1
00:00:01,260 --> 00:00:02,480
‫So in this lecture

2
00:00:02,480 --> 00:00:04,560
‫we're gonna implement the functionality

3
00:00:04,560 --> 00:00:08,010
‫of logging users in based on a given password

4
00:00:08,010 --> 00:00:09,363
‫and email address.

5
00:00:10,920 --> 00:00:14,520
‫And just like before, the concept of logging a user in

6
00:00:14,520 --> 00:00:17,400
‫basically means to sign a JSON web token

7
00:00:17,400 --> 00:00:19,760
‫and send it back to the client.

8
00:00:19,760 --> 00:00:22,390
‫But in this case we only issue the token

9
00:00:22,390 --> 00:00:24,860
‫in case that the user actually exists,

10
00:00:24,860 --> 00:00:27,310
‫and that the password is correct.

11
00:00:27,310 --> 00:00:29,773
‫So, let's start to implement that.

12
00:00:31,480 --> 00:00:36,260
‫Exports.login is...

13
00:00:39,090 --> 00:00:42,253
‫request, responds, and next.

14
00:00:44,370 --> 00:00:47,060
‫And the first thing is we is to actually read the email

15
00:00:47,060 --> 00:00:50,020
‫and the password from the body.

16
00:00:50,020 --> 00:00:54,740
‫So let's say const email equals req.body.email.

17
00:00:58,920 --> 00:01:02,070
‫Okay, and now eslint gives us this warning,

18
00:01:02,070 --> 00:01:04,160
‫or this error actually, and it says

19
00:01:04,160 --> 00:01:07,080
‫that we should use object destructuring, okay?

20
00:01:07,080 --> 00:01:09,620
‫And so I let this happen here on purpose

21
00:01:09,620 --> 00:01:12,620
‫just so that I can show you how we can do it

22
00:01:12,620 --> 00:01:14,950
‫with ES6 destructuring.

23
00:01:14,950 --> 00:01:18,490
‫And I think I talked about this before in the course,

24
00:01:18,490 --> 00:01:20,930
‫and I also hope that you're already familiar

25
00:01:20,930 --> 00:01:23,330
‫with the concept, but anyway,

26
00:01:23,330 --> 00:01:25,430
‫since the name of this property here

27
00:01:25,430 --> 00:01:27,920
‫is the same as the variable name,

28
00:01:27,920 --> 00:01:30,260
‫we can simply do it like this

29
00:01:30,260 --> 00:01:34,150
‫and get rid of the property name here, okay?

30
00:01:34,150 --> 00:01:36,520
‫And also we want to get the password.

31
00:01:36,520 --> 00:01:37,930
‫And so that would be the same,

32
00:01:37,930 --> 00:01:42,470
‫so basically password equals to a request.body.password.

33
00:01:42,470 --> 00:01:43,647
‫And instead of doing that,

34
00:01:43,647 --> 00:01:47,940
‫we can simply do email and password.

35
00:01:47,940 --> 00:01:50,250
‫And so just like this, we basically create

36
00:01:50,250 --> 00:01:54,480
‫these two variables of the body object, okay?

37
00:01:54,480 --> 00:01:56,380
‫So basically this is how the user

38
00:01:56,380 --> 00:02:00,223
‫is gonna send in the login credentials for us to check.

39
00:02:01,070 --> 00:02:04,130
‫Okay, and that check process has a couple of steps,

40
00:02:04,130 --> 00:02:05,830
‫and so let's actually lay them out here

41
00:02:05,830 --> 00:02:07,750
‫before we start coding.

42
00:02:07,750 --> 00:02:12,030
‫So first we need to check if email

43
00:02:12,030 --> 00:02:17,030
‫and passwords actually exist, all right?

44
00:02:17,900 --> 00:02:22,900
‫Then number two, check if the user exists,

45
00:02:24,440 --> 00:02:29,440
‫and at the same time if the password is correct.

46
00:02:31,960 --> 00:02:33,943
‫And then third, if everything is okay,

47
00:02:39,440 --> 00:02:44,440
‫send the token, so the JSON web token back to the client.

48
00:02:45,800 --> 00:02:48,490
‫Okay, so the first one is very easy.

49
00:02:48,490 --> 00:02:53,490
‫So if there is no email or no password,

50
00:02:56,810 --> 00:03:00,370
‫then we want to send an error message to our client.

51
00:03:00,370 --> 00:03:02,600
‫Now how are we gonna do that?

52
00:03:02,600 --> 00:03:04,490
‫Well we're gonna do that using the tools

53
00:03:04,490 --> 00:03:07,490
‫that we implemented right in the last section.

54
00:03:07,490 --> 00:03:10,730
‫So basically our app error, remember that?

55
00:03:10,730 --> 00:03:12,977
‫So we will simply create a new error here,

56
00:03:12,977 --> 00:03:15,060
‫and our global error handling middleware

57
00:03:15,060 --> 00:03:19,190
‫will then pick it up and send that error back to the client.

58
00:03:19,190 --> 00:03:22,483
‫And so let's actually start by importing that error.

59
00:03:23,350 --> 00:03:25,260
‫So remember it's this one here

60
00:03:25,260 --> 00:03:28,463
‫from our AppError class, right?

61
00:03:29,620 --> 00:03:34,620
‫So let's say AppError, and then require.

62
00:03:40,860 --> 00:03:44,150
‫So one level up from here, then in the utilities,

63
00:03:44,150 --> 00:03:45,050
‫and then appError.

64
00:03:48,990 --> 00:03:52,430
‫Okay, and so we need to call the next middleware,

65
00:03:52,430 --> 00:03:56,403
‫and then this is where we pass in the error, remember that?

66
00:03:57,260 --> 00:04:00,363
‫So new AppError, and the message is:

67
00:04:02,510 --> 00:04:07,510
‫please provide email and password.

68
00:04:07,530 --> 00:04:12,530
‫And the HTTP error code is 400 for bad request, okay?

69
00:04:12,720 --> 00:04:14,340
‫And now I've got some errors here,

70
00:04:14,340 --> 00:04:19,090
‫and so that again is eslint helping me to fix some bugs.

71
00:04:19,090 --> 00:04:20,710
‫So I see that up here, again,

72
00:04:20,710 --> 00:04:24,010
‫I used it with a T instead of D,

73
00:04:24,010 --> 00:04:27,740
‫and if I save it now, everything is correct.

74
00:04:27,740 --> 00:04:32,393
‫Okay, and so let's actually start testing this right away.

75
00:04:33,330 --> 00:04:34,700
‫And for that I will simply start

76
00:04:34,700 --> 00:04:39,700
‫by creating a fake token here for now, okay.

77
00:04:39,930 --> 00:04:43,287
‫And so then let's say res.status 200 for okay.

78
00:04:51,202 --> 00:04:53,573
‫JSON, and then of course, as always,

79
00:04:56,540 --> 00:05:01,010
‫the status set to success, and then also our token.

80
00:05:01,010 --> 00:05:02,870
‫And that's actually all that we're gonna send

81
00:05:02,870 --> 00:05:05,130
‫as a response to the login, okay?

82
00:05:05,130 --> 00:05:08,290
‫So no user object because that's not necessary at all.

83
00:05:08,290 --> 00:05:10,800
‫All we want as a response for logging in

84
00:05:10,800 --> 00:05:12,140
‫is actually the token.

85
00:05:12,140 --> 00:05:15,033
‫That's all that matters when the user logs in.

86
00:05:16,210 --> 00:05:18,960
‫Next up, we need to implement the route,

87
00:05:18,960 --> 00:05:23,600
‫so let's do that again in our user router, okay?

88
00:05:23,600 --> 00:05:27,000
‫And this one is actually pretty similar to this one.

89
00:05:27,000 --> 00:05:30,310
‫Let's just duplicate it and then replace signup

90
00:05:30,310 --> 00:05:34,780
‫in both instances here with login, okay?

91
00:05:34,780 --> 00:05:38,220
‫And again, this is only valid for a post request,

92
00:05:38,220 --> 00:05:40,360
‫because of course we want to send in

93
00:05:40,360 --> 00:05:43,200
‫the login credentials in the body.

94
00:05:43,200 --> 00:05:44,630
‫And so again it's a post,

95
00:05:44,630 --> 00:05:47,610
‫but not a get, not a patch, and not a delete,

96
00:05:47,610 --> 00:05:50,393
‫because that doesn't make any sense in this case.

97
00:05:51,590 --> 00:05:54,033
‫So let's test it right away.

98
00:05:54,970 --> 00:05:57,033
‫I'll copy this URL here as well.

99
00:05:58,050 --> 00:06:03,050
‫It's gonna be post, login,

100
00:06:03,570 --> 00:06:05,140
‫and then the body of course.

101
00:06:05,140 --> 00:06:08,700
‫So again, raw and JSON.

102
00:06:08,700 --> 00:06:11,443
‫So let's create a simple body here.

103
00:06:17,680 --> 00:06:19,960
‫All right, and so let's try to send this

104
00:06:19,960 --> 00:06:22,993
‫without any password, and see what happens.

105
00:06:24,460 --> 00:06:27,470
‫And indeed it works, so we get our message here:

106
00:06:27,470 --> 00:06:30,030
‫please provide email and password.

107
00:06:30,030 --> 00:06:31,820
‫And again, since we're in development,

108
00:06:31,820 --> 00:06:34,110
‫we're getting all of this error stack here,

109
00:06:34,110 --> 00:06:36,910
‫and the complete error with our status code,

110
00:06:36,910 --> 00:06:39,350
‫the status, and also of course saying

111
00:06:39,350 --> 00:06:41,330
‫that it is an operational error.

112
00:06:41,330 --> 00:06:45,840
‫So just like we defined in the previous section, okay?

113
00:06:45,840 --> 00:06:48,433
‫Now let's try the same with the password.

114
00:06:50,750 --> 00:06:55,750
‫So password, set it to I think this was the one,

115
00:06:56,400 --> 00:06:58,893
‫and then get rid of the email.

116
00:07:00,590 --> 00:07:02,950
‫And that of course triggers the same.

117
00:07:02,950 --> 00:07:06,000
‫Okay, and with everything correct that should then work,

118
00:07:06,000 --> 00:07:08,803
‫and indeed we get our fake token here.

119
00:07:10,300 --> 00:07:12,890
‫Now just one thing that we should do here

120
00:07:12,890 --> 00:07:14,880
‫is to also return.

121
00:07:14,880 --> 00:07:16,790
‫So we did that many times before,

122
00:07:16,790 --> 00:07:18,680
‫and let me explain it again.

123
00:07:18,680 --> 00:07:21,610
‫It's simply because after calling the next middleware,

124
00:07:21,610 --> 00:07:24,380
‫we want to make sure that this login function here

125
00:07:24,380 --> 00:07:27,873
‫finishes right away, all right?

126
00:07:30,260 --> 00:07:32,080
‫And since we didn't have that before,

127
00:07:32,080 --> 00:07:34,560
‫you now see this error here again.

128
00:07:34,560 --> 00:07:38,060
‫So this is already kind of familiar at this point, right?

129
00:07:38,060 --> 00:07:40,940
‫So cannot set headers after they are send to the client,

130
00:07:40,940 --> 00:07:43,360
‫because again, we sent two responses.

131
00:07:43,360 --> 00:07:47,840
‫First the error response, and then also this code here run,

132
00:07:47,840 --> 00:07:50,040
‫which of course shouldn't have done.

133
00:07:50,040 --> 00:07:52,933
‫And so again we use return here to fix that.

134
00:07:53,790 --> 00:07:57,430
‫Okay, next up, let's check if there actually is a user

135
00:07:57,430 --> 00:07:59,870
‫for the email that was posted.

136
00:07:59,870 --> 00:08:04,870
‫So const user, and so let's now use the findOne actually,

137
00:08:09,940 --> 00:08:13,400
‫because this time we're not selecting a user by the ID,

138
00:08:13,400 --> 00:08:16,650
‫but instead by its email, right?

139
00:08:16,650 --> 00:08:19,460
‫And so we need to pass in that filter object

140
00:08:19,460 --> 00:08:24,190
‫where we can say email equal to email, okay?

141
00:08:24,190 --> 00:08:25,940
‫So the field is called email,

142
00:08:25,940 --> 00:08:28,270
‫and the variable is also called email.

143
00:08:28,270 --> 00:08:32,163
‫And so in ES6 we can abbreviate that simply as this.

144
00:08:33,060 --> 00:08:34,490
‫Now before we move on here,

145
00:08:34,490 --> 00:08:36,110
‫there's actually something important

146
00:08:36,110 --> 00:08:38,520
‫that I need to do for security.

147
00:08:38,520 --> 00:08:41,220
‫So let me show that to you in Postman,

148
00:08:41,220 --> 00:08:43,970
‫where we signed up for a new account.

149
00:08:43,970 --> 00:08:46,540
‫And so you see here that in the user output,

150
00:08:46,540 --> 00:08:49,810
‫we actually get the password, okay?

151
00:08:49,810 --> 00:08:52,010
‫It is encrypted actually, but still,

152
00:08:52,010 --> 00:08:55,010
‫it's not a good practice to leak the password data

153
00:08:55,010 --> 00:08:57,710
‫out to the client, okay?

154
00:08:57,710 --> 00:09:01,090
‫For example, if we had our get all users here,

155
00:09:01,090 --> 00:09:03,480
‫and this route is not yet implemented,

156
00:09:03,480 --> 00:09:07,170
‫but if we were to get all the users from the collection,

157
00:09:07,170 --> 00:09:09,440
‫then all of them would have the password visible,

158
00:09:09,440 --> 00:09:12,720
‫and we don't want that, okay?

159
00:09:12,720 --> 00:09:15,790
‫And so fixing it is actually quite easy,

160
00:09:15,790 --> 00:09:17,850
‫because we did it before.

161
00:09:17,850 --> 00:09:19,973
‫All we have to do is to say password,

162
00:09:20,820 --> 00:09:25,270
‫and then select and set it to false.

163
00:09:25,270 --> 00:09:28,100
‫And so like this it will automatically never show up

164
00:09:28,100 --> 00:09:29,123
‫in any output.

165
00:09:30,520 --> 00:09:32,520
‫And to let me actually prove that to you

166
00:09:32,520 --> 00:09:37,023
‫by signing up as something else, so like this.

167
00:09:39,070 --> 00:09:41,920
‫And let's see, oh, actually we already have a user

168
00:09:41,920 --> 00:09:45,833
‫with that email, so let's just do test3.

169
00:09:47,300 --> 00:09:50,830
‫And now the password is actually still here,

170
00:09:50,830 --> 00:09:54,100
‫but I guess that is simply because we could just create it,

171
00:09:54,100 --> 00:09:55,610
‫this new document here,

172
00:09:55,610 --> 00:09:58,030
‫and so therefore it's not really selecting it

173
00:09:58,030 --> 00:10:01,460
‫because we're not actually reading it from the database.

174
00:10:01,460 --> 00:10:03,250
‫So let's just very quickly

175
00:10:03,250 --> 00:10:05,100
‫actually implement this route here,

176
00:10:05,100 --> 00:10:07,690
‫that's only gonna take a minute.

177
00:10:07,690 --> 00:10:10,300
‫So just to see if this here actually works.

178
00:10:10,300 --> 00:10:12,230
‫Because this step is actually important

179
00:10:12,230 --> 00:10:15,170
‫for what we're gonna do next, okay?

180
00:10:15,170 --> 00:10:18,820
‫So let's actually go ahead and copy this code

181
00:10:18,820 --> 00:10:22,000
‫from the getAllTours, and not really copy,

182
00:10:22,000 --> 00:10:25,133
‫but what we're gonna do is quite similar to this of course.

183
00:10:26,750 --> 00:10:28,590
‫So I'm simply gonna copy this,

184
00:10:28,590 --> 00:10:30,450
‫but without the API features.

185
00:10:30,450 --> 00:10:33,700
‫So I'm not really interested in that, okay?

186
00:10:33,700 --> 00:10:35,500
‫And so this one I'm actually gonna do

187
00:10:35,500 --> 00:10:39,170
‫in the user controller, because getting all the users

188
00:10:39,170 --> 00:10:41,350
‫has nothing to do with authentication.

189
00:10:41,350 --> 00:10:43,570
‫And so in this case the user controller

190
00:10:43,570 --> 00:10:47,020
‫is the perfect place for doing this.

191
00:10:47,020 --> 00:10:49,440
‫Now of course I also need to quickly import

192
00:10:49,440 --> 00:10:51,990
‫the user model here, and so let's also copy that

193
00:10:51,990 --> 00:10:56,580
‫from the tourController, which is not the same but similar.

194
00:10:56,580 --> 00:11:00,550
‫So let's grab actually all of this

195
00:11:04,200 --> 00:11:06,370
‫into our user controller.

196
00:11:06,370 --> 00:11:09,683
‫This one we don't need, but we also need to catchAsync.

197
00:11:10,520 --> 00:11:13,640
‫Okay, so tour is gonna be user,

198
00:11:13,640 --> 00:11:18,400
‫and here it will be userModel, all right?

199
00:11:18,400 --> 00:11:21,420
‫Then here we have tours, and down here and down here,

200
00:11:21,420 --> 00:11:23,790
‫so I hit Command + D to select all of them

201
00:11:23,790 --> 00:11:26,033
‫and change it to users.

202
00:11:27,190 --> 00:11:32,190
‫And then here of course what we are awaiting is User.find.

203
00:11:34,870 --> 00:11:36,320
‫Now since we have an await here,

204
00:11:36,320 --> 00:11:41,310
‫we need async, then we also need next,

205
00:11:41,310 --> 00:11:42,810
‫and since we have an async here,

206
00:11:42,810 --> 00:11:46,580
‫we should then wrap the entire thing into a catch async.

207
00:11:46,580 --> 00:11:47,713
‫So let's do that.

208
00:11:50,090 --> 00:11:51,700
‫Okay, and so at this point

209
00:11:51,700 --> 00:11:53,810
‫this is nothing new to you anymore,

210
00:11:53,810 --> 00:11:58,120
‫we're already used to doing this kind of stuff, right?

211
00:11:58,120 --> 00:12:00,670
‫So, this should already work at this point,

212
00:12:00,670 --> 00:12:02,470
‫so let's try it out.

213
00:12:02,470 --> 00:12:06,460
‫So get all users, and now indeed we see

214
00:12:06,460 --> 00:12:10,030
‫that their password is not included in the output.

215
00:12:10,030 --> 00:12:13,853
‫And that is important because actually, in the find,

216
00:12:15,090 --> 00:12:17,093
‫so back here in the AuthController,

217
00:12:18,030 --> 00:12:21,490
‫this here will now also not contain the password, okay?

218
00:12:21,490 --> 00:12:23,060
‫And so the output of this here

219
00:12:23,060 --> 00:12:25,920
‫will now also not contain the password.

220
00:12:25,920 --> 00:12:28,890
‫But we do need the password in order to check

221
00:12:28,890 --> 00:12:30,810
‫if it is correct, right?

222
00:12:30,810 --> 00:12:34,500
‫And so we need to explicitly select it as well.

223
00:12:34,500 --> 00:12:37,460
‫So remember how we used select before

224
00:12:37,460 --> 00:12:40,150
‫to basically simply select a couple of fields

225
00:12:40,150 --> 00:12:43,450
‫from the database, only the ones that we needed?

226
00:12:43,450 --> 00:12:45,460
‫Now in this case, when we want the field

227
00:12:45,460 --> 00:12:47,640
‫that is by default not selected,

228
00:12:47,640 --> 00:12:50,853
‫we need to user plus and then the name of the field.

229
00:12:51,720 --> 00:12:53,610
‫So password in this case.

230
00:12:53,610 --> 00:12:58,220
‫And so like this, it will be back in the output, okay?

231
00:12:58,220 --> 00:13:01,750
‫Of course we need to await this query,

232
00:13:01,750 --> 00:13:06,260
‫and then mark the function as async.

233
00:13:06,260 --> 00:13:08,140
‫And then just like before,

234
00:13:08,140 --> 00:13:12,010
‫in order to avoid that ugly try catch block,

235
00:13:12,010 --> 00:13:16,253
‫wrap this entire function into catchAsync.

236
00:13:18,520 --> 00:13:20,163
‫All right, makes sense?

237
00:13:22,170 --> 00:13:26,770
‫So let's now quickly just log the user to the console,

238
00:13:26,770 --> 00:13:28,353
‫just to see if it works.

239
00:13:32,220 --> 00:13:34,033
‫So this one here.

240
00:13:35,460 --> 00:13:39,600
‫We get our success, and indeed we get the user here.

241
00:13:39,600 --> 00:13:42,650
‫So with exactly the email that I just posted,

242
00:13:42,650 --> 00:13:45,830
‫and then the password is now also back to being included

243
00:13:45,830 --> 00:13:47,890
‫in the output, all right?

244
00:13:47,890 --> 00:13:51,453
‫And so again, that's because we explicitly selected it here.

245
00:13:52,490 --> 00:13:54,950
‫And so now it's time to actually compare

246
00:13:54,950 --> 00:13:57,400
‫the passwords that we have in the database

247
00:13:57,400 --> 00:13:59,830
‫with the one that the user just posted.

248
00:13:59,830 --> 00:14:01,930
‫But how are we gonna do that?

249
00:14:01,930 --> 00:14:05,190
‫Because for example, the password might be,

250
00:14:05,190 --> 00:14:09,169
‫or is in this example, pass1234, but the one

251
00:14:09,169 --> 00:14:13,983
‫that we have stored in the document looks like this.

252
00:14:15,040 --> 00:14:17,220
‫So how are we gonna compare this?

253
00:14:17,220 --> 00:14:19,960
‫There's not really a way of doing it, right?

254
00:14:19,960 --> 00:14:22,300
‫But actually there is, all we have to do

255
00:14:22,300 --> 00:14:25,890
‫is to again use the bcrypt package, okay?

256
00:14:25,890 --> 00:14:29,400
‫So we used bcrypt to generate this hashed password,

257
00:14:29,400 --> 00:14:31,230
‫and we can also use the same package

258
00:14:31,230 --> 00:14:34,930
‫to basically compare an original password like this here

259
00:14:34,930 --> 00:14:36,283
‫with the hashed password.

260
00:14:37,230 --> 00:14:40,700
‫Of course this password here, since it's encrypted,

261
00:14:40,700 --> 00:14:43,350
‫there's no way of getting back the old,

262
00:14:43,350 --> 00:14:46,680
‫so the original password from this string, right?

263
00:14:46,680 --> 00:14:48,150
‫So that's the entire point

264
00:14:48,150 --> 00:14:50,550
‫of actually encrypting a password.

265
00:14:50,550 --> 00:14:52,410
‫And so the only way of doing it

266
00:14:52,410 --> 00:14:54,890
‫is for this package for this algorithm

267
00:14:54,890 --> 00:14:58,100
‫to actually encrypt this password as well,

268
00:14:58,100 --> 00:15:02,210
‫and then compare it with the encrypted one, all right?

269
00:15:02,210 --> 00:15:05,110
‫So let's implement a function that's gonna do that,

270
00:15:05,110 --> 00:15:08,350
‫and for that we will use, again, the bcrypt package.

271
00:15:08,350 --> 00:15:11,280
‫And we will do that in the user model.

272
00:15:11,280 --> 00:15:13,767
‫And you might ask "Why we're doing it in a model

273
00:15:13,767 --> 00:15:16,310
‫"and not just here," but that's, again,

274
00:15:16,310 --> 00:15:19,730
‫because this is really related to the data itself.

275
00:15:19,730 --> 00:15:22,930
‫And also we already have that package in there,

276
00:15:22,930 --> 00:15:26,090
‫and so it's easier to simply do it there.

277
00:15:26,090 --> 00:15:28,663
‫So let's just get rid of this string,

278
00:15:30,600 --> 00:15:32,360
‫and then create a function here,

279
00:15:32,360 --> 00:15:34,580
‫which will check if the given password

280
00:15:34,580 --> 00:15:37,473
‫is the same as the one stored in the document.

281
00:15:38,520 --> 00:15:41,100
‫So for the first time now we're gonna create something

282
00:15:41,100 --> 00:15:43,000
‫called an instance method.

283
00:15:43,000 --> 00:15:46,120
‫So an instance method is basically a method

284
00:15:46,120 --> 00:15:48,500
‫that is gonna be available on all documents

285
00:15:48,500 --> 00:15:50,843
‫of a certain collection, okay?

286
00:15:51,680 --> 00:15:53,320
‫And it works like this.

287
00:15:53,320 --> 00:15:56,120
‫So again, it's defined on a userSchema,

288
00:15:56,120 --> 00:16:01,050
‫and then we say methods, and now in this case

289
00:16:01,050 --> 00:16:05,273
‫we want to call the function correctPassword, all right?

290
00:16:10,340 --> 00:16:12,810
‫So function, now this function is gonna accept

291
00:16:12,810 --> 00:16:14,470
‫a candidatePassword, so the password

292
00:16:17,734 --> 00:16:19,650
‫that the user passes in the body,

293
00:16:19,650 --> 00:16:22,347
‫and then also the userPassword, okay?

294
00:16:26,010 --> 00:16:28,590
‫Now inside of these instanced methods,

295
00:16:28,590 --> 00:16:31,470
‫since they are available on the document,

296
00:16:31,470 --> 00:16:35,430
‫the this keyword actually points to the current document.

297
00:16:35,430 --> 00:16:37,610
‫But in this case, since we have the password

298
00:16:37,610 --> 00:16:42,080
‫set to select false, so this here, remember?

299
00:16:42,080 --> 00:16:43,690
‫Okay, and because of that,

300
00:16:43,690 --> 00:16:47,920
‫this.password will not be available.

301
00:16:47,920 --> 00:16:50,780
‫So ideally we would do it like this,

302
00:16:50,780 --> 00:16:52,360
‫and so this way we would only need

303
00:16:52,360 --> 00:16:56,130
‫to pass in the candidatePassword and not the userPassword.

304
00:16:56,130 --> 00:16:58,690
‫But again, right now that's not possible

305
00:16:58,690 --> 00:17:02,350
‫because the password is not available in the output.

306
00:17:02,350 --> 00:17:03,420
‫And so that's why we actually

307
00:17:03,420 --> 00:17:06,380
‫have to pass in userPassword as well.

308
00:17:06,380 --> 00:17:07,890
‫So the goal of this function

309
00:17:07,890 --> 00:17:11,030
‫is to really only return true or false.

310
00:17:11,030 --> 00:17:14,000
‫So basically true if the passwords are the same,

311
00:17:14,000 --> 00:17:15,663
‫and false if not.

312
00:17:16,560 --> 00:17:21,410
‫So return, and then bcrypt which we already know,

313
00:17:21,410 --> 00:17:26,257
‫and then we are gonna use the compare function, okay?

314
00:17:26,257 --> 00:17:29,190
‫And the compare function is really easy,

315
00:17:29,190 --> 00:17:32,200
‫all we need is to pass in the candidatePassword

316
00:17:32,200 --> 00:17:37,060
‫and the userPassword, not userSchema, userPassword, okay?

317
00:17:39,270 --> 00:17:42,090
‫And just like the hash function up here,

318
00:17:42,090 --> 00:17:45,383
‫this one is also an asynchronous function.

319
00:17:46,270 --> 00:17:50,973
‫And so just like before we use await, and then here async.

320
00:17:53,330 --> 00:17:54,940
‫Okay, make sense?

321
00:17:54,940 --> 00:17:57,630
‫So again, this compare function here

322
00:17:57,630 --> 00:17:59,800
‫will very simply return true

323
00:17:59,800 --> 00:18:04,470
‫if these two passwords here are the same, and false if not.

324
00:18:04,470 --> 00:18:07,030
‫And again, we cannot compare them manually

325
00:18:07,030 --> 00:18:10,020
‫because the candidate password is not hashed,

326
00:18:10,020 --> 00:18:12,800
‫so it's the original password coming from the user,

327
00:18:12,800 --> 00:18:15,580
‫but userPassword is of course hashed,

328
00:18:15,580 --> 00:18:18,230
‫and so without this function here

329
00:18:18,230 --> 00:18:21,830
‫we would have no way of comparing them, okay?

330
00:18:21,830 --> 00:18:23,990
‫So here we return true or false,

331
00:18:23,990 --> 00:18:26,893
‫now all we need to do is to actually call this function

332
00:18:26,893 --> 00:18:28,633
‫in the authController.

333
00:18:29,920 --> 00:18:31,873
‫Let's close a couple of these.

334
00:18:34,080 --> 00:18:38,253
‫All right, so this here was only here for demonstration.

335
00:18:41,400 --> 00:18:43,563
‫So let's simply call this here correct,

336
00:18:44,400 --> 00:18:47,110
‫and now remember that the function that we just defined

337
00:18:47,110 --> 00:18:48,670
‫is an instanced method.

338
00:18:48,670 --> 00:18:52,260
‫And so therefore it is available on all the user documents.

339
00:18:52,260 --> 00:18:54,780
‫And so this variable here right now

340
00:18:54,780 --> 00:18:57,050
‫is a user document, right?

341
00:18:57,050 --> 00:19:00,270
‫Because it's a result of querying the user model.

342
00:19:00,270 --> 00:19:03,637
‫And so we can now say user.correctPassword.

343
00:19:06,760 --> 00:19:10,650
‫Now all we need to do is pass in the candidate password,

344
00:19:10,650 --> 00:19:13,020
‫which is password, remember.

345
00:19:13,020 --> 00:19:17,830
‫So this one here, and then the userPassword.

346
00:19:17,830 --> 00:19:22,830
‫And so that's in user.password, all right?

347
00:19:23,450 --> 00:19:26,373
‫And so this here will now be either true or false.

348
00:19:27,990 --> 00:19:30,810
‫All right, and now let's actually use these two variables

349
00:19:30,810 --> 00:19:33,500
‫in order to figure out if the user exists

350
00:19:33,500 --> 00:19:35,200
‫and the password is correct.

351
00:19:35,200 --> 00:19:36,710
‫So we already figured that out,

352
00:19:36,710 --> 00:19:40,390
‫but now we need to actually write our if statement.

353
00:19:40,390 --> 00:19:45,390
‫So if there is no user, or the password is incorrect,

354
00:19:46,160 --> 00:19:49,853
‫so basically correct is false, which is what this means.

355
00:19:50,860 --> 00:19:54,590
‫In that case, we want to, again,

356
00:19:54,590 --> 00:19:58,640
‫return and go straight to our next middleware

357
00:19:58,640 --> 00:19:59,640
‫with a new AppError.

358
00:20:00,980 --> 00:20:05,973
‫And in this case saying incorrect email or password, okay?

359
00:20:08,990 --> 00:20:11,560
‫And then the status code is 401,

360
00:20:11,560 --> 00:20:14,870
‫which means unauthorized, all right?

361
00:20:14,870 --> 00:20:16,910
‫Now we could've done this separately,

362
00:20:16,910 --> 00:20:18,847
‫so first checking for the user,

363
00:20:18,847 --> 00:20:21,440
‫and then checking for the correct password.

364
00:20:21,440 --> 00:20:24,600
‫But in that case we would then give a potential attacker

365
00:20:24,600 --> 00:20:28,710
‫information whether the email or the password is incorrect.

366
00:20:28,710 --> 00:20:31,550
‫And this way here it's a bit more vague.

367
00:20:31,550 --> 00:20:34,830
‫So we're not really specifying what is incorrect here.

368
00:20:34,830 --> 00:20:37,060
‫So if it's email or if it's the password.

369
00:20:37,060 --> 00:20:38,700
‫And so if there's some attacker

370
00:20:38,700 --> 00:20:41,150
‫trying to put in some random data,

371
00:20:41,150 --> 00:20:43,640
‫then they will not know if the email actually exists,

372
00:20:43,640 --> 00:20:47,143
‫or if it's just the password that's wrong, all right?

373
00:20:47,990 --> 00:20:50,860
‫Now just two things here, and the first one

374
00:20:50,860 --> 00:20:53,140
‫is that we actually need to await

375
00:20:53,140 --> 00:20:55,480
‫this asynchronous function, okay?

376
00:20:55,480 --> 00:20:57,470
‫So remember that correct password

377
00:20:57,470 --> 00:20:59,000
‫is an asynchronous function,

378
00:20:59,000 --> 00:21:01,333
‫and so here we also need to await for that.

379
00:21:02,690 --> 00:21:04,530
‫And then also there's another problem,

380
00:21:04,530 --> 00:21:06,980
‫because of this user doesn't exist here,

381
00:21:06,980 --> 00:21:10,950
‫then this next line of code cannot really run, okay?

382
00:21:10,950 --> 00:21:13,550
‫Because for example, user.password

383
00:21:13,550 --> 00:21:15,400
‫is not gonna be available.

384
00:21:15,400 --> 00:21:18,800
‫And so we actually need to move all of this,

385
00:21:18,800 --> 00:21:20,690
‫or actually only this code,

386
00:21:20,690 --> 00:21:24,343
‫we're gonna move it here into the if else statement.

387
00:21:26,740 --> 00:21:29,000
‫All right, and so this way,

388
00:21:29,000 --> 00:21:32,550
‫if the user does not exist, so if this is true,

389
00:21:32,550 --> 00:21:34,900
‫well then it will not even run this code here,

390
00:21:34,900 --> 00:21:37,070
‫and then there's not gonna be any problem.

391
00:21:37,070 --> 00:21:40,510
‫But if the user exists, then it will also run this code

392
00:21:40,510 --> 00:21:43,600
‫and check if the password is actually right.

393
00:21:43,600 --> 00:21:45,520
‫And so if the password is correct,

394
00:21:45,520 --> 00:21:50,010
‫only in that case we ever reach this piece of code here.

395
00:21:50,010 --> 00:21:52,710
‫So that's the whole idea of this function.

396
00:21:52,710 --> 00:21:55,030
‫So basically we check for the negatives.

397
00:21:55,030 --> 00:21:57,270
‫So if there's no email and no password,

398
00:21:57,270 --> 00:21:58,880
‫then we get this error.

399
00:21:58,880 --> 00:22:01,690
‫If there's no user, or if there's a wrong password,

400
00:22:01,690 --> 00:22:03,540
‫then create this error.

401
00:22:03,540 --> 00:22:05,610
‫But if there was no error at all,

402
00:22:05,610 --> 00:22:09,060
‫well in that case we reach this part of the code,

403
00:22:09,060 --> 00:22:10,820
‫where we now generate a token

404
00:22:10,820 --> 00:22:13,490
‫and then send it back to the user.

405
00:22:13,490 --> 00:22:16,740
‫Now creating this token is gonna be the exact same thing

406
00:22:16,740 --> 00:22:18,500
‫as we did before here.

407
00:22:18,500 --> 00:22:20,780
‫And so instead of repeating all of this code,

408
00:22:20,780 --> 00:22:24,210
‫let's actually create a function for this, okay?

409
00:22:24,210 --> 00:22:25,840
‫So I'm gonna copy this code,

410
00:22:25,840 --> 00:22:29,427
‫and then here very quickly const signToken,

411
00:22:31,900 --> 00:22:36,090
‫which is gonna receive as the only input the user ID.

412
00:22:36,090 --> 00:22:41,090
‫So ID, and it will then return the token, okay?

413
00:22:43,370 --> 00:22:46,793
‫So it will simply sign this and return it right away.

414
00:22:47,700 --> 00:22:50,920
‫All right, and so here what we're gonna do

415
00:22:50,920 --> 00:22:55,920
‫is signToken and pass in this ID.

416
00:23:04,970 --> 00:23:09,330
‫And then of course we also need to change it up here, okay?

417
00:23:09,330 --> 00:23:11,750
‫So set this ID to this ID,

418
00:23:11,750 --> 00:23:14,893
‫which as you already know at this point is the same as this.

419
00:23:15,950 --> 00:23:19,763
‫All right, and so let's now go ahead and do the same here.

420
00:23:22,547 --> 00:23:26,340
‫signToken, and then in this case it is user._id.

421
00:23:31,300 --> 00:23:33,910
‫Phew, that was a long lecture,

422
00:23:33,910 --> 00:23:37,090
‫let's now go ahead and try it out.

423
00:23:37,090 --> 00:23:38,363
‫So it should now work.

424
00:23:39,250 --> 00:23:43,470
‫So remember, well this is now another user,

425
00:23:43,470 --> 00:23:46,030
‫but I know that this is the password that I used.

426
00:23:46,030 --> 00:23:48,580
‫So let's for now let's use another one,

427
00:23:48,580 --> 00:23:52,003
‫so just test12, and let's see what happens.

428
00:23:53,540 --> 00:23:57,450
‫Let's wait, and indeed, incorrect email or password.

429
00:23:57,450 --> 00:24:00,230
‫And so we get of course also our 401,

430
00:24:00,230 --> 00:24:04,600
‫and indeed it means that our code is currently testing

431
00:24:04,600 --> 00:24:05,933
‫for the password already.

432
00:24:06,780 --> 00:24:10,230
‫So if we now choose the correct password,

433
00:24:10,230 --> 00:24:12,793
‫then it should pass, so let's wait for it.

434
00:24:13,760 --> 00:24:16,760
‫But, we still get this error.

435
00:24:16,760 --> 00:24:20,453
‫Well, so let's simply get rid of all of our users here,

436
00:24:22,170 --> 00:24:24,420
‫just to make sure that it doesn't have to do anything

437
00:24:24,420 --> 00:24:28,740
‫with the users, and then create a new one, all right.

438
00:24:33,080 --> 00:24:37,473
‫So hello@jonas, and pass1234.

439
00:24:38,710 --> 00:24:42,373
‫Let's go ahead and copy it, I will send it now.

440
00:24:46,800 --> 00:24:50,070
‫And so these credentials are now correct for sure.

441
00:24:50,070 --> 00:24:52,760
‫So if it doesn't work now there's some kind of bug.

442
00:24:52,760 --> 00:24:55,870
‫But now actually it worked, great.

443
00:24:55,870 --> 00:25:00,090
‫So here is our token, and it looks exactly like before,

444
00:25:00,090 --> 00:25:02,483
‫so we can assume that it is correct.

445
00:25:03,570 --> 00:25:06,333
‫Now let's now try it again, deleting this, okay.

446
00:25:07,810 --> 00:25:10,753
‫And so with the wrong password it does not work.

447
00:25:11,890 --> 00:25:15,423
‫Let's now put the password right and the email wrong,

448
00:25:18,230 --> 00:25:19,730
‫and then we get the same error.

449
00:25:19,730 --> 00:25:21,883
‫So incorrect email or password.

450
00:25:22,930 --> 00:25:25,560
‫And again if we put everything back,

451
00:25:25,560 --> 00:25:27,560
‫then we get a new token.

452
00:25:27,560 --> 00:25:30,810
‫And so we are now really logged into the application.

453
00:25:30,810 --> 00:25:33,580
‫And I know this might look kind of abstract,

454
00:25:33,580 --> 00:25:37,340
‫so all we really get is a token, and then that means

455
00:25:37,340 --> 00:25:40,020
‫we are logged into the application, right?

456
00:25:40,020 --> 00:25:44,720
‫But, well, that's how it works on stateless authentication.

457
00:25:44,720 --> 00:25:47,810
‫Later on when we really build the dynamic website,

458
00:25:47,810 --> 00:25:50,190
‫then of course it's gonna be a lot more visible

459
00:25:50,190 --> 00:25:53,900
‫if the user is either logged in or logged out, right?

460
00:25:53,900 --> 00:25:55,920
‫But it will still work behind the scenes

461
00:25:55,920 --> 00:25:57,670
‫using this same token.

462
00:25:57,670 --> 00:26:01,560
‫So if there's no token, then the website will look one way,

463
00:26:01,560 --> 00:26:03,800
‫and if there is a token then the website's

464
00:26:03,800 --> 00:26:06,630
‫gonna look another way, with the user image

465
00:26:06,630 --> 00:26:11,150
‫and the username right there in the website, for example.

466
00:26:11,150 --> 00:26:13,373
‫Anyway, this was quite a long lecture.

467
00:26:14,370 --> 00:26:17,100
‫Make sure to go back here and really try to understand

468
00:26:17,100 --> 00:26:20,210
‫all of this code that we have here, all right?

469
00:26:20,210 --> 00:26:21,870
‫Because I know that some of this

470
00:26:21,870 --> 00:26:23,660
‫might be a bit confusing.

471
00:26:23,660 --> 00:26:26,963
‫For example, this correctPassword function here.

472
00:26:27,850 --> 00:26:30,933
‫And then I'm sure everything will make sense to you.