1
00:00:01,190 --> 00:00:03,320
‫In this video and the next ones,

2
00:00:03,320 --> 00:00:05,380
‫we are going to implement a user-friendly

3
00:00:05,380 --> 00:00:08,670
‫password reset functionality, which is kind of

4
00:00:08,670 --> 00:00:11,253
‫standard in most web applications.

5
00:00:12,750 --> 00:00:15,390
‫And probably, you have used the password reset

6
00:00:15,390 --> 00:00:17,720
‫on some website before and usually,

7
00:00:17,720 --> 00:00:19,140
‫it works like this.

8
00:00:19,140 --> 00:00:21,280
‫You just have to provide your email address

9
00:00:21,280 --> 00:00:23,490
‫and you will then get an email with a link

10
00:00:23,490 --> 00:00:25,950
‫where you can click and then that's gonna take you

11
00:00:25,950 --> 00:00:29,410
‫to a page where you can put in a new password.

12
00:00:29,410 --> 00:00:32,270
‫This is a very standard procedure and so

13
00:00:32,270 --> 00:00:34,160
‫this is also how we're going to implement it

14
00:00:34,160 --> 00:00:35,890
‫here in this application.

15
00:00:35,890 --> 00:00:37,700
‫Basically there are two steps.

16
00:00:37,700 --> 00:00:40,930
‫For the first one is that the user sends a post request

17
00:00:40,930 --> 00:00:45,260
‫to a forgot password route, only with this email address.

18
00:00:45,260 --> 00:00:47,510
‫This will then create a reset token

19
00:00:47,510 --> 00:00:50,830
‫and sent that to the email address that was provided.

20
00:00:50,830 --> 00:00:54,930
‫Just a simple, random token, not a JSON Web Token.

21
00:00:54,930 --> 00:00:56,610
‫That's a difference here.

22
00:00:56,610 --> 00:00:59,507
‫Then in the second part, which is gonna be the next video,

23
00:00:59,507 --> 00:01:02,800
‫the user then sends that token from his email

24
00:01:02,800 --> 00:01:06,553
‫along with a new password in order to update his password.

25
00:01:08,040 --> 00:01:13,040
‫Basically, we will have exports dot forgot password

26
00:01:14,810 --> 00:01:16,173
‫which is the first step.

27
00:01:17,930 --> 00:01:22,930
‫So request, response and next

28
00:01:25,560 --> 00:01:28,703
‫and then as a second step, we have reset password.

29
00:01:33,480 --> 00:01:37,260
‫Then let's also go ahead and implement these two routes.

30
00:01:37,260 --> 00:01:40,520
‫Okay, and that's, of course, in their user router

31
00:01:40,520 --> 00:01:42,053
‫or user routes file.

32
00:01:43,190 --> 00:01:45,640
‫Let's put them also right up here

33
00:01:45,640 --> 00:01:48,793
‫and actually I can just duplicate these lines here.

34
00:01:51,131 --> 00:01:54,593
‫So we have again forgot password,

35
00:01:55,820 --> 00:01:58,170
‫which will only receive the email address

36
00:01:58,170 --> 00:02:03,170
‫and then reset password,

37
00:02:03,260 --> 00:02:06,983
‫which will receive the token as well as the new password.

38
00:02:09,360 --> 00:02:10,530
‫This is the one that we're gonna start

39
00:02:10,530 --> 00:02:13,220
‫implementing in this lecture.

40
00:02:13,220 --> 00:02:17,570
‫Let's just like before specify our steps here.

41
00:02:17,570 --> 00:02:20,510
‫So first, get user

42
00:02:23,180 --> 00:02:25,890
‫based on posted email

43
00:02:29,590 --> 00:02:32,383
‫then generate the random token.

44
00:02:37,090 --> 00:02:40,043
‫And then basically send it back as an email.

45
00:02:45,910 --> 00:02:48,793
‫This stuff is pretty common for us at this point.

46
00:02:49,680 --> 00:02:54,397
‫So user, so let's await user dot find

47
00:02:55,330 --> 00:02:57,650
‫and now it's find one,

48
00:02:57,650 --> 00:03:00,920
‫not find by id because we don't know the user's id.

49
00:03:00,920 --> 00:03:04,240
‫And user, of course, also doesn't know his own id

50
00:03:04,240 --> 00:03:06,733
‫and so we specified the email address.

51
00:03:08,390 --> 00:03:11,363
‫Basically it's the only piece of data that is known.

52
00:03:12,230 --> 00:03:16,823
‫And that is stand on request dot body dot email address.

53
00:03:18,723 --> 00:03:20,580
‫And of course now we need to say that

54
00:03:20,580 --> 00:03:25,390
‫we're in an async function and then just like before,

55
00:03:25,390 --> 00:03:27,183
‫let's wrap it in catch async.

56
00:03:30,690 --> 00:03:33,263
‫Give it a save and the error should be gone.

57
00:03:35,280 --> 00:03:36,710
‫Then next step, let's verify

58
00:03:36,710 --> 00:03:38,103
‫if the user does exist.

59
00:03:39,160 --> 00:03:44,160
‫So if no user, then return to the next middleware

60
00:03:48,950 --> 00:03:51,790
‫along of course with a new error.

61
00:03:51,790 --> 00:03:56,790
‫Is no user with that email address.

62
00:03:59,190 --> 00:04:02,510
‫And then we can put a 404, which as you already know,

63
00:04:02,510 --> 00:04:04,023
‫means not found.

64
00:04:05,567 --> 00:04:09,310
‫Next up, let's then generate the random token

65
00:04:09,310 --> 00:04:11,600
‫and for that, once more, we're actually gonna create

66
00:04:11,600 --> 00:04:14,610
‫an instant method on the user.

67
00:04:14,610 --> 00:04:17,430
‫Because once more, this really has to do with

68
00:04:17,430 --> 00:04:19,183
‫the user data itself.

69
00:04:20,280 --> 00:04:22,660
‫And we're gonna write a bit of code really,

70
00:04:22,660 --> 00:04:25,160
‫and so, if it was only one line of code,

71
00:04:25,160 --> 00:04:27,600
‫then of course we could just put it right here.

72
00:04:27,600 --> 00:04:29,540
‫But we need a couple of lines of code

73
00:04:29,540 --> 00:04:31,830
‫and so again, it's a bit cleaner

74
00:04:31,830 --> 00:04:34,080
‫to separate it into its own function.

75
00:04:34,080 --> 00:04:37,823
‫And that usually with Mongoose is best as an instant method.

76
00:04:40,500 --> 00:04:45,490
‫So down here, let's just edit here at the end.

77
00:04:45,490 --> 00:04:50,490
‫So user schema dot methods dot create password reset token.

78
00:04:57,900 --> 00:04:59,950
‫Quite a long and descriptive name.

79
00:04:59,950 --> 00:05:02,020
‫I like to do it like that,

80
00:05:02,020 --> 00:05:05,253
‫so that I know exactly what I'm dealing with.

81
00:05:07,600 --> 00:05:11,690
‫The password reset token should basically be a random string

82
00:05:11,690 --> 00:05:13,650
‫but at the same time, it doesn't need

83
00:05:13,650 --> 00:05:17,250
‫to be as cryptographically strong as the password hash

84
00:05:17,250 --> 00:05:18,433
‫that we created before.

85
00:05:19,640 --> 00:05:22,720
‫We can just use the very simple, random bytes function

86
00:05:22,720 --> 00:05:25,083
‫from the built-in crypto module.

87
00:05:27,350 --> 00:05:30,173
‫Let's go ahead and actually add that.

88
00:05:35,620 --> 00:05:40,620
‫Crypto require and again, it is a built-in a node module

89
00:05:40,870 --> 00:05:43,203
‫so no need to install anything.

90
00:05:44,700 --> 00:05:45,800
‫Cool.

91
00:05:45,800 --> 00:05:50,800
‫Now, let's then actually generate our token.

92
00:05:56,576 --> 00:05:59,913
‫And for that, we use crypto dot random bytes

93
00:06:02,440 --> 00:06:04,750
‫and then here we need to specify the number of

94
00:06:04,750 --> 00:06:05,893
‫characters basically.

95
00:06:07,490 --> 00:06:09,530
‫And then we also in the end,

96
00:06:09,530 --> 00:06:11,823
‫convert it to a hexadecimal string.

97
00:06:14,045 --> 00:06:14,910
‫Two string

98
00:06:17,020 --> 00:06:20,723
‫and then we can specify the hex option here.

99
00:06:22,060 --> 00:06:23,690
‫Now if you're wondering why we are

100
00:06:23,690 --> 00:06:25,360
‫actually creating this token,

101
00:06:25,360 --> 00:06:28,710
‫I guess I didn't really explain it just yet.

102
00:06:28,710 --> 00:06:31,170
‫Basically this token is what we're gonna send

103
00:06:31,170 --> 00:06:34,660
‫to the user and so it's like a reset password really

104
00:06:34,660 --> 00:06:38,610
‫that the user can then use to create a new real password.

105
00:06:38,610 --> 00:06:41,690
‫And of course, only the user will have access to this token.

106
00:06:41,690 --> 00:06:45,363
‫And so in fact, it really behaves kind of like a password.

107
00:06:45,363 --> 00:06:48,380
‫Since essentially it is just a password,

108
00:06:48,380 --> 00:06:52,210
‫it means that if a hacker can get access to our database,

109
00:06:52,210 --> 00:06:55,000
‫well then that's gonna allow the hacker to gain access

110
00:06:55,000 --> 00:06:57,483
‫to the account by setting a new password.

111
00:06:59,474 --> 00:07:01,740
‫If we would just simply store this reset token

112
00:07:01,740 --> 00:07:05,160
‫in our database now, then if some attacker gains access

113
00:07:05,160 --> 00:07:07,200
‫to the database, they could then use

114
00:07:07,200 --> 00:07:10,090
‫that token and create a new password using that token

115
00:07:10,090 --> 00:07:11,690
‫instead of you doing it.

116
00:07:11,690 --> 00:07:14,120
‫They would then effectively control your account

117
00:07:14,120 --> 00:07:15,563
‫instead of you doing it.

118
00:07:16,810 --> 00:07:19,150
‫Just like a password, we should never store

119
00:07:19,150 --> 00:07:21,933
‫a plain reset token in the database.

120
00:07:23,030 --> 00:07:24,670
‫Let's actually encrypt it,

121
00:07:24,670 --> 00:07:26,880
‫but such as before with the password,

122
00:07:26,880 --> 00:07:29,670
‫it doesn't need such a cryptographically strong

123
00:07:29,670 --> 00:07:30,803
‫encryption method.

124
00:07:31,640 --> 00:07:34,653
‫Because these reset tokens are a way less dangerous

125
00:07:34,653 --> 00:07:35,993
‫attack vector.

126
00:07:37,050 --> 00:07:39,230
‫Again, we're just gonna use the built-in

127
00:07:39,230 --> 00:07:40,233
‫crypto module.

128
00:07:41,610 --> 00:07:44,213
‫It works in this kind of weird-looking way.

129
00:07:45,420 --> 00:07:48,740
‫We say crypto then create hash

130
00:07:51,170 --> 00:07:54,550
‫with the sha 256 algorithm

131
00:07:55,750 --> 00:07:57,560
‫then we need to say update

132
00:07:57,560 --> 00:08:00,593
‫and then variable where the token is stored.

133
00:08:01,840 --> 00:08:04,340
‫Whatever string we want to encrypt basically.

134
00:08:04,340 --> 00:08:08,570
‫And then we need to say digest and then again

135
00:08:08,570 --> 00:08:10,433
‫store it as a hexadecimal.

136
00:08:12,950 --> 00:08:16,660
‫And now where are we actually gonna save this reset token?

137
00:08:16,660 --> 00:08:19,883
‫Well, we're gonna create a new field in our database schema.

138
00:08:20,886 --> 00:08:23,340
‫'Cause of course, we want to save it in the database,

139
00:08:23,340 --> 00:08:24,940
‫so that we can then compare it

140
00:08:24,940 --> 00:08:27,003
‫with the token that the user provides.

141
00:08:30,037 --> 00:08:30,870
‫Let's do that here at the end.

142
00:08:34,599 --> 00:08:36,349
‫Password reset token,

143
00:08:39,884 --> 00:08:41,248
‫that's the string.

144
00:08:41,248 --> 00:08:44,331
‫And then also password reset expires.

145
00:08:49,890 --> 00:08:51,780
‫Because this reset will actually expire

146
00:08:51,780 --> 00:08:56,100
‫after a certain amount of time as a security measure.

147
00:08:56,100 --> 00:08:58,820
‫You will only have 10 minutes in order to actually

148
00:08:58,820 --> 00:09:00,133
‫reset your password.

149
00:09:03,850 --> 00:09:05,500
‫Let's now go ahead and use these.

150
00:09:06,950 --> 00:09:11,950
‫This dot password reset token is then equal

151
00:09:13,440 --> 00:09:14,843
‫to this encryption.

152
00:09:19,270 --> 00:09:23,720
‫Next up, let's then set password reset expires

153
00:09:24,570 --> 00:09:29,400
‫and let's set that to date dot now

154
00:09:29,400 --> 00:09:32,193
‫and then simply add a couple of seconds to that.

155
00:09:33,510 --> 00:09:35,910
‫We want it to work for 10 minutes

156
00:09:35,910 --> 00:09:40,093
‫and so that's 10 and then we need it in milliseconds.

157
00:09:41,270 --> 00:09:46,270
‫Times 60 for seconds and then times 1000 for milliseconds.

158
00:09:49,124 --> 00:09:52,320
‫And then I also want to return the plain text token

159
00:09:52,320 --> 00:09:54,770
‫because that's actually the one that we're gonna send

160
00:09:54,770 --> 00:09:55,783
‫through the email.

161
00:09:58,080 --> 00:10:01,863
‫Return reset token.

162
00:10:06,345 --> 00:10:08,860
‫We need to send via email

163
00:10:08,860 --> 00:10:11,660
‫the unencrypted reset token because otherwise

164
00:10:11,660 --> 00:10:14,503
‫it wouldn't make much sense to encrypt it at all.

165
00:10:15,430 --> 00:10:17,090
‫If the token that was in the database

166
00:10:17,090 --> 00:10:19,290
‫was the exact same that we could use

167
00:10:19,290 --> 00:10:20,980
‫to actually change the password,

168
00:10:20,980 --> 00:10:23,643
‫well then that wouldn't be any encryption at all.

169
00:10:24,640 --> 00:10:26,417
‫We sent one token via email

170
00:10:26,417 --> 00:10:29,420
‫and then we have the encrypted version in our database.

171
00:10:29,420 --> 00:10:32,210
‫And that encrypted one is then basically useless

172
00:10:32,210 --> 00:10:34,050
‫to change the password.

173
00:10:34,050 --> 00:10:36,250
‫It's just like when we're saving only the

174
00:10:36,250 --> 00:10:39,470
‫encrypted password itself to the database,

175
00:10:39,470 --> 00:10:43,230
‫just like we did up here,

176
00:10:43,230 --> 00:10:46,967
‫So where we encrypted the password using bcrypt.

177
00:10:48,439 --> 00:10:51,100
‫Keep in mind that the only ever save

178
00:10:51,100 --> 00:10:53,680
‫sensitive data in an encrypted form

179
00:10:53,680 --> 00:10:56,620
‫and then compare it with the encrypted version

180
00:10:56,620 --> 00:10:57,770
‫that's in the database.

181
00:11:00,385 --> 00:11:02,500
‫That's just log these two to the console

182
00:11:02,500 --> 00:11:06,730
‫that will make our lives a bit easier down the road.

183
00:11:06,730 --> 00:11:09,630
‫Let's say reset token

184
00:11:10,470 --> 00:11:11,440
‫and I'm logging in here

185
00:11:11,440 --> 00:11:14,930
‫as an object because this way, it will then actually

186
00:11:14,930 --> 00:11:17,803
‫tell me the variable name along with its value.

187
00:11:20,210 --> 00:11:25,153
‫And then the same with this dot password reset token.

188
00:11:28,030 --> 00:11:29,880
‫This one doesn't really work

189
00:11:29,880 --> 00:11:32,340
‫with writing object, this new ES6 way

190
00:11:32,340 --> 00:11:34,140
‫and let's just leave it at this.

191
00:11:36,550 --> 00:11:38,080
‫Anyway, let's just come back here

192
00:11:38,080 --> 00:11:40,153
‫and then use that function.

193
00:11:41,660 --> 00:11:44,930
‫So remember how we returned the reset token,

194
00:11:44,930 --> 00:11:46,653
‫and let's store that here.

195
00:11:48,040 --> 00:11:52,873
‫So reset token is equal to user dot set

196
00:11:54,370 --> 00:11:56,373
‫and I'm not sure of the name anymore.

197
00:11:58,500 --> 00:12:00,560
‫Create password reset token,

198
00:12:00,560 --> 00:12:01,633
‫so that's a long one.

199
00:12:03,430 --> 00:12:06,240
‫All right and so that is done,

200
00:12:06,240 --> 00:12:09,460
‫but actually what we did was just to modify

201
00:12:09,460 --> 00:12:10,943
‫the data in here.

202
00:12:12,780 --> 00:12:16,580
‫When we set this dot password expires for example

203
00:12:16,580 --> 00:12:19,040
‫to this value, we did in fact

204
00:12:19,040 --> 00:12:20,880
‫not really update the document.

205
00:12:20,880 --> 00:12:22,063
‫We did not save it.

206
00:12:23,100 --> 00:12:24,880
‫We really just modify it,

207
00:12:24,880 --> 00:12:27,563
‫but now we then need to save it.

208
00:12:29,950 --> 00:12:34,653
‫Let's say await user dot save.

209
00:12:36,750 --> 00:12:39,583
‫But watch what happens as we now use this.

210
00:12:43,910 --> 00:12:46,463
‫Let's just grab this one here.

211
00:12:50,980 --> 00:12:53,080
‫This is the route that we did find before.

212
00:12:54,440 --> 00:12:57,750
‫And now we get this route is not yet defined.

213
00:12:57,750 --> 00:12:59,413
‫Let's see why that is.

214
00:13:00,290 --> 00:13:04,740
‫In the user route, we clearly have the same url here,

215
00:13:04,740 --> 00:13:08,463
‫but I see that we actually need to do a post request.

216
00:13:09,390 --> 00:13:13,380
‫All right, okay, but now we get an error

217
00:13:13,380 --> 00:13:16,200
‫saying please provide email and password.

218
00:13:16,200 --> 00:13:18,320
‫And so that's what I meant when I said

219
00:13:18,320 --> 00:13:20,343
‫watch what happens when you try this.

220
00:13:21,990 --> 00:13:25,330
‫That happens because we're trying to save a document,

221
00:13:25,330 --> 00:13:28,860
‫but we do not specify all of the mandatory data,

222
00:13:28,860 --> 00:13:31,453
‫so the fields that we marked as required.

223
00:13:32,502 --> 00:13:34,683
‫Let's quickly fix that.

224
00:13:35,848 --> 00:13:38,888
‫All we need to do is to actually pass a special option

225
00:13:38,888 --> 00:13:41,643
‫into this user dot save method.

226
00:13:43,140 --> 00:13:43,973
‫We say

227
00:13:47,210 --> 00:13:48,720
‫validate before save

228
00:13:49,890 --> 00:13:51,293
‫set to false.

229
00:13:52,332 --> 00:13:55,260
‫This will then deactivate all the validaters

230
00:13:55,260 --> 00:13:56,993
‫that we specified in our schema.

231
00:13:58,540 --> 00:14:01,100
‫It's these small things that you need to know

232
00:14:01,100 --> 00:14:02,800
‫that will make all the difference.

233
00:14:03,790 --> 00:14:06,570
‫Now I also didn't actually know that this existed

234
00:14:06,570 --> 00:14:09,170
‫because no one really knows all of the stuff.

235
00:14:09,170 --> 00:14:10,260
‫It's impossible.

236
00:14:10,260 --> 00:14:13,010
‫A library like Mongoose is simply way too big

237
00:14:13,010 --> 00:14:14,833
‫for you to know everything there is.

238
00:14:16,010 --> 00:14:19,020
‫I went ahead and read the Mongoose documentation

239
00:14:19,020 --> 00:14:22,710
‫and so that's where I found this extremely helpful option.

240
00:14:22,710 --> 00:14:25,050
‫All of this just to say that again,

241
00:14:25,050 --> 00:14:26,520
‫no one knows everything

242
00:14:26,520 --> 00:14:28,520
‫and so it's really a good habit to

243
00:14:28,520 --> 00:14:29,960
‫if you run into some problems

244
00:14:29,960 --> 00:14:31,830
‫to take a look at the documentation

245
00:14:31,830 --> 00:14:34,210
‫for the library that you're using.

246
00:14:34,210 --> 00:14:35,963
‫Let's take a look at this now.

247
00:14:39,410 --> 00:14:42,260
‫And we still get the same error here,

248
00:14:42,260 --> 00:14:43,890
‫but I see down here that it's actually

249
00:14:43,890 --> 00:14:45,883
‫coming from the login function.

250
00:14:48,210 --> 00:14:50,573
‫Let's take a look at what's going on here.

251
00:14:51,490 --> 00:14:54,550
‫Let's take a look at the routes also.

252
00:14:54,550 --> 00:14:56,343
‫Ah, okay, so here's the problem.

253
00:14:57,610 --> 00:14:59,420
‫We are now trying to call

254
00:14:59,420 --> 00:15:02,170
‫the login handler, which of course, doesn't make sense.

255
00:15:03,660 --> 00:15:05,790
‫Here it's forgot password.

256
00:15:05,790 --> 00:15:07,633
‫Here it's reset password.

257
00:15:08,850 --> 00:15:12,290
‫And so the error that we got before was actually not because

258
00:15:12,290 --> 00:15:13,463
‫of the validation.

259
00:15:16,312 --> 00:15:17,980
‫Let's send this again

260
00:15:17,980 --> 00:15:20,100
‫and now we get the error that there is no user

261
00:15:20,100 --> 00:15:21,420
‫with this email address

262
00:15:21,420 --> 00:15:24,140
‫and so that's because we didn't specify

263
00:15:24,140 --> 00:15:26,103
‫any email address in the body.

264
00:15:28,390 --> 00:15:29,680
‫We tested that

265
00:15:29,680 --> 00:15:32,300
‫and so now it's time to actually test it

266
00:15:32,300 --> 00:15:34,093
‫with a user email.

267
00:15:43,409 --> 00:15:44,440
‫All right.

268
00:15:44,440 --> 00:15:46,380
‫And so now it shouldn't actually do anything

269
00:15:46,380 --> 00:15:49,320
‫because we're not sending back any response.

270
00:15:49,320 --> 00:15:50,700
‫Let's just cancel this

271
00:15:50,700 --> 00:15:52,540
‫because all I was really interested in

272
00:15:52,540 --> 00:15:55,227
‫is to see these tokens here

273
00:15:55,227 --> 00:15:57,830
‫and then also to take a look at the user object.

274
00:15:57,830 --> 00:16:01,050
‫This here is the original reset token,

275
00:16:01,050 --> 00:16:04,150
‫so you see it's a random hexadecimal string

276
00:16:04,150 --> 00:16:06,593
‫and then we got the encrypted one in here.

277
00:16:07,840 --> 00:16:11,330
‫This remember is the one that should not be in the database,

278
00:16:11,330 --> 00:16:13,663
‫so ending in a901.

279
00:16:14,930 --> 00:16:16,230
‫Let's take a look at that.

280
00:16:18,410 --> 00:16:20,460
‫And indeed, here it is,

281
00:16:20,460 --> 00:16:24,740
‫password reset token ending in this a901.

282
00:16:24,740 --> 00:16:28,960
‫And also the date, which is in fact 10 minutes from now.

283
00:16:28,960 --> 00:16:31,753
‫Now you know at what time I'm recording this video.

284
00:16:33,130 --> 00:16:35,340
‫Anyway, but this worked just fine.

285
00:16:35,340 --> 00:16:37,890
‫And so this is actually the first part

286
00:16:37,890 --> 00:16:41,561
‫of creating this password reset functionality.

287
00:16:41,561 --> 00:16:43,140
‫In the next video, we will then

288
00:16:43,140 --> 00:16:46,840
‫send this token here via email to the user

289
00:16:46,840 --> 00:16:49,500
‫and so actually prepared a separate video

290
00:16:49,500 --> 00:16:52,370
‫only for learning how to actually send email with

291
00:16:52,370 --> 00:16:53,470
‫node to js.

292
00:16:53,470 --> 00:16:55,100
‫That's a very fun one

293
00:16:55,100 --> 00:16:58,363
‫so don't wait to move there right away.