
00:03:41,520 --> 00:03:50,520
JWT from the cookie and we can do that by let's take the token variable we just created and we can access

55
00:03:50,520 --> 00:03:53,190
request dot cookies, dot JWT.

56
00:03:53,910 --> 00:03:55,770
Okay, not token JWT.

57
00:03:55,770 --> 00:04:03,540
And the reason for that is because if we go back to our controller, we go to our auth route.

58
00:04:04,690 --> 00:04:06,040
See right here.

59
00:04:06,040 --> 00:04:10,120
So this is where I set the token and I called it JWT.

60
00:04:10,330 --> 00:04:15,730
If I called it token here, then I would be accessing request cookies dot token.

61
00:04:16,690 --> 00:04:16,920
Okay.

62
00:04:16,959 --> 00:04:22,510
But I'm putting whatever that is that JWT into a variable called token now.

63
00:04:22,510 --> 00:04:24,250
So then we just want to check for that.

64
00:04:24,250 --> 00:04:25,480
Let's say if.

65
00:04:26,320 --> 00:04:27,310
Token.

66
00:04:30,380 --> 00:04:33,650
So if token, then whoops, what did I do here?

67
00:04:34,310 --> 00:04:37,760
So if token, then we're going to do something else.

68
00:04:39,700 --> 00:04:45,850
So if there's no token, then we're going to say res dot status 401 and we're going to throw an error.

69
00:04:45,970 --> 00:04:46,330
Okay.

70
00:04:46,330 --> 00:04:49,450
And we're able to do this because of our error handler.

71
00:04:49,630 --> 00:04:53,950
Now, if there is a token, what we'll do is have a try.

72
00:04:53,950 --> 00:04:54,880
Catch.

73
00:04:55,330 --> 00:05:01,210
And in the try, we're going to decode the token to get the user ID because remember when we created

74
00:05:01,210 --> 00:05:05,140
the token, we passed in the user ID as the payload.

75
00:05:05,140 --> 00:05:07,420
So we want to extract that from it.

76
00:05:07,420 --> 00:05:10,420
So let's say const decoded.

77
00:05:10,540 --> 00:05:19,630
And the way we decode it is with JWT dot verify and verify takes in the token and then also takes in

78
00:05:19,630 --> 00:05:22,690
the secret which we have in our dot env file.

79
00:05:23,080 --> 00:05:28,810
Now we want to get the user from the database that matches that user ID.

80
00:05:28,810 --> 00:05:33,760
So this is now an object that has a user ID field.

81
00:05:33,760 --> 00:05:36,760
So we can say decoded dot user ID.

82
00:05:36,760 --> 00:05:42,440
So let's go ahead and just await on and then we'll use the user model.

83
00:05:43,120 --> 00:05:48,310
And we want to find by ID the decoded user ID.

84
00:05:48,850 --> 00:05:53,290
Now, I don't want the password because this will return all the fields.

85
00:05:53,290 --> 00:05:54,520
I don't want the password.

86
00:05:54,520 --> 00:05:57,010
Even though it's hashed, there's no reason to get that.

87
00:05:57,010 --> 00:06:03,100
So we can actually add on to that dot select and then just pass in minus password.

88
00:06:03,550 --> 00:06:03,880
Okay.

89
00:06:03,880 --> 00:06:08,950
Now what I want to do with that is then add that user to the request object.

90
00:06:08,950 --> 00:06:14,410
So let's say request dot user equals that user.

91
00:06:14,410 --> 00:06:20,950
And then this, this user object will be on the request object in all of our routes.

92
00:06:20,950 --> 00:06:27,540
So for instance, if we're looking in or if we're working in the profile route, we'll be able to take

93
00:06:27,550 --> 00:06:33,580
get the user from this request object and do what we want with it and it will be the user that's logged

94
00:06:33,580 --> 00:06:34,060
in.

95
00:06:34,670 --> 00:06:36,440
So hopefully that makes sense.

96
00:06:36,440 --> 00:06:40,880
And then we just want to call next to move on to the next piece of middleware.

97
00:06:41,240 --> 00:06:46,970
Now, if there's an error here, then let's go ahead and just set the status to 401.

98
00:06:47,120 --> 00:06:50,840
And then for a message, we'll just say not authorized.

99
00:06:50,840 --> 00:06:58,430
Instead of no token, though, we'll say token failed because if this is firing off, then it means

100
00:06:58,430 --> 00:06:59,900
we have the token.

101
00:06:59,900 --> 00:07:00,980
It's there, right?

102
00:07:00,980 --> 00:07:02,630
Because we're saying if token.

103
00:07:02,630 --> 00:07:08,660
But it's not, it's not the right token, it's not authorized.

104
00:07:08,990 --> 00:07:11,360
And then let's just do a console.

105
00:07:11,870 --> 00:07:18,110
We'll do a console log here of error as well, just so we know what's going on, if that does happen.

106
00:07:19,170 --> 00:07:21,010
So that's our protect middleware.

107
00:07:21,030 --> 00:07:21,870
Now.

108
00:07:22,660 --> 00:07:28,640
We might as well just create the admin middleware while we're in this file because it's pretty easy.

109
00:07:28,660 --> 00:07:30,430
So let's say.

110
00:07:31,370 --> 00:07:31,970
Um.

111
00:07:33,040 --> 00:07:38,980
I'll just say admin middleware and we want to I'm not going to export it from here.

112
00:07:38,980 --> 00:07:40,600
We'll export it at the bottom.

113
00:07:40,600 --> 00:07:42,730
But let's say const admin.

114
00:07:43,810 --> 00:07:47,860
And any middleware function is going to take in request response.

115
00:07:47,860 --> 00:07:49,060
And next.

116
00:07:50,140 --> 00:07:57,780
And all we want to do is check the user's isAdmin field and see if that's true.

117
00:07:57,790 --> 00:07:59,980
So let's say if.

118
00:08:01,810 --> 00:08:10,660
So we'll say if the request dot user because we'll have access to that and the request dot user dot

119
00:08:10,690 --> 00:08:12,340
isAdmin.

120
00:08:12,430 --> 00:08:18,640
So it was just saying if this is true, if it is an admin, then we're going to just move on to the

121
00:08:18,640 --> 00:08:20,110
next middleware.

122
00:08:20,140 --> 00:08:21,070
Else.

123
00:08:22,100 --> 00:08:25,640
Then we're going to send an error.

124
00:08:27,670 --> 00:08:28,870
So 401.

125
00:08:28,870 --> 00:08:32,020
And we'll say not authorized.

126
00:08:33,299 --> 00:08:35,039
As admin.

127
00:08:36,120 --> 00:08:36,840
And that's it.

128
00:08:36,840 --> 00:08:37,799
Very simple.

129
00:08:37,799 --> 00:08:44,320
And then when we want to use these middlewares, we can just pass it into the route in the route file.

130
00:08:44,340 --> 00:08:46,210
I'll show you how we can do that in a minute.

131
00:08:46,230 --> 00:08:49,020
So now let's just export.

132
00:08:49,050 --> 00:08:50,700
Both protect.

133
00:08:53,510 --> 00:08:54,890
Protect and admin.

134
00:08:54,890 --> 00:08:56,330
Did I export that up here?

135
00:08:56,330 --> 00:08:56,830
I did.

136
00:08:56,840 --> 00:08:58,550
So you can do it this way if you want.

137
00:08:58,550 --> 00:08:59,360
Just have export.

138
00:08:59,360 --> 00:09:02,900
But I like to do it at the bottom in this case.

139
00:09:04,420 --> 00:09:04,720
Okay.

140
00:09:04,720 --> 00:09:10,060
And now we can just bring these in to our routes or wherever we want to use them so we can close this

141
00:09:10,060 --> 00:09:14,860
middleware file up and let's go into our user routes.

142
00:09:15,160 --> 00:09:18,940
So right here and we need to figure out which of these routes.

143
00:09:19,990 --> 00:09:24,400
Should be protected just for registered users and which ones for admin.

144
00:09:24,580 --> 00:09:31,960
So first off, let's import protect and admin from dot dot slash middleware and auth middleware.

145
00:09:31,960 --> 00:09:39,490
And then as far as the routes I want to protect, let's see, we have our profile, right?

146
00:09:39,490 --> 00:09:45,730
So obviously to get the user profile or to update, we need to be registered.

147
00:09:45,730 --> 00:09:47,320
So we want to protect those.

148
00:09:47,320 --> 00:09:52,570
So what we can do is before the function name, we're just going to put in the protect middleware.

149
00:09:52,570 --> 00:09:54,580
So that's to get user profile.

150
00:09:54,580 --> 00:10:03,490
And then here when we have a dot put and update user profile, also going to add in protect there as

151
00:10:03,490 --> 00:10:04,180
well.

152
00:10:05,420 --> 00:10:05,900
All right.

153
00:10:05,900 --> 00:10:09,800
So we can actually save that and we can try that out.

154
00:10:09,800 --> 00:10:16,280
So if I go to my route to get a user profile and I click send.

155
00:10:17,940 --> 00:10:18,570
Let's see.

156
00:10:18,570 --> 00:10:19,980
So that's working.

157
00:10:19,980 --> 00:10:24,060
And the reason for that is because the cookie is here, right?

158
00:10:24,060 --> 00:10:25,800
Because I had already logged in.

159
00:10:25,800 --> 00:10:33,060
So basically what I can do is if I click right here on cookies and then I get rid of that.

160
00:10:33,720 --> 00:10:37,020
And then let's go back to the body and let's send.

161
00:10:37,050 --> 00:10:39,240
Now you can see not authorized.

162
00:10:39,270 --> 00:10:43,590
No token because I implemented that protect middleware.

163
00:10:43,830 --> 00:10:50,220
If I authenticate again and I have that cookie and I'm sending that, then it will let me through.

164
00:10:50,970 --> 00:10:58,170
So and it should be the same for the update user profile if I try that, I also get the message, but

165
00:10:58,170 --> 00:11:04,410
I can still go to other routes like, you know, register or whatever that these still work because

166
00:11:04,410 --> 00:11:06,360
I didn't add the protect middleware.

167
00:11:07,230 --> 00:11:15,270
Now, as far as let's see as far as the get all users.

168
00:11:15,980 --> 00:11:19,870
That needs to be protected, but it's also only for admins.

169
00:11:19,880 --> 00:11:26,420
So what I'm going to do is add in front of it, let's say protect, but we're also going to add in the

170
00:11:26,420 --> 00:11:27,710
admin middleware.

171
00:11:28,970 --> 00:11:35,150
So now you can't just be logged in, but you also have to be an admin and we're going to do the same

172
00:11:35,150 --> 00:11:35,540
thing.

173
00:11:35,540 --> 00:11:42,220
We're just going to copy these two down here for delete for get user by ID and for update user.

174
00:11:42,230 --> 00:11:43,700
These are all admin.

175
00:11:43,700 --> 00:11:48,830
So let's go into this delete and add our protect admin.

176
00:11:48,830 --> 00:11:55,880
We'll go into here where we have get user by ID and add, protect and admin and also with update user.

177
00:11:58,520 --> 00:11:58,970
All right.

178
00:11:58,970 --> 00:12:01,180
And the rest looks okay.

179
00:12:01,190 --> 00:12:04,280
Now, this route here, I have slash login.

180
00:12:05,660 --> 00:12:08,780
So to auth the user, we're going to slash login.

181
00:12:08,780 --> 00:12:10,790
I'm actually going to change that.

182
00:12:11,540 --> 00:12:15,260
I'm going to change that to slash auth instead of login.

183
00:12:15,500 --> 00:12:16,700
It's just preference.

184
00:12:16,700 --> 00:12:21,170
If you want to keep it as login, that's fine, but I'm going to change that to auth.

185
00:12:21,170 --> 00:12:24,530
And then over here I'll change it to.

186
00:12:25,860 --> 00:12:28,380
Auth, and I'm just going to save.

187
00:12:28,950 --> 00:12:31,950
Okay, now let's just test this out.

188
00:12:31,950 --> 00:12:37,830
If I log in as John, remember, John is not an admin, so I'm going to go ahead and send with this

189
00:12:37,830 --> 00:12:39,690
in the body.

190
00:12:40,480 --> 00:12:42,100
Okay, so now the cookie is there.

191
00:12:42,100 --> 00:12:43,690
You can see it just has a one.

192
00:12:43,690 --> 00:12:47,530
So that cookie is now there and it's going to get sent with every request.

193
00:12:47,560 --> 00:12:51,020
If I go to get user profile, that will now work.

194
00:12:51,040 --> 00:12:54,370
However, if I go to one of the admin routes.

195
00:12:55,370 --> 00:12:57,330
Why is this called new request?

196
00:12:57,350 --> 00:12:59,090
That's to get all users.

197
00:12:59,090 --> 00:13:03,140
Let me just say get all users.

198
00:13:05,230 --> 00:13:06,310
And.

199
00:13:07,760 --> 00:13:08,120
What's.

200
00:13:08,960 --> 00:13:10,150
Try that.

201
00:13:10,220 --> 00:13:10,580
All right.

202
00:13:10,580 --> 00:13:14,570
So you can see, even though I have my cookie, right.

203
00:13:14,570 --> 00:13:16,790
So I'm essentially logged in.

204
00:13:16,820 --> 00:13:21,170
It says not authorized as admin because John Doe is not an admin.

205
00:13:21,920 --> 00:13:28,160
Now if I delete that cookie, so if I click right here and I get rid of the JWT cookie.

206
00:13:29,220 --> 00:13:32,550
That's not going to work at all because I'm not logged in whatsoever.

207
00:13:32,550 --> 00:13:39,390
But if I go back to my auth so auth user and instead I log in as admin.

208
00:13:42,490 --> 00:13:43,390
Okay, let's do that.

209
00:13:43,390 --> 00:13:45,790
Now we have a cookie and we're logged in as admin.

210
00:13:45,790 --> 00:13:53,770
If I go back to get all users and I send now it works because I'm logged in as an admin.

211
00:13:53,770 --> 00:13:59,860
So you can see we have our back end authentication workflow working just fine.

212
00:14:00,760 --> 00:14:08,440
So what we'll do next is create our log out so that we can clear the cookie without actually having

213
00:14:08,470 --> 00:14:11,050
to do this in Postman.

