1
00:00:01,210 --> 00:00:04,650
‫And now let's finally create the last part

2
00:00:04,650 --> 00:00:07,010
‫of the Password Reset Functionality,

3
00:00:07,010 --> 00:00:10,593
‫where we actually set the new password for the user.

4
00:00:12,250 --> 00:00:15,900
‫And so, just like before, let's start by defining the steps

5
00:00:15,900 --> 00:00:19,713
‫that we're gonna take for this resetPassword flow.

6
00:00:21,240 --> 00:00:26,240
‫So, first off, get user based on the token.

7
00:00:30,350 --> 00:00:35,350
‫Then as the second step, we will set the new password

8
00:00:35,890 --> 00:00:40,153
‫but only if token has not expired,

9
00:00:42,070 --> 00:00:44,040
‫and there is a user.

10
00:00:44,040 --> 00:00:48,633
‫So in that case, set the new password.

11
00:00:51,580 --> 00:00:55,250
‫Then after that, we need to update

12
00:00:57,210 --> 00:01:01,000
‫the changedPasswordAt property

13
00:01:04,080 --> 00:01:05,403
‫for the current user,

14
00:01:07,320 --> 00:01:10,533
‫and then finally, as is usual in this functionality,

15
00:01:11,680 --> 00:01:12,853
‫is to log the user in.

16
00:01:14,010 --> 00:01:18,840
‫Basically, send the JSON Web Token to the client.

17
00:01:18,840 --> 00:01:22,733
‫Okay, so a lot of work to do, and so let's get started.

18
00:01:23,950 --> 00:01:27,493
‫And so, remember from the last video, that the reset token

19
00:01:27,493 --> 00:01:30,450
‫that is actually sent in the URL

20
00:01:30,450 --> 00:01:33,110
‫is this non-encrypted token here.

21
00:01:33,110 --> 00:01:34,723
‫So, actually this one.

22
00:01:35,570 --> 00:01:37,810
‫But the one that we have in the database

23
00:01:37,810 --> 00:01:39,680
‫is the encrypted one.

24
00:01:39,680 --> 00:01:42,580
‫So we talked about that before, and so what we now

25
00:01:42,580 --> 00:01:44,910
‫need to do, is to basically encrypt

26
00:01:44,910 --> 00:01:46,630
‫the original token again,

27
00:01:46,630 --> 00:01:49,240
‫so we can then compare it with the one that is stored,

28
00:01:49,240 --> 00:01:51,433
‫so the encrypted one in the database.

29
00:01:52,870 --> 00:01:55,110
‫So, we actually did something similar before

30
00:01:55,110 --> 00:01:57,890
‫with the password, but with the password,

31
00:01:57,890 --> 00:02:01,010
‫we couldn't compare it as easily as we can with this one,

32
00:02:01,010 --> 00:02:02,650
‫again because for the password

33
00:02:02,650 --> 00:02:05,770
‫we used the quite complex bcrypt algorithm,

34
00:02:05,770 --> 00:02:07,490
‫which in this case, we didn't.

35
00:02:07,490 --> 00:02:09,750
‫So, here it's very straightforward.

36
00:02:09,750 --> 00:02:13,040
‫All we need to do again, is to encrypt the token

37
00:02:13,040 --> 00:02:17,390
‫and compare it with the encrypted one in the database.

38
00:02:17,390 --> 00:02:22,390
‫So, let's say hashedToken, and so we will actually now

39
00:02:23,670 --> 00:02:26,813
‫need the crypto package here as well.

40
00:02:31,730 --> 00:02:36,167
‫Const crypto and then require('crypto').

41
00:02:41,280 --> 00:02:42,123
‫Now right.

42
00:02:43,780 --> 00:02:47,593
‫Then let's go back, and so,

43
00:02:48,750 --> 00:02:51,610
‫we use crypto.createHash.

44
00:02:53,070 --> 00:02:57,973
‫Remember, then the name of the algorithm again, sha256,

45
00:02:58,910 --> 00:03:03,910
‫then .update, basically for the place, for the string

46
00:03:04,140 --> 00:03:06,040
‫that we want to hash.

47
00:03:06,040 --> 00:03:10,110
‫And so, that one is, remember in req.params.

48
00:03:10,110 --> 00:03:14,083
‫So we then use this one for a long time .token.

49
00:03:15,060 --> 00:03:17,950
‫And so again, it is a parameter,

50
00:03:17,950 --> 00:03:22,233
‫because we specified so here in the URL, so like this.

51
00:03:23,250 --> 00:03:26,470
‫So, it's now a parameter called token.

52
00:03:26,470 --> 00:03:31,470
‫And so, of course, here it's req.params.token.

53
00:03:31,804 --> 00:03:34,790
‫And then, finally, we also need to say digest

54
00:03:36,840 --> 00:03:38,633
‫and convert it to hexadecimal.

55
00:03:40,380 --> 00:03:42,760
‫Now this is basically the same

56
00:03:42,760 --> 00:03:46,180
‫as we had before, where we encrypted the original one,

57
00:03:46,180 --> 00:03:49,520
‫and so we could refactor this into its own function,

58
00:03:49,520 --> 00:03:51,693
‫but let's just keep it simple here.

59
00:03:54,240 --> 00:03:58,930
‫So, now let's actually get the user based on this token.

60
00:03:58,930 --> 00:04:01,060
‫Because that is actually, the only thing

61
00:04:01,060 --> 00:04:03,530
‫that we know about the user right now.

62
00:04:03,530 --> 00:04:07,080
‫We have no email, we have nothing, so this token

63
00:04:07,080 --> 00:04:10,130
‫is the only thing that can identify the user.

64
00:04:10,130 --> 00:04:12,520
‫And so we can now, basically, query the database

65
00:04:12,520 --> 00:04:14,170
‫for this token.

66
00:04:14,170 --> 00:04:17,303
‫And it will then find the user which has this token.

67
00:04:19,230 --> 00:04:24,230
‫So, await, as we already know, and then User.findOne.

68
00:04:27,790 --> 00:04:31,213
‫So, that property is called passwordResetToken

69
00:04:32,090 --> 00:04:36,117
‫and we are looking for the hashedToken.

70
00:04:37,940 --> 00:04:42,220
‫And now of course, we need to declare it as async

71
00:04:43,150 --> 00:04:44,643
‫and prep it into catchAsync.

72
00:04:48,557 --> 00:04:51,810
‫Give it a save, that should fix this bug,

73
00:04:51,810 --> 00:04:53,950
‫and indeed it does.

74
00:04:53,950 --> 00:04:56,950
‫So, this will find user who has the token

75
00:04:56,950 --> 00:04:59,100
‫that will send via URL.

76
00:04:59,100 --> 00:05:00,910
‫But, right now, we're not taking

77
00:05:00,910 --> 00:05:04,090
‫the token expiration date into consideration.

78
00:05:04,090 --> 00:05:06,000
‫And so how could we do that?

79
00:05:06,000 --> 00:05:09,020
‫Well, basically, what we want is to check

80
00:05:09,020 --> 00:05:11,860
‫if the passwordResetExpires property

81
00:05:11,860 --> 00:05:13,723
‫is greater than right now.

82
00:05:14,890 --> 00:05:17,350
‫Because if the expires date is greater than now,

83
00:05:17,350 --> 00:05:20,420
‫it means it's in the future, which in turn means,

84
00:05:20,420 --> 00:05:22,313
‫that it hasn't yet expired.

85
00:05:23,180 --> 00:05:24,850
‫And so, that's a very easy way

86
00:05:24,850 --> 00:05:28,343
‫in which we can actually do this right with this query.

87
00:05:30,619 --> 00:05:32,702
‫So, passwordResetExpires,

88
00:05:35,170 --> 00:05:37,460
‫which is where that date is stored,

89
00:05:37,460 --> 00:05:38,840
‫and now all we need to check

90
00:05:38,840 --> 00:05:41,470
‫if it is actually greater than right now.

91
00:05:41,470 --> 00:05:45,440
‫And so we know how to do that already with MongoDB, right?

92
00:05:45,440 --> 00:05:50,110
‫So, new object and then the greater operator

93
00:05:50,110 --> 00:05:53,737
‫and then what we want to compare it with is Date.now,

94
00:05:56,310 --> 00:05:59,410
‫and this will actually be a timestamp of right now,

95
00:05:59,410 --> 00:06:02,900
‫but behind the scenes, MongoDB will then convert everything

96
00:06:02,900 --> 00:06:05,170
‫to the same, and therefore be able

97
00:06:05,170 --> 00:06:06,520
‫to compare them accurately.

98
00:06:08,070 --> 00:06:10,440
‫And so with this we can, at the same time,

99
00:06:10,440 --> 00:06:14,120
‫find the user for the token and also check if the token

100
00:06:14,120 --> 00:06:16,370
‫has not yet expired.

101
00:06:16,370 --> 00:06:18,190
‫So, great.

102
00:06:18,190 --> 00:06:21,190
‫So, next up we want to, of course, send an error

103
00:06:21,190 --> 00:06:25,530
‫if there is no user, or basically, if the token has expired.

104
00:06:25,530 --> 00:06:27,230
‫But that's, in this case, the same,

105
00:06:27,230 --> 00:06:30,500
‫because if the token has expired, well then it will simply

106
00:06:30,500 --> 00:06:32,513
‫not return any user.

107
00:06:33,956 --> 00:06:37,730
‫And so all we need to do is to say, if no user,

108
00:06:38,970 --> 00:06:43,970
‫well then, as always, return next, that's not mext.

109
00:06:47,920 --> 00:06:51,910
‫So new AppError, and let's say

110
00:06:51,910 --> 00:06:56,793
‫Token is invalid or has expired.

111
00:06:59,850 --> 00:07:02,853
‫And then 400, so bad request.

112
00:07:04,140 --> 00:07:07,050
‫And so then, if there is no error,

113
00:07:07,050 --> 00:07:09,400
‫and if next is not called,

114
00:07:09,400 --> 00:07:12,160
‫well then let's actually set the password.

115
00:07:12,160 --> 00:07:15,550
‫So, we already got the user and now it's very simple:

116
00:07:15,550 --> 00:07:20,550
‫user.password is equal to req.body.password.

117
00:07:24,880 --> 00:07:28,140
‫And that's because we will of course, send the password

118
00:07:28,140 --> 00:07:31,713
‫and also passwordConfirm via the body.

119
00:07:33,551 --> 00:07:34,701
‫So let's duplicate that

120
00:07:37,870 --> 00:07:39,553
‫and passwordConfirm as well.

121
00:07:41,425 --> 00:07:44,630
‫And then also, let's basically delete the reset token

122
00:07:44,630 --> 00:07:45,733
‫and the expired.

123
00:07:46,800 --> 00:07:51,800
‫So passwordResetToken, so just like we did before,

124
00:07:52,040 --> 00:07:57,037
‫we set it to undefined, and now user.password expires

125
00:07:59,510 --> 00:08:01,160
‫equals to undefined.

126
00:08:01,160 --> 00:08:02,220
‫All right.

127
00:08:02,220 --> 00:08:04,350
‫And again, of course, we now need to save it,

128
00:08:04,350 --> 00:08:07,000
‫because this only modifies the document,

129
00:08:07,000 --> 00:08:08,410
‫it doesn't really update.

130
00:08:08,410 --> 00:08:09,973
‫So it doesn't really save it.

131
00:08:11,200 --> 00:08:15,503
‫So, await user.save.

132
00:08:17,500 --> 00:08:20,350
‫And in this case, we actually don't have to turn off

133
00:08:20,350 --> 00:08:24,340
‫the validators, because indeed we want to validate.

134
00:08:24,340 --> 00:08:27,620
‫For example, we want the validator to confirm

135
00:08:27,620 --> 00:08:31,440
‫if the password is equal to passwordConfirm.

136
00:08:31,440 --> 00:08:33,380
‫And so that validator automatically

137
00:08:33,380 --> 00:08:35,033
‫does all that work for us.

138
00:08:36,800 --> 00:08:39,390
‫Then the third step, what we're gonna do actually

139
00:08:39,390 --> 00:08:42,030
‫in the end, and so what we're gonna do next

140
00:08:42,030 --> 00:08:43,990
‫is to basically lock the user in.

141
00:08:43,990 --> 00:08:47,400
‫So in other words, send the JSON Web Token.

142
00:08:47,400 --> 00:08:51,930
‫And let's get that code from here, so this one.

143
00:08:51,930 --> 00:08:53,770
‫And again, we're already doing this here

144
00:08:53,770 --> 00:08:55,700
‫in three different places.

145
00:08:55,700 --> 00:08:59,280
‫So here in the login, also in signup,

146
00:08:59,280 --> 00:09:01,400
‫and now for the third time, down here.

147
00:09:01,400 --> 00:09:05,170
‫And so, sometime in the future, we will refactor that

148
00:09:05,170 --> 00:09:06,383
‫into its own function.

149
00:09:07,230 --> 00:09:09,673
‫But for now, we're good like this.

150
00:09:11,180 --> 00:09:14,743
‫And so, let's actually now go ahead and test this.

151
00:09:16,710 --> 00:09:19,020
‫So this reset token that we had before

152
00:09:19,020 --> 00:09:22,080
‫has already expired, and so we need to ask

153
00:09:22,080 --> 00:09:24,640
‫for a new one, basically.

154
00:09:24,640 --> 00:09:29,490
‫So let's come to Postman and hit our forget password route.

155
00:09:29,490 --> 00:09:32,120
‫Let's just reduce the clutter here

156
00:09:32,120 --> 00:09:36,350
‫and get rid of all of these open tabs

157
00:09:36,350 --> 00:09:37,500
‫that we no longer need.

158
00:09:38,910 --> 00:09:41,150
‫Actually here we're gonna need this test

159
00:09:43,480 --> 00:09:45,270
‫for this Reset Password,

160
00:09:45,270 --> 00:09:48,210
‫because remember, that this one actually gets back

161
00:09:48,210 --> 00:09:51,540
‫a JSON Web Token, and so we want to save that

162
00:09:51,540 --> 00:09:52,890
‫into the environment variable,

163
00:09:52,890 --> 00:09:54,830
‫just like we did with all the others.

164
00:09:54,830 --> 00:09:58,373
‫So I'm doing that now, just so that I don't forget it.

165
00:10:00,550 --> 00:10:04,100
‫All right, anyway, let's start with, basically,

166
00:10:04,100 --> 00:10:05,690
‫forgetting the password.

167
00:10:05,690 --> 00:10:08,620
‫So sending that request out, which again,

168
00:10:08,620 --> 00:10:10,750
‫takes some times because of sending the email,

169
00:10:10,750 --> 00:10:14,947
‫but here we go, and let's now go to our email,

170
00:10:16,880 --> 00:10:19,463
‫and so that just arrived a few seconds ago.

171
00:10:20,670 --> 00:10:24,890
‫So, it is this, of course, this token.

172
00:10:24,890 --> 00:10:29,890
‫So let's grab it, copy it and now back to Postman,

173
00:10:31,060 --> 00:10:34,303
‫we use it in the Reset Password, as the URL.

174
00:10:35,750 --> 00:10:37,253
‫Okay, make sense?

175
00:10:38,250 --> 00:10:41,603
‫So again, we're sending that token right in the URL.

176
00:10:43,600 --> 00:10:45,730
‫Then here, let's specify the body,

177
00:10:45,730 --> 00:10:49,453
‫because now, we need to actually specify our new password.

178
00:10:53,720 --> 00:10:57,843
‫So password and let's say newpass.

179
00:11:01,650 --> 00:11:03,050
‫And then...

180
00:11:05,950 --> 00:11:07,450
‫And here let's call it something else,

181
00:11:07,450 --> 00:11:10,263
‫because for now, I actually want to see an error.

182
00:11:11,480 --> 00:11:14,727
‫And of course, this is called passwordConfirm.

183
00:11:17,360 --> 00:11:20,393
‫So let's see what happens when we try to do this.

184
00:11:23,240 --> 00:11:27,080
‫Let's wait for it, and we get password is shorter

185
00:11:27,080 --> 00:11:29,640
‫than the minimum allowed length.

186
00:11:29,640 --> 00:11:34,480
‫Okay, so let's change that, 123, and here let's say 1234.

187
00:11:36,090 --> 00:11:37,740
‫So I want them to be different.

188
00:11:37,740 --> 00:11:40,630
‫But you see that the validation here worked just fine,

189
00:11:40,630 --> 00:11:43,273
‫even when updating the password with save.

190
00:11:45,610 --> 00:11:48,800
‫So, and now we get Passwords are not the same!

191
00:11:48,800 --> 00:11:50,960
‫So again, that's a validation error.

192
00:11:50,960 --> 00:11:53,430
‫And remember, actually, that this is the whole reason

193
00:11:53,430 --> 00:11:56,213
‫why we need to use save and not update.

194
00:11:57,206 --> 00:11:59,090
‫So before, for updating tours,

195
00:11:59,090 --> 00:12:03,220
‫we used to use findOneAndUpdate, but now,

196
00:12:03,220 --> 00:12:06,820
‫for everything related to passwords and to the user,

197
00:12:06,820 --> 00:12:10,110
‫we always use save, because we always want to run

198
00:12:10,110 --> 00:12:12,580
‫all the validators, and above all,

199
00:12:12,580 --> 00:12:14,450
‫the save middleware functions.

200
00:12:14,450 --> 00:12:18,293
‫So, for example, the ones where the passwords are encrypted.

201
00:12:20,400 --> 00:12:21,610
‫So let's end it now.

202
00:12:21,610 --> 00:12:25,030
‫Oh, I didn't actually correct it, sorry for that.

203
00:12:25,030 --> 00:12:28,230
‫And but now it should actually work.

204
00:12:28,230 --> 00:12:32,870
‫And indeed, we get success, and we get a new token.

205
00:12:32,870 --> 00:12:36,600
‫So great, let's see if this token is actually valid.

206
00:12:36,600 --> 00:12:40,973
‫So if we can, get all the tours using this brand new token.

207
00:12:43,870 --> 00:12:46,210
‫And here we go.

208
00:12:46,210 --> 00:12:51,000
‫So, our new token actually works, and now for this user,

209
00:12:51,000 --> 00:12:53,990
‫so for hello@jonas, these two properties

210
00:12:53,990 --> 00:12:56,190
‫should actually be gone.

211
00:12:56,190 --> 00:12:59,760
‫So the password expires and the token should be gone,

212
00:12:59,760 --> 00:13:03,550
‫since, well, since that's what we did in our code.

213
00:13:03,550 --> 00:13:06,760
‫And so, yeah, they are no longer here.

214
00:13:06,760 --> 00:13:10,210
‫Now all we need to do actually, is this missing step here,

215
00:13:10,210 --> 00:13:12,690
‫which is to update the passwordAt property

216
00:13:13,610 --> 00:13:14,773
‫for this current user.

217
00:13:15,680 --> 00:13:17,260
‫But that shouldn't be all too hard,

218
00:13:17,260 --> 00:13:20,690
‫and so let's quickly go back to the userModel,

219
00:13:20,690 --> 00:13:24,550
‫which is where we are gonna do that using middleware.

220
00:13:24,550 --> 00:13:26,800
‫And let's actually put all the middleware

221
00:13:26,800 --> 00:13:29,023
‫together here at the top.

222
00:13:32,241 --> 00:13:35,408
‫So, userSchema.pre and again dot save,

223
00:13:38,830 --> 00:13:42,763
‫and then a function with next.

224
00:13:44,850 --> 00:13:47,010
‫Again, this function here is gonna run

225
00:13:47,010 --> 00:13:50,890
‫right before a new document is actually saved.

226
00:13:50,890 --> 00:13:52,220
‫And so, it's the perfect place

227
00:13:52,220 --> 00:13:54,880
‫for actually specifying this property.

228
00:13:54,880 --> 00:13:57,480
‫And I could, of course, have done it in a controller

229
00:13:58,820 --> 00:14:01,133
‫right next to here to this code, for example.

230
00:14:02,310 --> 00:14:05,853
‫But I really want this to happen, kind of, automatically.

231
00:14:06,740 --> 00:14:08,700
‫So, kind of behind the scenes.

232
00:14:08,700 --> 00:14:11,350
‫Because later on, we will have another place

233
00:14:11,350 --> 00:14:15,290
‫where we update the password and then we would make sure

234
00:14:15,290 --> 00:14:17,410
‫that we're including the same code there.

235
00:14:17,410 --> 00:14:19,300
‫And like this, again, it happens,

236
00:14:19,300 --> 00:14:20,640
‫kind of, behind the scenes,

237
00:14:20,640 --> 00:14:23,810
‫without us having to worry about it at all.

238
00:14:23,810 --> 00:14:26,600
‫Now, when exactly do we actually want to set the

239
00:14:26,600 --> 00:14:30,630
‫passwordChangedAt property to right now?

240
00:14:30,630 --> 00:14:33,450
‫Well we only want it when we actually modified

241
00:14:33,450 --> 00:14:34,660
‫the password property.

242
00:14:34,660 --> 00:14:37,290
‫And I'm not sure if we used this trick before,

243
00:14:37,290 --> 00:14:39,660
‫but anyway, let's use it now.

244
00:14:39,660 --> 00:14:44,660
‫So if we have not modified, so if not this.isModified,

245
00:14:47,620 --> 00:14:49,100
‫so just like this,

246
00:14:49,100 --> 00:14:53,070
‫and then the name of the property, so password.

247
00:14:53,070 --> 00:14:56,380
‫So in that case, return right away

248
00:14:57,270 --> 00:14:59,360
‫and run the next middleware.

249
00:14:59,360 --> 00:15:02,823
‫Okay, not like this, but like this.

250
00:15:04,380 --> 00:15:07,770
‫So again, if we didn't modify the password property,

251
00:15:07,770 --> 00:15:08,770
‫well then of course,

252
00:15:08,770 --> 00:15:12,970
‫do not manipulate the passwordChangedAt.

253
00:15:12,970 --> 00:15:15,860
‫But what about creating new document?

254
00:15:15,860 --> 00:15:18,010
‫Well, when we create a new document,

255
00:15:18,010 --> 00:15:20,150
‫then we did actually modify the password,

256
00:15:20,150 --> 00:15:24,350
‫and then we would set the passwordChangedAt property, right?

257
00:15:24,350 --> 00:15:27,260
‫Well, in the current implementation we actually would.

258
00:15:27,260 --> 00:15:29,860
‫But there is something else that we can use here.

259
00:15:29,860 --> 00:15:32,950
‫So, basically, we want to exit this middleware function

260
00:15:32,950 --> 00:15:36,630
‫right away, if the password has not been modified

261
00:15:36,630 --> 00:15:40,274
‫or if the document is new, and so we can use

262
00:15:40,274 --> 00:15:41,633
‫the isNew property.

263
00:15:42,700 --> 00:15:46,210
‫And again, this is one of these very nice things

264
00:15:46,210 --> 00:15:48,290
‫that are learned by reading your documentation.

265
00:15:48,290 --> 00:15:52,010
‫And so, I cannot stress enough how important it is

266
00:15:52,010 --> 00:15:55,160
‫to really read the documentations when you need something

267
00:15:55,160 --> 00:15:56,870
‫that you cannot find anywhere.

268
00:15:56,870 --> 00:15:59,010
‫Because, there really is so much stuff in there

269
00:15:59,010 --> 00:16:02,983
‫that is completely impossible to teach in one course.

270
00:16:04,810 --> 00:16:08,500
‫Anyway, if the code passes this verification here,

271
00:16:08,500 --> 00:16:10,830
‫well, then let's very simply say,

272
00:16:10,830 --> 00:16:14,217
‫this.passwordChangedAt = Date.now.

273
00:16:18,660 --> 00:16:22,303
‫And then, we call next.

274
00:16:23,640 --> 00:16:26,300
‫Now, in theory, this should work just fine,

275
00:16:26,300 --> 00:16:27,590
‫but actually, in practice,

276
00:16:27,590 --> 00:16:30,160
‫sometimes a small problem happens.

277
00:16:30,160 --> 00:16:33,580
‫And that problem is that sometimes saving to the database

278
00:16:33,580 --> 00:16:37,440
‫is a bit slower than issuing the JSON Web Token,

279
00:16:37,440 --> 00:16:40,460
‫making it so that the changed password timestamp

280
00:16:40,460 --> 00:16:42,560
‫is sometimes set a bit after

281
00:16:42,560 --> 00:16:45,280
‫the JSON Web Token has been created.

282
00:16:45,280 --> 00:16:48,000
‫And so that will then make it so that the user

283
00:16:48,000 --> 00:16:51,120
‫will not be able to log in using the new token.

284
00:16:51,120 --> 00:16:54,570
‫Because, remember, the whole reason this timestamp here

285
00:16:54,570 --> 00:16:57,660
‫actually exists, is so that we can compare it

286
00:16:57,660 --> 00:17:01,200
‫with the timestamp on the JSON Web Token, right?

287
00:17:01,200 --> 00:17:04,353
‫So, just to remember,

288
00:17:05,930 --> 00:17:10,930
‫it is, well, so right here, where we check if the user

289
00:17:11,560 --> 00:17:15,170
‫has changed the password after the token was issued.

290
00:17:15,170 --> 00:17:18,920
‫And so, down here, where we then created this new token

291
00:17:18,920 --> 00:17:21,010
‫in reset password.

292
00:17:21,010 --> 00:17:24,170
‫So right here, remember, we create this new token,

293
00:17:24,170 --> 00:17:27,770
‫and so again, sometimes it happens that this token

294
00:17:27,770 --> 00:17:31,500
‫is created a bit before the changed password timestamp

295
00:17:31,500 --> 00:17:33,960
‫has actually been created.

296
00:17:33,960 --> 00:17:38,960
‫And so, we just need to fix that by subtracting one second.

297
00:17:39,610 --> 00:17:42,733
‫So, basically, a thousand milliseconds.

298
00:17:43,750 --> 00:17:47,670
‫And so that then will put the passwordChangedAt one second

299
00:17:47,670 --> 00:17:50,840
‫in the past, okay, which will then of course,

300
00:17:50,840 --> 00:17:54,500
‫not be 100% accurate, but that's not a problem at all,

301
00:17:54,500 --> 00:17:58,000
‫because one second here doesn't make any difference at all.

302
00:17:58,000 --> 00:18:01,213
‫It's a small hack, but again, it's no problem.

303
00:18:02,190 --> 00:18:06,190
‫So putting this passwordChanged one second in the past,

304
00:18:06,190 --> 00:18:08,920
‫will then ensure that the token is always created

305
00:18:08,920 --> 00:18:11,433
‫after the password has been changed.

306
00:18:13,290 --> 00:18:15,800
‫So, this works now, but as always,

307
00:18:15,800 --> 00:18:18,380
‫let's also quickly test it.

308
00:18:18,380 --> 00:18:21,060
‫Okay, so back to Postman.

309
00:18:21,060 --> 00:18:23,990
‫Let's do a new Reset Password,

310
00:18:23,990 --> 00:18:26,060
‫or actually, that's not what I wanted at all,

311
00:18:26,060 --> 00:18:28,400
‫but it's a great thing to see

312
00:18:28,400 --> 00:18:30,200
‫that the code is actually working.

313
00:18:30,200 --> 00:18:33,610
‫So, The token is invalid or has expired,

314
00:18:33,610 --> 00:18:35,999
‫and that's because, well, 10 minutes have passed

315
00:18:35,999 --> 00:18:38,640
‫since I actually created that token.

316
00:18:38,640 --> 00:18:41,240
‫And I think we hadn't yet tested this,

317
00:18:41,240 --> 00:18:45,043
‫and so it's great that it now accidentally, actually did it.

318
00:18:46,370 --> 00:18:50,160
‫So again, this comes, in case you're wondering

319
00:18:50,160 --> 00:18:51,493
‫what the hell happened,

320
00:18:53,840 --> 00:18:56,500
‫so that's of course this error message here.

321
00:18:56,500 --> 00:18:59,450
‫And so it means, that it didn't find any user

322
00:18:59,450 --> 00:19:03,216
‫which has this token or which has a token that is

323
00:19:03,216 --> 00:19:05,163
‫more than 10 minutes in the past.

324
00:19:06,600 --> 00:19:10,393
‫And so, indeed what I wanted to do, is forget password.

325
00:19:12,700 --> 00:19:14,073
‫So, let's wait for it.

326
00:19:18,000 --> 00:19:19,980
‫So 8.6 seconds,

327
00:19:19,980 --> 00:19:22,820
‫but that might be because of my internet connection.

328
00:19:22,820 --> 00:19:24,520
‫So if you run this on a server,

329
00:19:24,520 --> 00:19:26,373
‫it's probably gonna be a lot faster.

330
00:19:27,440 --> 00:19:31,900
‫So let's grab that here, back to Postman, and now

331
00:19:31,900 --> 00:19:36,740
‫we reset the password, again with this password,

332
00:19:36,740 --> 00:19:39,823
‫doesn't really matter if it's the same as the old one.

333
00:19:40,690 --> 00:19:43,580
‫And, so now we have our success here.

334
00:19:43,580 --> 00:19:45,193
‫And now back to Compass.

335
00:19:46,680 --> 00:19:51,210
‫Let's reload, and indeed, we get the passwordChangedAt.

336
00:19:51,210 --> 00:19:53,290
‫And so that is actually right now.

337
00:19:53,290 --> 00:19:57,220
‫And so, if we now tried to actually use this token,

338
00:19:57,220 --> 00:19:59,870
‫for example, to access this protected route,

339
00:19:59,870 --> 00:20:02,130
‫well then that should work because of that small,

340
00:20:02,130 --> 00:20:04,633
‫one second tag that we did.

341
00:20:06,090 --> 00:20:10,205
‫So, it did and so just like this, we actually now finished

342
00:20:10,205 --> 00:20:12,840
‫our Password Reset Functionality.

343
00:20:12,840 --> 00:20:16,400
‫So that was quite a bit of code, but of course,

344
00:20:16,400 --> 00:20:18,100
‫it's totally worth it.

345
00:20:18,100 --> 00:20:20,470
‫So, you should always offer this functionality

346
00:20:20,470 --> 00:20:22,874
‫in your web application, because otherwise,

347
00:20:22,874 --> 00:20:26,750
‫a user that forgets his password is completely screwed,

348
00:20:26,750 --> 00:20:29,140
‫they can non longer use your application,

349
00:20:29,140 --> 00:20:31,940
‫and so, that's of course a terrible practice.

350
00:20:31,940 --> 00:20:34,020
‫Anyway, this kind of finishes, already,

351
00:20:34,020 --> 00:20:38,520
‫the authentication and authorization part of this section.

352
00:20:38,520 --> 00:20:40,510
‫So again, it's quite complete

353
00:20:40,510 --> 00:20:43,250
‫and I had a lot of fun implementing this.

354
00:20:43,250 --> 00:20:46,341
‫So, this part for me is where web applications

355
00:20:46,341 --> 00:20:48,560
‫really start coming to life.

356
00:20:48,560 --> 00:20:51,280
‫I know that it's not really visible at this point,

357
00:20:51,280 --> 00:20:54,280
‫with all these, just tokens and copying tokens

358
00:20:54,280 --> 00:20:56,300
‫and paste them somewhere else.

359
00:20:56,300 --> 00:20:59,630
‫That's not the usual idea that we have of logging in,

360
00:20:59,630 --> 00:21:02,410
‫I know, but of course again, a bit later,

361
00:21:02,410 --> 00:21:05,430
‫when we finally start building the dynamic website,

362
00:21:05,430 --> 00:21:06,580
‫then we will of course,

363
00:21:06,580 --> 00:21:09,220
‫keep using this authentication that we just built

364
00:21:09,220 --> 00:21:13,350
‫and then it will also become visual on that dynamic website.

365
00:21:13,350 --> 00:21:16,833
‫Next up, we will implement functionality for updating

366
00:21:16,833 --> 00:21:19,620
‫the user and also deleting it,

367
00:21:19,620 --> 00:21:22,990
‫and after that, we will then also talk about security.

368
00:21:22,990 --> 00:21:25,800
‫So that's what's ahead for the rest of the section,

369
00:21:25,800 --> 00:21:28,323
‫so make sure not to miss that.