API Design in Node.js, v4 Authorization Headers
Transcript from the "Authorization Headers" Lesson
>> How do you actually get a JSON web token? Well, that's what's next. So now we need to figure out what that is. So just a recap of how all this worked, right? Let's just walk through it one more time before I show you how to connect the dots.
[00:00:17] This protect middleware, Is looking on an authorization header. All right, and I don't know if I've talk too much about headers, but a header is basically, so we know about methods, GET, POST, PUT, PATCH, DELETE, OPTIONS, all that stuff. We know about routes that can be slash, whatever you want.
[00:00:33] A header, it's just another place in a request where you can add another option, headers are key values. The key is the name of the header, the value is the value of the header. There are tons of known headers, like cache control. Issuer, where did this request come from?
[00:00:59] It's just like the metadata of the request. It's like in a HTML page, you have the head tag where you put all the SEO stuff, that's what a header is for a request, it's that part. It's not the part that's important, it's not the actual data like the body tag is.
[00:01:15] It's the information about the page, it's the meta information. It's like the SEO place of your request, that's what headers are, they're just the metadata of the request. One of the ones are called authorization. People who make APIs have preferred for developers to pass along an authorization value on the authorization header that they can use to determine whether or not you can log in.
[00:01:38] You can also put it on the query string. You can add it to the body. You can do whatever you want. You're the developer making the API. But authorization's usually the standard. So that's what headers are. So we're looking for something that exists on the authorization header. If it doesn't, get out of here.
[00:01:53] Okay, let's say it does exist, but can I split it? And it's still something there. If not, get out of here, you're gone. That doesn't work. Okay, let's say you did get past that. Is the token that's there, is it a valid JSON web token that was previously signed by the same secret that we have created here?
[00:02:13] If not, you're toast, 401. If you are, cool, you must be real. Next, proceed to whatever you were trying to do, go. That's what that's saying. So what we're gonna have to do next is we're gonna have to allow users to be able to sign up, so we're gonna create new users.
[00:02:31] And then we need to allow them to sign in so they can come back. Which is just a way of saying, hey, we're gonna make a user in the database, make sure they're unique or whatever, they fulfill the database constraints. And then we've given them a JWT. That's how you know you were signed in.
[00:02:46] And then that's how you know you're welcome to this club to access our API. We gave you a JSON web token. You can just keep it and whenever you come back, you gotta give us your JSON web token, and that's how we know who you are.