1
00:00:00,140 --> 00:00:00,620
All right.

2
00:00:00,620 --> 00:00:03,130
So we can successfully create the user.

3
00:00:03,140 --> 00:00:04,510
Everything is beautiful.

4
00:00:04,520 --> 00:00:09,790
But there are two major issues with our current setup.

5
00:00:09,800 --> 00:00:10,970
First one.

6
00:00:11,640 --> 00:00:14,640
Is the fact that we're sending back the password.

7
00:00:15,000 --> 00:00:17,340
And honestly, it's an easy fix.

8
00:00:17,370 --> 00:00:20,730
We just remove that property when we're sending it back.

9
00:00:20,820 --> 00:00:28,590
Now, a much bigger issue is the fact that we're saving the passwords directly in the database as strings.

10
00:00:28,590 --> 00:00:31,410
And this is a major, major issue.

11
00:00:32,290 --> 00:00:39,940
Because keep in mind, if someone is going to get access to your database, they will right away

12
00:00:39,970 --> 00:00:44,100
be able to get all of the passwords for users.

13
00:00:44,110 --> 00:00:51,670
And also, please keep in mind that quite often people use the same password for tons of platforms.

14
00:00:52,000 --> 00:00:57,340
And if your database is compromised, it's a major, major issue.

15
00:00:57,370 --> 00:01:00,310
So long story short, what do we want to do?

16
00:01:00,340 --> 00:01:01,540
Well, we want to hash this.

17
00:01:01,570 --> 00:01:05,910
We never, ever, ever, ever want to save this as string.

18
00:01:05,920 --> 00:01:09,400
This is a big, big security concern.

19
00:01:09,400 --> 00:01:15,730
And in order to do that, we will use an awesome library by the name of bcryptjs.

20
00:01:15,760 --> 00:01:21,490
Now, if you're already familiar with the libraries, you know that there is also a bcrypt.

21
00:01:21,610 --> 00:01:28,810
And essentially if you're interested in the Readme, you can read the points that I laid out, why I

22
00:01:28,840 --> 00:01:30,100
went with bcryptjs.

23
00:01:30,100 --> 00:01:36,140
But just to sum it up, what you'll find over here, technically you can use either of them.

24
00:01:36,160 --> 00:01:38,510
And essentially we're looking for a library.

25
00:01:38,540 --> 00:01:45,500
Of course we want to install it, so we go here with npm install bcryptjs and we want to import that

26
00:01:45,500 --> 00:01:47,630
in the auth controller.

27
00:01:47,660 --> 00:01:52,010
We're looking for genSalt, which essentially just

28
00:01:52,570 --> 00:01:57,130
Creates a random value that is going to be added to the password.

29
00:01:57,160 --> 00:02:00,040
Before hashing and what's really cool.

30
00:02:00,070 --> 00:02:01,720
Hashing is a one-way street.

31
00:02:01,720 --> 00:02:04,060
So once we hash it, that's it.

32
00:02:04,060 --> 00:02:04,840
It's done.

33
00:02:05,440 --> 00:02:07,270
You don't see that string anymore.

34
00:02:07,270 --> 00:02:12,880
And if you're wondering, well, how we can compare the passwords later when we log in, we'll actually

35
00:02:12,880 --> 00:02:15,610
compare the hashed versions.

36
00:02:15,610 --> 00:02:16,750
So let's try it out.

37
00:02:16,780 --> 00:02:19,660
We're going to go to auth controller.

38
00:02:20,370 --> 00:02:22,530
We're looking for Bcrypt.

39
00:02:22,530 --> 00:02:26,070
And first I'll set it up in a register in the controller.

40
00:02:26,630 --> 00:02:29,670
And then I'll move it and set it up in a utils.

41
00:02:29,690 --> 00:02:30,450
Why?

42
00:02:30,470 --> 00:02:38,180
Well, because that way it's easier to take it from project to project because maybe your register controller

43
00:02:38,180 --> 00:02:44,900
is different in the next project, but you can always use that utils function to hash the password.

44
00:02:44,930 --> 00:02:47,440
But yes, we'll start together.

45
00:02:47,450 --> 00:02:50,090
So we're going to go here with Bcrypt.

46
00:02:50,640 --> 00:02:54,960
from bcryptjs. Then

47
00:02:55,650 --> 00:03:02,010
Let's go to our register and essentially right after the admin one.

48
00:03:03,150 --> 00:03:05,540
We'll set up over here a salt.

49
00:03:05,550 --> 00:03:12,420
So this is going to be that random value which gets added to the password when we hash it.

50
00:03:12,420 --> 00:03:15,330
And the default one is ten, and that's why I'll stick with it.

51
00:03:15,330 --> 00:03:20,820
Please keep in mind that the bigger the value, of course, the more secure the password, but also

52
00:03:20,820 --> 00:03:24,510
the longer it's going to take to hash it.

53
00:03:24,870 --> 00:03:28,170
Then we want to go with another property.

54
00:03:28,170 --> 00:03:34,410
In this case, we're going to go with hash password and we'll set it equal to await.

55
00:03:34,410 --> 00:03:40,050
And yes, as a side note, both of these methods in this library are asynchronous.

56
00:03:40,080 --> 00:03:42,960
Then let's go with Bcrypt.

57
00:03:43,440 --> 00:03:45,120
The second one is hash.

58
00:03:45,120 --> 00:03:52,950
So now we want to hash the password and let's pass here the req.body password since that's where it's

59
00:03:52,950 --> 00:03:53,460
located.

60
00:03:53,460 --> 00:03:57,510
And notice in here, I just skipped the destructuring part.

61
00:03:57,600 --> 00:04:01,620
And once I have the hashed password, you can definitely log it.

62
00:04:01,620 --> 00:04:08,470
But since we'll see that in response anyway, I'm going to go here with req.body then password and we'll

63
00:04:08,470 --> 00:04:10,990
set it equal to the hash password.

64
00:04:10,990 --> 00:04:13,360
So essentially I'm overriding this value.

65
00:04:13,360 --> 00:04:18,940
So first I grab this value to get the hashed version and then I say, You know what?

66
00:04:18,970 --> 00:04:24,940
In here, instead of whatever the string value I'm getting, it's going to be equal to a hashed password.

67
00:04:25,030 --> 00:04:32,350
And of course, I don't need to change anything in the User.create since I'm already passing the

68
00:04:32,350 --> 00:04:34,900
entire req.body.

69
00:04:34,930 --> 00:04:40,630
Now, as far as the response, we still don't want to send back the password even though it's hashed

70
00:04:40,840 --> 00:04:43,480
and the way our setup is going to work.

71
00:04:44,040 --> 00:04:48,750
We'll only send the JSON web token when we log in.

72
00:04:48,750 --> 00:04:54,710
So what I'm trying to say is when we register, we definitely don't want to send back that user.

73
00:04:54,720 --> 00:04:56,910
There's really no need on the front end.

74
00:04:56,940 --> 00:04:58,320
We'll just show the message.

75
00:04:58,320 --> 00:05:05,160
Yes, you successfully registered, but in order to get into our application, user will have to log

76
00:05:05,160 --> 00:05:05,280
in.

77
00:05:05,280 --> 00:05:08,100
So long story short, here's what we can do.

78
00:05:08,610 --> 00:05:13,740
I can simply go with message and I'll say user created.

79
00:05:13,830 --> 00:05:19,590
Now I think I'm going to have to do the same deal over here again.

80
00:05:19,740 --> 00:05:22,530
Let's just remove since I don't want to keep.

81
00:05:23,440 --> 00:05:27,370
Changing those emails when I'm sending the request.

82
00:05:28,190 --> 00:05:31,490
Then let's go to the.

83
00:05:32,270 --> 00:05:33,260
Register user.

84
00:05:34,300 --> 00:05:36,970
Let's change it back to John because I like it better.

85
00:05:37,660 --> 00:05:39,970
Then let's send it, like I said, in here.

86
00:05:39,970 --> 00:05:40,960
We'll just see.

87
00:05:41,990 --> 00:05:44,990
And as a note, I have a spelling error there.

88
00:05:46,660 --> 00:05:50,170
In the auth one, it should be message.

89
00:05:50,380 --> 00:05:53,350
And then if we take a look at the database.

90
00:05:54,340 --> 00:05:55,570
We'll see over here.

91
00:05:55,930 --> 00:05:56,890
Users.

92
00:05:58,440 --> 00:06:00,900
And of course, now the value is hashed.

93
00:06:01,320 --> 00:06:04,890
So this is the value we'll save in a database.

94
00:06:04,920 --> 00:06:11,430
And with this in place now, we want to set up a utils function which will allow us to take this functionality

95
00:06:11,460 --> 00:06:13,380
from project to project.

