[00:00:00] Instructor: In the last section, we created a JWT strategy, and then we wired it up to Passport. Remember, strategies are part of the Passport ecosystem, and we use them to authenticate our users in different fashions. In this very particular case, because we were using JWT tokens, we used a JWT strategy provided to us by the passport-jwt library.

[00:00:25] So, at this point in time, our strategy is all wired up, and we've successfully told Passport that it needs to use this strategy. So let's look back at our diagram. So we said that whenever there's an Incoming Request for some protected route or some route that requires authentication, it should first pass through Passport, and if it successfully gets authenticated, then it can go on to the actual Route Handler. So we need to actually wire this thing up. We need to actually say somewhere in our code, "Hey, for this very particular Route Handler, make sure this passes through Passport ahead of time." So that's what we're going to do right now. We're going to wire up a very particular route to use Passport.

[00:01:08] So I'm gonna go back up into our router file. Here we go. And inside of the router file, I'm going to first import our passportConfig. Actually, let's call it passportService. That matches the name of our file here a little bit more. So we'll look into services/passport. Next, we'll require passport itself, the library.

[00:01:44] And now we're gonna create an object that we're going to kind of insert in the middle there. It's gonna be the part that occurs in the middle, between our Incoming Request and our Route Handler. So, this next part is gonna be a line of code that's gonna create this kind of middleware of sorts, or this interceptor of sorts. So we're gonna create an object, const requireAuth, passport.authenticate, using the jwt strategy. And when a user is authenticated, don't try to create a session for them. So by default, Passport wants to try to make a cookie-based session for this request. Since we're using tokens, we don't want that, so we're gonna say session, false.

[00:02:29] So now, this requireAuth object right here is that middleware, it's that interceptor of sorts, it's that part in between. So, for any very particular route that we want to require authentication for, we'll use this requireAuth helper. Let's see what it looks like in practice. I'm gonna make a new route, and it's just gonna be a dummy route of sorts. So I'll say the root route, if anyone gets this first, send them through requireAuth. And then, if they get through that, then you can run this function to handle the request. And for my Route Handler, I'll just say very simply res.send, hi there, like so. So we defined a new Route Handler to handle a GET request to our root route. We said that any request coming in must pass this requireAuth step, and then it could go on to the Request Handler. So let's save this and give it a shot inside of Postman. I'm gonna flip Postman back up. I've got a GET request selected, and I'm trying to visit the root route.

[00:03:38] Let's click "send," and I get the error message "unauthorized", which means I do not have a token associated with my request right now. If I wanna get access to this route, I need to supply a valid token. So let's do this by hand. We're going to manually wire up a token. The first thing we need to do is get a token by signing up for an account. So I'm going to make a POST request to /signup. I'm gonna go to the "Body" tab, and I'm gonna make sure that I've got an email and a password on here. I'll send the request, which returns a token. I'm going to highlight the entire token. So everything inside of the quotes, I'm gonna copy it. All right, we're gonna copy it, and then we'll try making a GET request again. So I'm gonna go back to a GET request to our root route. And now the last part, this is the crazy part, this is the hard part. This is what ties it all together. Where do we put the token? Right?

[00:04:39] We put the token, we said that whenever we tried to authenticate our user, we're going to try to get the token from a header called authorization. So if we add a header, we can add one very easily by selecting the Headers tab over here. And then I'm going to add a header called "authorization", lowercase a, and I'm going to paste the token as my value. So now, I'm gonna make a GET request to my root route, with an authorization header containing my jwt token. Let's send it. And I successfully get "Hi there." Perfect. Just what we wanted. Let's see if we can break it. So I'm gonna, up here, my token, I'm just gonna go to the very start of the string, and I'm gonna add like a 1. So now, it's not the same token, I just added another character. It's not the same token anymore. I'll send it now, and I get "unauthorized", just what we want. If I take it out, I can send it again, and I get "Hi there" again. So boom, there we go. This is our authorization in action. Fantastic.

[00:05:42] I like it a lot. Looks very good. The last thing we have to do inside our application now is implement the sign in route. So we've only done sign up. We haven't done anything for signing in. So let's tackle that in the next section.