1
00:00:00,110 --> 00:00:06,470
Now we also want to install a few packages which are going to be super useful to keep our app secure.

2
00:00:06,860 --> 00:00:15,740
A package called helmet to add security-related headers, express-mongo-sanitize to sanitize user-supplied

3
00:00:15,740 --> 00:00:20,630
data, and express-rate-limit to limit the number of requests.

4
00:00:20,690 --> 00:00:26,450
Now the good news is that basically we just need to install the packages, set them up as middleware

5
00:00:26,450 --> 00:00:29,090
and we're pretty much good to go.

6
00:00:29,240 --> 00:00:35,960
So if you want to install them in your own project, just go with NPM install and then these are the packages

7
00:00:35,960 --> 00:00:36,890
you want to install.

8
00:00:36,890 --> 00:00:43,130
And in the Readme you can actually find a more detailed description of what they're doing, and then two

9
00:00:43,130 --> 00:00:44,840
of them we'll set up in the server.

10
00:00:44,840 --> 00:00:51,650
And then when it comes to the rate limiter, technically we can also set it up in the server, and as a result

11
00:00:51,680 --> 00:00:55,130
it will limit the requests for the entire application.

12
00:00:55,130 --> 00:01:01,320
But in my case we'll just add it to the login and the register routes.

13
00:01:01,350 --> 00:01:05,489
If you remember, those are the only two public routes we have.

14
00:01:05,980 --> 00:01:07,580
And then the rest of the requests,

15
00:01:07,600 --> 00:01:09,640
only the users can make.

16
00:01:09,670 --> 00:01:18,840
So I guess let's just go to the server, grab helmet and mongo sanitize, and let's invoke them as middleware.

17
00:01:18,850 --> 00:01:26,370
So let me navigate to the server, and I guess right after the cloudinary I'll start with the helmet.

18
00:01:26,380 --> 00:01:27,730
So import.

19
00:01:28,270 --> 00:01:28,990
Helmet.

20
00:01:29,550 --> 00:01:30,510
From.

21
00:01:30,600 --> 00:01:32,280
And that's my package.

22
00:01:32,370 --> 00:01:35,490
And I also want to grab the mongo sanitize.

23
00:01:36,490 --> 00:01:37,030
And you know what?

24
00:01:37,030 --> 00:01:39,070
Let me actually just double check first.

25
00:01:39,100 --> 00:01:39,760
Yep.

26
00:01:39,950 --> 00:01:41,590
I have installed them already.

27
00:01:41,920 --> 00:01:44,030
So pretty much I'm good to go.

28
00:01:44,050 --> 00:01:45,670
Now I just need to set up a second one.

29
00:01:45,670 --> 00:01:46,810
So, Mongo.

30
00:01:47,650 --> 00:01:49,000
Sanitize.

31
00:01:50,160 --> 00:01:53,850
And the package name is Express Mongo Sanitize.

32
00:01:54,300 --> 00:02:00,990
And essentially, since we're pretty much done with the project, I can remove these two routes.

33
00:02:00,990 --> 00:02:02,970
So one is just Hello world.

34
00:02:02,970 --> 00:02:05,040
And the second one is that test one.

35
00:02:05,310 --> 00:02:06,870
I don't think we'll need them.

36
00:02:07,380 --> 00:02:10,440
I'm pretty much right after the express JSON.

37
00:02:10,440 --> 00:02:14,500
We want to invoke both of the packages as middleware.

38
00:02:14,520 --> 00:02:19,230
So I'm just going to go here with helmet and the same deal with the Mongo sanitize.

39
00:02:19,500 --> 00:02:25,950
So essentially, yes, we don't need to do much: install the package, set it up in the server.

40
00:02:25,950 --> 00:02:30,660
So import it and then, of course, invoke it as a middleware.

41
00:02:30,690 --> 00:02:36,120
Now when it comes to the rate limiter, we want to navigate to auth routes.

42
00:02:36,790 --> 00:02:40,810
So for starters, let's grab again the package.

43
00:02:41,570 --> 00:02:49,540
In my case, I'm going to go with rate limiter and that is coming from express rate limit.

44
00:02:49,550 --> 00:02:50,870
That's the package name.

45
00:02:50,870 --> 00:02:53,030
And then we want to set up the instance.

46
00:02:53,030 --> 00:02:55,310
Basically we'll provide some options.

47
00:02:55,310 --> 00:03:02,570
In my case, I'll call this API limiter and that is equal to rate limiter.

48
00:03:02,660 --> 00:03:09,170
We want to invoke it and inside of the object first we want to provide time.

49
00:03:09,260 --> 00:03:12,260
So essentially what is going to be the time limit?

50
00:03:12,650 --> 00:03:14,360
We need to provide that in milliseconds.

51
00:03:14,360 --> 00:03:17,990
So again, we do this math where we go with whatever minutes.

52
00:03:17,990 --> 00:03:22,190
In my case, it's going to be 15 times 60.

53
00:03:22,190 --> 00:03:25,610
And then remember one second is 1000 milliseconds.

54
00:03:25,610 --> 00:03:27,530
So we multiply this by 1000.

55
00:03:27,530 --> 00:03:31,490
So this is going to give us one second multiplied by 60.

56
00:03:31,520 --> 00:03:32,420
That's one minute.

57
00:03:32,420 --> 00:03:39,440
And then, of course, whatever value we pick over here is going to be the minute value.

58
00:03:39,440 --> 00:03:43,830
And then we also want to provide how many requests we can make.

59
00:03:43,980 --> 00:03:48,750
And just so I can showcase how everything works, I'm going to go with one.

60
00:03:48,750 --> 00:03:53,490
But please keep in mind that of course normally we'll go with something more reasonable.

61
00:03:53,490 --> 00:03:56,910
And lastly, we want to go with message if there is an error.

62
00:03:56,910 --> 00:04:02,430
And remember, our front end is looking for the object with the message property.

63
00:04:02,430 --> 00:04:08,010
And effectively, if you just provide a string over here, then it's not going to show up nicely in

64
00:04:08,010 --> 00:04:08,880
our toast.

65
00:04:08,970 --> 00:04:14,280
And therefore I'm going to set this one up as an object and I'll go with message.

66
00:04:14,280 --> 00:04:21,209
And again, we're just doing it this way since it has been our approach all throughout the application.

67
00:04:21,510 --> 00:04:28,830
And as far as the string value here for the message, I'm just going to go with IP rate limit exceeded.

68
00:04:30,010 --> 00:04:35,430
And then I'm just going to go with try in 15 minutes.

69
00:04:35,440 --> 00:04:36,430
Let's save it.

70
00:04:36,430 --> 00:04:43,060
And now effectively we just need to decide where we want to implement this rate limiter.

71
00:04:43,150 --> 00:04:49,480
Like I said, I'm going to do it before the register as well as the login one.

72
00:04:49,480 --> 00:04:56,170
So now let me navigate to my login one and let me try to log in with whatever value.

73
00:04:56,200 --> 00:05:03,760
So I'm going to go here with my email and then I'm just going to provide some wrong password.

74
00:05:03,910 --> 00:05:04,930
We click on Submit.

75
00:05:04,930 --> 00:05:11,890
So the first time it's invalid credentials, but then the second time I click, notice I have IP rate

76
00:05:11,890 --> 00:05:14,380
limit exceeded and try in 15 minutes.

77
00:05:14,380 --> 00:05:21,520
So essentially I'm not going to be able to make requests for the next 15 minutes, and we can effectively

78
00:05:21,520 --> 00:05:23,320
see that in the network tab.

79
00:05:23,320 --> 00:05:29,710
Notice the status is not 401, it's actually 429.

80
00:05:30,390 --> 00:05:36,450
And therefore, we know that of course, the response is coming from express rate limit package.

81
00:05:36,480 --> 00:05:39,150
Now, let me set this to something more reasonable.

82
00:05:39,150 --> 00:05:40,650
For example, 15.

83
00:05:40,770 --> 00:05:48,060
And with this in place, we have successfully installed and configured our security packages.

