Check out a free preview of the full API Design in Node.js, v4 course
The "Protecting Routes" Lesson is part of the full, API Design in Node.js, v4 course featured in this preview video. Here's what you'd learn in this lesson:
Scott begins implementing a middleware to protect the API routes. The middleware first checks to see if a bearer token is present. If not, it returns and 401 not authorized error.
Transcript from the "Protecting Routes" Lesson
[00:00:00]
>> The next thing we wanna do is, we wanna create a middleware that will sit in front of any route that we do not want someone who is not authenticated accessing. Basically you cannot hit this route unless you have signed up, made an account, got a Json Web token sent us a Json Web token.
[00:00:19]
The Json Web token checked out it, gave us back a real ID that matches who you say you are and then you can access this route. So that's what this middleware is gonna do. And we can put it in front of any route that we want that to happen, which basically means everything in the database.
[00:00:35]
You wanna access anything in a database, you got to be signed in, just like any traditional app. So that's what we're gonna do. So let's go back to our auth and we're gonna just sort of say, export const protect, you can call whatever you want. I'm gonna call it protect, it's gonna be a middleware, it doesn't take any options.
[00:00:51]
So I'm not gonna make it a function that returns a function. And if it kind of just walked through, I kind of have the code here. There's a few weird things going on and I just really wanna explain that because even now, they're still very weird to me.
[00:01:05]
But I know why we do them, but they're still just very weird. So but like I said, because you are the one making the server, you're making the rules. You're saying if you want to authenticate with me, you have to pass me something on the authorization header. All right, so let's do that.
[00:01:26]
And I'll talk about what bearer means in a minute. So I'm gonna say const bearer equals, we need the rec and res, request.headers.authorization. Express lowercase is all the headers for us, so we don't have to, but most headers are capitalized but were expressed as lowercase them for us so they're easy to work with.
[00:01:51]
So I wanna get this thing caught bearer. There's an authentication design pattern or a scheme in HTTP, there's so many of them, you got API keys. You got basic all you have, there's just so many things, one of them is called a bearer. Bearer is just basically like, it's a generic way of describing someone having the ability to send up a token.
[00:02:17]
And that token can be of any type of token. It could be a JSON web token, it could be a API key, an access token. But bearer just describes this person sent in a token. So we're gonna use a bearer token. What does that actually mean in practicality?
[00:02:31]
It just means you literally put the word bearer in front of your token. That's it, yeah, it's silly. I guess it's kinda like, do you use a anchor tag in a form? Because it's technically correct or do you use a button? Probably a button even though I guess the anchor tag is semantically correct.
[00:02:52]
It's one of those things is you just this is just for semantic at this point. I bet there's more to it, but I'm not a security expert. So, yeah, we're gonna use a bearer token here. And basically, we're just gonna check every step along the way. If you don't meet a certain requirement, we're just gonna 401 [INAUDIBLE] which means not authorized.
[00:03:12]
401 is the status code for not authorized. So in this case of, bearer token. You didn't send one up, you don't use get access? I don't think so. So I can say res.status 401 res. Whatever I wanna send back. If you want your API, send it back messages that show up on your UI screen and you will send a message back.
[00:03:35]
It depends on what you want. I'm just gonna send a message back and I'm gonna be like, message not authorized, or something like that. And then I need to put a return here, at least in my case. Otherwise, it'll just keep going to whatever's next down here. So I gotta put a return.
[00:03:53]
So I'm gonna just gonna stop here and then we're gonna hook this up and then we're gonna see it run, and then we'll fill out the rest later. So I'm gonna save that, I have protect. What I want to do now is go to index Ts, I'm sorry, server Ts.
[00:04:08]
And right here in front of the router on the slash API. I wanna protect this whole router. I don't want anyone accessing these routes unless they're authenticated. So I'm gonna save protect like that. It's gonna import it for me and I'm gonna hit comma. I'm gonna do that.
[00:04:25]
Mine auto import it like that. So you wanna import your protect from modules off. And then you wanna add it before your router after slash API. So now anyone tries to go to anything slash API. Before we let you access these handlers over here, you gotta get past protect.
[00:04:46]
And right now protect is rejecting anything that doesn't have a barrel token on it. So let's see if we can test that. Stop my server, start my server. That didn't stop it. That did something else, there we go. And then now what I'm gonna do is go to my thunder client and I'm just gonna try to go to slash API product.
[00:05:04]
I don't have anything in the headers, I don't have authorization here, I don't have, this thing is using bearer right here are off too. But I don't have anything here and bear. So I can just send this request and you can see I get back 401, unauthorized, message not authorized.
[00:05:23]
Exactly what I said back. That's our middleware. That's protect doing that. It's like, no, you didn't send anything up.
Learn Straight from the Experts Who Shape the Modern Web
- In-depth Courses
- Industry Leading Experts
- Learning Paths
- Live Interactive Workshops