API Design in Node.js, v5

Validate & Test Authentication

Scott Moss
Netflix

Lesson Description

The "Validate & Test Authentication" Lesson is part of the full API Design in Node.js, v5 course featured in this preview video. Here's what you'd learn in this lesson:

Scott demonstrates using Zod middleware for runtime input validation beyond database checks. He also touches on refresh tokens for handling expired JWTs and emphasizes practical problem-solving skills.


Transcript from the "Validate & Test Authentication" Lesson

[00:00:00]
>> Scott Moss: OK, so then what we can do is go to our auth routes. We have this register here, right? You can just get rid of that register. And we can say, all right, let's just go ahead and add.

[00:00:13]
The register control that we just made, like that. The last thing we wanna do before we do this, because remember, this register thing that we wrote is making a lot of assumptions about the input. We need to validate that input. Luckily, we already created that middleware yesterday that allows us to validate stuff, so we can just go ahead and import that from our middleware.

[00:00:29]
It's called, in this case, this is gonna be on the body, so we want to validate the body. So we'll come here and we'll say validate body, and then we need to pass in a schema. We can make a schema from scratch using Zod here.

[00:00:47]
That's totally fine, but we can also just get the ones from our database schema that we can create down here. So for instance, if you're going to insert a user already, this right here creates a Zod schema from the users table based off insert, so I don't have to make it. This already is it, right here. I could just use this. The difference would be, though, is I might still want to make my own if I want validations beyond what the database is doing, like, for instance.

[00:01:07]
I have a length here, that's fine. I have a length on the username, that's fine, a length on the password, but what if I wanted, like, a regex check for a password, and I wanted to check that the email was actually an email with the at and a domain and all that stuff? I couldn't do that on the database level.

[00:01:18]
Database, at least Postgres and Drizzle, it's not that granular where you can be checking it. That would be too inefficient for a database to check that on every insert. It would be too slow, but Zod can do that at runtime. So in that case, I probably wouldn't use this because that would not check for that, and then I would make my own Zod schema that followed this schema plus those additional checks.

[00:01:33]
You can make that from scratch. I also believe, if I'm not mistaken, you could do something like dot extend and extend those yourself, although I've never done that, but I think you can do that, I'm pretty sure.

[00:01:50]
I might even have that in the doc somewhere. But I'm just gonna use the one that we have. I'm gonna say insert user schema here as our validation.

[00:02:11]
And then validate the body. So let's try to run this and see what breaks, I guess. So npm run dev.

[00:02:26]
That's always good when nothing breaks on startup. It's a good sign. Go to Postman.

[00:02:46]
I'm gonna go to api/auth/register. I'm gonna change that to a POST. I'm gonna go to, well, I'm not gonna send anything up, just to see if it hits the validation.

[00:03:03]
And it does, so our validation is there. It says you don't even have an object. OK, cool. I'll add an object and then we'll keep going.

[00:03:16]
So now I'll add an object. Let's see what it says now. OK, cool. You did add an object, but you need an email, you need a username, and you need a password.

[00:03:28]
That's helpful. That's perfect. These are errors that I can show in my app to my user on the form if they came back from the server.

[00:03:44]
Super useful. OK, cool, let's try that. I'll do that.

[00:04:01]
So for an email, I'll just say user@app.com, and then it says I need a username. I'll do that too, just call myself user.

[00:04:22]
Then it says I need a password. I'll do that as well. And I'll just say this is my admin password.

[00:04:47]
Super secret. Let's see what happens, so I'll do that. And boom, user created.

[00:05:06]
So the user was created. Here's the user, here's their ID, here are all the other things. And here's that JSON Web Token that I can use.

[00:05:23]
And to visually see that user, I can go back into Drizzle Studio. Let this load up. I'll click on users, and now I have two.

[00:05:38]
I have the one that I did when I ran my seed, then I have the one I just signed up with right here. Cool. Any other questions about the input validations, bcrypt, JSON Web Tokens?

[00:05:51]
Each one of those topics individually is worth years of research. So I'm just giving you enough to be, what's the word I'm looking for? I'm giving you enough to be productive.

[00:06:08]
There's one word I can describe myself as: I'm productive. I wouldn't say I am what most people would consider the most talented engineer on the planet, but I know a lot of engineers that have way more talent and knowledge than me. And that usually is why some of them aren't as productive, because they like to go really deep, really deep dives on stuff that really matters, but a lot of that research can lead to, like, less productivity, and not finding that balance is where it's hard.

[00:06:23]
I knew out the gate that I wasn't that smart, so I focused on just being productive. So for me, I'm just focused on getting things done. So I'm only gonna learn what I need to learn to do the thing that I need to do.

[00:06:39]
So I get really good at understanding what it is that I need to do, and breaking those questions down as small as I can, and only learning the thing that I need to do to answer that question.

[00:06:59]
It's very equivalent to, like, taking an open-book test and looking in the glossary after you already read the question. Whereas I think most people, when they think of, like, a super talented engineer, they think of someone who knows the whole book. I don't know the whole book.

[00:07:15]
I just know how to look at a question and go to the glossary and look through the book to find the answer, and then move on to the next question and not get distracted by everything else in the book. So that's just my way of telling you: everything that I taught you might be surface level, but that's just because I've only ever had to stay there.

[00:07:35]
There are things that I'm very knowledgeable and deep on, that you'll probably hear me talk about sometimes, but that's also because I had to get very deep on those things because I was doing something. There was some expected outcome of me to do it, so that's just how I work.

[00:07:49]
Do you have any insights on refreshing tokens or the best way to implement that? We have, like, these gigachads in the chat that I swear, like, know this stuff, and they're just, like, taking the course 'cause I think they just, I don't know, they just wanna hear it. Like, who's talking about refresh tokens? Like, yes, great question.

[00:08:04]
So refresh tokens, that's a concept of, hey, what happens when this JSON Web Token expires? A really bad experience would be, like, for someone to log in again. A really good experience would just auto-log them in in the first place. So yeah, you could make refresh tokens. There's many ways to do that.

[00:08:11]
I think I did have some part in here where I talked about that, maybe I deleted it, but the way that would work is when you go and validate a JSON Web Token, which we're gonna do next, and you can see that the validation failed for the only reason of it being expired, and not because it's an invalid JSON Web Token from another service, but it's actually a valid JSON Web Token, it's just expired. You can ignore that expiration, like, don't worry about it. As long as you send me a refresh token as well, which basically does not have the expiration date on it, I'll use that refresh token to then just generate you a new token and just sign you back in and send you that new one, and then your client can just update, you know, their local storage with that new token, and that way you're not forced on the client side to, like, go through another form and sign in.

[00:08:11]
So yeah, refresh tokens is basically just another JSON Web Token that doesn't expire. OAuth also does something similar to refresh tokens.
