1
00:00:00,050 --> 00:00:00,410
All right.

2
00:00:00,410 --> 00:00:06,230
And like I already mentioned quite a few times, in order to send the token back to our user, I'm going

3
00:00:06,230 --> 00:00:09,810
to use the HttpOnly cookie approach.

4
00:00:09,830 --> 00:00:16,850
Now, if you're interested in learning more about the difference between the HttpOnly cookie approach

5
00:00:16,850 --> 00:00:21,260
and local storage, essentially I left some info in the README.

6
00:00:21,290 --> 00:00:24,530
Again, the local storage approach is the following.

7
00:00:25,040 --> 00:00:33,260
Effectively we send back the token in the request and then the front end is responsible for storing

8
00:00:33,260 --> 00:00:37,670
the value and then sending it back to the server.

9
00:00:37,700 --> 00:00:40,820
Now, when we use the HttpOnly cookie,

10
00:00:41,630 --> 00:00:45,740
essentially these cookies are sent back by default.

11
00:00:45,950 --> 00:00:48,510
So on the front end, we don't need to do anything.

12
00:00:48,530 --> 00:00:51,260
The moment we log in, we get back the cookie.

13
00:00:51,260 --> 00:00:54,890
And then with every request, we'll send back that cookie.

14
00:00:55,040 --> 00:01:02,420
And then on the server, first we will grab the JSON web token from that cookie.

15
00:01:02,450 --> 00:01:03,730
Then we'll decode it.

16
00:01:03,740 --> 00:01:08,270
Then we'll take a look at the user and then we'll access the resources.

17
00:01:08,300 --> 00:01:11,720
Now, as far as the functionality, here's what we want to do.

18
00:01:11,750 --> 00:01:18,230
We're going to go to the auth controller and, like I mentioned, we're not going to send back the token here

19
00:01:18,230 --> 00:01:19,130
in the request.

20
00:01:19,130 --> 00:01:22,190
Instead, we're going to set up a cookie.

21
00:01:22,220 --> 00:01:27,650
And what's really, really awesome when it comes to Express, it's actually very easy.

22
00:01:27,680 --> 00:01:30,620
Now, before we set up that functionality, you know what?

23
00:01:30,680 --> 00:01:32,030
Let's just set up the

24
00:01:32,780 --> 00:01:33,590
response.

25
00:01:33,620 --> 00:01:40,090
So first of all, we're going to go with StatusCodes and we'll go with OK,

26
00:01:40,100 --> 00:01:42,290
so essentially we're sending back 200.

27
00:01:42,290 --> 00:01:47,120
And then when it comes to JSON, again, the token is not going to be located over here.

28
00:01:47,120 --> 00:01:49,460
We just want to send back the message.

29
00:01:49,460 --> 00:01:53,240
We're going to go with user logged in.

30
00:01:53,240 --> 00:01:57,500
And in order to create the cookie, we go here with res.

31
00:01:57,500 --> 00:01:59,510
So that's the response again.

32
00:01:59,510 --> 00:02:05,210
And yes, essentially we have two instances right now and we are going to go with cookie.

33
00:02:05,210 --> 00:02:07,490
So that's the special method.

34
00:02:07,490 --> 00:02:09,590
And in here we need to provide a few values.

35
00:02:09,590 --> 00:02:15,680
First of all, what is going to be the name of our cookie? The sky's the limit, but I'm just going

36
00:02:15,680 --> 00:02:17,210
to go with token.

37
00:02:17,310 --> 00:02:23,420
Then we want to provide the value and the value is going to be actually equal to my JWT.

38
00:02:23,690 --> 00:02:27,890
So whatever I'm getting back from createJWT.

39
00:02:28,220 --> 00:02:30,890
And then again we have the options.

40
00:02:31,410 --> 00:02:33,390
So one by one, let's set them up.

41
00:02:33,420 --> 00:02:39,420
And yes, the first thing we'll do is httpOnly and we'll set it equal to true.

42
00:02:39,600 --> 00:02:47,610
So essentially now this cookie cannot be accessed with JavaScript, and of course as a result it's more

43
00:02:47,610 --> 00:02:50,430
secure. Then we need to go with expires.

44
00:02:50,430 --> 00:02:57,750
So just like our JWT, our cookies are going to expire and yes, it does make sense to have the same

45
00:02:57,750 --> 00:02:58,590
expiration.

46
00:02:58,590 --> 00:03:06,660
So if our JWT expires in one day, we want to set up the same value for our cookie.

47
00:03:06,660 --> 00:03:08,010
But here's the gotcha.

48
00:03:08,010 --> 00:03:14,790
When it comes to cookies, we're not providing a string here like one day, seven hours or anything

49
00:03:14,790 --> 00:03:15,390
like that.

50
00:03:15,420 --> 00:03:21,060
We need to go with milliseconds and that's why we'll add a bit more logic.

51
00:03:21,090 --> 00:03:25,380
First of all, I want to create one day in milliseconds.

52
00:03:25,380 --> 00:03:27,060
What is that going to look like?

53
00:03:27,060 --> 00:03:31,230
Well, let's start with a variable first and we'll go with 1000.

54
00:03:31,260 --> 00:03:32,130
Remember?

55
00:03:32,730 --> 00:03:35,670
Each second is 1000 milliseconds.

56
00:03:35,670 --> 00:03:37,890
We'll multiply this by 60.

57
00:03:38,010 --> 00:03:41,310
So this is going to give us one minute.

58
00:03:41,340 --> 00:03:41,790
Correct.

59
00:03:41,790 --> 00:03:48,570
Then we'll multiply this by 60, which is going to give us one hour and then we'll multiply this by

60
00:03:48,570 --> 00:03:49,820
24.

61
00:03:49,830 --> 00:03:54,240
So this is going to be one day in milliseconds.

62
00:03:54,720 --> 00:03:55,880
Okay, good.

63
00:03:55,890 --> 00:04:03,720
And when it comes to expires, we want to create a new Date instance exactly one day from now. In order

64
00:04:03,720 --> 00:04:04,500
to set it up,

65
00:04:04,500 --> 00:04:10,320
we're going to go with Date.now(), which essentially is going to return the number of milliseconds

66
00:04:10,380 --> 00:04:11,850
elapsed since

67
00:04:12,390 --> 00:04:15,360
January 1st, 1970.

68
00:04:15,360 --> 00:04:22,770
And we just want to add that one day and effectively it means that our cookie is going to expire in

69
00:04:22,770 --> 00:04:23,850
one day.

70
00:04:23,940 --> 00:04:26,520
And also we have the secure property.

71
00:04:26,640 --> 00:04:33,540
And if we set it equal to true, then this cookie can only be transmitted over HTTPS.

72
00:04:33,570 --> 00:04:34,980
Now here's the gotcha.

73
00:04:34,980 --> 00:04:37,590
While we're developing, it's going to be HTTP.

74
00:04:38,430 --> 00:04:42,600
And in order to fix it, we want to go over here with process

75
00:04:43,520 --> 00:04:44,510
.env,

76
00:04:45,610 --> 00:04:53,580
and effectively you will go here with NODE_ENV and set it equal to production.

77
00:04:53,590 --> 00:05:00,970
So if we are in the production environment, then yes, the secure property is going to be true.

78
00:05:01,000 --> 00:05:06,880
If not, then we'll still be able to access it using the HTTP protocol.

79
00:05:07,150 --> 00:05:11,980
And with this in place now let's navigate to the login user.

80
00:05:12,840 --> 00:05:14,130
Now let's send it.

81
00:05:14,160 --> 00:05:16,850
Notice we only get the message.

82
00:05:16,860 --> 00:05:22,080
But what's really interesting, we also have here this Cookies tab.

83
00:05:22,140 --> 00:05:24,120
So that's the one that we're looking at.

84
00:05:24,570 --> 00:05:31,740
And if we click on it, notice I have my token and here I have the actual value.

85
00:05:31,770 --> 00:05:34,500
So this is my cookie.

86
00:05:34,620 --> 00:05:42,330
So again, unlike the previous approach when we were sending back the token in response, now we're

87
00:05:42,330 --> 00:05:43,890
sending back the cookie.

88
00:05:43,950 --> 00:05:48,160
Now, why is this so, so, so, so powerful?

89
00:05:48,180 --> 00:05:50,010
Well, let me showcase.

90
00:05:50,100 --> 00:05:52,560
I'm going to go first to.

91
00:05:52,590 --> 00:05:53,260
You know what?

92
00:05:54,120 --> 00:06:01,980
Let me navigate, first of all, to the router... or no, sorry, the controller, and I'm going to showcase

93
00:06:01,980 --> 00:06:03,240
that with getAllJobs.

94
00:06:03,240 --> 00:06:08,190
Please keep in mind that of course the same is going to work with all of the requests.

95
00:06:08,190 --> 00:06:11,730
And yes, we won't be able to access the cookie.

96
00:06:11,880 --> 00:06:17,760
We need a specific library for that, but we are already moving in the right direction because if you

97
00:06:17,760 --> 00:06:24,230
take a look at the request, you'll see that the browser is automatically going to send back the cookie.

98
00:06:24,240 --> 00:06:25,680
So what am I talking about?

99
00:06:26,220 --> 00:06:27,060
Notice over here.

100
00:06:27,060 --> 00:06:30,270
I'm logging the request in getAllJobs.

101
00:06:30,270 --> 00:06:32,640
So now let's navigate to

102
00:06:33,350 --> 00:06:34,520
our Thunder Client.

103
00:06:34,520 --> 00:06:39,080
Let's look for job routes since we have successfully logged in.

104
00:06:39,080 --> 00:06:43,550
Let's take a look at the get all jobs request.

105
00:06:43,910 --> 00:06:46,280
Let's send it now.

106
00:06:46,280 --> 00:06:48,050
It's going to return nothing.

107
00:06:48,230 --> 00:06:49,160
That's fine.

108
00:06:49,160 --> 00:06:50,720
We don't have any jobs.

109
00:06:51,410 --> 00:06:53,960
What we're interested in is the request.

110
00:06:53,960 --> 00:06:57,310
So let's scroll up over here and notice this one.

111
00:06:57,320 --> 00:07:04,490
So automatically, with every request, once we have that HttpOnly cookie

112
00:07:05,170 --> 00:07:05,890
set.

113
00:07:06,070 --> 00:07:06,880
That's it.

114
00:07:06,910 --> 00:07:12,640
It comes back with every request, which is, again, super, super awesome because we'll use this to

115
00:07:12,640 --> 00:07:14,710
authenticate the user.

116
00:07:14,770 --> 00:07:22,360
And essentially, if the token is there, if it's valid, then of course we'll allow the user to create

117
00:07:22,360 --> 00:07:25,990
the resource, access the resource, and all of that cool stuff.

118
00:07:26,020 --> 00:07:31,840
If not, then of course we'll kick back the user with some kind of error response.

119
00:07:31,870 --> 00:07:40,270
Now before we connect the user and the job, because again, the jobs are going to belong to the users,

120
00:07:40,270 --> 00:07:46,000
I want you to navigate back to your database and essentially remove both of them.

121
00:07:46,240 --> 00:07:53,410
And this is definitely something I suggest doing because that way you won't run into some weird bugs.

122
00:07:53,440 --> 00:07:59,880
Again, we'll connect the two in a second, but before we do that, let's start from scratch.

123
00:07:59,890 --> 00:08:02,740
Otherwise you'll have some old instances

124
00:08:03,490 --> 00:08:06,310
that might trigger some bugs a little bit later on.

125
00:08:06,310 --> 00:08:08,980
So again, let's start from scratch.

126
00:08:08,980 --> 00:08:11,290
So let's remove both of the collections.

127
00:08:11,290 --> 00:08:17,920
And up next, we're going to connect the user and the job and we'll set up the auth middleware.

