1
00:00:01,260 --> 00:00:02,790
‫Welcome back.

2
00:00:02,790 --> 00:00:05,270
‫So, we have implemented authentication

3
00:00:05,270 --> 00:00:07,770
‫in our project up until this point.

4
00:00:07,770 --> 00:00:09,930
‫And, it works just fine.

5
00:00:09,930 --> 00:00:12,960
‫However, sometimes, simply authenticating,

6
00:00:12,960 --> 00:00:14,640
‫so, logging a user in,

7
00:00:14,640 --> 00:00:16,150
‫is really not enough.

8
00:00:16,150 --> 00:00:17,490
‫And, so in this video,

9
00:00:17,490 --> 00:00:20,173
‫we're gonna implement authorization as well.

10
00:00:21,730 --> 00:00:24,850
‫So, imagine the act of deleting a tour

11
00:00:24,850 --> 00:00:26,440
‫from our database.

12
00:00:26,440 --> 00:00:28,890
‫So, not every user should, of course,

13
00:00:28,890 --> 00:00:30,530
‫be allowed to do that.

14
00:00:30,530 --> 00:00:33,306
‫Even if the user is logged in, right?

15
00:00:33,306 --> 00:00:36,055
‫So, we basically need to authorize

16
00:00:36,055 --> 00:00:38,510
‫only certain types of users,

17
00:00:38,510 --> 00:00:40,720
‫to perform certain actions.

18
00:00:40,720 --> 00:00:43,550
‫And so that's exactly what authorization is.

19
00:00:43,550 --> 00:00:46,562
‫It's verifying if a certain user has the rights

20
00:00:46,562 --> 00:00:49,520
‫to interact with a certain resource.

21
00:00:49,520 --> 00:00:53,181
‫So, again, with authorization we basically check

22
00:00:53,181 --> 00:00:58,080
‫if a certain user is allowed to access a certain resource,

23
00:00:58,080 --> 00:00:59,890
‫even if he is logged in.

24
00:00:59,890 --> 00:01:03,150
‫So not all logged in users will be able to perform

25
00:01:03,150 --> 00:01:05,950
‫the same actions in our API, all right?

26
00:01:05,950 --> 00:01:08,119
‫And this is a very common scenario that should

27
00:01:08,119 --> 00:01:10,240
‫be implemented in each and every

28
00:01:10,240 --> 00:01:12,222
‫web application usually, all right?

29
00:01:12,222 --> 00:01:15,163
‫So we're gonna build another middleware function here,

30
00:01:15,163 --> 00:01:18,410
‫this time to restrict certain routes.

31
00:01:18,410 --> 00:01:20,780
‫For example, for deleting tours.

32
00:01:20,780 --> 00:01:23,310
‫So, this means that we're gonna build another

33
00:01:23,310 --> 00:01:24,840
‫middleware function here.

34
00:01:24,840 --> 00:01:27,290
‫This time, to restrict certain routes,

35
00:01:27,290 --> 00:01:29,068
‫like, for example, deleting tours,

36
00:01:29,068 --> 00:01:31,338
‫only to certain user roles.

37
00:01:31,338 --> 00:01:32,630
‫Okay?

38
00:01:32,630 --> 00:01:35,020
‫And so let me actually show you how that would look like

39
00:01:35,020 --> 00:01:36,520
‫in practice.

40
00:01:36,520 --> 00:01:38,410
‫So here, in the tour routes,

41
00:01:38,410 --> 00:01:42,270
‫let's go back to that example of deleting tours,

42
00:01:42,270 --> 00:01:46,770
‫and so let's add some middleware into the stack here.

43
00:01:46,770 --> 00:01:50,670
‫So authController, protect.

44
00:01:50,670 --> 00:01:52,300
‫So first, we always need to check

45
00:01:52,300 --> 00:01:55,490
‫if a user is actually logged in, okay?

46
00:01:55,490 --> 00:01:58,550
‫So if an administrator is trying to delete a tour,

47
00:01:58,550 --> 00:02:00,020
‫they would still need to check

48
00:02:00,020 --> 00:02:02,350
‫if he's actually logged in, right?

49
00:02:02,350 --> 00:02:04,610
‫So the first middleware in the stack here,

50
00:02:04,610 --> 00:02:06,690
‫will always be the protect one.

51
00:02:06,690 --> 00:02:09,130
‫But then, after that one, we will also have the

52
00:02:09,130 --> 00:02:13,113
‫authController.restrict.

53
00:02:14,760 --> 00:02:17,000
‫So restrictTo, okay?

54
00:02:17,000 --> 00:02:20,180
‫And into this function we will then pass some user roles,

55
00:02:20,180 --> 00:02:23,220
‫which will be authorized to interact with this resource.

56
00:02:23,220 --> 00:02:27,030
‫In this case, with deleting a tour, okay?

57
00:02:27,030 --> 00:02:29,390
‫So let's set this one to admin.

58
00:02:29,390 --> 00:02:31,650
‫So, only to administrators.

59
00:02:31,650 --> 00:02:35,120
‫Okay, and so now we are dealing with user roles here.

60
00:02:35,120 --> 00:02:36,650
‫So just like admin.

61
00:02:36,650 --> 00:02:39,584
‫And right now, we don't have that in our user model.

62
00:02:39,584 --> 00:02:42,642
‫And so let's quickly implement that here.

63
00:02:42,642 --> 00:02:43,633
‫All right.

64
00:02:44,470 --> 00:02:48,160
‫So, let's do that.

65
00:02:48,160 --> 00:02:52,323
‫Actually, before the password stuff, so like here.

66
00:02:56,170 --> 00:02:59,730
‫And down here you can actually see how our uncaught

67
00:02:59,730 --> 00:03:02,070
‫exception handler is working just fine,

68
00:03:02,070 --> 00:03:05,130
‫because restrictTo is not yet a function, right?

69
00:03:05,130 --> 00:03:06,610
‫We didn't implement it yet.

70
00:03:06,610 --> 00:03:08,810
‫I simply used it in order to show

71
00:03:08,810 --> 00:03:10,410
‫what exactly we're gonna build.

72
00:03:10,410 --> 00:03:12,280
‫And so of course there's an error,

73
00:03:12,280 --> 00:03:13,510
‫and so nodemon is now waiting

74
00:03:13,510 --> 00:03:17,490
‫for us to restart the server, okay?

75
00:03:17,490 --> 00:03:20,323
‫Anyway, the role here should be of the type String,

76
00:03:26,240 --> 00:03:30,110
‫and now I'm gonna use the enum validator in order to only

77
00:03:30,110 --> 00:03:33,310
‫allow certain types of roles here to be specified.

78
00:03:33,310 --> 00:03:37,410
‫And these are the general, so the normal users,

79
00:03:37,410 --> 00:03:38,860
‫so let's just call them user.

80
00:03:41,170 --> 00:03:42,823
‫Then, we have the tour guide,

81
00:03:44,120 --> 00:03:45,823
‫we have the lead tour guide,

82
00:03:47,240 --> 00:03:49,043
‫and we have the administrator.

83
00:03:50,410 --> 00:03:53,250
‫So, I'm just calling that admin, all right?

84
00:03:53,250 --> 00:03:56,359
‫And these user roles that we have here will of course

85
00:03:56,359 --> 00:03:59,450
‫be specific to the application's domain.

86
00:03:59,450 --> 00:04:02,260
‫So, for example, when you're running a community site,

87
00:04:02,260 --> 00:04:03,840
‫it's not gonna make much sense to

88
00:04:03,840 --> 00:04:05,940
‫have a guide and a lead guide.

89
00:04:05,940 --> 00:04:08,570
‫Instead you will probably have, like, moderators

90
00:04:08,570 --> 00:04:11,700
‫or contributors, or members.

91
00:04:11,700 --> 00:04:13,740
‫So, you will always have different names,

92
00:04:13,740 --> 00:04:16,680
‫depending on the type of application that you're writing.

93
00:04:16,680 --> 00:04:19,023
‫But in our case, this is what makes sense.

94
00:04:21,290 --> 00:04:24,170
‫Then, we also want to set a default here,

95
00:04:24,170 --> 00:04:26,540
‫so we actually don't have to specify always

96
00:04:26,540 --> 00:04:29,080
‫which type of user we're creating.

97
00:04:29,080 --> 00:04:32,320
‫And so user, the normal user, let's say,

98
00:04:32,320 --> 00:04:35,220
‫is the one that's gonna be created by default.

99
00:04:35,220 --> 00:04:36,990
‫So let's now actually go ahead

100
00:04:36,990 --> 00:04:39,340
‫and delete the users that we already have,

101
00:04:39,340 --> 00:04:41,021
‫because they don't have any roles,

102
00:04:41,021 --> 00:04:45,713
‫and so we don't need them like this anymore.

103
00:04:47,780 --> 00:04:48,810
‫All right.

104
00:04:48,810 --> 00:04:50,260
‫And so let's actually also go

105
00:04:50,260 --> 00:04:52,630
‫ahead and create some new ones.

106
00:04:52,630 --> 00:04:55,980
‫So, I'm gonna sign up here as

107
00:04:58,610 --> 00:05:03,610
‫as hello@jonas, and so that's now gonna be a normal user,

108
00:05:04,180 --> 00:05:06,060
‫and now we could not get any response,

109
00:05:06,060 --> 00:05:09,320
‫and that's of course because we have this error here,

110
00:05:09,320 --> 00:05:13,083
‫and so, let's very quickly take out this line of code.

111
00:05:14,750 --> 00:05:16,050
‫And now the error is gone.

112
00:05:17,326 --> 00:05:19,400
‫And so now it should run,

113
00:05:19,400 --> 00:05:22,000
‫and indeed we now have this user,

114
00:05:22,000 --> 00:05:25,120
‫with the role of user, okay?

115
00:05:25,120 --> 00:05:26,293
‫So that's our default,

116
00:05:27,920 --> 00:05:29,883
‫but now let's create an admin here.

117
00:05:30,860 --> 00:05:32,330
‫And to make that really clear,

118
00:05:32,330 --> 00:05:34,630
‫let's put it here in the email as well,

119
00:05:34,630 --> 00:05:36,780
‫and now we need to really specify the role,

120
00:05:40,100 --> 00:05:41,603
‫and set that one to admin.

121
00:05:42,860 --> 00:05:47,360
‫Send that, and so now we got here our system administrator.

122
00:05:47,360 --> 00:05:48,193
‫Cool.

123
00:05:48,193 --> 00:05:52,930
‫So, let's go back here, actually put this code back on,

124
00:05:52,930 --> 00:05:55,210
‫and we will now make it so that we can actually pass

125
00:05:55,210 --> 00:05:58,360
‫multiple arguments into this restrictTo.

126
00:05:58,360 --> 00:06:01,220
‫So, I want the admin to be able to delete tours,

127
00:06:01,220 --> 00:06:02,974
‫but also delete a guide.

128
00:06:02,974 --> 00:06:04,000
‫All right?

129
00:06:04,000 --> 00:06:05,750
‫And so let's add that here as well.

130
00:06:08,070 --> 00:06:09,130
‫Okay?

131
00:06:09,130 --> 00:06:12,210
‫So the admin and the lead guide can now delete tours,

132
00:06:12,210 --> 00:06:16,200
‫but not the normal guides, and also not the normal users.

133
00:06:16,200 --> 00:06:17,140
‫All right?

134
00:06:17,140 --> 00:06:20,220
‫So this is how restrictTo is gonna work,

135
00:06:20,220 --> 00:06:22,423
‫let's now go ahead and implement it.

136
00:06:25,270 --> 00:06:28,563
‫So exports.restrictTo,

137
00:06:30,470 --> 00:06:34,120
‫and now, how are we actually going to implement this?

138
00:06:34,120 --> 00:06:36,510
‫Because usually, we cannot pass arguments

139
00:06:36,510 --> 00:06:38,910
‫into a middleware function, right?

140
00:06:38,910 --> 00:06:41,010
‫But in this case, we really want to.

141
00:06:41,010 --> 00:06:42,640
‫We want to pass in the roles,

142
00:06:42,640 --> 00:06:46,100
‫who are allowed to access the resource, right?

143
00:06:46,100 --> 00:06:48,800
‫So this case, the admin and the lead guide.

144
00:06:48,800 --> 00:06:51,940
‫So we need a way of basically passing in arguments

145
00:06:51,940 --> 00:06:54,050
‫into the middleware function in a way

146
00:06:54,050 --> 00:06:55,830
‫that usually does not work.

147
00:06:55,830 --> 00:06:57,658
‫So, how are we going to do that?

148
00:06:57,658 --> 00:07:00,600
‫Well, in here, we will actually create like a

149
00:07:00,600 --> 00:07:03,410
‫wrapper function, which will then return the

150
00:07:03,410 --> 00:07:07,033
‫middleware function that we actually want to create, okay?

151
00:07:08,070 --> 00:07:10,540
‫So, this is the restrictTo function,

152
00:07:10,540 --> 00:07:12,160
‫and in here we want to pass an

153
00:07:12,160 --> 00:07:14,150
‫arbitrary number of arguments.

154
00:07:14,150 --> 00:07:15,870
‫So, basically, of roles.

155
00:07:15,870 --> 00:07:18,196
‫And so we can use the rest parameter syntax,

156
00:07:18,196 --> 00:07:20,793
‫which is again new in ES6,

157
00:07:21,950 --> 00:07:23,240
‫and this will then create an array

158
00:07:23,240 --> 00:07:26,053
‫of all the arguments that were specified, okay?

159
00:07:28,740 --> 00:07:30,350
‫So we're creating this function,

160
00:07:30,350 --> 00:07:33,960
‫and right away we will then return a new function.

161
00:07:33,960 --> 00:07:36,730
‫And this is the middleware function itself.

162
00:07:36,730 --> 00:07:40,573
‫So, request, response, and next.

163
00:07:43,000 --> 00:07:43,833
‫Okay?

164
00:07:43,833 --> 00:07:44,890
‫Make sense?

165
00:07:44,890 --> 00:07:47,190
‫And so this function here will then basically

166
00:07:47,190 --> 00:07:49,643
‫get access to this role's parameter here,

167
00:07:49,643 --> 00:07:53,310
‫because there is a closure, okay?

168
00:07:53,310 --> 00:07:55,780
‫So, just as a comment here to explain,

169
00:07:55,780 --> 00:07:58,160
‫roles is an array.

170
00:07:58,160 --> 00:08:01,338
‫So, for example, it might be, in this case,

171
00:08:01,338 --> 00:08:06,338
‫admin, and lead guide, okay?

172
00:08:08,670 --> 00:08:12,490
‫So when will we give a user access to a certain route?

173
00:08:12,490 --> 00:08:15,410
‫Well, basically, when its user role is

174
00:08:15,410 --> 00:08:19,900
‫inside of this roles array that we passed in right?

175
00:08:19,900 --> 00:08:21,930
‫So let's say we have the normal user now,

176
00:08:21,930 --> 00:08:24,930
‫which has a role of simply user,

177
00:08:24,930 --> 00:08:26,300
‫so let's write it here.

178
00:08:26,300 --> 00:08:29,397
‫Role is now just user.

179
00:08:29,397 --> 00:08:32,520
‫And so basically it's not contained in this array,

180
00:08:32,520 --> 00:08:36,490
‫and so therefore, that user does not have permission, okay?

181
00:08:36,490 --> 00:08:38,320
‫And so, let's write that in code.

182
00:08:38,320 --> 00:08:39,670
‫It's actually quite simple.

183
00:08:40,650 --> 00:08:45,650
‫So, if not roles.includes, and okay,

184
00:08:47,072 --> 00:08:50,660
‫once more includes is a very nice array method

185
00:08:50,660 --> 00:08:54,850
‫that is in Java Script available on all arrays, okay?

186
00:08:54,850 --> 00:08:57,010
‫So, if this roles array does not include

187
00:08:57,010 --> 00:08:58,900
‫the role of the current user,

188
00:08:58,900 --> 00:09:01,800
‫then we do not give permission to that user.

189
00:09:01,800 --> 00:09:04,740
‫And where is the role of the current user stored?

190
00:09:04,740 --> 00:09:07,247
‫Well, let's remember the line of code

191
00:09:07,247 --> 00:09:09,394
‫that we actually put up here,

192
00:09:09,394 --> 00:09:11,620
‫right in the end where we grant access

193
00:09:11,620 --> 00:09:12,900
‫to the protected route,

194
00:09:12,900 --> 00:09:16,460
‫we store the current user in request.user.

195
00:09:16,460 --> 00:09:18,520
‫And remember how this protect middleware

196
00:09:18,520 --> 00:09:21,929
‫always runs before restrictTo, right?

197
00:09:21,929 --> 00:09:25,330
‫So, here, we first have protect,

198
00:09:25,330 --> 00:09:27,391
‫and then we have restrictTo.

199
00:09:27,391 --> 00:09:30,600
‫And so by the time this middleware function here runs,

200
00:09:30,600 --> 00:09:32,660
‫this one has already completed,

201
00:09:32,660 --> 00:09:35,830
‫and has put the current user on the request object.

202
00:09:35,830 --> 00:09:38,740
‫And so now, we can use that here.

203
00:09:38,740 --> 00:09:42,480
‫So request.user.role.

204
00:09:42,480 --> 00:09:45,050
‫So that's where the role is stored.

205
00:09:45,050 --> 00:09:45,953
‫So, simple.

206
00:09:46,950 --> 00:09:50,993
‫In this case, we create a new error.

207
00:09:52,970 --> 00:09:55,932
‫So just like before, and now we say

208
00:09:55,932 --> 00:10:00,932
‫you do not have permission to perform this action.

209
00:10:03,680 --> 00:10:07,000
‫And now a new status code, which is 403.

210
00:10:07,000 --> 00:10:09,790
‫And this one means forbidden, okay?

211
00:10:09,790 --> 00:10:11,400
‫So there really is a specific

212
00:10:11,400 --> 00:10:14,480
‫http status code just for this case,

213
00:10:14,480 --> 00:10:18,180
‫so for authorization basically, all right?

214
00:10:18,180 --> 00:10:22,423
‫And, well, otherwise, we simply call next.

215
00:10:24,090 --> 00:10:25,580
‫And that's really it.

216
00:10:25,580 --> 00:10:27,910
‫So that's as simple as it is.

217
00:10:27,910 --> 00:10:30,160
‫So let's quickly recap what we just did here.

218
00:10:31,650 --> 00:10:35,140
‫So, in here, we first run the protect middleware.

219
00:10:35,140 --> 00:10:36,770
‫Then, restrictTo middleware,

220
00:10:36,770 --> 00:10:39,410
‫and only if these two middlewares pass to the next one,

221
00:10:39,410 --> 00:10:41,100
‫we go to the lead tour.

222
00:10:41,100 --> 00:10:42,830
‫And so basically this route handler,

223
00:10:42,830 --> 00:10:45,419
‫or this route controller, is protected,

224
00:10:45,419 --> 00:10:47,790
‫and is also restricted by this

225
00:10:47,790 --> 00:10:49,750
‫middleware that we just created.

226
00:10:49,750 --> 00:10:50,800
‫Then into this function,

227
00:10:50,800 --> 00:10:52,650
‫we pass all of the roles that are

228
00:10:52,650 --> 00:10:55,730
‫allowed to interact with this resource.

229
00:10:55,730 --> 00:10:57,794
‫So, basically, which are allowed to run

230
00:10:57,794 --> 00:11:00,310
‫this handler function, okay?

231
00:11:00,310 --> 00:11:03,370
‫And so, this restrictTo function will then run,

232
00:11:03,370 --> 00:11:06,910
‫and return the middleware function itself, okay?

233
00:11:06,910 --> 00:11:11,140
‫And that middleware function itself is actually this one.

234
00:11:11,140 --> 00:11:13,010
‫It will then, because of the closure,

235
00:11:13,010 --> 00:11:16,500
‫have access to roles, okay?

236
00:11:16,500 --> 00:11:19,350
‫And so, let's say that the role of the current user,

237
00:11:19,350 --> 00:11:24,180
‫which is, remember, stored in req.user.role, right?

238
00:11:24,180 --> 00:11:27,020
‫So, let's say that his role is user,

239
00:11:27,020 --> 00:11:29,970
‫and since that role is not in this role's array,

240
00:11:29,970 --> 00:11:32,920
‫well, we then get this error, okay?

241
00:11:32,920 --> 00:11:37,583
‫And so that's what this roles.includes tests here for, okay?

242
00:11:38,450 --> 00:11:40,410
‫But of course, if it is included,

243
00:11:40,410 --> 00:11:42,860
‫then we pass to the next middleware.

244
00:11:42,860 --> 00:11:46,130
‫Which again, is then the route handler itself.

245
00:11:46,130 --> 00:11:46,963
‫Cool.

246
00:11:46,963 --> 00:11:48,120
‫So, I hope that makes sense.

247
00:11:48,120 --> 00:11:50,453
‫Let's now go ahead and quickly test it.

248
00:11:51,390 --> 00:11:52,580
‫Okay?

249
00:11:52,580 --> 00:11:54,340
‫So right now, we have this token here,

250
00:11:54,340 --> 00:11:58,420
‫stored into the JTW variable, right?

251
00:11:58,420 --> 00:12:00,890
‫So remember that from the last lecture.

252
00:12:00,890 --> 00:12:03,233
‫So, we are in this dev environment,

253
00:12:03,233 --> 00:12:06,230
‫and so here is that variable.

254
00:12:06,230 --> 00:12:08,080
‫So exactly the one that is down here.

255
00:12:09,540 --> 00:12:10,373
‫All right?

256
00:12:10,373 --> 00:12:12,600
‫So if we were now to delete a tour,

257
00:12:12,600 --> 00:12:16,914
‫we would then have to specify that variable in there, right?

258
00:12:16,914 --> 00:12:19,936
‫So let's go to authorization,

259
00:12:19,936 --> 00:12:21,970
‫the bearer token,

260
00:12:21,970 --> 00:12:24,470
‫and then it actually already puts it here for us.

261
00:12:24,470 --> 00:12:25,980
‫So it already knows that this is the

262
00:12:25,980 --> 00:12:28,480
‫one that we want to use, because, well,

263
00:12:28,480 --> 00:12:30,544
‫we used it before, okay?

264
00:12:30,544 --> 00:12:32,960
‫Now, I want to start by showing you that

265
00:12:32,960 --> 00:12:36,710
‫a regular user cannot delete a tour now, okay?

266
00:12:36,710 --> 00:12:40,183
‫And so let's start by logging in as a regular user.

267
00:12:41,300 --> 00:12:44,253
‫And so that's hello, right?

268
00:12:45,530 --> 00:12:50,530
‫Remember, right now we have hello@jonas.io,

269
00:12:50,670 --> 00:12:54,410
‫which is a normal user, and we have admin@jonas.io.

270
00:12:54,410 --> 00:12:58,350
‫And we still have this old one here, let's get rid of it.

271
00:12:58,350 --> 00:12:59,183
‫All right.

272
00:12:59,183 --> 00:13:01,803
‫And so I'm gonna start with hello@jonas.io.

273
00:13:03,630 --> 00:13:04,650
‫Okay?

274
00:13:04,650 --> 00:13:08,470
‫So, logging in, then that token is gonna be stored

275
00:13:08,470 --> 00:13:10,770
‫into the environment variable,

276
00:13:10,770 --> 00:13:12,670
‫and now we are ready to delete a tour.

277
00:13:13,530 --> 00:13:16,440
‫We actually also need to get an ID now,

278
00:13:16,440 --> 00:13:18,940
‫so let's quickly get one from here,

279
00:13:18,940 --> 00:13:22,063
‫so we're basically gonna delete one of our tours here.

280
00:13:25,450 --> 00:13:27,420
‫So let's just use the last one here.

281
00:13:27,420 --> 00:13:28,683
‫So, the stargazer.

282
00:13:31,356 --> 00:13:32,189
‫Okay?

283
00:13:32,189 --> 00:13:35,570
‫And let's see if we get our error message.

284
00:13:35,570 --> 00:13:38,290
‫And, indeed, you do not have permission

285
00:13:38,290 --> 00:13:39,620
‫to perform this action.

286
00:13:39,620 --> 00:13:41,610
‫So, 403.

287
00:13:41,610 --> 00:13:44,823
‫So, indeed, it's kind of working, right?

288
00:13:46,150 --> 00:13:47,630
‫But, to make this complete now,

289
00:13:47,630 --> 00:13:50,433
‫let's of course login as the admin.

290
00:13:52,830 --> 00:13:53,823
‫So, admin.

291
00:13:55,480 --> 00:13:56,540
‫Login.

292
00:13:56,540 --> 00:14:00,000
‫And so this token is now stored into this variable.

293
00:14:00,000 --> 00:14:01,500
‫And so if you run this now,

294
00:14:01,500 --> 00:14:04,910
‫we should be able to effectively delete the tour.

295
00:14:04,910 --> 00:14:05,743
‫Wanna see?

296
00:14:07,720 --> 00:14:09,240
‫And, it's gone.

297
00:14:09,240 --> 00:14:11,920
‫So we have a code of 204, no content,

298
00:14:11,920 --> 00:14:13,999
‫which is the standard when deleting,

299
00:14:13,999 --> 00:14:16,259
‫but now if we get all our tours,

300
00:14:16,259 --> 00:14:19,090
‫we should now see a number eight here,

301
00:14:19,090 --> 00:14:20,460
‫so only eight results,

302
00:14:20,460 --> 00:14:24,350
‫and that means that the last one is now gone, okay?

303
00:14:24,350 --> 00:14:26,520
‫And so right now, as we just proved,

304
00:14:26,520 --> 00:14:28,496
‫an administrator has the permission

305
00:14:28,496 --> 00:14:31,671
‫to effectively delete tours, okay?

306
00:14:31,671 --> 00:14:34,372
‫And, I really cannot stress enough

307
00:14:34,372 --> 00:14:38,060
‫how important this piece of code here is.

308
00:14:38,060 --> 00:14:40,980
‫So basically, where we get the role from the current user

309
00:14:40,980 --> 00:14:43,550
‫from the middleware before, okay?

310
00:14:43,550 --> 00:14:46,804
‫So, storing the user onto the request as we did here,

311
00:14:46,804 --> 00:14:48,770
‫is really crucial in order for

312
00:14:48,770 --> 00:14:52,170
‫this next step to actually work, okay?

313
00:14:52,170 --> 00:14:55,760
‫So, the ID that is encoded into the Jason web token

314
00:14:55,760 --> 00:14:57,990
‫is what makes our code then know whether

315
00:14:57,990 --> 00:15:01,470
‫the user that's trying to perform the action is a user,

316
00:15:01,470 --> 00:15:04,900
‫or if it's an admin, or if it's a lead guide, or whatever.

317
00:15:04,900 --> 00:15:06,790
‫Again, because that data is coming

318
00:15:06,790 --> 00:15:09,730
‫from this protect middleware.

319
00:15:09,730 --> 00:15:10,563
‫Great.

320
00:15:10,563 --> 00:15:13,790
‫This was yet another important piece of the puzzle

321
00:15:13,790 --> 00:15:17,040
‫in implementing our authentication workflow here.

322
00:15:17,040 --> 00:15:19,821
‫And of course, you want to restrict a lot of other routes,

323
00:15:19,821 --> 00:15:23,479
‫for example, like updating here, okay?

324
00:15:23,479 --> 00:15:25,300
‫But I'm gonna leave that for a

325
00:15:25,300 --> 00:15:27,320
‫later point of the course, okay?

326
00:15:27,320 --> 00:15:29,420
‫Right here, I just wanted to show you

327
00:15:29,420 --> 00:15:31,663
‫how all of this works, okay?

328
00:15:32,730 --> 00:15:35,600
‫So, I think I did that successfully.

329
00:15:35,600 --> 00:15:38,620
‫I hope you understood how this worked,

330
00:15:38,620 --> 00:15:41,668
‫and of course, if not, you can always ask a question

331
00:15:41,668 --> 00:15:44,300
‫in the official Q and A section.

332
00:15:44,300 --> 00:15:47,840
‫Anyway, there's some more great content coming up right now

333
00:15:47,840 --> 00:15:49,483
‫and so, let's move on.