1
00:00:01,160 --> 00:00:03,130
‫So previously, we already implemented

2
00:00:03,130 --> 00:00:05,420
‫a simple signup functionality,

3
00:00:05,420 --> 00:00:06,490
‫but in this lecture,

4
00:00:06,490 --> 00:00:08,760
‫we will actually also log the user in

5
00:00:08,760 --> 00:00:11,700
‫making a more real signup process.

6
00:00:11,700 --> 00:00:13,830
‫So starting from this lecture,

7
00:00:13,830 --> 00:00:16,760
‫we will really start to implement our authentication,

8
00:00:16,760 --> 00:00:19,683
‫and so this where it gets really serious.

9
00:00:21,230 --> 00:00:23,210
‫And so therefore, before we start

10
00:00:23,210 --> 00:00:25,150
‫I want to give you a warning here,

11
00:00:25,150 --> 00:00:28,740
‫so authentication is very hard to get right

12
00:00:28,740 --> 00:00:31,330
‫and many tutorials out there that you're gonna find

13
00:00:31,330 --> 00:00:32,970
‫when you search for authentication

14
00:00:32,970 --> 00:00:35,492
‫with like Node.js and Express,

15
00:00:35,492 --> 00:00:38,480
‫many of these make many serious mistakes

16
00:00:38,480 --> 00:00:42,220
‫and oversimplify things that should not be simplified.

17
00:00:42,220 --> 00:00:45,270
‫All right, this is not to say that all tutorials out there

18
00:00:45,270 --> 00:00:46,740
‫are bad, all right,

19
00:00:46,740 --> 00:00:48,500
‫or that are useless or something,

20
00:00:48,500 --> 00:00:52,400
‫but I really spend weeks researching all the best practices

21
00:00:52,400 --> 00:00:54,670
‫and refining and improving my code,

22
00:00:54,670 --> 00:00:56,410
‫to make this authentication section

23
00:00:56,410 --> 00:00:59,550
‫that we're gonna start implementing now as good as possible,

24
00:00:59,550 --> 00:01:02,000
‫for a beginner like you, all right,

25
00:01:02,000 --> 00:01:05,228
‫and that is because we need to be really really

26
00:01:05,228 --> 00:01:08,950
‫extra careful when writing this part of the application,

27
00:01:08,950 --> 00:01:12,730
‫because remember, our user's data is at stake here,

28
00:01:12,730 --> 00:01:15,650
‫and the trust in the company who runs the application,

29
00:01:15,650 --> 00:01:17,200
‫is at stake as well,

30
00:01:17,200 --> 00:01:19,080
‫and so implementing authentication,

31
00:01:19,080 --> 00:01:21,200
‫is a real responsibility

32
00:01:21,200 --> 00:01:24,360
‫where you should not make any mistakes at all.

33
00:01:24,360 --> 00:01:25,980
‫Now there are some libraries out there

34
00:01:25,980 --> 00:01:28,470
‫that can help us implement authentication

35
00:01:28,470 --> 00:01:31,360
‫and authorization and the most well known one

36
00:01:31,360 --> 00:01:33,130
‫is called Passport,

37
00:01:33,130 --> 00:01:34,740
‫but even a library like that

38
00:01:34,740 --> 00:01:37,470
‫doesn't take all the work and all the responsibility

39
00:01:37,470 --> 00:01:39,510
‫away from you, all right.

40
00:01:39,510 --> 00:01:40,630
‫Now in this case here,

41
00:01:40,630 --> 00:01:42,810
‫we are actually gonna implement the whole login

42
00:01:42,810 --> 00:01:46,380
‫protecting and authorization logic all by ourselves,

43
00:01:46,380 --> 00:01:49,910
‫except of course for the Jason web token implementation

44
00:01:49,910 --> 00:01:52,310
‫that we talked about in the last video itself.

45
00:01:52,310 --> 00:01:54,820
‫Okay, so all the signing and verification

46
00:01:54,820 --> 00:01:58,170
‫all that stuff, we're gonna leave to the WJT library

47
00:01:58,170 --> 00:02:00,450
‫but then the rest, we're gonna implement ourselves

48
00:02:00,450 --> 00:02:02,920
‫over the next couple of lectures.

49
00:02:02,920 --> 00:02:04,430
‫Now as I mentioned earlier,

50
00:02:04,430 --> 00:02:07,830
‫we already have our signup function here, right,

51
00:02:07,830 --> 00:02:09,240
‫but right now, all it does

52
00:02:09,240 --> 00:02:11,500
‫is to simply create a new user

53
00:02:11,500 --> 00:02:14,010
‫and then send it back to the client.

54
00:02:14,010 --> 00:02:17,410
‫Now shortly after finishing recording this course,

55
00:02:17,410 --> 00:02:18,640
‫I actually noticed that

56
00:02:18,640 --> 00:02:21,239
‫there is a very serious security flaw

57
00:02:21,239 --> 00:02:23,920
‫in this way of signing up users,

58
00:02:23,920 --> 00:02:26,630
‫so basically the problem is that right now,

59
00:02:26,630 --> 00:02:30,640
‫we create a new user using all the data that is coming in

60
00:02:30,640 --> 00:02:32,850
‫with the body right,

61
00:02:32,850 --> 00:02:36,350
‫and so the problem here is that like this,

62
00:02:36,350 --> 00:02:40,960
‫anyone can specify the role as an admin right,

63
00:02:40,960 --> 00:02:45,360
‫so basically, everyone can now simply register as an admin

64
00:02:45,360 --> 00:02:46,670
‫into our application,

65
00:02:46,670 --> 00:02:49,620
‫and so that's of course not we need.

66
00:02:49,620 --> 00:02:53,090
‫So again this is a serious security flaw

67
00:02:53,090 --> 00:02:55,860
‫and we of course we'll need to fix that

68
00:02:55,860 --> 00:02:58,420
‫and to fix is actually quite simple.

69
00:02:58,420 --> 00:03:01,150
‫So what you need instead of this line of code,

70
00:03:01,150 --> 00:03:02,670
‫that is selected here

71
00:03:02,670 --> 00:03:06,370
‫is this piece of code that I just put here on the screen.

72
00:03:06,370 --> 00:03:07,460
‫Okay.

73
00:03:07,460 --> 00:03:10,900
‫So again, please go ahead and delete this line of code

74
00:03:10,900 --> 00:03:12,720
‫that is currently selected here

75
00:03:12,720 --> 00:03:15,320
‫and replace it with the code that I just put here

76
00:03:15,320 --> 00:03:16,690
‫on the screen.

77
00:03:16,690 --> 00:03:19,070
‫Now what's actually the big difference here,

78
00:03:19,070 --> 00:03:21,010
‫well, with this new code,

79
00:03:21,010 --> 00:03:24,580
‫basically we only allow the data that we actually need

80
00:03:24,580 --> 00:03:26,550
‫to be put into the new user

81
00:03:26,550 --> 00:03:30,370
‫so just a name, the E-mail and then the passwords.

82
00:03:30,370 --> 00:03:34,370
‫And so now, even if a user tries to manually input a role,

83
00:03:34,370 --> 00:03:37,030
‫we will not store that into the new user,

84
00:03:37,030 --> 00:03:38,750
‫and the same for other stuff,

85
00:03:38,750 --> 00:03:41,170
‫like for example, a photo.

86
00:03:41,170 --> 00:03:45,120
‫So this is the quick and easy fix for that problem.

87
00:03:45,120 --> 00:03:45,983
‫Now what this will do,

88
00:03:45,983 --> 00:03:49,890
‫is that we can actually no longer register as an admin,

89
00:03:49,890 --> 00:03:52,570
‫and so if we need to add a new administrator

90
00:03:52,570 --> 00:03:53,680
‫to our system,

91
00:03:53,680 --> 00:03:57,030
‫we can then very simply just create a new user normally

92
00:03:57,030 --> 00:03:59,610
‫and then go into MongoDB Compass,

93
00:03:59,610 --> 00:04:02,440
‫and basically edit that role in there.

94
00:04:02,440 --> 00:04:03,930
‫So edit it from user

95
00:04:03,930 --> 00:04:06,470
‫to admin manually, okay.

96
00:04:06,470 --> 00:04:09,070
‫Of course we could also define a special route

97
00:04:09,070 --> 00:04:10,910
‫for just creating admins

98
00:04:10,910 --> 00:04:13,610
‫but that would be a bit too much.

99
00:04:13,610 --> 00:04:16,210
‫Okay, so let's now move on.

100
00:04:16,210 --> 00:04:18,820
‫Just notice that the code in the rest of the video

101
00:04:18,820 --> 00:04:20,790
‫and all the videos in this course

102
00:04:20,790 --> 00:04:25,090
‫will of course still be this old wrong version, all right,

103
00:04:25,090 --> 00:04:27,270
‫but actually in the final code

104
00:04:27,270 --> 00:04:29,240
‫that is in the GitHub repository,

105
00:04:29,240 --> 00:04:32,773
‫I already fixed that and we have the correct code in there.

106
00:04:33,610 --> 00:04:37,770
‫Anyway, usually when we sign up for any web application,

107
00:04:37,770 --> 00:04:41,060
‫then you also get automatically logged in, right,

108
00:04:41,060 --> 00:04:43,500
‫and so let's very quickly implement that here.

109
00:04:43,500 --> 00:04:45,350
‫So log the new user in,

110
00:04:45,350 --> 00:04:48,120
‫as soon as he signed up, okay,

111
00:04:48,120 --> 00:04:50,090
‫and remember from the previous lecture,

112
00:04:50,090 --> 00:04:51,680
‫how that works,

113
00:04:51,680 --> 00:04:53,440
‫well all we really need to do,

114
00:04:53,440 --> 00:04:55,350
‫is to sign a Jason web token

115
00:04:55,350 --> 00:04:58,490
‫and then send it back to the user, okay,

116
00:04:58,490 --> 00:05:01,270
‫but let's now first of all install the MPM package

117
00:05:01,270 --> 00:05:03,350
‫that we're gonna use for everything related

118
00:05:03,350 --> 00:05:04,893
‫to Jason web tokens.

119
00:05:06,160 --> 00:05:08,180
‫So in our other terminal,

120
00:05:08,180 --> 00:05:12,660
‫let's say MPM install, Jason web token,

121
00:05:12,660 --> 00:05:14,370
‫so all of this together like this

122
00:05:16,240 --> 00:05:18,630
‫and that should then install this package

123
00:05:18,630 --> 00:05:19,790
‫and let's actually go ahead

124
00:05:19,790 --> 00:05:22,211
‫and take a look at it at GitHub,

125
00:05:22,211 --> 00:05:23,950
‫just to see the documentation

126
00:05:28,000 --> 00:05:29,380
‫and let's do that here,

127
00:05:29,380 --> 00:05:31,830
‫we no longer need this one here for now at least,

128
00:05:33,370 --> 00:05:38,370
‫and so this will take us to the page on MPM,

129
00:05:38,810 --> 00:05:40,300
‫and so you see

130
00:05:40,300 --> 00:05:42,170
‫how popular this package actually is,

131
00:05:42,170 --> 00:05:45,100
‫so we have 2.3 million weekly downloads,

132
00:05:45,100 --> 00:05:47,930
‫so that really is a ton of downloads

133
00:05:47,930 --> 00:05:50,730
‫and we can take a look at the documentation here as well,

134
00:05:50,730 --> 00:05:53,540
‫but I personally prefer to do it on GitHub.

135
00:05:53,540 --> 00:05:56,090
‫I think it looks a lot cleaner here,

136
00:05:56,090 --> 00:05:58,240
‫and I'm so used to it at this point,

137
00:05:58,240 --> 00:06:02,410
‫and so I usually just see it here, okay.

138
00:06:02,410 --> 00:06:04,690
‫Anyway, the first functio that we're gonna use

139
00:06:04,690 --> 00:06:08,070
‫with JWT here is sign, okay,

140
00:06:08,070 --> 00:06:11,320
‫so in order to basically create a new token,

141
00:06:11,320 --> 00:06:13,330
‫and for that of course we need the payload,

142
00:06:13,330 --> 00:06:16,080
‫we need the key so that private secret

143
00:06:16,080 --> 00:06:17,280
‫that I mentioned before

144
00:06:17,280 --> 00:06:19,750
‫that's only stored on our server

145
00:06:19,750 --> 00:06:21,607
‫and that we need to sign the token

146
00:06:21,607 --> 00:06:23,830
‫and then we can pass on some options

147
00:06:23,830 --> 00:06:26,040
‫and we will do all that in a second,

148
00:06:26,040 --> 00:06:29,270
‫I just want to show the other function that we have here,

149
00:06:29,270 --> 00:06:32,040
‫and that we really have a ton of options here,

150
00:06:32,040 --> 00:06:34,149
‫for example the expires in,

151
00:06:34,149 --> 00:06:36,353
‫which we're gonna use to use also,

152
00:06:38,070 --> 00:06:39,830
‫so all of this stuff

153
00:06:39,830 --> 00:06:41,600
‫and then we have verify.

154
00:06:41,600 --> 00:06:44,200
‫So we also talked about the verification process

155
00:06:44,200 --> 00:06:47,700
‫and that's basically implemented in this function, okay,

156
00:06:47,700 --> 00:06:49,490
‫and so this is the one that we're gonna use,

157
00:06:49,490 --> 00:06:52,740
‫when logging in a user, okay,

158
00:06:52,740 --> 00:06:54,610
‫and that's really all there is,

159
00:06:54,610 --> 00:06:56,858
‫so you have all this different options here, okay,

160
00:06:56,858 --> 00:06:58,400
‫you have also decode

161
00:06:58,400 --> 00:07:01,140
‫but that one is not really important, okay,

162
00:07:01,140 --> 00:07:03,990
‫so you see that this package really only includes

163
00:07:03,990 --> 00:07:04,980
‫the two functionalities

164
00:07:04,980 --> 00:07:07,870
‫that we discussed in the previous video.

165
00:07:07,870 --> 00:07:11,683
‫So signing and then verifying, okay.

166
00:07:12,590 --> 00:07:15,060
‫So let's go back here

167
00:07:15,060 --> 00:07:18,193
‫and actually start using the Jason web token package.

168
00:07:19,830 --> 00:07:21,363
‫So let's import it here,

169
00:07:24,380 --> 00:07:26,800
‫and it's usually simply called JWT

170
00:07:31,040 --> 00:07:33,920
‫and require the Jason web token.

171
00:07:33,920 --> 00:07:37,053
‫Okay, so lets create our token here,

172
00:07:39,290 --> 00:07:40,460
‫okay,

173
00:07:40,460 --> 00:07:43,710
‫and I'll like to simply call it like this so just token,

174
00:07:43,710 --> 00:07:48,080
‫okay, then JWT dot sign,

175
00:07:48,080 --> 00:07:50,460
‫and now the first thing is the payload,

176
00:07:50,460 --> 00:07:52,650
‫and this is basically an object for all the data

177
00:07:52,650 --> 00:07:55,260
‫that we're going to store inside of the token,

178
00:07:55,260 --> 00:07:56,093
‫and in this case,

179
00:07:56,093 --> 00:07:59,410
‫we really only want the ID of the user, all right,

180
00:07:59,410 --> 00:08:02,210
‫so nothing crazy here, not a lot of data

181
00:08:02,210 --> 00:08:04,150
‫that's not really important.

182
00:08:04,150 --> 00:08:06,890
‫So we say that the ID is

183
00:08:06,890 --> 00:08:09,550
‫and then we simply get the ID from the new user

184
00:08:09,550 --> 00:08:12,830
‫that was just created, okay,

185
00:08:12,830 --> 00:08:17,530
‫so new user dot and then remember that in MonogoDB,

186
00:08:17,530 --> 00:08:21,460
‫the ID is actually called underscore ID, all right,

187
00:08:21,460 --> 00:08:23,760
‫and so that is the object that's the data,

188
00:08:23,760 --> 00:08:27,083
‫the payload, that we want to put in our JWT.

189
00:08:27,920 --> 00:08:30,820
‫Next up, we need the secret, okay,

190
00:08:30,820 --> 00:08:32,090
‫so basically a string

191
00:08:33,580 --> 00:08:35,350
‫for a secret, all right,

192
00:08:35,350 --> 00:08:38,530
‫of course this is a terrible one, all right,

193
00:08:38,530 --> 00:08:40,340
‫this is just kind of a place holder

194
00:08:40,340 --> 00:08:42,770
‫because actually, our configuration file

195
00:08:42,770 --> 00:08:46,720
‫is a perfect place to store this kind of secret data,

196
00:08:46,720 --> 00:08:49,460
‫so just like password for example,

197
00:08:49,460 --> 00:08:53,633
‫and so let's go add and edit here, okay,

198
00:08:55,720 --> 00:09:00,070
‫so let's call it JWT, secret,

199
00:09:00,070 --> 00:09:02,220
‫and of course the name that we give here,

200
00:09:02,220 --> 00:09:03,430
‫doesn't really matter

201
00:09:03,430 --> 00:09:06,920
‫but what does matter is the secret that we specify here,

202
00:09:06,920 --> 00:09:11,920
‫all right, because using the standard HSA 256 encryption

203
00:09:11,940 --> 00:09:15,320
‫for the signature, the secret should at least be

204
00:09:15,320 --> 00:09:17,880
‫thirty two characters long, all right,

205
00:09:17,880 --> 00:09:19,847
‫but the longer the better actually

206
00:09:19,847 --> 00:09:22,240
‫and this is where many tutorials out there fail,

207
00:09:22,240 --> 00:09:25,280
‫some of them simply put a very short string here,

208
00:09:25,280 --> 00:09:27,010
‫but that's not ideal again,

209
00:09:27,010 --> 00:09:29,290
‫so for best encryption of the signature,

210
00:09:29,290 --> 00:09:32,940
‫again you should at least use thirty two characters,

211
00:09:32,940 --> 00:09:34,584
‫so I'm gonna create my secret here now

212
00:09:34,584 --> 00:09:37,763
‫but you should really really use another one, okay,

213
00:09:37,763 --> 00:09:40,490
‫please don't use the same one as I am doing

214
00:09:40,490 --> 00:09:42,590
‫because that could become a security issue

215
00:09:42,590 --> 00:09:44,180
‫for your application, okay,

216
00:09:44,180 --> 00:09:47,460
‫always use a unique secret for your applications

217
00:09:47,460 --> 00:09:49,400
‫and never the same, all right,

218
00:09:49,400 --> 00:09:52,100
‫and especially not the one from someone else

219
00:09:52,100 --> 00:09:54,883
‫so definitely not the one that I'm typing now.

220
00:09:56,750 --> 00:09:57,820
‫So this can be anything,

221
00:09:57,820 --> 00:10:00,160
‫it doesn't have to be weird characters or stuff,

222
00:10:00,160 --> 00:10:02,390
‫I prefer to use a phrase like this,

223
00:10:02,390 --> 00:10:04,443
‫my ultra secure and

224
00:10:07,860 --> 00:10:10,903
‫ultra long secret,

225
00:10:11,990 --> 00:10:13,363
‫so what happened here,

226
00:10:14,690 --> 00:10:17,670
‫anyway this should be thirty two characters long

227
00:10:17,670 --> 00:10:18,730
‫and so this is the one

228
00:10:18,730 --> 00:10:21,400
‫that we're gonna use for my Jason web tokens,

229
00:10:21,400 --> 00:10:24,193
‫but again please use another one, all right.

230
00:10:25,489 --> 00:10:29,290
‫Anyway, let's go back to the authentication controller here,

231
00:10:29,290 --> 00:10:30,733
‫and now actually use it.

232
00:10:31,810 --> 00:10:34,970
‫So remember a environment variable

233
00:10:34,970 --> 00:10:39,913
‫is process dot end dot JWT secret,

234
00:10:41,100 --> 00:10:42,100
‫okay.

235
00:10:42,100 --> 00:10:44,490
‫So at this point, we have the payload

236
00:10:44,490 --> 00:10:46,320
‫and we have the secret.

237
00:10:46,320 --> 00:10:49,400
‫The token header will actually created automatically

238
00:10:49,400 --> 00:10:50,670
‫but now what we can also do

239
00:10:50,670 --> 00:10:52,390
‫is to pass on some options,

240
00:10:52,390 --> 00:10:54,470
‫and the option that I'm gonna pass in

241
00:10:54,470 --> 00:10:57,390
‫is when the JWT should expire.

242
00:10:57,390 --> 00:10:59,600
‫So this means that after the time

243
00:10:59,600 --> 00:11:01,240
‫that we're gonna pass in here,

244
00:11:01,240 --> 00:11:03,110
‫the Jason web token is no longer

245
00:11:03,110 --> 00:11:04,240
‫gonna be valid,

246
00:11:04,240 --> 00:11:06,890
‫even if it otherwise would be correctly verified,

247
00:11:06,890 --> 00:11:08,060
‫all right,

248
00:11:08,060 --> 00:11:10,570
‫so this is basically for logging out a user

249
00:11:10,570 --> 00:11:12,670
‫after a certain period of time

250
00:11:12,670 --> 00:11:15,320
‫simply as a security measure, okay.

251
00:11:15,320 --> 00:11:19,500
‫So let's actually define that expiration time also

252
00:11:19,500 --> 00:11:21,493
‫as a configuration variable here,

253
00:11:23,320 --> 00:11:28,320
‫so JWT expires in

254
00:11:28,360 --> 00:11:30,536
‫and so here of course , you can use the same time

255
00:11:30,536 --> 00:11:31,950
‫as I am putting.

256
00:11:31,950 --> 00:11:33,630
‫So we can use a special string

257
00:11:33,630 --> 00:11:36,170
‫like for example 90D

258
00:11:36,170 --> 00:11:38,807
‫and the signing algorithm will then automatically figure out

259
00:11:38,807 --> 00:11:42,350
‫that this means ninety days, okay,

260
00:11:42,350 --> 00:11:47,350
‫you could also use like ten hours or five minutes

261
00:11:47,360 --> 00:11:49,720
‫or three seconds or something like this,

262
00:11:49,720 --> 00:11:50,800
‫or just any number,

263
00:11:50,800 --> 00:11:53,330
‫which will then be treated as milliseconds

264
00:11:53,330 --> 00:11:55,820
‫but I think it's best to simply use ninety

265
00:11:55,820 --> 00:11:59,350
‫or something D, so in this case, ninety days, all right,

266
00:11:59,350 --> 00:12:01,120
‫and so again, after ninety days,

267
00:12:01,120 --> 00:12:03,860
‫the JWT will no longer be valid,

268
00:12:03,860 --> 00:12:07,770
‫even if the signature is correct and everything is valid.

269
00:12:07,770 --> 00:12:11,503
‫Okay, so again just like an additional security measure,

270
00:12:12,880 --> 00:12:13,713
‫okay,

271
00:12:13,713 --> 00:12:17,180
‫so these options as always, we passed them in as an object

272
00:12:17,180 --> 00:12:19,820
‫and then let's specify the expires in,

273
00:12:19,820 --> 00:12:24,640
‫so expires in and then process dot end

274
00:12:26,120 --> 00:12:31,120
‫and then JWT expires in, okay,

275
00:12:32,050 --> 00:12:34,190
‫and this here will then add some additional data

276
00:12:34,190 --> 00:12:35,530
‫to the payload,

277
00:12:35,530 --> 00:12:37,480
‫but that's of course no problem at all.

278
00:12:38,410 --> 00:12:40,220
‫So we just created a token,

279
00:12:40,220 --> 00:12:41,500
‫now all we need to do,

280
00:12:41,500 --> 00:12:43,463
‫is to send it to the client.

281
00:12:44,910 --> 00:12:48,240
‫So let's put it here before the user actually

282
00:12:48,240 --> 00:12:50,420
‫and then that's actually it.

283
00:12:50,420 --> 00:12:53,350
‫That's really all we need to do to log in a new user,

284
00:12:53,350 --> 00:12:54,840
‫because right now we're not checking

285
00:12:54,840 --> 00:12:56,250
‫if any password is correct

286
00:12:56,250 --> 00:12:59,530
‫or if the user actually exists in the database

287
00:12:59,530 --> 00:13:00,970
‫because here in this case,

288
00:13:00,970 --> 00:13:02,890
‫the user was really just created,

289
00:13:02,890 --> 00:13:03,840
‫and so right away,

290
00:13:03,840 --> 00:13:05,880
‫we logged user into the application

291
00:13:05,880 --> 00:13:08,070
‫by sending a token, okay,

292
00:13:08,070 --> 00:13:10,010
‫and the use of client should then in some ways

293
00:13:10,010 --> 00:13:12,780
‫store that token, just as we talked about before

294
00:13:12,780 --> 00:13:15,430
‫in the previous lecture, okay,

295
00:13:15,430 --> 00:13:16,760
‫so let's give it a save here,

296
00:13:16,760 --> 00:13:21,370
‫and let's actually try it out, okay,

297
00:13:21,370 --> 00:13:24,160
‫so let's us my old address here,

298
00:13:24,160 --> 00:13:27,040
‫hello@jonas.io, let's send it,

299
00:13:27,040 --> 00:13:29,210
‫and let's wait for it

300
00:13:29,210 --> 00:13:32,910
‫and indeed, here is our Jason web token

301
00:13:32,910 --> 00:13:35,050
‫so congratulations, you just created

302
00:13:35,050 --> 00:13:37,490
‫your very first Jason web token

303
00:13:37,490 --> 00:13:39,760
‫which should look a little bit like this,

304
00:13:39,760 --> 00:13:42,310
‫and of course it's not gonna look exactly the same,

305
00:13:42,310 --> 00:13:45,360
‫because our secret is also not the same, right,

306
00:13:45,360 --> 00:13:46,770
‫and now what I want to show you,

307
00:13:46,770 --> 00:13:48,810
‫is the JWT debugger,

308
00:13:48,810 --> 00:13:50,730
‫that I showed you as a screenshot earlier

309
00:13:50,730 --> 00:13:52,010
‫in the last video.

310
00:13:52,010 --> 00:13:54,140
‫So let's go ahead and copy this token

311
00:13:56,050 --> 00:14:00,453
‫and then let's go to JWT.io,

312
00:14:02,850 --> 00:14:03,683
‫okay,

313
00:14:04,540 --> 00:14:06,790
‫then down here we have the debugger

314
00:14:06,790 --> 00:14:10,683
‫and so let's delete this one here,

315
00:14:12,170 --> 00:14:14,830
‫and put ours and right away

316
00:14:14,830 --> 00:14:17,580
‫you see that our signature is invalid,

317
00:14:17,580 --> 00:14:20,570
‫but that's because the sign function edits

318
00:14:20,570 --> 00:14:22,090
‫these two properties here,

319
00:14:22,090 --> 00:14:25,140
‫because we specified an expiration date basically.

320
00:14:25,140 --> 00:14:27,600
‫So this here is issued at,

321
00:14:27,600 --> 00:14:30,223
‫and this is expiration time, okay,

322
00:14:31,450 --> 00:14:35,050
‫so if we remove these two from here,

323
00:14:35,050 --> 00:14:36,350
‫you will see that now,

324
00:14:36,350 --> 00:14:38,620
‫this signature is actually verified,

325
00:14:38,620 --> 00:14:42,260
‫okay so what's important to notice here,

326
00:14:42,260 --> 00:14:44,815
‫is that of course the header is visible

327
00:14:44,815 --> 00:14:47,840
‫okay it's easily decodable basically,

328
00:14:47,840 --> 00:14:50,820
‫and so you that we did not specify any of this,

329
00:14:50,820 --> 00:14:54,530
‫it was the Jason web token package that did it for us,

330
00:14:54,530 --> 00:14:58,560
‫but that here is actually the payload that we specified,

331
00:14:58,560 --> 00:15:00,800
‫so if we take a look at this ID,

332
00:15:00,800 --> 00:15:03,860
‫it should be exactly the same as we have in postman,

333
00:15:03,860 --> 00:15:06,343
‫so ending on six OF,

334
00:15:07,960 --> 00:15:11,493
‫and so indeed, it is exactly the same right,

335
00:15:13,600 --> 00:15:16,260
‫okay, so these two here are open

336
00:15:16,260 --> 00:15:19,920
‫and then the signature of course, we cannot really see,

337
00:15:19,920 --> 00:15:22,930
‫because of course our secret is just that,

338
00:15:22,930 --> 00:15:26,270
‫it's really secret, all right,

339
00:15:26,270 --> 00:15:29,600
‫so this was just to show you that everything works,

340
00:15:29,600 --> 00:15:31,242
‫and let's close this up,

341
00:15:31,242 --> 00:15:35,550
‫and yeah, we're not able to log users in,

342
00:15:35,550 --> 00:15:38,050
‫but only if the user just signed up,

343
00:15:38,050 --> 00:15:40,980
‫because in that case, we do not need to verify

344
00:15:40,980 --> 00:15:42,290
‫the email in the database,

345
00:15:42,290 --> 00:15:44,490
‫and also not the password, okay.

346
00:15:44,490 --> 00:15:47,400
‫So doing all that is a way more complex process,

347
00:15:47,400 --> 00:15:49,340
‫and so that's actually what we're gonna do

348
00:15:49,340 --> 00:15:50,940
‫in the next lecture,

349
00:15:50,940 --> 00:15:53,660
‫so next up, we will actually log in users,

350
00:15:53,660 --> 00:15:56,543
‫based on their email address and their password.