NestJS: JWT Authentication & Password hashing | Blog Project V-03

Captions
Hi, welcome to the third video of the blog project with NestJS and Angular. This time we will expand the last video a little bit more than before. One thing that we're doing is we expand the user model with the properties email and password, which we hash before saving it in the database, we will add JWT authentication for a login endpoint and add this to the code. Now the video structure: this will be like in the videos before. We first have a look at the video outcome, what we will do, with a look at the Postman requests, whether they are working and what will be created. Then we check the written user story for the outcome, and then we will implement the user story and close it, and right at the end we'll have a short look at video 4, where there will be something about roles and protecting endpoints with JWT and with role permission sets.

So let's have a quick look at the video outcome. We are expanding our user model or entity; here we have the email property and the password property. We added a new endpoint for login. We have a new auth module which provides us with hashing a password, generating a JWT and signing it with a payload. And we can have a quick look at our endpoints. We still have our get all users, and here you can see it's returning the email but not the password, because we don't want to return the password hash to the user. We can add a new user, and you see we also have the password here, but in the return it's not there. The single user is still there. We can update one user, and this just updates the name and username, not the email and password, because this is a bit more complicated, as explained later in the video. We have a new login method where we get an access token in return, and if you copy this access token and paste it into jwt.io, you see that this is a valid token: we have the payload with our user object, and we have the time when it was generated and when it's expiring, and you can paste your JWT secret and here it says whether it's verified. I already did it, so it says the JWT token is verified.

So let's start. This video is a bit different from the last one because I already wrote a story to save us all some time. In this video we are going to get our JWT, we will check the password, we will add a login endpoint, and then in the next video we will extend our endpoints with guards, with a custom hasRole annotation and with the JWT auth guard on some endpoints. So for this video I wrote here: as a user I want to be able to authenticate myself so I can perform requests against protected endpoints, which will be the next story. And the acceptance criteria are: we want to have a new endpoint POST login, and there we want to check our password and whether our user exists; we want to expand our user model obviously with email and password; we want to expand our create endpoint because now we have to have the password; we want to always store the email in lower case in our database and the password as a hashed value; and we can probably add that we want to add an auth module for this so we have everything handled in one module. Since we're doing this now, we move it to Doing and we can start.

We are now back in our project from the last videos. The first thing that we want to do, since we are using git flow, is to go to a new branch, and we can just do it with the command git flow feature start, and now we name the feature like video3, and this will create a new feature branch based on develop. You see it here, we are now on the feature branch; when we want to finish it we can just use this command later. So now we are here in our blog folder and we want to cd into our API, and then we're going to create our auth module here. For this we can use the Nest CLI; we can just say nest generate module auth, and what this does for us is we have an auth module on the same path level as our user module, and it will also be imported here in our app module. What we want to do now, because for the JWT we also need a secret, is add it to our .env file. You see we have our database URL, and here you have to insert your own database URL, and we need our JWT secret. I will explain later why we need this; for example, we can just start with a random string at the beginning, this will be enough for this video, you can make it a little bit more complicated later.

Next we want to add our JWT functionality, or our dependencies for this, so we have to install them, and for this we can just use the documentation of NestJS. Here it says we can import the @nestjs/jwt package, which is a JWT utilities module, so we can go into it and look at it and you can just install it; we want to save it in our dependencies. Now we can use it here in our module. Here we have the imports array, and here we want to use our JwtModule. You have to wait a little bit, the auto-import may be slow, so we can do it manually from @nestjs/jwt. We want to use registerAsync and we're going to pass in some options: we will have imports also, and there we need our ConfigModule from @nestjs/config. Next we want to inject our ConfigService, which is also from the @nestjs/config module, and then we can make a useFactory, which is async, and inject here our ConfigService. The ConfigService is basically just another way to get to our environment variables, so we can do it in two ways; I will show both. So the way that we are using it is we have to provide a secret for our JwtModule, and we could do it like before, we can use process.env and say our JWT secret, like we named it, like this. Or what we can do now is we can say configService.get and pass in our JWT secret, so it's basically a getter around our .env file properties. The second thing that we need is our signOptions, so we can pass in, like here, what we need: we want it to expire in, let's say, 100 seconds. So now we are able to generate a JWT.

The next thing that we want to add is our service, which we can use in our other modules. In our user module we will need to have access to our auth service, so there we can hash the password, we can use the JWT and so on. What we can do now is use again the CLI from NestJS to write our service: we can do the same as before, nest generate service, and we want to get it into the auth module, and then we want to have it like auth/auth.service. We will have to rename the folder, but that's no problem. So we have our auth service, and I want to rename this folder to services, which is probably better when some more are coming. You can see now we have it here in the providers already.

Before we add here everything that we need, we can just have a quick look at what a JWT really is, and for this we can go to the official documentation, jwt.io, this is the official site. So JWT is an open standard for a compact and self-contained way of securely transmitting information between parties. You can sign it with a secret like we did, or with a public/private key, and so on, so we can use it for authorization and for information exchange, and it has a specific structure: it always has a header, a payload and a signature, which are divided by a dot. So the first part is the header, then we have the payload, and then we have the signature. The header just says what it is and which algorithm is used, so here it's HS256 and the type is JWT. In the payload we can pass everything that we want, for example our expiration time or our user, or like here a name and whether we are an admin, and then this is base64url encoded. And at last we have our signature, and with it we verify that this message, or this token that we send, was not changed. You can see it, and we can later do this ourselves: you can paste another token here, and you can see that if you just change one character of it, it will automatically show that something was changed and it's not valid anymore. So this is just a little introduction.

So now we can use it, and for this we need our constructor in our service, and we want to pass in our JwtService, which we can import from @nestjs/jwt. We need some methods: the first one is we want to generate a JWT. Then we also want to hash a password, because we don't want to store a plain password in the database, just in case we lose some data or someone is stealing data or whatever. And at last we also need a comparePasswords method, so if a user logs in we have to compare the hashes, the one stored in the database and the one that we generate from the password the user sent, and if they are the same, then we can log him in and generate a JWT. All of these are observables, and this one is of type string because we will just return the JWT, which is a string, and the same here for the password hash, we are just returning the password hash. And we will return here also an observable, and I have to look it up, I don't know yet what we will return here.

So I'm going into the generateJWT method. We want to have a payload that we will use to sign with, so we can say this is an object that we get, and we will return this.jwtService.sign and pass in our payload, which is basically our user, so we can make it a little more specific and say user, I think it's better. So now it says we want to return an observable but we are not returning one here, so we can use from with the other one, signAsync, I think: this is a promise, and we can use from on it, and we have to import this. Then we want to hash our password, and for this we need something to hash it, and for this I want to use bcrypt. We can install it first and then we can use it. So what we're going to do is we want to return something of type string, and we do this with from here and bcrypt, and this should be imported like here. We can say bcrypt.hash, and then we pass in the password. So what we get here is our password, which is a string, and then we want to hash it, so we pass it in, we give it the password here and the salt rounds as the second parameter, and this will be like 12 rounds, so it will be very fast. Then we compare passwords: obviously we get two passwords and we want to compare them, or we get a hash and a password, so we have the new password of type string and as the second parameter we get the password hash, and now we want to compare them, that they're completely the same. For this we can also use bcrypt, which has a compare method, and we can say here bcrypt.compare, then our new password against the password hash, and wrap it in from. So these should be the methods that we will need in this first step, and now we can type it here: we are returning the same as here, any, or a boolean.

Before we can use our service in our other module, the user module, we have to export it, so we can go here to exports and say we want to export our auth service. Now we can go into our user module and implement everything. We have to import here first our auth module so we can use the service, and then we have to think about what we are adding to our user model. In our interface we are adding an email for the user, which is of type string, and we are also adding the password property, which is also of type string. Since we added them here, we also want to add them in our user entity, and we make it at the same spot. So as the last two pieces we have first our email of type string, and it is of course a column, and second we have our password, which is also a string and also a column. We said we always want to have the email stored in lower case in the database, so we can use the BeforeInsert annotation from TypeORM, and we can say emailToLowerCase, and this is this.email = this.email.toLowerCase(), so it will always be stored in lower case in the database before you make anything, so it's easy to search for it.

Now we can go to our user service, and we have to modify our create method, because now we are storing the user in the database as it is, but what we want to do is hash the password with our auth service. So what we can do now is use our auth service, so we have to inject it: we can say private authService, and then we can use it here. We have here our hashPassword method and we can insert here our user.password, and then we can pipe the outcome, and what we want to do is switchMap on it, and we will receive the password hash, which is of type string, and we want to return from this.userRepository.save, as before, but not our user like here; now we want to create a new user, so we can say const newUser, and here we can use our user entity, new UserEntity, and then we set all the properties: we can begin with name, newUser.name is user.name, newUser.username is user.username, newUser.email is user.email, and at last our newUser.password is not our user.password but our passwordHash that we got from our auth service, and so we want to store here our newUser. Now we can make it so that we return this user, but if we do it like this, it will return the whole user, and we don't want to get the password hash outside of the application, so we can also pipe this and map it, and what we will receive here is the user of type User, and we have to remove the password from the payload. So we have our password, sorry, and we can just rip it apart with destructuring, and then we return our result. And at the end we catchError and then we throw an error, so throwError, I think it's called. We have to import them; I don't know why it's not working, we don't use this, we use throwError instead. So we have imported them by hand: switchMap, map and throwError, catchError, from, I think from rxjs and rxjs/operators. The service should now be fine, and we can remove our comment here.

Now we can modify the next method, and like we did here, we have to remove the password everywhere. So we can just comment this out again and we can say return from, we can pipe it, and then we map our user of type User, and we can say const password and here we have our result, and then we return our result. The same we have to do also with our findAll, which is a bit more complicated, but we can also just make it here: we can pipe it and map our users, and we return the users without the password. So now we have here an array, I think it's users, and from the users we have to remove it, so we can make a forEach, we can say for each user delete the password from every single one, and then we can return it. This should work, so we can delete the property like this, and let's see if it's working, I'm not quite sure. The deleteOne we do not need to change, but we do the updateOne method, because if you think about it, we don't want that a user can just change the password by sending an API request, the same with the email, because normally, like for example, what you would do is something like: you request resetting your password and you will receive an email, to make sure that it's really the user asking, and in the email is a link with a key or with a JWT or whatever, something to identify the user, and then you can copy and paste it into your browser, and we can use this to identify you, and then you can enter your new password. So we don't want to do this here so easily, so what we can do is we delete our email and our password from it, so they will not be changed or updated. And of course the same with the email: if the email is changeable so easily, it's not good, because the email is the last thing that's able to identify who the user really is.

But now we need new methods. We need our login method, and here we will receive a user, and we want to return an observable of string, because we are returning our JWT token, and this is just a string. For this we can write our own method: we can say we want to validate a user by email and by password, so we have an email, which is a string, and we have a password, which is a string, and we return an observable of type User. Here we want to find the user by email, and I think we don't have this method yet, so what we can do is findByMail, and here we want to have our email, which is a string, and we return an observable of type User, and here we can say we want to return from this.userRepository.findOne and we can pass in the email, and then we will return the user object. So we can use this here, we can use this.findByMail and pass in our email, and we are getting our user. Now we can use again our switchMap, and we have here our user, and for this we want to use, to make it a little bit easier, our auth service, and here we have our own method comparePasswords. So now we received here our password from the user input when we log in, and we have the stored password hash from the database, so we want to compare them now: the first is the new password and the second one is the password hash, so we pass in the password and the user.password, and then we can pipe this result again and map the outcome. Here we will receive a boolean, and we just call it match, and we can say if match, we want to return the user, so we have to again remove the password from it and we return our result, and in the else case we want to throw an error. So now we have it very simply: we find our user by email, we get the whole user object, then we use our comparePasswords method from bcrypt, or our observable here, to compare the new password that we received from the user with the password that's stored in the database, and then we will receive a boolean; if it's true we return our user object without the password, and if it's false we will just throw our own error.

So we can use this now in our login method: we can say we want to return this.validateUser, and what we pass in is our user.email and our user.password, and here we can make a switchMap again. We can decide: if we receive a user, we have a user object, we can generate a JWT, so we can return this.authService and use our first method, generateJWT, and as a payload we want to have our user, and we can pipe this and map the JWT out of it, so we'll return the string. In the else case we just return some word, so you can throw an error or something, I'm not sure. So the last thing now is to add a piece in the controller. We have here our controller and we still have our create route, and maybe we can just make it a little bit fancier: we can map the user and return the user, but if we catch an error then we want to return our error message, so we have to make it available, and we can just say error: err.message here. So we are returning the user now, but we also can return an object, so there will be an error message that we made here, but we will get here an any. The next thing is we will need a login method, so this will also be a post; it's fine, I can just say login. We can call the method login, and we need our body here, we are just getting a user object, and we're returning an observable of an object. First we can use our user service and use our login method, and here we need our user, and we pipe it, and we map our JWT, which is a string, and we return an object with the access_token. Still, why, what does it want? OK, userService, and we need another bracket. Format it, yeah, this should be it.

So since the code is now done, we can just look at whether everything works fine; if not we have to fix the mistakes. We can just run it with our npm start script as before in the last videos, and look whether an error is already coming up or not. The services are working, we are mapping all the routes, we have here our new login route, and now we can test it with Postman whether everything works as expected. So we have our get all users, and this should return an empty array because the database is empty at the moment. So we can add a new user, and you remember before we had just name and username, and now it says we need more arguments, so what we need to do here is we have to add our email, let's just say it's a Thomas test address, and we have our password, we can just make it a simple password. Now we can send it again, and now it should be, as you see, since we are here in our user service removing the password from it, it's not getting returned, so we just return name, username, email and id. So we want to save this request here. Then we have get one user by ID, so we can check: we have the ID, it's working, we get it, and the password is also not there. We want to update one, so we can use updated name, for example, and updated username, and like we see here, when we get all our users we have here this user we created and the name is Thomas test and the username is Thomas one. If we make this put request now, we can see we have affected, so make it the correct ID, so affected one. If we get this again, we now see we have updated name and updated username. And if we make it for two and we add the email and say should not work, and the same for the password, because like you remember we delete them here, so they are not getting updated. So we make this request, so now we have here our two, so here we need to come up with the ID, and when I send it here we should have two, and the email should stay the same, the password stayed the same, and the rest is changed. And we can save this, so you have to remember to change the ID to what you need. And we also can create a new user; the request is basically the same, I don't know what I did here.

So now we can use this and test our login method: we can use as body our email and password, and we can make a post, and now it should return our JWT token. You can see here we are having our access token, and now if I copy it and paste it into jwt.io, as we have seen at the start of the video, we can have a look at it. You see it pasted here: we have our header, it's JWT and the algorithm, then we have here our payload, where we have our user; this was what we set up here in our auth module and our auth service, we said we would sign it with our user that we get. Here we have our iat, and this is when it was created, and it will expire in hundred seconds, so you see one and a half minutes or something, and here we have the signature. Now I can copy my secret from our .env file, and if I paste it in here, you see now the signature is verified, as it is the right secret. So at last we want to rename this, not create user but login, and save it to the YouTube blog collection, and this one can be deleted. The last thing that we can do is export it here; we have also already one in the repository, we will just replace this collection, so now this is updated with all requests. So now we can commit our changes on this branch, and we use for the message the title of our story, so it's video 3, and what we did: we added our auth module, we added the login route or login endpoint, and we added the JWT and the password hashing. Then we can push this to the branch; we can copy this, we need to set our upstream branch to GitLab of course, and now we can use git flow to finish our feature.

What this does is it will merge our feature video3 into develop, and you can see now here what all changed: you see the feature branch was merged into develop, and it was deleted locally and it has also been deleted remotely, and now we are back on branch develop, so we have to push this also. This is the last thing that we're doing in this video. We can have a look here on GitLab: on master we are still on the last commit, video 2, that we made, but if we switch to develop we see the last commit from video 3 here, and we can see that everything that we did here, like adding our auth module, is here, so you can check it out. The second thing that we need to do is in our blog project: we can check the story, and we can see that we created a new endpoint login, this is done, we check the password, we also expanded our user model with email and password, we expanded the create endpoint, we are storing the email always in lower case in our database, and we added an auth module for this. So we can save this and move it to Done.

So the last thing that we are really doing now is looking at the next video in this series. There we are adding the property role to our user, and then we protect some endpoints: for some you will just need a valid JWT, and for some you will need the correct role, and for this we make a custom implementation of a hasRole annotation or guard and use this, so it will check the JWT, get the user and will check whether he has the right role to access this resource. Then we will do some minor fixes and changes in our code base, and we will add pagination to the get all request, so you can paginate, like you have ten users and you navigate, so it's easier if you later show them in the front-end, if you make it in a table or something, so you can page between them. So thanks for watching.
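The pieces the video wires together through @nestjs/jwt and bcrypt (header.payload.signature with HS256, an expiry, a salted password hash, and a user payload with the hash stripped) are shown below in one self-contained TypeScript file. This is an added example, not the video's or the project's code; it uses only Node's built-in crypto module, so scrypt stands in for bcrypt and a hand-rolled HS256 stands in for JwtService. All names (signJwt, verifyJwt, hashPassword, comparePasswords, withoutPassword, login), the sample user and the secret are assumptions constructed for the example.

```typescript
// Added example, not the video's code: the JWT structure the video walks through
// (header.payload.signature, HS256, base64url) plus a salted password hash, built
// only on Node's crypto module so it runs offline. The video uses @nestjs/jwt and
// bcrypt; scrypt stands in for bcrypt here. All names below are assumptions.
import { createHmac, randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';

export interface User {
  id: number;
  name: string;
  username: string;
  email: string;
  password: string; // holds the hash, never the plain password
}

type Claims = Record<string, unknown>;

const nowSeconds = (): number => Math.floor(Date.now() / 1000);

// HS256 signature over the dot-joined, base64url-encoded header and payload.
function hmacSignature(headerB64: string, payloadB64: string, secret: string): Buffer {
  return createHmac('sha256', secret).update(`${headerB64}.${payloadB64}`).digest();
}

// base64url -> JSON, or null when the part is not valid JSON.
function decodeJson(part: string): Claims | null {
  try {
    return JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Like jwtService.sign(payload) with expiresIn: iat and exp are added to the payload.
export function signJwt(payload: Claims, secret: string, expiresIn: number, now = nowSeconds()): string {
  const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url');
  const body = Buffer.from(JSON.stringify({ ...payload, iat: now, exp: now + expiresIn })).toString('base64url');
  return `${header}.${body}.${hmacSignature(header, body, secret).toString('base64url')}`;
}

// Returns the claims only if the header says HS256, the signature matches the secret
// and exp has not passed. Changing a single character of the token breaks the signature.
export function verifyJwt(token: string, secret: string, now = nowSeconds()): Claims | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [header, body, signature] = parts;
  const headerJson = decodeJson(header);
  const claims = decodeJson(body);
  if (!headerJson || !claims || headerJson.alg !== 'HS256') return null; // never let the token choose the algorithm
  const expected = hmacSignature(header, body, secret);
  const given = Buffer.from(signature, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  if (typeof claims.exp !== 'number' || claims.exp <= now) return null;
  return claims;
}

// Stand-in for bcrypt.hash(password, 12): random salt + scrypt, stored as "salt:key" in hex.
export function hashPassword(password: string): string {
  const salt = randomBytes(16);
  return `${salt.toString('hex')}:${scryptSync(password, salt, 32).toString('hex')}`;
}

// Stand-in for bcrypt.compare(newPassword, passwordHash): re-derive with the stored salt.
export function comparePasswords(newPassword: string, passwordHash: string): boolean {
  const [saltHex, keyHex] = passwordHash.split(':');
  if (!saltHex || !keyHex) return false;
  const key = scryptSync(newPassword, Buffer.from(saltHex, 'hex'), 32);
  const stored = Buffer.from(keyHex, 'hex');
  return key.length === stored.length && timingSafeEqual(key, stored);
}

// What the user service does before returning a user: drop the password hash.
export function withoutPassword(user: User): Omit<User, 'password'> {
  const copy: Partial<User> = { ...user };
  delete copy.password;
  return copy as Omit<User, 'password'>;
}

// validateUser + login from the video: find by lower-cased email, compare the hash,
// then sign a JWT whose payload is the user without the password hash.
export function login(users: User[], email: string, password: string, secret: string): string | null {
  const user = users.find((u) => u.email === email.toLowerCase());
  if (!user || !comparePasswords(password, user.password)) return null;
  return signJwt({ user: withoutPassword(user) }, secret, 100);
}

// Constructed sample data (hypothetical user and secret, not from the video).
export const SECRET = 'example-secret-change-me';
export const users: User[] = [
  { id: 1, name: 'Alice Example', username: 'alice', email: 'alice@example.com', password: hashPassword('correct horse') },
];

const token = login(users, 'Alice@Example.com', 'correct horse', SECRET);
console.log('access_token:', token);
console.log('claims:', token && verifyJwt(token, SECRET));
```

Two details worth keeping when moving to the real libraries: verification pins the algorithm to HS256 instead of trusting the token's header, and both the signature check and the password comparison use timingSafeEqual so a mismatch takes the same time wherever it occurs. @nestjs/jwt and bcrypt already do this for you; the example just makes the steps visible.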
Info
Channel: Thomas Oliver
Views: 18,381
Rating: 4.8935361 out of 5
Keywords: javascript, typescript, nest, nestjs, nest.js, angular, typeorm, git, gitflow, node, blog, development, api, observables, rxjs, nestjs7, bcrypt, jwt, authentication
Id: bbDDSylRM04
Length: 46min 54sec (2814 seconds)
Published: Thu May 14 2020