1
00:00:02,120 --> 00:00:04,500
Now, before we now take a closer look

2
00:00:04,500 --> 00:00:06,710
at cookies and sessions again,

3
00:00:06,710 --> 00:00:09,560
I want to implement the logout functionality,

4
00:00:09,560 --> 00:00:12,320
because at the moment that is not working

5
00:00:12,320 --> 00:00:13,630
and to make it work,

6
00:00:13,630 --> 00:00:16,460
we have to think about what should happen

7
00:00:16,460 --> 00:00:17,743
if we click Logout.

8
00:00:18,660 --> 00:00:20,870
Well, what happens at the moment

9
00:00:20,870 --> 00:00:25,750
is that this logout post route here is reached

10
00:00:25,750 --> 00:00:27,670
or it should be reached,

11
00:00:27,670 --> 00:00:30,010
because if I have a look at my header

12
00:00:30,010 --> 00:00:31,720
for this Logout button,

13
00:00:31,720 --> 00:00:34,870
it's in a form because I want to send a POST request

14
00:00:34,870 --> 00:00:37,660
because since we change something on the server

15
00:00:37,660 --> 00:00:38,600
in the database,

16
00:00:38,600 --> 00:00:41,980
it makes more sense to me to use a POST request.

17
00:00:41,980 --> 00:00:45,043
And it is a POST request sent to /logout.

18
00:00:46,640 --> 00:00:49,450
Now to make sure that something happens

19
00:00:49,450 --> 00:00:53,750
in this post logout route here, which already was prepared,

20
00:00:53,750 --> 00:00:57,640
we in the end want to delete that authentication data

21
00:00:57,640 --> 00:01:01,490
from the session because it's the existence of this data

22
00:01:01,490 --> 00:01:04,980
that grants us access to the protected resources.

23
00:01:04,980 --> 00:01:09,850
We check for isAuthenticated and/or the user here.

24
00:01:09,850 --> 00:01:12,760
So if we cleared that data from the session,

25
00:01:12,760 --> 00:01:14,240
the user, the visitor,

26
00:01:14,240 --> 00:01:16,320
who's trying to access a certain page,

27
00:01:16,320 --> 00:01:18,553
won't be able to do so anymore.

28
00:01:19,890 --> 00:01:23,560
We could also delete the entire session object

29
00:01:23,560 --> 00:01:26,860
from the database and therefore clear the cookie,

30
00:01:26,860 --> 00:01:29,430
but you should think twice about

31
00:01:29,430 --> 00:01:31,330
whether you want to do that or not,

32
00:01:31,330 --> 00:01:33,050
because as mentioned before,

33
00:01:33,050 --> 00:01:37,140
sessions can also be used for storing other data.

34
00:01:37,140 --> 00:01:39,130
One of the most prominent examples

35
00:01:39,130 --> 00:01:41,060
would be the shopping cart,

36
00:01:41,060 --> 00:01:43,030
which you might want to store

37
00:01:43,030 --> 00:01:45,770
even for unauthenticated users.

38
00:01:45,770 --> 00:01:48,860
That's a behavior you know from Amazon and so on as well.

39
00:01:48,860 --> 00:01:51,630
There you can add items to your shopping cart

40
00:01:51,630 --> 00:01:53,930
without being authenticated.

41
00:01:53,930 --> 00:01:57,650
So deleting the overall session is something you could do,

42
00:01:57,650 --> 00:02:00,570
but you typically don't want to do that.

43
00:02:00,570 --> 00:02:03,360
Instead, here in the logout route,

44
00:02:03,360 --> 00:02:08,169
I will simply reach out to my session and set user to null.

45
00:02:08,169 --> 00:02:10,930
And with that, I will effectively clear it.

46
00:02:10,930 --> 00:02:14,490
Null is also a built-in value in JavaScript

47
00:02:14,490 --> 00:02:16,800
that will be treated as a falsy

48
00:02:16,800 --> 00:02:19,310
if you would see it in an if check.

49
00:02:19,310 --> 00:02:22,420
So that will clear the user data from there.

50
00:02:22,420 --> 00:02:27,420
And I will set the isAuthenticated key to false

51
00:02:27,560 --> 00:02:30,950
because this user isn't authenticated anymore.

52
00:02:30,950 --> 00:02:33,850
Alternatively, we could also set this to null

53
00:02:33,850 --> 00:02:36,260
because this would also be treated as falsy,

54
00:02:36,260 --> 00:02:38,390
but since it is a Boolean already,

55
00:02:38,390 --> 00:02:40,143
I'll just set it to false.

56
00:02:41,870 --> 00:02:45,030
And then I want to redirect the user

57
00:02:45,030 --> 00:02:46,673
back to the starting page.

58
00:02:47,730 --> 00:02:51,720
Now we could again save the session as we did it here

59
00:02:51,720 --> 00:02:54,410
when we first logged the user in

60
00:02:54,410 --> 00:02:58,160
and only redirect once we know that saving worked,

61
00:02:58,160 --> 00:03:00,820
but I only did it like this here

62
00:03:00,820 --> 00:03:04,480
because I wanted to redirect the user to a page

63
00:03:04,480 --> 00:03:08,180
that relied on that session data being stored,

64
00:03:08,180 --> 00:03:10,180
because I redirected to a page

65
00:03:10,180 --> 00:03:13,870
that required that data to be there because it's a page

66
00:03:13,870 --> 00:03:16,543
that required the user to be authenticated.

67
00:03:17,420 --> 00:03:20,120
Here I'm redirecting to the starting page,

68
00:03:20,120 --> 00:03:21,540
which doesn't care about

69
00:03:21,540 --> 00:03:24,100
whether the user is authenticated or not,

70
00:03:24,100 --> 00:03:25,250
and therefore here,

71
00:03:25,250 --> 00:03:28,520
we can rely on the auto-saving mechanism,

72
00:03:28,520 --> 00:03:31,320
which is built into the express session package

73
00:03:31,320 --> 00:03:32,560
because we don't care

74
00:03:32,560 --> 00:03:35,560
whether redirecting or saving finishes first,

75
00:03:35,560 --> 00:03:39,453
since the redirected page doesn't rely on the saved data.

76
00:03:40,810 --> 00:03:43,670
So therefore now with that, if we save this,

77
00:03:43,670 --> 00:03:46,660
if we go back to the page, at the moment,

78
00:03:46,660 --> 00:03:49,520
I can still visit The Admin Page,

79
00:03:49,520 --> 00:03:51,940
but if I now click Logout,

80
00:03:51,940 --> 00:03:53,930
I'm redirected to the starting page.

81
00:03:53,930 --> 00:03:56,240
And if I now try to visit Admin,

82
00:03:56,240 --> 00:03:58,343
I get the Not authenticated page again.

83
00:03:59,380 --> 00:04:01,510
Now, if we have a look at the developer tools,

84
00:04:01,510 --> 00:04:03,530
I still have my session cookie,

85
00:04:03,530 --> 00:04:06,443
because again, I did not delete the session,

86
00:04:07,460 --> 00:04:10,470
but we'll see a difference in the database.

87
00:04:10,470 --> 00:04:14,680
If I query my sessions collection again,

88
00:04:14,680 --> 00:04:17,269
then we see the session is still there,

89
00:04:17,269 --> 00:04:20,673
but user is null and isAuthenticated is false.

90
00:04:21,899 --> 00:04:23,780
And that is the key thing.

91
00:04:23,780 --> 00:04:25,730
We still have our tickets, so to say,

92
00:04:25,730 --> 00:04:29,277
but it's now saying, "You don't get access. Sorry."

93
00:04:30,190 --> 00:04:31,390
This is what we did now,

94
00:04:31,390 --> 00:04:34,293
and that's how we can add this logout functionality.

