API Design in Node.js, v5

Validate & Test Authentication

Scott Moss
Netflix

Lesson Description

The "Validate & Test Authentication" lesson is part of the full API Design in Node.js, v5 course featured in this preview video. Here's what you'd learn in this lesson:

Scott demonstrates using Zod middleware for runtime input validation beyond database checks. He also touches on refresh tokens for handling expired JWTs and emphasizes practical problem-solving skills.


Transcript from the "Validate & Test Authentication" Lesson

[00:00:00]
>> Speaker 1: OK, so then what we can do is go to our auth routes. We have this register here, right? You can just get rid of that register, and we can say, all right, let's go ahead and add the register controller that we just made, like that. The last thing we want to do before we do this is, remember, this register thing that we wrote is making a lot of assumptions about the input. We need to validate that input. Luckily, we already created that middleware yesterday that allows us to validate stuff, so we can just go ahead and import that from our middleware.

[00:00:00]
It's called, in this case, this is gonna be on the body, so we want to validate the body. We'll come here and say validate body, and then we need to pass in a schema. We can make a schema from scratch using Zod here, that's totally fine, but we can also just get the ones from our database schema that we can create down here. So for instance, if you're going to insert a user already, this right here creates a Zod schema from the users table based off insert, so I don't have to make it.

[00:00:00]
This already is it right here. I could just use this. The difference would be, though, is I might still want to make my own if I want validations beyond what the database is doing. Like, for instance, I have a link here, that's fine. I have a link on the username, that's fine, a link on the password. But what if I wanted like a regex check for a password, and I wanted to check that the email was actually an email with the at and a domain and all that stuff?

[00:00:00]
I couldn't do that on the database level. Database, at least PostgreSQL and Drizzle, it's not that granular where you can be checking it. That would be too inefficient for a database to check that on every insert. It would be too slow, but Zod can do that at runtime. So in that case, I probably wouldn't use this, because that would not check for those additional validations, and then I would make my own Zod schema that followed this schema plus those additional checks.

[00:00:00]
You can make that from scratch. I also believe, if I'm not mistaken, you could do something like extend and extend those yourself, although I've never done that, but I think you can do that. I'm pretty sure I might even have that in the docs somewhere. But I'm just gonna use the one that we have. I'm gonna say insert user schema here as our validation, and then validate the body. So, let's try to run this and see what breaks.

[00:00:00]
npm run dev. That's always good when nothing breaks on startup. It's a good sign. Go to Postman. I'm gonna go to API slash auth slash register. I'm gonna change that to a POST. I'm gonna go to, well, I'm not gonna send anything up, just to see if it hits the validation. And it does, so our validation is there. It says you don't even have an object. OK, cool. I'll add an object and then we'll keep going. So now I'll add an object, let's see what it says now.

[00:00:00]
OK, cool. You did add an object, but you need an email, you need a username, and you need a password. That's helpful. That's perfect. These are errors that I can show in my app to my user on the form if they came back from the server. Super useful. OK, cool, let's try that. I'll do an email, I'll just say user@app.com, and then it says I need a username. I'll do that too, just call myself user. I need a password.

[00:00:00]
I'll do that as well. I'll just say this is my admin password, Super Sec. Let's see what happens, so I'll do that. And boom, user created. So user was created, here's the user, here's their ID, here's all the other things, and here's that JSON Web Token that I can use. And to visualize, to visually see that user, I can go back into Drizzle Studio. Let this load up. I'll click on users, and now I have two. I have the one that I did when I ran my seed, then I have the one I just signed up with right here.

[00:00:00]
Cool. Any other questions about the input validations, decrypts, JSON Web Tokens? Each one of those topics individually is worth years of research. So, I'm just giving you enough to be productive. There's one word I can describe myself as: I'm productive. I wouldn't say I am what most people would consider the most talented engineer on the planet, but I know a lot of engineers that have way more talent and knowledge than me.

[00:00:00]
And that usually is why some of them aren't as productive, because they like to go really deep, really deep dives on stuff that really matter, but a lot of that research can lead to less productivity, and not finding that balance is where it's hard. I knew out the gate that I wasn't that smart, so I focused on just being productive. So for me, I'm just focused on getting things done. I'm only gonna learn the thing that I need to do to answer a question.

[00:00:00]
So I get really good at understanding what it is that I need to do and breaking those questions down as small as I can, and only learning the thing that I need to do to answer that question. It's very equivalent to, like, taking an open book test and looking in the glossary after you already read the question. Whereas I think most people, when they think of a super talented engineer, they think of someone who knows the whole book.

[00:00:00]
I don't know the whole book. I just know how to look at a question and go to the glossary and look through the book to find the answer, and then move on to the next question and not get distracted by everything else in the book. So that's just my way of telling you: everything that I taught you might be surface level, but that's just because I've only ever had to stay there. There are things that I'm very knowledgeable and deep on that I can talk about sometimes, but that's because I had to get very deep on those things because I was doing something with an expected outcome.

[00:00:00]
Do you have any insights on refreshing tokens or the best way to implement that? We have, like, these giga chats in the chat that I swear, like, know this stuff, and they just, like, take the course cause I think they just want to hear it. Who's talking about refresh tokens? Like, uh, yes, great question. So refresh tokens, that's a concept of, hey, what happens when this JSON Web Token expires? A really bad experience would be for someone to log in again.

[00:00:00]
A really good experience would just auto log them in in the first place. So yeah, you could make refresh tokens. There are many ways to do that. When you go and validate a JSON Web Token, which we're gonna do next, and you can see that the validation failed for the only reason of it being expired, and not because it's an invalid JSON Web Token from another service, but it is a valid JSON Web Token, it's just expired.

[00:00:00]
You can ignore that expiration as long as you send me a refresh token as well, which basically does not have the expiration date on it. I'll use that refresh token to then just generate you a new token and just sign you back in and send you that new one, and then your client can just update their local storage with that new token, and that way you're not forced on the client side to go through another form and sign in.

[00:00:00]
So yeah, refresh tokens is basically just another JSON Web Token that doesn't expire. OAuth also does something similar to refresh tokens.
