Managing User Roles - NodeJS Authorization

Captions
Hey guys, how's it going? I'm back here with another video, and today I decided to bring this video, which is actually pretty simple and pretty quick, in which I'll teach you guys how to create a kind of user role system when you're building an API in Express. So basically a lot of people run into these problems where they have an API and they don't want all users to have access to every single endpoint, right? And that makes sense. So the name for this is authorization: you want to make sure that the user trying to reach an endpoint or trying to make an API call is authorized. However, there are many very secure ways of handling authorization, mainly with tokens and all that kind of stuff. Today I'm going to just present a very simple example, which would be by using middlewares in each API endpoint which requires some sort of permission or role, and that middleware will basically check to see if whoever is making this API call satisfies that condition, and based on that they will authorize the person to make the request, right?

And before we actually get into the video, just because I always forget this: if you guys can leave a like down below I would really appreciate it, because it 100% helps the algorithm. I know all YouTubers say this, but I never felt it this way until I actually started posting videos. It will definitely help the channel grow and help me continue posting these videos, so I would really appreciate it if you guys could like the video right now and subscribe if you're not subscribed.

So you can see right here I have a very simple Express API, a very simple example. I just basically created an Express API, told it to parse every JSON that we receive through the body, and then we also tell it to listen on port 3001, and we created three basic API endpoints over here. You can see we have a very simple app.get which returns a JSON saying "home page", and you can see that I opened up Insomnia here. By the way, if you want to download Insomnia, it is basically a software which allows you to test your API endpoints. So let's test this: if I run this API endpoint, which is the route that we defined here, home, you can see that it works; it returns a JSON saying "home page", and the other ones work too. I created two more endpoints. With one of them you can access a specific course and see all the grades of all the students in the course, so you can see that right here. This is just fake data, but it returns a JSON with like four people and their specific grades for that course, right? So you can see there's Pedro, who obviously got a hundred, and there's the other people as well, and this will be very important for our example, and you guys will see later why. And then finally we have here our final endpoint, which just basically returns information about a course. Right now we're just returning a message saying "you have permission to see the course", and you can grab the course number through these parameters over here, and you can see that we can access whatever we put in these parameters by saying req.params.number, which is what we defined over here. And this is basically it for defining our routes. You can see that right now, if I run either course/grades or course and a course number, it will correctly show whatever we put inside of the routes. You'll see it returns the data, and if I say course/220, it should return "you have permission to see course 220".

This will be the example we'll be handling, because think about this: if this was actually a website or an API which handles school courses, right, university courses, then obviously not everyone should be able to make an API call to the course grades, right? Because that shouldn't be possible. We want to define certain permissions and user roles so that whoever is making this API call is authorized to make this API call and further see the grades of the students. The same thing goes with the course number: if I'm taking course 220 and course 420, I shouldn't have access to a course which has the number 352. That makes sense, right? So these are the two middlewares we're going to be creating to basically authorize the users who are trying to make these API calls.

So in order to make those middlewares we're going to create an external file over here which will be called middlewares, and by the way, if you're not that familiar with middlewares in Node.js and Express, I have a video specifically on this; however, I will also go over them very simply in this video as well. So what we're going to do here is we're going to create two functions which should run before each request, and basically to do that we're going to create over here const, and one of them will be called authPage. This will be the function which authorizes whether you are able to see the student grades, and then we're going to create another function, or another middleware, called authCourse, basically just checking if you have access to a specific course. And at the bottom we want to be able to export both of these middlewares so we can access them in every single file that we have, so we're going to say module.exports and we're going to pass here authPage and authCourse. So that's basically it. And a middleware is basically just a function where you can take arguments like req, res and next, which basically allows you to have access to information about the request, and you call this next function whenever you want to say that this user, or whoever is making this API call, should move forward with the request. So imagine we are here and we try to reach the course grades endpoint. We're going to check to see if I have access to this; if I have, I'll call this function called next, and this means it will completely ignore the rest and move forward with the request and just run whatever is here. However, if I don't call this next, if I call something like res.json("you are not permitted"), something like this, right, then it won't move forward with the request and basically won't authorize the user to make this API call. And this is important, because this is how we're going to basically authorize our users.

So let's think about this. Each user right here, obviously this is just an example so I'll simplify this as much as possible, each user should probably have a name. Imagine I'll just write this right here, so you can see we have a name like pedro, and they should probably have a field called courses which represents all the courses they're taking, and those are numbers like 220, 213, I'm just making up numbers, 185 or 87, and I don't know, 287, something like that, right? So a list of courses they're taking, and also their role. So Pedro, let's say Pedro is a student, so we're going to say student, right? And this is a very simplified example of what I mean. This is what we're going to be passing in our body, but you can obviously store this in a database and authorize it based on that, but we're going to be passing it in our body so that we know the role for the student and the courses that they're taking.

So now that we have this, let's just delete this, and since we are authorizing the user in our authPage right here based on our role, you have to basically determine who are the people who are able to access this endpoint. So what happens is we can come over here at the top and let's first import the middlewares that we just created, so require. We obviously haven't written the middlewares yet, but we'll do that later; I just want to show you guys what I mean. Let's call authPage and authCourse over here, and with, for example, authPage, what happens is right over here between the route and the function we're going to call this middleware by saying authPage, and we're going to pass an argument to it. So we can actually pass an argument to this function, and this argument will be an array containing all the roles that are able to access this endpoint. So for example, to be able to see the grades, let's say that the only people are those who have a role of teacher or, I don't know, admin, something like that, right? We won't allow students to access this endpoint. So you can see that our authPage middleware over here takes an argument, which is a bit different from what middlewares usually do; they usually don't take an argument whenever you call them. So to make this work, what we can do is inside of this authPage we can say permissions. This will basically represent the array we passed inside of this, so all the roles that are permitted to access this endpoint, and inside of here we can return a function which takes req, res and next. So basically it's just a simple middleware, but since we're taking here an argument to this function, we have to do it in this format right here and actually access req, res and next inside of it. So now that we have access to req, res and next, what we want to do is first of all get the role, so let's say userRole is equal to req.body.role. Remember we said that our users should be defined like this; they should have a property called role which defines their role, so we're just going to grab that from the body, and this will be passed through the body, right?

And now what we can do is we can ask: okay, if permissions, which is an array, includes, which is a function in JavaScript which basically checks to see if whatever we put inside of here exists in this array, so we're going to say if the permissions in this endpoint include the user role who is trying to make the request, then we can just call next. So we're saying move forward with the request, this person is authorized. But if it doesn't include, if we try to enter as a student and the permission is only for teachers, then we can just return a res.status, and let's pass a status like 401, which means unauthorized, .json, and let's pass it a JSON saying like "you don't have permission", something like this. And basically what this will do is it will obviously get the permissions that we passed over here for each endpoint, so for this one we said that only teachers and admins can make this request. It will get the permissions, then it's going to return a function, and we get the request information through this function, and with that we can access the user role. Then we can ask: okay, if permissions include the user role of the user who's making the request, then move forward; else let's just say that the user isn't permitted and not move forward with the request.

So for now let's actually try this. I'm going to copy this fake user that I created over here, and I'm going to pass that in the request. Let me see if everything is working. You can see we are running on port 3001 and we put the middleware in this endpoint, so let's make this request. If we try to run the course grades request right now, it should give an error, and the reason why it gives us "you don't have permission" is because we actually haven't passed a user over here. But if we want to have permission to this we can pass a user, and why is it not... oh, because this is JSON, so we have to pass it like this. So we're going to pass a JSON inside of here containing all the information for the user, and the role as student, so it should still say "you don't have permission". As you can see right here it gives us a 401 Unauthorized and it says "you don't have permission", but if I change this to teacher now it should return the information, and if I change this to admin it should return the information, because those are the two authorized roles that we passed in our middleware, as you can see right here. So this is very basic, and this is actually similar to what you would usually do when you're trying to manage user roles in an API, right?

However, let's now work on how we can authorize users based on courses, because currently we haven't created that middleware. So I can do this and it will say "you have permission to access course 220", but if I put something that doesn't even make sense over here, it will just say this, right? It doesn't even check to see if what we put here is a letter or a number, so that's something that we have to do, right? So how do we do that? Let's come here to middlewares and let's look at the authCourse middleware. Since we're not grabbing any arguments from our middleware over here, we can just say something like authCourse and not even pass any arguments inside of here. We're just going to say authCourse, and because of that we can just grab req, res and next directly from here, and instead of this function what we can do is we need to first of all get the course number. So we need to get the number that we are currently passing over here at the top, so if I try to access course 345 we should get that number by saying something like req.params.number, and why is it .number? Because that's how I called it over here in our route. So this is how we access the course number. However, there's something important: we obviously want to make this into a number, because that's how we defined it over here. We said that courses are numbers and not strings, so we just need to convert this to an integer. We can say something like parseInt, or just use the Number function as well, but I'll use parseInt, and this will be converted into an integer so that we know which course number we are actually trying to access. And then we can do something very similar to what we did before. We can ask: okay, if req.body.courses.includes the course number, because remember each user has a list of courses, so we're just accessing that list and saying if that list includes the course number then we want to say next and move forward with the request; else we want to do something exactly the same as we did before, so just return this message, but I'll just change it a bit, like "you don't have access to this course", something like that, like this. And now that this is basically done, we can just try to access this over here. Now we should try to see if this is working. Let's try to come over here. You can see that we're passing a list of courses that includes 220, 213, 187 and 287, so let's try to access course 345. It should say "you don't have access to this course". But now let's try to access course 220, something like that, 220. It should say "you have permission to see the course 220".

So that's basically it. As I mentioned before, there are more advanced ways of doing this; however, this is the basic implementation. If you're trying to build a large-scale application, this is kind of like the approach; however, you would have to handle it with more security, if you know what I mean. Basically I would definitely use tokens, I would definitely not pass them directly like this. However, this is great for beginner projects, this is great for understanding how to manage user roles in an API. So that's basically it. I really hope you guys enjoyed this video. If you enjoyed it, leave a like down below and comment what you want to see next. Subscribe, because I'm posting three times a week during university, and it's been a lot of work, and I would really appreciate it if you guys could leave a like so we can grow the channel so that I can continue posting to you guys. So that's basically it. Hope you guys enjoyed it, and I see you guys next time.
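The two middlewares the video builds (a role-gated `authPage(permissions)` factory and an enrollment-gated `authCourse`), as an added example that is not the video's own code. It assumes an upstream authentication step has already placed the verified identity on `req.user` instead of trusting `req.body` as the video does for demonstration, rejects course numbers that are not plain integers (so `parseInt("220abc")` cannot silently become 220), and uses a small hypothetical `runMiddleware` stand-in so it runs without Express installed.

```javascript
// Added example (not the video's code). Assumes authentication middleware has set
// req.user = { name, role, courses } from a verified session or token; the video
// reads these fields from req.body, which any client can set to whatever it likes.

// authPage(permissions): middleware factory, as in the video. The request proceeds
// only if the caller's role is in the permitted list. 403 is used rather than the
// video's 401: the caller is known, just not allowed here.
function authPage(permissions) {
  return (req, res, next) => {
    const role = req.user && req.user.role;
    if (typeof role === 'string' && permissions.includes(role)) {
      return next();
    }
    return res.status(403).json({ error: 'You do not have permission' });
  };
}

// authCourse: the :number parameter must be a plain integer, and the caller must be
// enrolled in that course.
function authCourse(req, res, next) {
  const raw = String(req.params.number);
  if (!/^\d+$/.test(raw)) {
    return res.status(400).json({ error: 'Course number must be an integer' });
  }
  const number = parseInt(raw, 10);
  const courses = (req.user && req.user.courses) || [];
  if (courses.includes(number)) {
    return next();
  }
  return res.status(403).json({ error: 'You do not have access to this course' });
}

// Hypothetical stand-in for Express: runs one middleware against a request object
// and records whether it called next() and what status/body it sent.
function runMiddleware(mw, req) {
  const out = { status: 200, body: null, passed: false };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  mw(req, res, () => { out.passed = true; });
  return out;
}

// Constructed sample user, modelled on the one in the video.
const pedro = { name: 'pedro', role: 'student', courses: [220, 213, 187, 287] };
```

In a real app the factory is wired exactly as in the video, e.g. `app.get('/course/grades', authPage(['teacher', 'admin']), handler)` and `app.get('/course/:number', authCourse, handler)`.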
Info
Channel: PedroTech
Id: bgk1mI2pak4
Length: 16min 33sec (993 seconds)
Published: Fri Mar 05 2021