1
00:00:00,170 --> 00:00:03,650
All right, so our functionality works like peaches.

2
00:00:03,650 --> 00:00:06,530
However, there is a tiny gotcha.

3
00:00:06,560 --> 00:00:11,520
You see, if we take a look at our validation middleware over here.

4
00:00:11,540 --> 00:00:15,800
More specifically, I'm looking for validateIdParam.

5
00:00:15,830 --> 00:00:19,580
Notice how we're only checking for two things.

6
00:00:19,700 --> 00:00:27,140
We're checking whether the Mongo ID coming from the params is a valid one.

7
00:00:27,380 --> 00:00:34,760
And also we're checking whether the job exists, but we're not checking whether

8
00:00:35,670 --> 00:00:40,780
the user who is making the request is the actual owner of the job.

9
00:00:40,800 --> 00:00:42,180
So what am I talking about?

10
00:00:42,210 --> 00:00:49,320
Well, if we navigate back to Thunder Client again, I'm going to look for get all jobs.

11
00:00:49,590 --> 00:00:51,540
I'm assuming that this is going to be John.

12
00:00:51,540 --> 00:00:55,200
So this is the ID. Let me grab it over here.

13
00:00:55,200 --> 00:00:59,070
And then if I go to a single job, everything should be correct.

14
00:00:59,490 --> 00:01:02,040
We'll still have access to this one single job.

15
00:01:02,040 --> 00:01:08,160
But the problem is that Peter, with the same ID, can access the job.

16
00:01:08,880 --> 00:01:13,140
Not only can he access the job, but he can also modify it.

17
00:01:13,170 --> 00:01:14,870
He can also delete it.

18
00:01:15,280 --> 00:01:17,470
And that's probably not the best setup.

19
00:01:17,490 --> 00:01:19,140
So let me just showcase that.

20
00:01:19,170 --> 00:01:21,300
Let me go back to login.

21
00:01:22,290 --> 00:01:23,880
And here I'm going to go with Peter.

22
00:01:23,910 --> 00:01:26,540
And now I'm logged in as Peter.

23
00:01:26,550 --> 00:01:30,330
I clearly can see that if I take a look at the jobs, this is the Facebook one.

24
00:01:30,330 --> 00:01:33,270
So the owner, of course, is Peter.

25
00:01:33,300 --> 00:01:34,320
However.

26
00:01:35,190 --> 00:01:41,490
If we take a look at the single job, and notice I'm still keeping the same ID, the createdBy value

27
00:01:41,490 --> 00:01:42,870
is going to be different.

28
00:01:42,870 --> 00:01:44,400
So that means that

29
00:01:45,060 --> 00:01:48,120
I can still access someone else's job.

30
00:01:48,360 --> 00:01:52,110
And that's not the behavior we want in our application.

31
00:01:52,110 --> 00:01:59,010
So we also want to check whether the user is the actual owner of that job.

32
00:01:59,400 --> 00:02:02,880
And in the process, we'll also check whether our user is admin.

33
00:02:02,880 --> 00:02:09,110
And if that's the case, then of course we'll still allow access to the specific resource.

34
00:02:09,120 --> 00:02:17,040
So we want to go back over here to validation middleware, more specifically validateIdParam, and I

35
00:02:17,040 --> 00:02:20,130
just want to showcase something pretty, pretty cool.

36
00:02:20,130 --> 00:02:27,510
So if we go with value, then add a comma and then an object, we actually have access to the request.

37
00:02:27,510 --> 00:02:33,930
So again, for now let's just log and you know, yeah, let's go with the entire request.

38
00:02:33,930 --> 00:02:34,530
So.

39
00:02:35,310 --> 00:02:36,660
It doesn't really matter

40
00:02:37,190 --> 00:02:41,500
which user we're using for now. Let me just go back to single job.

41
00:02:41,510 --> 00:02:47,600
And again, I'm looking for the console and notice I have access, of course, to the entire object.

42
00:02:47,630 --> 00:02:49,240
Now, what am I looking for?

43
00:02:49,250 --> 00:02:55,520
Well, first of all, I want to grab this userId, and also I want to grab the role.

44
00:02:55,520 --> 00:03:03,440
And then remember, if we get to this point in this middleware, basically if the job exists, then

45
00:03:03,440 --> 00:03:07,160
also if we log, we'll see the createdBy.

46
00:03:07,190 --> 00:03:09,260
So let me just do it.

47
00:03:09,880 --> 00:03:11,950
Just so you don't think that I'm messing with you again.

48
00:03:11,950 --> 00:03:15,970
We're looking for get a single job and check it out.

49
00:03:15,970 --> 00:03:21,220
If I scroll down, I have a bunch of properties over here, but the one that I'm looking for is created

50
00:03:21,220 --> 00:03:22,540
by. Now, one

51
00:03:22,540 --> 00:03:22,930
gotcha.

52
00:03:22,960 --> 00:03:26,760
This is not a string, so we'll have to turn this into a string.

53
00:03:26,770 --> 00:03:28,330
Now, why am I mentioning that?

54
00:03:28,330 --> 00:03:33,580
Well, because if you remember, when it comes to a user, this is right away a string.

55
00:03:33,580 --> 00:03:35,980
And we can clearly see that in the console.

56
00:03:35,980 --> 00:03:41,200
So effectively I want to compare these values and only if they match.

57
00:03:41,200 --> 00:03:47,140
Basically, if the job belongs to the specific user, then we want to proceed.

58
00:03:47,170 --> 00:03:48,520
Hopefully that is clear.

59
00:03:48,520 --> 00:03:52,690
So now let's remove all of the logs and let's set up the logic.

60
00:03:52,690 --> 00:03:58,750
So first of all, I want to check whether the user who's making this request is an admin.

61
00:03:59,530 --> 00:04:03,190
If he or she is an admin, then of course there is no issue.

62
00:04:03,220 --> 00:04:06,020
The way we'll do that is we'll just set up a property.

63
00:04:06,040 --> 00:04:07,250
I'll say isAdmin.

64
00:04:07,270 --> 00:04:10,450
Then it's located in req.user.

65
00:04:10,480 --> 00:04:16,420
Again, we have access to the entire object, and in there we have the user object.

66
00:04:16,420 --> 00:04:19,329
And in here I'll just check if it's an admin.

67
00:04:19,329 --> 00:04:21,930
So if it's an admin, no issues.

68
00:04:21,940 --> 00:04:28,030
And also we want to check if the user is an owner of the specific resource.

69
00:04:28,030 --> 00:04:35,350
In this case, of course, the job, and the way we can check that is req.user.userId. Remember, it's a string,

70
00:04:35,350 --> 00:04:42,720
and we want to compare it to job.createdBy, but we want to turn this into a string as well.

71
00:04:42,730 --> 00:04:44,050
Otherwise it's going to be false.

72
00:04:44,050 --> 00:04:45,450
I can tell you that right away.

73
00:04:45,460 --> 00:04:47,500
So let's set up these two variables.

74
00:04:47,500 --> 00:04:50,310
And now I just want to set up a condition.

75
00:04:50,320 --> 00:04:58,900
I'll say if the user who's making a request is not an admin or not an owner, this is where we want

76
00:04:58,900 --> 00:05:00,650
to throw another error.

77
00:05:00,650 --> 00:05:07,130
So I'll say if not admin and if not owner. Now, what error do we want to throw?

78
00:05:07,160 --> 00:05:12,380
Well, we want to go with UnauthorizedError, which is 403.

79
00:05:12,380 --> 00:05:14,390
So let's go over here with throw

80
00:05:15,260 --> 00:05:21,040
a new, and we want to import UnauthorizedError.

81
00:05:21,050 --> 00:05:27,110
And as far as the string, we'll just go with "not authorized to access this route".

82
00:05:27,230 --> 00:05:28,330
Okay, good.

83
00:05:28,340 --> 00:05:36,200
But if you remember from the previous errors, essentially we'll be sending back 400 unless we add

84
00:05:36,200 --> 00:05:41,240
a condition here in withValidationErrors.

85
00:05:41,240 --> 00:05:48,680
So let's navigate back over here, and essentially right after "no job" we want to go with if, and again,

86
00:05:48,680 --> 00:05:50,240
we're looking for errorMessages.

87
00:05:50,240 --> 00:05:56,180
The first one over here, and let's just go again with startsWith, and let's pick,

88
00:05:57,020 --> 00:05:57,380
I guess,

89
00:05:57,380 --> 00:05:59,420
the first two words over here.

90
00:06:01,000 --> 00:06:04,060
Let me set up over here as a string.

91
00:06:04,240 --> 00:06:06,880
And as far as the actual condition.

92
00:06:07,460 --> 00:06:10,910
We want to take the same thing pretty much again.

93
00:06:10,910 --> 00:06:14,630
Keep in mind that you can just throw a regular JavaScript error.

94
00:06:14,660 --> 00:06:16,920
The result is going to be exactly the same.

95
00:06:16,940 --> 00:06:20,300
So now we have one for "no job" and "not authorized".

96
00:06:20,300 --> 00:06:22,490
So now if everything is correct.

97
00:06:23,150 --> 00:06:25,550
I shouldn't be able to see the job.

98
00:06:25,550 --> 00:06:31,130
So notice now I'm getting back 403 and I'm not authorized to access this route.

99
00:06:31,160 --> 00:06:35,510
Now, of course, if I'm going to go back and if I'm going to log in

100
00:06:36,280 --> 00:06:37,060
as John.

101
00:06:37,540 --> 00:06:39,940
Then we should have no issues, correct?

102
00:06:40,240 --> 00:06:42,160
We're going to get single job.

103
00:06:42,160 --> 00:06:46,300
And of course, we can modify the job, delete the job and all that cool stuff.

104
00:06:46,360 --> 00:06:49,750
And with this in place, we can move on to the next step.

105
00:06:50,230 --> 00:06:51,010
A quick update.

106
00:06:51,010 --> 00:06:59,170
While I was recording the video, I made a tiny mistake in the condition. We want to use the AND operator, not

107
00:06:59,170 --> 00:06:59,800
OR.

108
00:07:00,010 --> 00:07:01,570
So we throw an error

109
00:07:01,570 --> 00:07:07,270
if the user is not an admin user and not an owner of the job.

110
00:07:07,300 --> 00:07:12,040
So again, we want to use the AND operator in this condition.

