Check out a free preview of the full API Design in Node.js, v4 course:
The "Adding User Routes" Lesson is part of the full, API Design in Node.js, v4 course featured in this preview video. Here's what you'd learn in this lesson:

Scott adds the routes for creating a user and signing in a user. Both routes result in a JWT being returned if the request is completed successfully. The JWT can then be passed as a bearer token to the protected API routes.

Get Unlimited Access Now

Transcript from the "Adding User Routes" Lesson

>> Now, we need to actually create some routes and hook them up and see if they work. So let's head over to our, Server, let's do this as server. So in server, we'll just add this after our API. You can do before your API, it actually doesn't matter, because they don't collide.

[00:00:20] You know what that means when I say they don't collide? As in they don't have the same URL, so it's not like one's gonna run instead of the other one. They're never going to interact with each other. So it's totally fine, so I'm gonna make one for /, what did I call it here, your user.

[00:00:39] So app dot post, doesn't make a post request to user. So I'm creating a new user, I'm gonna put createnew, NewUser like that, and if you do to /signin/. I'm going to sign in like that. And you can see now, this is cool, because this whole router over here has this protective middleware that prevents you from accessing it without a JSON Web Token, but it doesn't apply to these two things.

[00:01:17] It only applies to this stack, this sub router, because that would suck to or you can't sign in until you already signed in. Or sorry, you can't make a new account, because you're not signed in, that wouldn't make any sense at all. Because if we put protect down here, that's what will happen.

[00:01:33] It's like, no, sorry, 401, you didn't send us a JSON Web Token. He's like, I never even signed up before. How would I have a JSON Web Token, right? That's literally what would happen. So let's see if we did this right or broke something. Stop my server, start my server.

[00:01:51] Didn't break on bootup, that's always a good sign. Then I'm going to go into Thunder Client, I'm going to make a post request to user. I'm gonna give it a name, username. I'll call the username scott, and password is admin. No one's gonna guessed that one. And I'm going to make sure, let me get rid of this odd stuff in here that I was playing around with earlier.

[00:02:25] I got some test stuff in there, okay, I think we're good here. So usually, make sure if you're using Thunder Client that you click on Body, you click on Json, and then you add your Json. So we know we need a username, because our request is looking for a wreck dot Body dot username racked up body dot password.

[00:02:46] So I added a username and a password, because that's what our API is asking for. Because that's the code that we wrote in our API, we're assuming you're passing us a username and a password on the body. Okay, I'm going to meet that assumption and I'm going to try to send this and see what breaks.

[00:03:05] Okay, it didn't break, it worked, cool. So we got back a token, and this is what a JSON Web Token looks like, that's a token. It's just weird string. This worked, we signed in. Another way to verify this, I'm gonna show you something really cool. If you open up a new terminal tab, and you type out npx prisma studio, hit Enter, and it's gonna open up this app.

[00:03:38] This app is a visual way for you to explore your database. So you can see here's all the models that I have, and user has one in there. Look at that, so if I go click on it, I can see that I have one user in here. And look, it's me, it's Scott and there's my hash password.

[00:03:57] And I have no products and that was created at this time. There's my ID, so this worked. I was able to sign in or sign up. Now, let us check that this JSON Web Token can get past the protect middleware on the API routes. Let's give it a try.

[00:04:18] So now, what I am gonna do is I am gonna copy to JSON Web Token, Like so, just a part in the string, it's multi line. I'm gonna make another request to API product. Which by the way, if I tried to make this request now, it's gonna break, right?

[00:04:37] Not valid token, because I didn't sit at JSON Web Token. So what I'm gonna do now is I'm gonna click on Off, and we have a Bearer Token here. I'm just gonna type in that. It's gonna drop in my JSON Web Token. I think Thunder Client by default, if you click on bearer, automatically puts the word bear in front of it.

[00:04:55] So you don't have to, but if you click on Headers yourself and add it, you will probably have to add the word bearer by default. I think it does this already. So now, we're try to make this request with a JSON Web Token. And if we did it right, it should allow me to get something back.

[00:05:11] So let's see, and it does. I get a 200. Message success, right, and just to show you, if I just get rid of this K, it's not a valid token. It's gonna break, but at the K back, wait, was it uppercase? I don't remember, it works. There it goes, Okay, so pretty secure API at this point.

[00:05:38] Okay, let's just check one more thing, let's make sure we can sign in, okay? So I signed up with these credentials, I'm just gonna copy them. And then am going to make a new request to http://localhost:3001/signin, click on Body, make sure JSON is selected. Paste in those same credentials I signed up with, and I'm gonna send a request.

[00:06:05] And I get 404s, I think I misspelled something on the server side. I'm pretty sure I did, let's just check that out. Sign in, wait, I hadn't get didn't? I yeah I believe I had it at GET request. Yeah, it's a GET request, so I need to change that to a post.

[00:06:30] So now, let's try to post that and, voila, we get a JSON Web Token. So signin works, sign up works, everything's good. And just to test one more thing, username must be unique. So I should not be able to sign up, With the same pass, the same username.

[00:06:55] So I'm gonna say, post to user, and I'm gonna try to sign up with the same thing. I should get an error here, so let's see. And I do, we don't handle errors on the server, so it died, but that's what I expected to happen if I go look at this.

[00:07:14] It'll probably say something like, yeah, here we go, invalid prisma.user.create() invocation. It's basically saying, where's the exact one? Yeah, unique constraint filled on the fields username, aka someone already has that username. So sorry, right, this is why we have to catch our errors. My host server just died, because someone typed in someone's username, that would suck.

[00:07:39] So we wanna make sure we handle those errors, and we'll do that next time. Any questions on this? Yes.
>> How would you handle authenticating different tiers of users?
>> Authenticating different tiers of users, it's a good question. So I guess it depends on what that would look like.

[00:08:00] You can get really sophisticated with that. I think one of you would have to create a system that knew what data was on what tier? I'm guessing you don't want people accessing certain things based off what certain tiers they have. So then the data needs to know what tiers it's available to, so you'd have to figure that out.

[00:08:24] Maybe you just throw that in a database, like, someone wants this, this is a tier three or whatever. So that's one thing, and then the second thing is it's just a filter on a query right? You would just make sure you would put their tier and their JSON Web Token along with their email, or their username, or their ID.

[00:08:40] And then when you query the database. You just make sure you got that tier filter on there. I'm looking for this information that is tier one. Well, if that information isn't terrible, and it's not gonna return anything, cuz in the database, it's tier three. So that's one way, you can also do a little more manual per single row per query.

[00:09:00] And just do your if checks their, query the database as normal, and then before you send it back. You can well, now let me check the tiers and we have this. Configuration object over here that tells me that these tiers only have access to this, so I can delete these properties before I send them back.

[00:09:16] But that's wasteful, cuz you had to quit the database for it. So I mean, there's an unlimited amount of ways to do that, it's not as complicated as it sounds, though. How does everybody feel about authentication, routes, middleware, methods, headers, requests, response, it's covered a lot. How's everyone feeling about that right now?

[00:09:38] I wanna know, what was your expectation of learning node and API verses reality.
>> I'll say, I'm glad that we're dipping into TypeScript, because it always seems like the scary thing out there and it really doesn't have to be.
>> It doesn't have to be, TypeScript is optional types.

[00:10:04] It's always optional types, right? You don't have these types, I encourage you to use them, but progressively start as you build out more stuff. Add a type here there, right, just try to figure it out. Eventually, you'll just be like a TypeScript got one day, especially if you use angular, you have no choice.

[00:10:22] But yeah, it's not hard, it just takes time.
>> It seems like the IDs are getting good at just knowing what type you're going for anyway.
>> Yeah, the IDs are super smart, they just know everything. I mean, yeah, VS Code is just on another level. Go for them, but yeah, I mean, they're owned by the same company now, right?

[00:10:41] TypeScript was created in Microsoft and VS Code was created in Microsoft. So [LAUGH] yeah, they just get it now.