User Account Repository

[00:00:00]
>> Maximiliano Firtman: Something similar happened with authenticator, it's kind of the logging. Okay, with first check if you are passing me an email and password, then I'm trying to find users by email. Be very careful here to use SQL variables or arguments, not concatenate. And well, if there are no rows, so over that select, it means the user has not been found.

[00:00:24]
So authentication, validation, there is a problem, and then that means the user does not exist, okay? That means the user does not exist with that email, and then we check the password, so the user exists. Now let's see if the password is the same one. So we hash the password again and we compare that with the password that we have stored in the database, the hashed one.

[00:00:52]
Does it make sense? And just in case we are updating last login, so we registering the database for login purposes the last login for that user, and that's all. That's login, something that typically arrives here, and it's a good idea, is don't create two errors for user doesn't exist and password doesn't match.

[00:01:16]
It doesn't matter which one is the thing, it's just credentials are wrong. This is for privacy reasons. That's why, when you you go to a website, it's pretty common, and you say, I had an account, I don't remember the password. So you go, I forgot my password, it's asking for your email.

[00:01:36]
You type your email and it says, if you have an account, we have already sent you an email. And you don't know, why don't you tell me if you send me the email or not? Because they don't wanna expose their database to the public. Because if not, you can try different email addresses and see if they have an account or not.

[00:01:56]
Does that make sense? So that's why, in this case, if the email is not in the database, you are not going to say your email is wrong or you don't have an account here. You're just saying your credentials are wrong. It can be the password, it can be the email, I don't know.

[00:02:10]
The combination doesn't work together here. Does it make sense? Then GetAccountDetails will just get an account by email to actually bring the fabrics and the watch list. So it's making a select of movies with a join on this intermediate thing, and it's looking for watch list. So it's just a query on the database getting a, in this case, the movies that are powered from that user or are in the watch list for that user.

[00:02:48]
Okay? Does that make sense? And it's just setting the watch list for that user. Nothing really important. And well, SaveCollection is to actually save one movie as actually, we can go save to collection. Maybe that's better, say movie to collection. It will save a movie into watch list or into favorites.

[00:03:11]
It's just actually verifying first, well, it's, I have the email, we'll see why. We get the ID of that user, and then we check if we already have that movie there. Because maybe the user is adding a watch list or a movie that is already in watch list, so I don't want to add the movie twice, so I'm checking if that relation already exists.

[00:03:34]
You can see I'm using variables for everything. So then passing all the values from here, if exists, I'm actually not retaining an error. I'm actually saying true. I mean it works, yeah, it's there. I wanna mark a favorite, yeah, it's there. So yes. And if it's not there, I will insert this into this table and that's all.

[00:03:59]
And that's our repository. Okay, it's a long code, and it's not complicated, but it takes time. Okay, it's always the same actually, pretty similar. You have any question,
>> Speaker 2: Just a security recommendation that it's better to return messages like username and password combination is invalid. Rather than saying user not found just from.

[00:04:22]
>> Maximiliano Firtman: Yeah, exactly. That's what I was saying, that credentials are wrong, it means something's wrong. To be honest, there are still workarounds, because I got trying to register a new account, and if I already have an account, you will recheck me. So, through registration, I can also kind of check in that.

[00:04:44]
And also with passkeys, that's a new standard, with passkeys, also we have a way to log in just by email. And also there are some workarounds. I mean, if you're a bad actor and you want to get that information, you wanna see if a friend of yours has an account, I mean, you wanna see if your partner has a Tinder account, okay?

[00:05:09]
Let's be direct here, that's one possibility. How do you know if your partner has a Tinder account? Or I mean, if she or he has still has a Tinder account because maybe you met him or her on Tinder. Well, that's why, for privacy reasons, we are trying to hide that, that it's not easy for someone that has no credentials to get into a system to know if an email address has an account or not, okay?

[00:05:39]
It's not, I mean, there is no way to be 100% safe on that. We always work around, so most of the time, we also, I mean, on really large projects, you are checking how many login attempts they are trying. After three or four emails you are trying you're blocked, things like that, because you're saying you're doing something wrong.

[00:06:02]
Who is trying different emails in five minutes? You are trying to get more information that you want, and of course, that has a lot of code behind testing that you need to do a lot of work.