1
00:00:02,100 --> 00:00:03,466
- [Maximilian] So now to find out

2
00:00:03,466 --> 00:00:05,366
whether we want to grant access or not,

3
00:00:05,366 --> 00:00:06,766
in this admin get route,

4
00:00:06,766 --> 00:00:08,566
we have to look into the session

5
00:00:08,566 --> 00:00:10,300
of an incoming request,

6
00:00:10,300 --> 00:00:12,533
and see whether that request

7
00:00:12,533 --> 00:00:15,000
does have a session to begin with,

8
00:00:15,000 --> 00:00:17,633
and then B, if in the session data

9
00:00:17,633 --> 00:00:20,400
for this client, so for that session ID

10
00:00:20,400 --> 00:00:22,266
that's submitted by the client,

11
00:00:22,266 --> 00:00:26,333
we actually do have this
authentication data.

12
00:00:26,333 --> 00:00:28,833
Because if we only got some other data

13
00:00:28,833 --> 00:00:30,800
in the session, that's nice to have,

14
00:00:30,800 --> 00:00:33,500
but that still won't grant access here.

15
00:00:33,500 --> 00:00:36,333
So the existence of a
session alone is not enough

16
00:00:36,333 --> 00:00:37,966
because, as mentioned before,

17
00:00:37,966 --> 00:00:39,633
sessions are also created

18
00:00:39,633 --> 00:00:41,600
for unauthenticated users.

19
00:00:41,600 --> 00:00:44,566
So it's really the authentication
data in the session

20
00:00:44,566 --> 00:00:46,033
that matters to us here.

21
00:00:46,033 --> 00:00:47,766
That's the actual ticket.

22
00:00:47,766 --> 00:00:49,800
Or to stay in the analogy,

23
00:00:49,800 --> 00:00:51,666
that's the content of the ticket

24
00:00:51,666 --> 00:00:52,933
that matters to us.

25
00:00:54,100 --> 00:00:57,566
So here, in this get route,
in this get admin route,

26
00:00:57,566 --> 00:00:59,933
I will simply check if not

27
00:00:59,933 --> 00:01:02,800
request.session.isAuthenticated,

28
00:01:02,800 --> 00:01:05,166
if that is false or falsy.

29
00:01:06,033 --> 00:01:10,200
Because remember, I'm setting
isAuthenticated here to true

30
00:01:10,200 --> 00:01:13,766
and therefore, if this is
false or doesn't exist,

31
00:01:13,766 --> 00:01:16,933
in which case it's treated
as falsy statement,

32
00:01:16,933 --> 00:01:19,600
so if this is not true or truthy,

33
00:01:19,600 --> 00:01:22,766
then we know the user
is not authenticated.

34
00:01:23,866 --> 00:01:26,500
Alternatively, if we didn't store

35
00:01:26,500 --> 00:01:29,000
this extra isAuthenticated flag,

36
00:01:29,000 --> 00:01:32,866
we could also check if
not request.session.user,

37
00:01:32,866 --> 00:01:35,800
if this user object doesn't exist.

38
00:01:35,800 --> 00:01:37,900
Because we know this will only exist

39
00:01:37,900 --> 00:01:39,533
if the user did log in,

40
00:01:39,533 --> 00:01:41,400
because that's the only place

41
00:01:41,400 --> 00:01:43,300
where we set it.

42
00:01:43,300 --> 00:01:45,066
And we will soon delete it

43
00:01:45,066 --> 00:01:47,966
whenever our user logs out, for example.

44
00:01:47,966 --> 00:01:50,400
We haven't added that functionality yet,

45
00:01:50,400 --> 00:01:51,933
but we will soon do so.

46
00:01:53,233 --> 00:01:55,333
So if the user is not authenticated here,

47
00:01:55,333 --> 00:01:57,100
then I will return

48
00:01:57,100 --> 00:01:59,200
so that this code down there

49
00:01:59,200 --> 00:02:00,333
doesn't execute.

50
00:02:01,400 --> 00:02:05,833
And I'll return the rendered 401 template,

51
00:02:05,833 --> 00:02:07,800
which is that template I prepared

52
00:02:07,800 --> 00:02:11,466
for the "You are not authenticated" case.

53
00:02:11,466 --> 00:02:13,100
And I'll not just render that.

54
00:02:13,100 --> 00:02:16,466
I'll also set the status code to 401,

55
00:02:16,466 --> 00:02:18,866
because that is the typical status code

56
00:02:18,866 --> 00:02:23,500
you do use for signaling
that access was denied.

57
00:02:24,666 --> 00:02:27,466
It's not technically
necessary to set this code,

58
00:02:27,466 --> 00:02:29,233
but it's a bit more correct

59
00:02:29,233 --> 00:02:32,300
to not just show the user this error page,

60
00:02:32,300 --> 00:02:34,433
but to also make it clear to the browser

61
00:02:34,433 --> 00:02:36,966
and so on that this page is shown

62
00:02:36,966 --> 00:02:39,266
because the user tried to access

63
00:02:39,266 --> 00:02:42,533
some page where authentication was denied.

64
00:02:43,433 --> 00:02:45,333
So that's what we do if we don't find

65
00:02:45,333 --> 00:02:47,300
the isAuthenticated flag.

66
00:02:48,633 --> 00:02:51,933
And hence now, if we save all that code

67
00:02:51,933 --> 00:02:54,066
and we go back to our website,

68
00:02:54,066 --> 00:02:56,900
if I now try to go to admin,

69
00:02:56,900 --> 00:02:58,000
I'm not authenticated.

70
00:02:58,000 --> 00:03:00,300
I see this "Not authenticated" page,

71
00:03:00,300 --> 00:03:03,166
because at this point I
don't have this session

72
00:03:03,166 --> 00:03:05,166
with the auth-data yet.

73
00:03:05,166 --> 00:03:06,900
I didn't log in yet

74
00:03:06,900 --> 00:03:08,866
since we added this session code.

75
00:03:10,133 --> 00:03:13,566
I also want to show you one
other interesting thing.

76
00:03:13,566 --> 00:03:15,733
If you open the developer tools,

77
00:03:15,733 --> 00:03:18,866
you can go to the application tab there,

78
00:03:18,866 --> 00:03:21,566
and there you have a cookies area.

79
00:03:21,566 --> 00:03:22,400
Here.

80
00:03:22,400 --> 00:03:23,866
Here you can see all the cookies

81
00:03:23,866 --> 00:03:27,166
the browser is storing
for a given website.

82
00:03:27,166 --> 00:03:28,633
And for most websites,

83
00:03:28,633 --> 00:03:30,600
you will see a lot of cookies there

84
00:03:30,600 --> 00:03:32,533
because they have tracking cookies

85
00:03:32,533 --> 00:03:34,366
or advertisement cookies,

86
00:03:34,366 --> 00:03:37,700
or because they're using
some integrated services

87
00:03:37,700 --> 00:03:40,100
that might set their own cookies.

88
00:03:40,100 --> 00:03:41,600
Here for this page,

89
00:03:41,600 --> 00:03:44,966
if you navigate around
on the different pages,

90
00:03:44,966 --> 00:03:47,633
you typically shouldn't see a cookie

91
00:03:47,633 --> 00:03:48,900
at this point here.

92
00:03:48,900 --> 00:03:52,966
You shouldn't have a
cookie here for this page.

93
00:03:52,966 --> 00:03:54,766
If you do have some cookies here,

94
00:03:54,766 --> 00:03:58,600
try visiting this page
in an incognito tab.

95
00:03:58,600 --> 00:04:00,666
So you shouldn't have any cookies yet,

96
00:04:00,666 --> 00:04:02,300
and you especially shouldn't have

97
00:04:02,300 --> 00:04:05,033
any session-related cookie yet.

98
00:04:05,033 --> 00:04:06,800
Because we haven't done anything

99
00:04:06,800 --> 00:04:09,400
that would add data to the session,

100
00:04:09,400 --> 00:04:11,833
and we did configure our session

101
00:04:11,833 --> 00:04:14,066
to only be saved to the database

102
00:04:14,066 --> 00:04:15,933
if data was added,

103
00:04:15,933 --> 00:04:19,433
because saveUninitialized
was set to false,

104
00:04:19,433 --> 00:04:22,400
so an empty session with no data inside

105
00:04:22,400 --> 00:04:24,366
won't be stored to the database,

106
00:04:24,366 --> 00:04:27,133
and hence no session
cookie will be generated.

107
00:04:28,266 --> 00:04:31,166
But if I now go to the login page here

108
00:04:31,166 --> 00:04:33,966
and there, I do log in

109
00:04:33,966 --> 00:04:35,800
with my valid credentials

110
00:04:35,800 --> 00:04:38,500
and I click Login here,

111
00:04:38,500 --> 00:04:41,233
you will notice a couple of things.

112
00:04:41,233 --> 00:04:43,400
You will notice that we were redirected

113
00:04:43,400 --> 00:04:44,666
to the admin page,

114
00:04:44,666 --> 00:04:46,266
and now we don't see this

115
00:04:46,266 --> 00:04:48,533
"You are not authenticated" content,

116
00:04:48,533 --> 00:04:51,233
but instead we see the
real admin page content.

117
00:04:52,200 --> 00:04:55,800
So we make it past this if-check here,

118
00:04:55,800 --> 00:04:59,300
and the rendered admin
template was returned.

119
00:04:59,300 --> 00:05:02,500
So this proves that this
user is now considered

120
00:05:02,500 --> 00:05:03,800
to be authenticated.

121
00:05:05,066 --> 00:05:06,600
And the other thing that changed is,

122
00:05:06,600 --> 00:05:08,400
if we now have a cookie here,

123
00:05:08,400 --> 00:05:10,766
and that's our session cookie.

124
00:05:10,766 --> 00:05:12,200
And this cookie,

125
00:05:12,200 --> 00:05:14,100
if you have a look at the cookie value,

126
00:05:14,100 --> 00:05:17,233
in the end stores a cryptic string here,

127
00:05:17,233 --> 00:05:20,433
which includes the ID of the session.

128
00:05:20,566 --> 00:05:22,866
And we can see that, on the other hand,

129
00:05:22,866 --> 00:05:25,000
if we go back to the terminal

130
00:05:25,000 --> 00:05:26,800
or command prompt.

131
00:05:26,800 --> 00:05:29,333
And we connect to the MongoDB database

132
00:05:29,333 --> 00:05:30,833
with the Mongo shell.

133
00:05:31,866 --> 00:05:36,866
In there, if I use my auth-demo database,

134
00:05:37,033 --> 00:05:41,766
and I then access these
sessions collection

135
00:05:41,766 --> 00:05:44,033
and find all entries in there,

136
00:05:44,033 --> 00:05:46,600
I find one entry in there at the moment

137
00:05:46,600 --> 00:05:48,633
because I only logged in once here

138
00:05:48,633 --> 00:05:50,666
and at the moment, that's
all the session data

139
00:05:50,666 --> 00:05:54,000
that is then created by my website.

140
00:05:54,000 --> 00:05:56,266
And here you see what
such a session looks like

141
00:05:56,266 --> 00:05:57,866
in the database.

142
00:05:57,866 --> 00:06:00,200
This entry was generated automatically

143
00:06:00,200 --> 00:06:01,733
by the session package

144
00:06:01,733 --> 00:06:04,433
with help of the MongoDB session store.

145
00:06:05,400 --> 00:06:07,533
There is a bunch of metadata stored here.

146
00:06:07,533 --> 00:06:09,933
For example, some data about the cookie,

147
00:06:09,933 --> 00:06:12,700
when it expires, if it does expire.

148
00:06:12,700 --> 00:06:15,366
Here no special setting was chosen.

149
00:06:15,366 --> 00:06:18,000
And here we also see an expiration date

150
00:06:18,000 --> 00:06:20,100
for the session overall.

151
00:06:20,100 --> 00:06:22,000
Though that's a bit deceiving.

152
00:06:22,000 --> 00:06:25,200
This means that the session
would expire on this date

153
00:06:25,200 --> 00:06:29,633
if it wouldn't be used and
updated at all until then.

154
00:06:29,633 --> 00:06:32,700
If you do update the session in any way,

155
00:06:32,700 --> 00:06:34,766
if any other data is written to it

156
00:06:34,766 --> 00:06:37,800
or your session store
automatically updates it

157
00:06:37,800 --> 00:06:39,833
whenever the session is being used,

158
00:06:39,833 --> 00:06:42,100
which most stores do,

159
00:06:42,100 --> 00:06:45,733
then this session will prolong.

160
00:06:45,733 --> 00:06:48,333
And then it's really
that cookie expiration,

161
00:06:48,333 --> 00:06:50,300
which by default is not set,

162
00:06:50,300 --> 00:06:53,366
which does determine when
the session should expire

163
00:06:53,366 --> 00:06:55,600
no matter if it's being used or not.

164
00:06:56,500 --> 00:06:59,933
By default, no expiration
date is set on the cookie

165
00:06:59,933 --> 00:07:03,066
and therefore the session
actually won't expire.

166
00:07:03,066 --> 00:07:05,133
It will keep on running.

167
00:07:05,133 --> 00:07:07,100
But if you would want to set one,

168
00:07:07,100 --> 00:07:10,200
you can go to your session
configuration options

169
00:07:10,200 --> 00:07:12,366
and there set the cookie option,

170
00:07:12,366 --> 00:07:16,300
and then for the cookie,
the maxAge option.

171
00:07:16,300 --> 00:07:19,400
And this one's a maximum
age for the cookie

172
00:07:19,400 --> 00:07:22,133
and therefore then also for the session

173
00:07:22,133 --> 00:07:24,833
after which this session will expire

174
00:07:24,833 --> 00:07:28,033
and the user would, for
example, need to log in again

175
00:07:28,033 --> 00:07:30,866
if the session is being
used for authentication,

176
00:07:30,866 --> 00:07:33,166
as we are doing it here.

177
00:07:33,166 --> 00:07:36,766
Now, maxAge wants a value in milliseconds

178
00:07:36,766 --> 00:07:39,466
and you can set it to a fixed value.

179
00:07:39,466 --> 00:07:41,500
Or what you'll do very often

180
00:07:41,500 --> 00:07:43,933
is that you calculate it just in time

181
00:07:43,933 --> 00:07:46,233
as this will simply be more readable.

182
00:07:47,100 --> 00:07:49,400
A thousand milliseconds are a second,

183
00:07:49,400 --> 00:07:52,133
so you could write 60 times 1000,

184
00:07:52,133 --> 00:07:56,166
to calculate a duration of one minute.

185
00:07:56,166 --> 00:07:58,900
And then you could multiply this by 60

186
00:07:58,900 --> 00:08:00,300
to have an hour.

187
00:08:00,300 --> 00:08:03,200
Multiply it with 24, to have a day.

188
00:08:03,200 --> 00:08:05,900
And then maybe multiply it with 30.

189
00:08:05,900 --> 00:08:08,566
And that is how you could
set an expiration date

190
00:08:08,566 --> 00:08:11,200
of 30 days after which your session

191
00:08:11,200 --> 00:08:14,233
would definitely expire if you want that.

192
00:08:15,100 --> 00:08:18,233
Or you don't set the
value as it's by default,

193
00:08:18,233 --> 00:08:20,400
so there is no value set initially.

194
00:08:20,400 --> 00:08:22,833
And then as mentioned,
this cookie and therefore

195
00:08:22,833 --> 00:08:25,733
also the session won't expire at all,

196
00:08:25,733 --> 00:08:27,433
it comes down to what you need

197
00:08:27,433 --> 00:08:29,233
and want for your website.

198
00:08:30,100 --> 00:08:32,732
Now, if no expiration is set,

199
00:08:32,732 --> 00:08:34,500
then indeed the cookie and the session

200
00:08:34,500 --> 00:08:36,600
doesn't expire by default,

201
00:08:36,600 --> 00:08:40,332
but most browsers will still
actually clear the cookie,

202
00:08:40,332 --> 00:08:43,400
and therefore also the
session since a session,

203
00:08:43,400 --> 00:08:45,466
without a cookie won't work,

204
00:08:45,466 --> 00:08:47,500
if the browser shuts down.

205
00:08:47,500 --> 00:08:50,266
So if you entirely close a browser.

206
00:08:50,266 --> 00:08:52,266
So that's just something to be aware of

207
00:08:52,266 --> 00:08:55,100
that the session will
close then effectively

208
00:08:55,100 --> 00:08:58,000
if a user would entirely close a browser.

209
00:08:59,800 --> 00:09:01,766
So that is what influences
when the session

210
00:09:01,766 --> 00:09:03,300
will die in the end,

211
00:09:03,300 --> 00:09:05,566
and when it will be reset automatically.

212
00:09:05,566 --> 00:09:09,000
And then we here also see
the extra data we stored.

213
00:09:09,000 --> 00:09:13,066
The user object and the
isAuthenticated data.

214
00:09:13,066 --> 00:09:14,833
Here we've got the user ID and email

215
00:09:14,833 --> 00:09:16,866
and our isAuthenticated flag.

216
00:09:17,833 --> 00:09:20,900
And then this session also has an ID.

217
00:09:20,900 --> 00:09:23,433
And this ID, which we see here,

218
00:09:23,433 --> 00:09:27,933
Q_v4, and so on in my case,

219
00:09:27,933 --> 00:09:29,733
that's the ID you also see

220
00:09:29,733 --> 00:09:32,400
somewhere here in your cookie.

221
00:09:32,400 --> 00:09:34,633
Not from the very start,
but somewhere in there,

222
00:09:34,633 --> 00:09:36,933
you have this session ID.

223
00:09:36,933 --> 00:09:38,333
And that's how this cookie

224
00:09:38,333 --> 00:09:40,100
is mapped to the session.

225
00:09:40,100 --> 00:09:42,800
And this cookie is automatically sent

226
00:09:42,800 --> 00:09:45,200
to the server with every request

227
00:09:45,200 --> 00:09:47,533
that's generated on your page.

228
00:09:47,533 --> 00:09:50,566
The browser will do this
automatically for you.

229
00:09:50,566 --> 00:09:53,233
Also for Ajax requests, by the way.

230
00:09:53,233 --> 00:09:56,200
Their cookies are also sent along.

231
00:09:56,200 --> 00:09:59,133
So whenever you send a
request to this domain now,

232
00:09:59,133 --> 00:10:01,233
for which the cookie was registered.

233
00:10:01,233 --> 00:10:03,666
So our local host domain, in this case,

234
00:10:03,666 --> 00:10:05,500
all those cookies are sent along

235
00:10:05,500 --> 00:10:07,900
with the request
automatically by the browser.

236
00:10:07,900 --> 00:10:09,700
And therefore, on the server,

237
00:10:09,700 --> 00:10:11,466
they can be parsed,

238
00:10:11,466 --> 00:10:13,300
and they will be parsed automatically

239
00:10:13,300 --> 00:10:15,333
by the session package here in the end.

240
00:10:15,333 --> 00:10:18,200
And the session package will
look for its session cookie,

241
00:10:18,200 --> 00:10:21,300
automatically extract
the ID from that cookie,

242
00:10:21,300 --> 00:10:22,666
the session ID, I mean,

243
00:10:22,666 --> 00:10:24,900
and then look for a session with that ID

244
00:10:24,900 --> 00:10:27,700
in the database so that
it finds this session

245
00:10:27,700 --> 00:10:28,966
for this user here.

246
00:10:28,966 --> 00:10:31,266
And then it's able to see that this user

247
00:10:31,266 --> 00:10:32,533
is authenticated.

248
00:10:34,200 --> 00:10:35,400
And for example here,

249
00:10:35,400 --> 00:10:37,800
if I open a new incognito tab,

250
00:10:37,800 --> 00:10:40,666
so that's a new tab, a new incognito tab.

251
00:10:40,666 --> 00:10:42,900
There I'm not authenticated

252
00:10:42,900 --> 00:10:46,300
because this is like a
new user to the server.

253
00:10:46,300 --> 00:10:47,833
Sure it's on the same computer,

254
00:10:47,833 --> 00:10:49,000
the same machine.

255
00:10:49,000 --> 00:10:51,266
But as I mentioned before,
this doesn't matter,

256
00:10:51,266 --> 00:10:52,766
the IP doesn't matter.

257
00:10:52,766 --> 00:10:55,066
But since it's a new incognito tab,

258
00:10:55,066 --> 00:10:57,366
it didn't keep any of the cookies

259
00:10:57,366 --> 00:10:59,133
set for the other tab

260
00:10:59,133 --> 00:11:02,000
and therefore here if we
have a look at the cookies,

261
00:11:02,000 --> 00:11:03,566
I have no cookies.

262
00:11:03,566 --> 00:11:07,533
So therefore this here is
a new visitor to my server,

263
00:11:07,533 --> 00:11:10,000
a new visitor without a session

264
00:11:10,000 --> 00:11:11,533
and therefore of course also

265
00:11:11,533 --> 00:11:13,833
without any authentication data.

266
00:11:13,833 --> 00:11:16,233
And hence this visitor in this tab

267
00:11:16,233 --> 00:11:17,800
is not granted access,

268
00:11:17,800 --> 00:11:20,433
whereas this visitor here

269
00:11:20,433 --> 00:11:22,766
can access the admin page just fine.

270
00:11:23,666 --> 00:11:25,666
So that is how this all works.

271
00:11:25,666 --> 00:11:28,700
Sessions are connected
to different visitors

272
00:11:28,700 --> 00:11:32,100
and incognito tabs act as new visitors

273
00:11:32,100 --> 00:11:33,933
because they don't take any cookies

274
00:11:33,933 --> 00:11:36,533
from other tabs and therefore

275
00:11:36,533 --> 00:11:37,966
this is now how we can implement

276
00:11:37,966 --> 00:11:41,066
authentication with cookies and sessions.

