
JWT Route Protection | Creating a REST API with Node.js 

Academind
142K views

Users can sign up and sign in - let's now use that to ensure that certain routes are only accessible by authenticated users. Time for more JWT action in our Node.js REST API.
----------
Learn Node.js in our comprehensive 30h+ course: acad.link/nodejs
Source Code: github.com/aca...
----------
• You can follow Max on Twitter (@maxedapps).
• You can also find us on Facebook (/academindchannel).
• Or visit our Website (www.academind.com) and subscribe to our newsletter!
See you in the videos!

Published: 22 Sep 2024

Comments: 252
@TheSergauntBY, 5 years ago
Many tutorials and articles were dug through, but this series eventually made basic Node authentication clear for me. Never stop teaching.
@academind, 5 years ago
Thank you very much for this amazing feedback! I'll try my best to keep it going :)
@Battery64121, 4 years ago
Max really is a cut above the rest. Thanks as always for being an amazing teacher.
@RobertWildling, 5 years ago
"The Birth of an API. A Node.js Adventure." - Wow! Awesome just following along and watching, how something gets created, how code grows, how structure is established. Highly recommended series, I would say. Even in 2019!
@academind, 5 years ago
Thank you very much for this great feedback Robert!
@smithkt894, 4 years ago
This dude remains my favorite tutor. Thanks Max.
@maximos118, 5 years ago
Max, thank you so much for this series. I've learnt SO much.
@jamesdoyle7888, 2 years ago
Still watching in 2022, this is an awesome walkthrough!
@nicot2895, 6 years ago
Personally, so happy to have found your channel, and so thankful that you're willing to go that extra mile of explaining the diff routes (pardon the pun) and their caveats. I take a long while to watch each of your videos, thinking everything through and learning tons. Once again, THANK YOU!
@academind, 6 years ago
And I'm so happy to have you on board the channel Nico! Thank you so much for your absolutely amazing feedback, it really means a lot to me to get such support, thank YOU :)
@ronald6561, 3 years ago
Using this series in 2021, so glad I got here because I definitely got a feeling for what MIDDLEWARE is! Awesome!
@victorjozwicki8179, 5 years ago
You made me understand middleware while others couldn't. Thanks.
@scigama71, 6 years ago
Hey brother, this could have been a full course in itself and is easily the best, cleanest explanation on this subject. Thank you so much.
@academind, 6 years ago
Wow, getting such feedback for a YouTube series is simply awesome, thanks a lot James!
@Andrey-il8rh, 6 years ago
Nice! Thanks for another great part, Max. One suggestion for improvement: Postman actually has a separate tab called Authorization where you can specify the type of authorization you would like to have on the request. Once you specify an option, Postman will generate the needed headers automatically. Just a bit cleaner way to specify auth, imho.
@academind, 6 years ago
That's true - I'm so used to setting headers manually, I never even had a closer look at that option :D
@Andrey-il8rh, 6 years ago
Academind :)
@devanshnigam5172, 2 years ago
If you use that Authorization tab, how do we read the token in our code then?
@yashdave8971, 5 years ago
Bro, your videos are just awesome... because of you I am able to build APIs properly... may you live a long and happy life throughout... thanks a lot for your contribution to the beginners... :)
@arunodasamarasinghe9464, 6 years ago
I wanted to develop a web API for my project within a day. I started from your first video and watched them all within about 6 hours. Then I developed my web API. Thank you very much sir for the tutorial.
@simonbedard5065, 3 years ago
One simple thing: you need to validate req.headers.authorization. Otherwise it will return ...split(" ") is undefined. Great tutorial, loved it. Keep up the good work.
@joelkafesu6757, 3 years ago
How do I do that? Mine is doing the same.
@UBERDHOKER, 5 years ago
Just a warning for everyone, this only checks if any user is logged in, it does not check which one. In case you want some users to only have access to their own orders you will need to check if they are the correct user
@nicklasost5842, 5 years ago
no shit :P
@R6502A, 5 years ago
@Adeshpal Singh You have the user ID in the verified and decoded token. Therefore use that to restrict which data elements can be affected.
@Harsh-rm1tp, 4 years ago
Damn :D I was thinking the same thing during the entire video and was confused as hell, like "what if there are many users?"... thanks man
@timothysturm8837, 11 months ago
welcome back to this serious
@codinginflow, 3 years ago
Why send "Bearer" at all if we remove it server-side?
@y_y6153, 3 years ago
I have another question (related) - isn't the "Bearer" part handled by JWT package if it's the way to go? Splitting it manually doesn't look good.
@harshiii, 6 years ago
Academind is my favorite coding YouTube channel! Keep up the great work!
@academind, 6 years ago
Thanks so much Harshil, that's really awesome to hear! :)
@timharris72, 6 years ago
Thanks for posting this. You make learning authentication a lot easier.
@academind, 6 years ago
It's really great to read that the video was helpful Tim, thanks so much for sharing this!
@solmazk7418, 6 years ago
Please make a video about implementing refresh token with nodejs app. Thank you
@QuiqueFlowers, 4 years ago
A new token will be created if you call the login route again.
@SachinSharma-kk6kn, 6 years ago
Why is your channel not verified? You have such awesome videos.
@academind, 6 years ago
We requested it already, thank you for the hint and for your great feedback Sachin :)
@trajcemonkey, 6 years ago
Happy New Year Max. I've been following you for a while. Keep up the good work. Just some ideas - about authentication, you can also expand it with oAuth(fb/google etc - with passportjs or whatever). Then some sample tests, maybe even some typechecking etc with typescript.
@academind, 6 years ago
Thanks for the suggestions! I can't promise anything, I might look into these things in future series though
@lucasmallmann2411, 6 years ago
Woooow this series was amazing!! Thanks from Brazil. You are the best Academind !!!!
@academind, 6 years ago
So cool to read that Lucas, thanks so much! YOU are the best, greetings from Germany :)
@jojojawjaw, 5 years ago
Thank you so much, you're honestly a life-saver.
@LaughPlanet, 4 years ago
Can we use Flash messages with JWT token?
@israelruas948, 7 months ago
This course is f0ck1ng beautiful, I have learned a lot
@camilosilva1010, 5 years ago
One of the best explanations that I have ever seen.
@academind, 5 years ago
Just fantastic to read that Camilo, thank you very much for sharing this!
@eshaalraani1903, 2 years ago
I was having an error "cannot read properties of undefined (reading 'path')". It was because I was passing an image with mimetype .png and in my code I was allowing only images with mimetype jpeg. When I selected a file with the correct mimetype this error was resolved. Hope this helps, excuse my English.
@yooscripts5947, 6 years ago
Thank you so much, best videos ever
@academind, 6 years ago
Very cool to read that Imad, thank you very much for your comment :)
@VishalPatel-uz6gc, 4 years ago
Bro, all your videos are mind-blowing... superb... awesome... fabulous
@luiscardenas4467, 4 years ago
Your videos are the best, thank you
@scoop6322, 4 years ago
I got an error saying "cannot read property 'path' of undefined". It shows the product being made in the console but doesn't save it to the database.
@Ruben-nc6es, 4 years ago
I am getting that error as well, did you find out the answer?
@AnshulKumarak, 6 years ago
Awesome resource... very helpful for MEAN stack development also... may God bless you. I always assume you are my mentor.
@academind, 6 years ago
Wow, thank you so much for your absolutely amazing feedback Anshul. What more can I say but THANK YOU, it really means a lot to me to read that :)
@mingmingtv8403, 2 years ago
I know this is kinda late but anyways, thank you soo much for the learner-friendly approach! I've learned a lot from this course! :))
@bibekshrestha3614, 5 years ago
These videos are really helpful. Will you please make a front end as a continuation of this series in Angular or React?
5 years ago
Thank you so much for everything !!! Best teacher I've ever had !
@academind, 5 years ago
Thank YOU for your awesome feedback, so happy to read that you like what I'm doing here :)
@AbhishekKumar-mq1tt, 6 years ago
Thank u for this awesome video and happy new year Max, and also do a front end with this API
@academind, 6 years ago
Thanks for the very nice feedback and the suggestion! I might add a frontend, we'll see :)
@bravogolfalfa, 4 years ago
Wonderful series of videos, really helped a lot! Thanks so much @academind
@listonsssurfer, 6 years ago
This is awesome, thank you Max for all your informative videos, have learnt a lot.
@academind, 6 years ago
Thanks so much for sharing this Liston. It really means a lot to me to read that the videos are helpful :)
@TheFallinforyou, 6 years ago
In terms of a real world application, would this be a safe method to use? Or do you recommend implementing passport with the JWT tokens for protected routes? Love your videos, you explain concepts really well! :)
@rahmanrio7194, 3 years ago
It shows an error at the server, "Cannot read property 'split' of undefined" in check-auth.js. Then how can I access the token?
@sebastiancristicastillo479, 6 years ago
Great tutorial! I now understand a lot more of Node.js and feel more confident. But I have a question. When we are protecting a whole route (orders in this case), isn't it better to put the authentication in app.js, in the "app.use('/orders', CheckAuth, ordersRoutes);"? Because I used it like this and it works like a charm.
@SchwadoGaming, 6 years ago
I also implemented my solution like that. It is very good in terms of avoiding redundancy. Nevertheless, sometimes you want to protect a route in which the login method is also located. So you may have to protect each specific subroute individually, because otherwise you will not be able to access the login method anymore.
@miamiviceclips, 6 years ago
Great, could you talk about how to store authentication information from social networks (in the database)?
@utsavsharma2979, 3 years ago
Is there any way to put checkAuth on top of the product.js file so that we need to add the method just once for all routes of /products/?
@kl8786, 5 years ago
Your videos are awesome. Thank you Max
@academind, 5 years ago
YOU are awesome, thanks so much for your comment!
@mdjahidulislam9205, 3 years ago
How to protect the API from CSRF & XSS attacks? If you store the token in local storage then it's XSS vulnerable, but if you store it in a cookie then it's CSRF vulnerable.
@Onyecode, 1 year ago
How do we verify if the product exists before uploading the image?
@SachinSharma-kk6kn, 6 years ago
you have to use Product.findByIdAndRemove({ _id: id }) instead of Product.remove({ _id: id }) .
@panosp5711, 3 years ago
Hello Max and thank you for your great work. In the related videos you show us how to work with JSON web tokens. My question is how can we save this token and use it after we make a successful login to access the resources of our site. Thanks in advance.
@dawnious, 6 years ago
Hi Max! Generally speaking, how can I prevent users from changing other users' data? I mean this token gives access to all data sources, not just to the data that belongs to the user who owns the token.
@sukritkapil9816, 4 years ago
Wonderful Series! Thanks a lot.
@doraemonkumar5607, 2 years ago
How can we use "req.userData = decoded;" from another file to get the decoded data?
@reikoleci4689, 4 years ago
this is the way to protect a route
@lindermannla, 6 years ago
Thanks Max! Very helpful for my project!
@academind, 6 years ago
So happy to read that the video is helpful Leonardo! Wish you all the best for your project :)
@protimpal4858, 4 years ago
Thank you sir! You are a life saver!
@gearedcorp, 6 years ago
My only question is regarding the "Bearer" key in the authorization. We do not perform any validation to make sure that it is of Bearer type or whatever. Does this matter? We could pass anything we want since we are not validating it. Is there any negative consequence to not validating this Bearer key / auth type?
@phamuyen9827, 2 years ago
Can someone share the link to the docs that Maximilian talks about at the beginning of the video?
@federicomoya4918, 5 years ago
Thanks man!! Really helped me with an academic project!!!
@academind, 5 years ago
So cool to read that Federico, thanks a lot for sharing this!
@mesdourmohamednassim5934, 6 years ago
How and where do I save the token on the client side in a real project? I'm really confused.
@davidmabbley9924, 3 years ago
Hi, help please lol, I'm currently pulling my hair out. Every example I see of this uses Postman and manually sets the Authorization header to one token string. How do we set the header when someone logs in, without having to set this manually (with no Postman)? So someone logs in and the server knows they are authenticated by their token. Thanks.
@jfojw21dfs9, 5 years ago
Where do you store the token though? In a cookie or as a query string? I don't know for sure but I'd imagine if you go from page to page you might lose that token in the header if you don't store it. I might be wrong...
@jumbo999614, 3 years ago
12:31 My code doesn't work with Authorization header. I don't know why. It works only with body.req.token and checkAuth must be placed last.
@murtujakavantwala5135, 4 years ago
I almost completed this course, but the one thing I hate is that I am still getting one problem: "cannot read property 'path' of undefined". Can anyone help me with it?
@masterman4953, 4 years ago
Same problem here, Did you find the solution yet?
@masterman4953, 4 years ago
Well, Found a solution I guess. Just add an image with the ProductImage parameter, with the name and the price and it works
@eshaalraani1903, 2 years ago
@masterman4953 It does not work.
@alexstar1408, 3 months ago
For me the issue was that I had two next() calls in the check-auth.js when there should only be one after the catch block
@aurelianspodarec2629, 5 years ago
What is the last video?
@TheAnandshukla, 6 years ago
Happy New Year. Thanks for the new video :)
@academind, 6 years ago
Thank you, I also wish you a happy new year Anand :)
@kennyendowed9814, 2 years ago
Pls, I have a challenge: after setting up JWT and the auth route I am trying to get user details without having to get them from the front end or having to decode the token all the time on every request. I'm trying to get user details from req.userData in any controller.
@vincentmusangu807, 5 years ago
How do I show the data fetched from that in React? It's not showing the images but the rest of the data is showing.
@edisonordonezgiraldo, 6 years ago
Thanks for the video, I really needed it!!
@academind, 6 years ago
So great to read that Edison, thank you for sharing this!
@AfeezBabatunde, 5 years ago
Please, I am getting this error: "error": { "name": "JsonWebTokenError", "message": "jwt must be provided" }
@dawnious, 6 years ago
Hi Max! First of all, thank you very much for this great tutorial series, but I have a problem. On Windows 8.1 Pro, when uploading a file, the Node.js server throws an error saying "No file or directory" even if I created the "uploads" directory.
@vinibp, 6 years ago
Max, I would like to know what your opinion is on WebAssembly. How can it be used in web apps, and can it really be worth it for a web developer to learn? Thanks. Greetings from your best Brazilian fan, Vinicius
@osamahafez1232, 5 years ago
But the user who gets the token will have full access to other users' products and orders, so how to let the user access only his products and orders??
@dharmenderbishnoi, 4 years ago
thank you so much
@NemeZEmpire, 6 years ago
Awesome, I got some of your courses on Udemy. You have been a great inspiration.
@academind, 6 years ago
Thank you very much for your support Ulises, so happy to have you on board with the courses and to read that you like my explanations :)
@shameekagarwal4872, 3 years ago
What is the way to ensure that the token is sent on subsequent requests by the client? I use a cookie... maybe localStorage can be used... is there a better way?
@akhilkumar8430, 3 years ago
I guess you can't store cookies when accessing API using a mobile client.
@javascript_developer, 6 years ago
This security seems to be only for login and signup. What about other websites which don't have login features? Like some information portal which simply displays the information from an API. Is it necessary to add authentication for GET requests? Please suggest. Will there be security issues?
@Hadoitz, 6 years ago
Thank you very much for your great explanation.
@academind, 6 years ago
Very happy to read that you like it Hadyan, thank you for your comment!
@tugrulbayrak4469, 5 years ago
Nice tutorial, thanks!
@codebytom, 5 years ago
Great videos & explanation!
@academind, 5 years ago
Thank you Tom!
@jamalyarali9485, 6 years ago
Very nice, thank you for your great videos, but many people believe that JWT is not really safe, because if we send data over an insecure connection using HTTP, somebody can easily get the token and decode it and use other users' info. Is there any way to make JWT safe (encrypt it)?
@knightonhd1144, 5 years ago
You crushed it Max, du hast es getötet!
@ameenreda9509, 3 years ago
Thank you very much you are awesome
@jes6239, 4 years ago
Thanks a lot, you've been helping me a lot with your videos. Do you have a video about role authentication? I believe that would help a lot as well.
@nicolaszumpano7647, 6 years ago
Hi Max, thanks a lot for this great tutorial. It was very helpful for me. Maybe you can help me with one last question (I've been searching on the internet but I feel like I only trust your advice after this tutorial haha): in your opinion, what are the best Node.js libraries for authentication/authorization? I heard about passport and oauth2orize but I don't know if those are the best.
@academind, 6 years ago
Happy to hear you liked it! I only worked with Passport and found it to be quite good :)
@nicolaszumpano7647, 6 years ago
Academind Great! Thank you again!
@Yoruking189, 4 years ago
Can someone explain what the point is of having "req.userData = decoded" at 6:53?
@kevin4194, 4 years ago
The token contains encoded payload data. In the previous video you can see he put the email and userId in the payload data. So when he verifies the token, the decoded payload data will return. In his case it is the email and userId, which is user data. To be able to easily access this user data in the endpoints that use authentication he puts it in the req variable.
@rizas3006, 6 years ago
Hi Max, thanks for the course, I have a question: that means if we use this API, for instance with axios, in the header value we have to type the "bearer" also? Or just input the token? Thanks!
@academind, 6 years ago
You should add the bearer, too
@jivanmainali1742, 4 years ago
How to save jwt token to browser.
@nikhilsharma5233, 4 years ago
Sent a POST request and set the authorization, and there was a response that auth failed. Please help.
@vaibhav1180, 5 years ago
I think you should use Authorization header for this token thing
@ismoilshifoev4801, 6 years ago
You are the best master that I have ever heard. Your tutorials helped me become a web developer. Thank you!!! Can you provide any new video with Laravel?
@academind, 6 years ago
I'll certainly dive into Laravel again in the future, yes :)
@ismoilshifoev4801, 6 years ago
Thank you very much Max)) You inspired me to code!!!
@pleasesuggest5610, 3 years ago
I am getting this error, can anyone help?????? { "error": { "message": "Cannot read property 'path' of undefined" } }
@I_hu85ghjo, 3 years ago
Use this website to post the code: hasteb.in, then post the link with the code under your YouTube comment. Tag me, so I get notified.
@I_hu85ghjo, 3 years ago
@RANDOM.mp4
@pleasesuggest5610, 3 years ago
@I_hu85ghjo hasteb.in/epufojep.js
@theleonsaurio, 3 years ago
I've got the same problem
@alexstar1408, 3 months ago
For me the issue was that I had two next() calls in the check-auth.js when there should only be one after the catch block
@aomo5293, 6 years ago
Waiting for this tutorial, thank you a lot; this is a good tutorial, YOU are always the best of the best. Thanks from Morocco.
@academind, 6 years ago
YOU are the best, thank you very much for your amazing feedback, so happy to read that :)
@mylastore, 6 years ago
Does anyone know how to send the jwt token on the headers from the client?
@SachinSharma-kk6kn, 6 years ago
In the full video series you have used const instead of var, can you please specify why??
@academind, 6 years ago
Node.js supports next-gen JS - that's why I use it. let and const are part of that
@noonhe, 6 years ago
Hi, thanks for this wonderful course. I have a question: how can I add Authorization: Bearer token from my code to the request?
@RobertWildling, 5 years ago
I googled for "ajax" and "send token" (and "Vue") and found some good instructions.
@sarasherif7834, 6 years ago
That's awesome Max ☺ Please, I need a tutorial for loopback.js besides the documentation, any recommendations?
@academind, 6 years ago
Thanks for the very nice feedback and the suggestion! It's on the "idea list", can't promise if/ when I'll get around doing it though
@QuiqueFlowers, 4 years ago
Thank you for sharing this info
@mrpatel2327, 5 years ago
Hello sir, where can I find JWT_KEY? Please reply.
@cesarsc971, 6 years ago
Great tutorial as always, Max. A question: do you know some tutorial for setting the authorization header without using Postman? I know how to send it in JavaScript, but I don't know the way to change the route while sending the header. Thanks
@academind, 6 years ago
What exactly do you mean with "change the route"? Normally you would of course connect via JS
@cesarsc971, 6 years ago
Thanks for the answer, Max.

    // server side: route that compares a custom header against a fixed value
    app.post('/verifyheader', (req, res) => {
      console.log(req.headers);
      if (req.headers['my-token'] === "abcdefghijklmnopqrstuvwxyz") {
        res.send("Token verified");
      } else {
        res.send("error");
      }
    });

At console.log(req.headers) the token arrives, but then it doesn't execute res.send("Token Verified") to change the page.

    // client side: send the custom header with XMLHttpRequest
    var btn = document.getElementById('butx');
    btn.addEventListener('click', function (e) {
      e.preventDefault();
      var XHR = new XMLHttpRequest();
      XHR.open("post", "/verifyheader");
      XHR.setRequestHeader('my-token', 'abcdefghijklmnopqrstuvwxyz');
      XHR.send();
    });
@anuragtiwari6659, 6 years ago
Hey, please do something for GraphQL, as you said. I have an ongoing project which uses GraphQL. I am having a really hard time, and please include something like nested objects while taking an example. Please.
@academind, 6 years ago
Thanks for the suggestion Anurag! GraphQL is something I might cover but I can't tell when I'll be able to release some content on it