1 00:00:00,191 --> 00:00:02,870 ‫In this lecture, we're very quickly 2 00:00:02,870 --> 00:00:07,210 ‫gonna learn how to test for secure https connections, 3 00:00:07,210 --> 00:00:08,730 ‫with a Heroku, 4 00:00:08,730 --> 00:00:11,041 ‫because we actually need that, at one point, 5 00:00:11,041 --> 00:00:12,983 ‫in our application. 6 00:00:14,540 --> 00:00:18,560 ‫So, let's go here to our authentication controller. 7 00:00:18,560 --> 00:00:21,060 ‫And right here at the top, 8 00:00:21,060 --> 00:00:24,049 ‫in this create sent token function, 9 00:00:24,049 --> 00:00:26,840 ‫here is the place where we set 10 00:00:26,840 --> 00:00:30,240 ‫the adjacent web cookie to secure, 11 00:00:30,240 --> 00:00:32,343 ‫if we are currently in production. 12 00:00:33,300 --> 00:00:34,661 ‫Remember that. 13 00:00:34,661 --> 00:00:37,630 ‫So, remember that we created this function 14 00:00:37,630 --> 00:00:39,270 ‫with adjacent response, 15 00:00:39,270 --> 00:00:41,255 ‫it also sends a cookie, 16 00:00:41,255 --> 00:00:44,670 ‫which also contains the adjacent web token. 17 00:00:44,670 --> 00:00:47,090 ‫And that cookie has a couple of options. 18 00:00:47,090 --> 00:00:49,260 ‫The first one, when it expires. 19 00:00:49,260 --> 00:00:50,093 ‫The second one, 20 00:00:50,093 --> 00:00:54,490 ‫that it can only be accessed via http basically. 21 00:00:54,490 --> 00:00:56,570 ‫And then, when we're in production, 22 00:00:56,570 --> 00:00:59,344 ‫we said that this cookie can only be sent 23 00:00:59,344 --> 00:01:01,480 ‫on a secure connection. 24 00:01:01,480 --> 00:01:04,770 ‫So, basically, on an https connection. 25 00:01:04,770 --> 00:01:05,810 ‫All right. 26 00:01:05,810 --> 00:01:08,117 ‫Now, the problem with that is that actually, 27 00:01:08,117 --> 00:01:10,810 ‫the fact that we are in production, 28 00:01:10,810 --> 00:01:14,370 ‫does not mean that connection is actually secure. 29 00:01:14,370 --> 00:01:15,340 ‫Right? 30 00:01:15,340 --> 00:01:18,200 ‫Because of course, not all deployed applications 31 00:01:18,200 --> 00:01:21,470 ‫are automatically set to https. 32 00:01:21,470 --> 00:01:25,021 ‫And so we need to change this if that we have here. 33 00:01:25,021 --> 00:01:25,892 ‫All right. 34 00:01:25,892 --> 00:01:29,700 ‫Now, in express we actually have a secure property 35 00:01:29,700 --> 00:01:31,860 ‫that is on the request. 36 00:01:31,860 --> 00:01:33,682 ‫And only when the connection is secure, 37 00:01:33,682 --> 00:01:38,630 ‫then this request dot secure is true. 38 00:01:38,630 --> 00:01:39,463 ‫Okay? 39 00:01:39,463 --> 00:01:41,090 ‫Makes sense, right? 40 00:01:41,090 --> 00:01:43,790 ‫Now the problem is, that actually in Heroku, 41 00:01:43,790 --> 00:01:45,370 ‫this doesn't work. 42 00:01:45,370 --> 00:01:47,107 ‫And that's because Heroku proxy's, 43 00:01:47,107 --> 00:01:52,107 ‫so basically redirect or modifies all incoming requests 44 00:01:52,290 --> 00:01:56,170 ‫into our application before they actually reach the app. 45 00:01:56,170 --> 00:01:57,003 ‫All right. 46 00:01:57,003 --> 00:02:00,682 ‫So, in order to make this also work on Heroku 47 00:02:00,682 --> 00:02:04,200 ‫we need to also test if the x forward proto 48 00:02:04,200 --> 00:02:06,952 ‫header is set to https. 49 00:02:06,952 --> 00:02:07,785 ‫All right. 50 00:02:07,785 --> 00:02:09,204 ‫So, that sounds a bit confusing, 51 00:02:09,204 --> 00:02:13,170 ‫but again, this is something Heroku does internally. 52 00:02:13,170 --> 00:02:16,549 ‫So, let's test here if req.secure is true, 53 00:02:16,549 --> 00:02:21,549 ‫or if req.headers. 54 00:02:22,134 --> 00:02:27,134 ‫And the header that we're looking for is x forwarded proto. 55 00:02:29,820 --> 00:02:33,830 ‫And this header is set to https 56 00:02:33,830 --> 00:02:36,210 ‫if we are on a secure connection. 57 00:02:36,210 --> 00:02:37,050 ‫All right? 58 00:02:37,050 --> 00:02:40,190 ‫So, this is something very Heroku specific. 59 00:02:40,190 --> 00:02:43,870 ‫And that's why I left this here for the last section, 60 00:02:43,870 --> 00:02:46,113 ‫after we already deployed the application. 61 00:02:46,950 --> 00:02:50,700 ‫So, if either req.secure is true, 62 00:02:50,700 --> 00:02:55,150 ‫or if this header here is set to https, 63 00:02:55,150 --> 00:02:58,660 ‫then we want the secure options here set to true. 64 00:02:58,660 --> 00:03:01,213 ‫And, so, we can actually refactor this. 65 00:03:02,680 --> 00:03:04,500 ‫So, basically we can take this, 66 00:03:04,500 --> 00:03:06,180 ‫because this will be true. 67 00:03:06,180 --> 00:03:08,186 ‫And, so, I say if this is true, 68 00:03:08,186 --> 00:03:10,860 ‫then let's say equal true here. 69 00:03:10,860 --> 00:03:12,041 ‫So, that doesn't make sense. 70 00:03:12,041 --> 00:03:15,023 ‫We can instead simply do it like this. 71 00:03:16,590 --> 00:03:18,110 ‫All right? 72 00:03:18,110 --> 00:03:20,820 ‫And, actually, we can take it even further. 73 00:03:20,820 --> 00:03:23,883 ‫And put the secure option right here. 74 00:03:25,350 --> 00:03:28,313 ‫So, why have it outside if we can just put it here? 75 00:03:29,150 --> 00:03:33,823 ‫So, secure equals this, okay? 76 00:03:35,550 --> 00:03:37,723 ‫And then we no longer need this. 77 00:03:38,910 --> 00:03:41,370 ‫And, since we're refactoring, 78 00:03:41,370 --> 00:03:46,173 ‫we actually no longer need this variable here at all. 79 00:03:48,130 --> 00:03:50,946 ‫So, let's just put it here, give it a safe, 80 00:03:50,946 --> 00:03:53,520 ‫and there's something wrong there. 81 00:03:53,520 --> 00:03:55,950 ‫Okay, and so, now the problem is that 82 00:03:55,950 --> 00:03:59,190 ‫do not have access currently to the request 83 00:03:59,190 --> 00:04:00,680 ‫in this function. 84 00:04:00,680 --> 00:04:03,103 ‫Okay, so, we need to add it here. 85 00:04:04,050 --> 00:04:09,050 ‫Request and then wherever we have create sent token, 86 00:04:09,120 --> 00:04:11,693 ‫we of course need to pass in the request in there. 87 00:04:13,020 --> 00:04:14,063 ‫So, that's here. 88 00:04:17,000 --> 00:04:19,763 ‫So, use command D to find the next one basically. 89 00:04:21,150 --> 00:04:22,353 ‫Request here. 90 00:04:27,740 --> 00:04:31,193 ‫And then finally here as well. 91 00:04:33,010 --> 00:04:36,352 ‫Okay, so, that looks much nicer 92 00:04:36,352 --> 00:04:40,940 ‫and it should also work a lot nicer than before. 93 00:04:40,940 --> 00:04:44,480 ‫However, right now, this is still not going to be working, 94 00:04:44,480 --> 00:04:47,460 ‫because there's just one more thing that we need to do, 95 00:04:47,460 --> 00:04:51,350 ‫which is basically to make our application trust proxy's. 96 00:04:51,350 --> 00:04:54,180 ‫So, again, request dot secure doesn't work 97 00:04:54,180 --> 00:04:57,550 ‫in the first place because Heroku acts as a proxy, 98 00:04:57,550 --> 00:05:01,500 ‫which kind of redirects and modifies incoming requests. 99 00:05:01,500 --> 00:05:04,819 ‫And, so, we need to go to app dot JS 100 00:05:04,819 --> 00:05:08,010 ‫and then right after this one here, 101 00:05:08,010 --> 00:05:10,640 ‫let's now trust proxy's. 102 00:05:10,640 --> 00:05:15,033 ‫And we do that by saying app dot enable trust proxy. 103 00:05:20,680 --> 00:05:21,513 ‫Okay? 104 00:05:21,513 --> 00:05:24,498 ‫So, this is something that is built into express 105 00:05:24,498 --> 00:05:26,980 ‫for this kind of situations. 106 00:05:26,980 --> 00:05:27,813 ‫All right? 107 00:05:27,813 --> 00:05:31,400 ‫And so, only if we have this setting here correctly set up, 108 00:05:31,400 --> 00:05:35,210 ‫then this header here will be correctly set, 109 00:05:35,210 --> 00:05:38,483 ‫and we will be able to read its value. 110 00:05:39,450 --> 00:05:40,410 ‫All right? 111 00:05:40,410 --> 00:05:44,470 ‫So, this is how you test if a connection is secure or not, 112 00:05:44,470 --> 00:05:47,363 ‫when you have your application deployed to Heroku.