1
00:00:00,810 --> 00:00:01,643
Instructor: In the last section,

2
00:00:01,643 --> 00:00:03,180
we took a look at Robomongo

3
00:00:03,180 --> 00:00:06,720
and we saw that we were storing our passwords in plain text.

4
00:00:06,720 --> 00:00:10,290
This opens us up to a huge security vulnerability

5
00:00:10,290 --> 00:00:13,980
where if a malicious actor ever got access to our database,

6
00:00:13,980 --> 00:00:16,980
they could see all of our users' plain text passwords.

7
00:00:16,980 --> 00:00:18,780
So we decided that we need to somehow

8
00:00:18,780 --> 00:00:22,380
encrypt these passwords before they got saved.

9
00:00:22,380 --> 00:00:26,460
To do so, we installed the bcrypt library

10
00:00:26,460 --> 00:00:28,440
and then we added a whole bunch of code

11
00:00:28,440 --> 00:00:30,930
inside of our user model with the explanation of...

12
00:00:30,930 --> 00:00:32,610
Well, we'll talk about what it's doing later.

13
00:00:32,610 --> 00:00:33,750
So... (laughs)

14
00:00:33,750 --> 00:00:35,520
It's now that time, let's talk about exactly

15
00:00:35,520 --> 00:00:36,970
what this code here is doing.

16
00:00:38,280 --> 00:00:41,130
I'm gonna break this up into a couple different steps

17
00:00:41,130 --> 00:00:43,170
and we're gonna break it up using comments.

18
00:00:43,170 --> 00:00:45,540
So the first comment I'm gonna add is,

19
00:00:45,540 --> 00:00:49,710
before saving a model, run this function.

20
00:00:49,710 --> 00:00:51,450
That's the first thing that happens here.

21
00:00:51,450 --> 00:00:56,450
This userschema.pre and then save, literally means presave

22
00:00:57,780 --> 00:01:01,800
or before the model gets saved, run this function.

23
00:01:01,800 --> 00:01:03,870
So this is a hook of sorts

24
00:01:03,870 --> 00:01:06,573
that runs before the user ever gets saved.
25
00:01:09,690 --> 00:01:11,070
Inside of the function,

26
00:01:11,070 --> 00:01:12,810
there's a little bit of a gotcha here

27
00:01:12,810 --> 00:01:16,110
but the context of this function is the user model.

28
00:01:16,110 --> 00:01:17,700
So this right here, this line right here,

29
00:01:17,700 --> 00:01:20,400
is basically, it's just getting access to the user model.

30
00:01:20,400 --> 00:01:21,780
That's all that's happening here.

31
00:01:21,780 --> 00:01:23,190
I know this probably looks a little bit weird

32
00:01:23,190 --> 00:01:25,440
but just take my word for it.

33
00:01:25,440 --> 00:01:28,860
We're going to get access to the user model.

34
00:01:28,860 --> 00:01:30,180
So at this point in time,

35
00:01:30,180 --> 00:01:33,630
user is an instance of the user model.

36
00:01:33,630 --> 00:01:36,900
So it's an instance that has a very specific username

37
00:01:36,900 --> 00:01:39,780
or excuse me, a very specific email and password

38
00:01:39,780 --> 00:01:41,430
that we could reference if we wanted to

39
00:01:41,430 --> 00:01:45,369
using user.email or user.password.

40
00:01:45,369 --> 00:01:48,360
(keys clacking)

41
00:01:48,360 --> 00:01:51,390
Then we started to make use of the bcrypt library.

42
00:01:51,390 --> 00:01:52,500
And I've got a great diagram

43
00:01:52,500 --> 00:01:54,600
that's gonna explain exactly what's going on.

44
00:01:54,600 --> 00:01:57,000
But first, let's put a little bit of comments in here

45
00:01:57,000 --> 00:01:58,530
to explain it.

46
00:01:58,530 --> 00:02:01,350
First, we're going to generate a salt.

47
00:02:01,350 --> 00:02:04,260
And we're gonna talk about what a salt is, bear with me.

48
00:02:04,260 --> 00:02:07,440
After we generate a salt, it takes some amount of time.

49
00:02:07,440 --> 00:02:09,570
So it takes, you know, some number of milliseconds

50
00:02:09,570 --> 00:02:11,070
to generate a salt.
51
00:02:11,070 --> 00:02:12,900
So rather than say, genSalt

52
00:02:12,900 --> 00:02:15,690
and then, in the line beneath it, you know, xyz,

53
00:02:15,690 --> 00:02:17,400
whatever else afterwards,

54
00:02:17,400 --> 00:02:19,200
because it takes some amount of time

55
00:02:19,200 --> 00:02:21,300
we're gonna pass a callback function

56
00:02:21,300 --> 00:02:25,616
that genSalt should run after the salt has been created.

57
00:02:25,616 --> 00:02:28,593
So I'm gonna say, generate a salt then run callback.

58
00:02:30,270 --> 00:02:32,430
After the salt has been created,

59
00:02:32,430 --> 00:02:34,950
we've got the variable right here, this is our salt,

60
00:02:34,950 --> 00:02:39,950
we're then going to hash our password using the salt.

61
00:02:41,760 --> 00:02:45,150
And by hash, I basically really mean encrypt.

62
00:02:45,150 --> 00:02:48,663
So hash or encrypt our password using this salt.

63
00:02:49,500 --> 00:02:52,020
That gives us another callback

64
00:02:52,020 --> 00:02:55,050
because this is also gonna take some amount of time to run.

65
00:02:55,050 --> 00:02:56,790
So, we get another callback.

66
00:02:56,790 --> 00:02:58,650
The result of which is the hash

67
00:02:58,650 --> 00:03:01,233
which is basically, our encrypted password.

68
00:03:02,340 --> 00:03:07,290
So down here, we're going to overwrite plain text password

69
00:03:07,290 --> 00:03:09,663
with encrypted password.

70
00:03:10,860 --> 00:03:12,360
Then as a very final step,

71
00:03:12,360 --> 00:03:15,150
we say, next, which basically means

72
00:03:15,150 --> 00:03:16,380
go ahead and save the model.

73
00:03:16,380 --> 00:03:18,120
So, this was a presave hook.

74
00:03:18,120 --> 00:03:20,520
We say next to say, go ahead, you can save the model.

75
00:03:20,520 --> 00:03:22,070
That's totally fine, go for it.

76
00:03:23,280 --> 00:03:25,710
All right, so we got some number of comments in here.
77
00:03:25,710 --> 00:03:28,650
Let's first test this out and make sure that, you know...

78
00:03:28,650 --> 00:03:29,790
I just wanna see in Robomongo.

79
00:03:29,790 --> 00:03:31,770
I wanna see like encrypted password

80
00:03:31,770 --> 00:03:34,530
or some password that's really hard to read.

81
00:03:34,530 --> 00:03:37,590
So, I'm gonna flip back over to Postman.

82
00:03:37,590 --> 00:03:39,510
I'm going to change my email slightly,

83
00:03:39,510 --> 00:03:41,253
just to get a unique email.

84
00:03:42,330 --> 00:03:43,890
I'll save it.

85
00:03:43,890 --> 00:03:47,190
And I still have success true. Perfect.

86
00:03:47,190 --> 00:03:50,520
Let's flip back over to Robomongo.

87
00:03:50,520 --> 00:03:52,620
I'm gonna refresh with Command + R.

88
00:03:52,620 --> 00:03:54,330
Here's my new user.

89
00:03:54,330 --> 00:03:56,100
And I can now see that my password

90
00:03:56,100 --> 00:03:58,620
is not the simple string 123

91
00:03:58,620 --> 00:04:01,680
but it's this really long string of characters.

92
00:04:01,680 --> 00:04:04,230
If I right click and then hit edit document, you can see...

93
00:04:04,230 --> 00:04:06,210
Wow. Yeah, there's a lot of stuff going on here.

94
00:04:06,210 --> 00:04:08,860
This is definitely something encrypted at this point.

95
00:04:09,960 --> 00:04:12,843
So, let's talk about bcrypt and exactly what it's doing.

96
00:04:15,510 --> 00:04:19,709
This is a diagram that summarizes the bcrypt process.

97
00:04:19,709 --> 00:04:22,380
There's really two steps to bcrypt.

98
00:04:22,380 --> 00:04:24,120
First, saving a password,

99
00:04:24,120 --> 00:04:25,800
which is the code that we just wrote.

100
00:04:25,800 --> 00:04:27,780
And then, there is comparing a password,

101
00:04:27,780 --> 00:04:29,850
like when we want to sign in.

102
00:04:29,850 --> 00:04:31,620
So, we're not quite at this step yet.

103
00:04:31,620 --> 00:04:34,650
We're not on step two yet, we're still on step one.
104
00:04:34,650 --> 00:04:36,870
So, let's focus on everything up here.

105
00:04:36,870 --> 00:04:39,180
And then, when we do our sign in logic,

106
00:04:39,180 --> 00:04:42,840
we will go over that additional content here.

107
00:04:42,840 --> 00:04:46,653
So when we save a password, we generate a salt.

108
00:04:48,120 --> 00:04:50,790
A salt is just an encrypted string

109
00:04:50,790 --> 00:04:52,380
or it is a string of characters,

110
00:04:52,380 --> 00:04:55,440
a randomly generated string of characters.

111
00:04:55,440 --> 00:04:58,980
By combining a salt and a plain password,

112
00:04:58,980 --> 00:05:01,773
we get a hashed password.

113
00:05:03,600 --> 00:05:05,280
When we look in Robomongo

114
00:05:05,280 --> 00:05:07,890
and we got this long string of characters right here,

115
00:05:07,890 --> 00:05:09,600
this long string of characters

116
00:05:09,600 --> 00:05:14,400
contains both the salt and the hashed password.

117
00:05:14,400 --> 00:05:16,350
So, remember we generated a salt,

118
00:05:16,350 --> 00:05:18,360
we took the password as well,

119
00:05:18,360 --> 00:05:19,953
we hashed the password.

120
00:05:21,180 --> 00:05:24,870
This long string right here, contains the hashed password

121
00:05:24,870 --> 00:05:26,670
but it also contains the salt.

122
00:05:26,670 --> 00:05:28,860
So in other words, this string of characters right here,

123
00:05:28,860 --> 00:05:31,620
contains two values, it contains our salt

124
00:05:31,620 --> 00:05:32,940
and our encrypted password.

125
00:05:32,940 --> 00:05:33,813
Two things.

126
00:05:34,980 --> 00:05:35,820
You might be wondering.

127
00:05:35,820 --> 00:05:36,810
Okay, what's the point of this?

128
00:05:36,810 --> 00:05:39,390
Why do we have two characters or two separate variables

129
00:05:39,390 --> 00:05:40,980
inside the string right here?

130
00:05:40,980 --> 00:05:42,690
The answer is that it's very important

131
00:05:42,690 --> 00:05:45,060
when we go to sign in a user.
132
00:05:45,060 --> 00:05:47,160
And we'll talk about exactly what's going on here.

133
00:05:47,160 --> 00:05:49,020
But all I want you to know for right now

134
00:05:49,020 --> 00:05:52,650
is that as we are saving our password, we generate a salt,

135
00:05:52,650 --> 00:05:54,420
we take our plain password,

136
00:05:54,420 --> 00:05:57,930
we encrypt the password into a hashed password.

137
00:05:57,930 --> 00:05:59,910
And then, we save into the database

138
00:05:59,910 --> 00:06:01,980
the salted version, or excuse me,

139
00:06:01,980 --> 00:06:04,233
the salt plus the hashed password.

140
00:06:05,280 --> 00:06:06,113
Okay.

141
00:06:07,380 --> 00:06:10,350
So with a little bit more knowledge of what's going on here,

142
00:06:10,350 --> 00:06:12,030
let's continue in the next section

143
00:06:12,030 --> 00:06:15,180
where we will start working on our sign in route.

144
00:06:15,180 --> 00:06:16,130
I'll see you there.