API Design in Node.js (using Express & Mongo) Authentication Configuration
This course has been updated! We now recommend you take the API Design in Node.js, v4 course.
Transcript from the "Authentication Configuration" Lesson
>> Scott Moss: Just to recap cuz we're gonna hop right into authentication. Let's go over what we're gonna do for authentication. So what I wanna do is I wanna just out this refactor or this abstraction that we made on step-100-fix just in case anybody wants to see it. Well, as you can see, there's so much more room to do these abstractions.
[00:00:20] I mean, so much more. I mean you could even, if you go look at the controllers themselves, all these can be abstracted, too. They're literally all doing the same thing. There's only one method in here that's doing something different, and that's the post, cuz it's populating, right here.
[00:00:38] That's the only thing it's doing different, but that's just an option away. Just passing an option, it's just like populating stuff. So you can even abstract this stuff out so, hey, create routes also create controller methods, done. It's the same thing.
>> Scott Moss: So I'm gonna check this stuff in.
>> Scott Moss: It's really hard for me to type cuz I'm so tall that there's an angle, so that's why I'm messing up. push origin step-10-fix. So that's up there if you want to pull it down, and check it out. So now, this is where it gets kind of hard and tricky and like, a lot of stuff is really going on here, so get checked out step-11.
[00:01:36] Man, there's 11 steps, that's crazy. So there's a lot of new things happening in here.
>> Scott Moss: So I'm just gonna walk through, cuz I added tons of stuff in here. So I'm gonna walk through all the stuff I just added. So if you restart the server, first of all do an NPM install.
[00:01:57] I added tons of stuff, so just make sure you do an NPM install. Cuz I'm 100% sure that you wanna have the stuff that's in here.
>> Scott Moss: So that's the first thing you do. Make it a good habit, is when you start switching branches, or pulling from GitHub, or forking and cloning.
[00:02:12] And there's a package that JSON, just run npm install.
>> Scott Moss: Cool. So once again, you have that if you don't NPM start I'm not sure if this will actually start up or not. I don't know if the code that you have to fix is actually breaking this. But let's see.
[00:02:28] So one thing you notice is that I put these log tags in here so you'll see you'll have better clear visibility on what's being logged or not. So there's like some emojis or something in there. So if you do logger.log now you start it'll always have this tag on it that says log.
[00:02:42] And it's blue now, not purple. And if you did logger.error you'll see like a thing that, it's red and have Xs on it. That tell you it's an error. So it's easy to spot out. So I added that to the logger that could be conditionally turned on and off.
[00:02:57] I also added the ability to seed the database. So when you start the database up, it will seed it. It will tell you what it's seeded with. Seeded database with three posts, three users, and three categories. But before it does that, it will delete the database. It will drop the database first, then it will seed the database with three things, so if I stop it, and start over again, there will still only ever be three in there at a given time.
>> Scott Moss: That also can be conditionally turned on or off in our config file, and I'll show you that. So that's there. Again if you wanna see some advanced uses of promises and stuff, if you go look in util/c.js the file that I've actually seeded in the database is a hundred lines of promises.
[00:03:46] So you could check this stuff out if you wanna see I'm doing stuff here.
>> Scott Moss: But that's just if you wanna look at it and then also
>> Scott Moss: If you go to config.js, I added some filter for our JSON web tokens. So I'm adding how long I want them to expire, in this case it's like ten days in minutes, so it's like what, 14,000 minutes?
[00:04:16] I don't know, something like that. Maybe more, but ten days in minutes. And then, I'm adding a JSON web token secret, so either pass it into the environment, or I'm just gonna default to gumball, for now. You should not do this in production, you should just put this in your file.
[00:04:33] It's just not something you should do. But we're not running production right now. So I'm just gonna leave that there.
>> Scott Moss: And then, in development, there is a new file. This is actually out of a couple sets ago, but there's a new for DB, and this is where we restore.
[00:04:48] We're just like, for development we're gonna connect to this database. And then for testing, we're gonna connect to the testing database, it's a different database. So this is why the config file is awesome, cuz we can change this stuff off based on the environment. And we know these files get loaded in depending on what environment we're running in, so we don't gotta think about it.
[00:05:05] So when we run our tests, if we just say, processing your V equals test and then we run the server, we know for sure this file will get loaded up and merge in with the config file. And if we go to server.js you'll notice it's using config.db.url which could either be that testing one or the development one, we don't really care.
[00:05:21] It will do it depending on the environment. So it's great. And right underneath it, if config.seed so if you said yes seed the database, it'll seed the database. And that also is part of config so that's you've got development it says seed: true. So in development seed the database.
>> Scott Moss: So all that stuff is there. That stuff you will not be dealing with. That's the stuff that I added. So if you start looking at it and you're wondering what's going on, that's the stuff that I added that you don't have to work with right now. What we're gonna be focusing on
>> Scott Moss: Is authentication. So now there's a new folder called auth, and there's just a lot of stuff going on in here. So let's start at the beginning, auth.js, so here's what we're gonna do authorization web token stuff. Anything relates to authentication is gonna happen in here. Where we gonna use it elsewhere in the application.
[00:06:10] What the creation and the definition of is gonna happen in this file. As far as like the middleware, the functions, the signing, the checking, all this stuff is gonna happen here. So let's walkthrough some of the packages. jsonwebtoken that's this package, right here. It's not the official JSON web token.
[00:06:31] I don't think if there's an official one but it's the one that you should use for the node. It's called JSON web token and this is the one we're gonna use to sign and verify our JSON web tokens. expressJwt is a rapper around jsomwebtoken and all it does is it just verifies your tokens for you.
[00:06:52] We can just call jsomwebtoken.verify ourself but express jwt, it makes it work really great with Express Middleware so we know how to do it. And it's build by the same two people. So of zero bill jwt, they also built expressJwt, so they built both of them so they work well with each other.
[00:07:09] Always getting our config. And then, here, over here, we have this check config right here. This returns in Middleware function for us, this is why expressJwt is awesome. They pass in the secret and it returns the middleware function that can look on the request of authorization and determine if the token is valid or not.
[00:07:28] And then, we just get our user model here. Cuz we're gonna need our user model for authentication purposes, of course. So if you scroll to, there's like a couple of function that is not built out. Some halfway built out, the word is fully built out as this signToken one.
[00:07:42] So this is what a signToken looks like. You can say jwt.sign. And all we do is we create an object with an _id property. I use _id because Mango uses _id. That's all the reason I put _id there. I mean it's just an object. You can put whatever you want here.
[00:07:59] But I just put _id. Although I rather have it just be id, but if the database is gonna say _id, I'm gonna make sure it's the same. I ran into so many problems, where I'm like, I hate using _id, I'm gonna use id. Then I get errors because of mismatched things, so I just keep it uniform.
[00:08:16] When I refer to id I'm talking about _id. So I hit that, and then we also need to pass in this secret, which is config.secrets.jwt, we've said that in our config. And then, here's the option to where we can expire this thing, I also put this in the config, remember I had the expire time.
[00:08:32] So expires in minutes, I put like ten days in minutes right there. So that, it's called a return to sign token. If it signs, it will return the string. So we'll use that as a utility method.