Check out a free preview of the full API Design in Node.js (using Express & Mongo) course:
The "Exercise 12" Lesson is part of the full, API Design in Node.js (using Express & Mongo) course featured in this preview video. Here's what you'd learn in this lesson:

In this exercise, you will secure the routes that create a new blog post. This way, only logged in users will be able to create posts. You will also need to enable CORS so the UI application can communicate with the API.

Get Unlimited Access Now

Transcript from the "Exercise 12" Lesson

[00:00:00]
>> [MUSIC]

[00:00:03]
>> Scott Moss: All right so your objective, now that we have all of this stuff signed in. Is I want to the ability to, so once I'm signed in, actually let's make a new one.
>> Scott Moss: Sara and 123, so once I'm signed in, I need to be able to come in here and make a blog post.

[00:00:22] So I am like this is my new post. And I start to typing in some stuff for my post. And I click done, it does work. Did to do that.
>> Scott Moss: I thought I stopped that. Hold on, one second, am I on the fix branch? I am on the fix branch, I'm like, why is all that working, that should not be working.

[00:00:51] Okay, so this is what it should look like when you're done, okay? I just showed you all the answers. I'm like wait, this stuff should not be working, what are they gonna do now, because I'm pretty sure, yeah. I'm on a fixed branch. It seems like a lot of you do that too, so.

[00:01:04]
>> Speaker 2: [LAUGH].
>> Scott Moss: But that's good. I found some errors on the fixed branch. So if you want, just pull this one down in like five seconds. That's great. I was like, whoa. I don't know what you're gonna do now, cause I was, [LAUGH],
>> Speaker 2: [LAUGH]
>> Scott Moss: What you're supposed to do.

[00:01:21] This was origin step,
>> Scott Moss: fix. Yeah pull that one down cuz I just made some changes. Let's do a get pull, it'll pull down all the branches. You don't have to specify the branch if you're not a git person. Great, so now, let's look at what you will be doing, if you haven't seen the answers already.

[00:01:50]
>> Scott Moss: Bam okay, so this is what you will be doing now, okay? First things first is this posting is still already here. That should be taken off too. What you will be doing is if we go into these prospective routes here. Remember we talked about ten minutes ago about the different routes we need to lock down?

[00:02:16] That's what you're gonna do. You're gonna use the middleware that we created in alt.js, the getFreshUser and the decodeToken to first lock down the route that we need locked down. So you put decodeToken on any route, it'll lock it down. And then immediately after, if you put getFreshUser, it'll attach the user to the req.user.

[00:02:37]
>> Scott Moss: Let's see how that works again. So if you call decodeToken, which is a middleware, if you put that in front of any route or any middleware stack, anywhere middleware can go, it will try to find a token. And if it finds it, it will attach the object that the token decodes to, to req.user.

[00:02:54] If it doesn't find it, it will error out. And immediately after that, the next middleware that comes in that series, wherever you put decodeToken, if you put rec.user, I'm sorry, if you put getfresh.user, it will then grab the user ID that the decode token just made and look for that real user in the database, not just the ID.

[00:03:16] And attach that to rec.user, so it'll override rec.user with the full user object and then it will call next. So if you put those two in that order, you're guaranteed to have the token decoded and the full user already there before you get to your controller. And remember, we can put any number of middleware we want on a route.

[00:03:36] We can put an array of middleware, we can put comma separated middleware, whatever we want. If you put them in that order, decode token followed by getFreshUser, I can guarantee that's how it's gonna work. So knowing that, go into the appropriate resource route files and add that middleware stack I was just talking about, one or both, or none, depending on what you think.

[00:04:03] We just talked about which ones we should lock down, and do that. Just remember, it can take an array of middleware. It can also take common separated middleware. But we just have to make sure we put it before the controller. So for instance, if I had a middleware, I would put it here.

[00:04:18] So if I wanted to put a middleware on get request to /API/category, I would put the middleware here. And then I put a comma. If I want to put another middleware, I put another one here and I put a comma. If I wanted to put three in here, I put three middleware in here.

[00:04:36] And I put a comma. All right, so that's how you would put the middleware on the specific routes.
>> Scott Moss: Does anybody not follow me there?
>> Scott Moss: So this is where I put middleware, I'll just make one right now so you can see. So if I said, all right let's do it on post.

[00:05:02] So I got to the post routes. I'm gonna put rare. So that is gonna make an inline middleware with anonymous function, and we'll put a comma here.
>> Scott Moss: So just by doing this, I now have middleware. Now I just next, some I'm just gonna say logger.log. Hey in middleware.

[00:05:26] All right, then we're gonna call it next. So this is gonna happen before I get all the posts. So let's check that out. So let's go to the terminal output, cool. And if I refresh this page, I should see that. And I didn't see it. Wait, something broke, let's see.

[00:05:52] Let me see, I broke something.
>> Scott Moss: The leaf chorus is off. It looks like I left chorus off of something. Yeah, chorus isn't enabled because you have to do it, that's why it's not working. Sorry, yeah, I already told you how to do that so now you know how to do that, but I'm just gonna do it right quick so I can show you what I'm talking about.

[00:06:23] If you don't have this, just empty and install it, empty and install course, it should be in the package with JSON so you should be good.
>> Scott Moss: Cool, all right, so I'll refresh that.
>> Speaker 2: Maybe override?
>> Scott Moss: Yeah, we should totally do override, but I don't need it for what I'm trying to show you, but yes.

[00:06:47]
>> Scott Moss: There we go, okay. Let's check it now. Server error 500. Aw, these typos, man, those typos.
>> Scott Moss: See the error log, though? It's pretty cool. It's easy to spot them [LAUGH]. All right now, okay, there you go, hey in middleware. All right, patched some of your code together that worked.

[00:07:26] Y'all are pulling my teeth, no. But yeah, just put any middle that you want right here. If I wanted another before the controller works, I put another one here. So using those two middleware that we talked about in auth.js. Line them up so that we protect the resources.

[00:07:40] So like if I try, for instance, one particular resource we know we wanna protect. You should never be able to make a post if you're not logged in, right. So there's no way I should be able to do that. So we know for sure decode token should be there.

[00:07:53] So that means we should be expecting the token to be on that request before you make a post.
>> Scott Moss: Do we actually need to refresh the user there? Maybe not, maybe we don't need an extra database query just to create a post. Depends on what you're doing at controller method, but at the very least, we definitely need to verify that.

[00:08:14] So let's do that for, what is it, two now? Let's do that for 30 minutes, and we'll come back at 2:30.