1
00:00:00,570 --> 00:00:01,403
Narrator: We're now able

2
00:00:01,403 --> 00:00:03,300
to make an authenticated request

3
00:00:03,300 --> 00:00:05,460
with this requireAuth middleware,

4
00:00:05,460 --> 00:00:08,310
in which we told passport to authenticate a user

5
00:00:08,310 --> 00:00:10,620
using the jwt strategy

6
00:00:10,620 --> 00:00:14,820
that we defined inside of our passport.js file.

7
00:00:14,820 --> 00:00:18,750
We now need to to create the last route in our application,

8
00:00:18,750 --> 00:00:20,910
the login route.

9
00:00:20,910 --> 00:00:22,770
So to get our login route working,

10
00:00:22,770 --> 00:00:25,470
it's gonna require a little bit of thought on our part.

11
00:00:25,470 --> 00:00:27,360
Right now we've got a flow

12
00:00:27,360 --> 00:00:30,120
where a user can sign up with an email and password

13
00:00:30,120 --> 00:00:32,970
and get a token in exchange.

14
00:00:32,970 --> 00:00:35,580
Remember, as far as a end user is concerned,

15
00:00:35,580 --> 00:00:36,450
as far as, like, you know,

16
00:00:36,450 --> 00:00:38,160
someone who's actually using our app,

17
00:00:38,160 --> 00:00:41,070
they have no idea that a token is involved at all.

18
00:00:41,070 --> 00:00:43,620
So our means of authentication at,

19
00:00:43,620 --> 00:00:44,850
kinda like first glance or, you know,

20
00:00:44,850 --> 00:00:46,200
that first initial contact,

21
00:00:46,200 --> 00:00:49,860
is always gonna be an email and a password.

22
00:00:49,860 --> 00:00:52,470
That means that on our sign in route

23
00:00:52,470 --> 00:00:54,120
we're not gonna be getting a token,

24
00:00:54,120 --> 00:00:57,063
we're going to be getting an email and a password.

25
00:00:58,380 --> 00:01:01,260
So the key here is that we need to find some way

26
00:01:01,260 --> 00:01:04,620
to authenticate a user first with an email and password.

27
00:01:04,620 --> 00:01:06,660
And only when they're able to,

28
00:01:06,660 --> 00:01:08,820
when we're able to confirm that email and password,

29
00:01:08,820 --> 00:01:11,850
then do we give them an actual token.

30
00:01:11,850 --> 00:01:13,260
So here's what we're going to do.

31
00:01:13,260 --> 00:01:16,530
We're going to use another passport strategy.

32
00:01:16,530 --> 00:01:18,540
We're gonna use a local,

33
00:01:18,540 --> 00:01:21,000
what's referred to as a local strategy.

34
00:01:21,000 --> 00:01:23,580
And this local strategy is going to try

35
00:01:23,580 --> 00:01:28,050
to authenticate a user using a email and password.

36
00:01:28,050 --> 00:01:29,940
Local in this case is kind of referring to as,

37
00:01:29,940 --> 00:01:33,570
like local database or data that is stored locally.

38
00:01:33,570 --> 00:01:36,720
So we're going to make another strategy just in line

39
00:01:36,720 --> 00:01:40,320
or kind of like in parallel to our JwtStrategy.

40
00:01:40,320 --> 00:01:42,120
And this local strategy is going to attempt

41
00:01:42,120 --> 00:01:46,920
to authenticate a user given only an email and a password.

42
00:01:46,920 --> 00:01:48,870
If they're successfully authenticated

43
00:01:48,870 --> 00:01:50,070
with email and password,

44
00:01:50,070 --> 00:01:52,680
then we could let them through to some route handler

45
00:01:52,680 --> 00:01:54,570
that will set up, that will give them

46
00:01:54,570 --> 00:01:57,300
a very particular JWT token

47
00:01:57,300 --> 00:01:59,460
that they can then use in the future.

48
00:01:59,460 --> 00:02:02,280
Okay, so let's go ahead and get started.

49
00:02:02,280 --> 00:02:03,210
The first thing we need to do

50
00:02:03,210 --> 00:02:06,930
is install the passport local strategy plugin.

51
00:02:06,930 --> 00:02:09,240
So it is a separate NPM module.

52
00:02:09,240 --> 00:02:12,570
Let's open up our terminal and it closed down my server

53
00:02:12,570 --> 00:02:17,570
and run "npm install -- save passport-local."

54
00:02:27,675 --> 00:02:32,425
And then I'll start my server back up with "npm run dev."

55
00:02:33,480 --> 00:02:35,760
All right, back in our passport.js file

56
00:02:35,760 --> 00:02:40,760
we're going to create local strategy right here.

57
00:02:42,180 --> 00:02:44,340
We need to import our strategy helper.

58
00:02:44,340 --> 00:02:45,173
So we'll say,

59
00:02:45,173 --> 00:02:48,980
"const LocalStrategy = require('passport-local')."

60
00:02:52,140 --> 00:02:54,000
Then we can make our local strategy.

61
00:02:54,000 --> 00:02:58,853
So we'll say "const localLogin" is "new LocalStrategy."

62
00:03:00,750 --> 00:03:02,670
We're going to pass in some options in here

63
00:03:02,670 --> 00:03:04,380
that we'll define in just a second.

64
00:03:04,380 --> 00:03:06,240
And then we'll also have a call back

65
00:03:06,240 --> 00:03:09,513
with an email, password, and done.

66
00:03:13,140 --> 00:03:16,020
So the field in here that's going to determine,

67
00:03:16,020 --> 00:03:18,300
or the kinda the options that we're gonna place in here,

68
00:03:18,300 --> 00:03:21,570
we need to specifically tell this local strategy

69
00:03:21,570 --> 00:03:23,460
exactly where to look in the request

70
00:03:23,460 --> 00:03:26,880
to get access to our email or our kinda username.

71
00:03:26,880 --> 00:03:29,400
So local strategy by default is going to assume

72
00:03:29,400 --> 00:03:33,660
that it's going to be passed a username and a password.

73
00:03:33,660 --> 00:03:37,800
So we're saying, "well, we're not using usernames per se,

74
00:03:37,800 --> 00:03:39,450
we're using emails."

75
00:03:39,450 --> 00:03:42,930
So we need to tell this local strategy right here

76
00:03:42,930 --> 00:03:46,290
to use a usernameField of "email."

77
00:03:46,290 --> 00:03:47,250
This is a really long line.

78
00:03:47,250 --> 00:03:51,330
So let's pull this out to a separate declaration.

79
00:03:51,330 --> 00:03:53,557
I'm gonna say "const localOptions"

80
00:03:54,515 --> 00:03:55,697
is "usernameField: 'email'."

81
00:04:00,240 --> 00:04:03,863
And then we'll change this out to "localOptions."

82
00:04:03,863 --> 00:04:04,696
There we go.

83
00:04:05,910 --> 00:04:07,740
So just to make sure that we're clear on the purpose

84
00:04:07,740 --> 00:04:09,570
of this usernameField right here,

85
00:04:09,570 --> 00:04:12,540
when I sign in, we're going to eventually end up

86
00:04:12,540 --> 00:04:13,373
with something like,

87
00:04:13,373 --> 00:04:18,373
you know, a post request going to probably sign in.

88
00:04:18,720 --> 00:04:21,329
We will not have this authorization header

89
00:04:21,329 --> 00:04:25,350
and I'm going to be posting an email and a password.

90
00:04:25,350 --> 00:04:27,750
So by default, the local strategy is going

91
00:04:27,750 --> 00:04:29,370
to look at the request body

92
00:04:29,370 --> 00:04:31,830
and it's going to find this password field for us.

93
00:04:31,830 --> 00:04:35,160
So the password is handled automatically.

94
00:04:35,160 --> 00:04:36,540
But as far as a username goes,

95
00:04:36,540 --> 00:04:38,820
it expects that it's going to have a username

96
00:04:38,820 --> 00:04:41,130
and it expects that it's going to be available

97
00:04:41,130 --> 00:04:44,010
on the username property of the request.

98
00:04:44,010 --> 00:04:45,390
We're not using usernames though,

99
00:04:45,390 --> 00:04:46,920
we're using email addresses,

100
00:04:46,920 --> 00:04:48,720
and that's why we are passing this option

101
00:04:48,720 --> 00:04:52,230
to say when you want to get access to the username,

102
00:04:52,230 --> 00:04:54,990
look at the email property of the request.

103
00:04:54,990 --> 00:04:55,860
That's all we're doing here.

104
00:04:55,860 --> 00:04:58,660
We're saying specifically, "look at the email property."

105
00:05:00,360 --> 00:05:05,220
So after the LocalStrategy parses the request,

106
00:05:05,220 --> 00:05:07,830
it pulls out the email and the password

107
00:05:07,830 --> 00:05:10,980
and it hands it to us in this callback right here.

108
00:05:10,980 --> 00:05:13,087
So now in here we have to

109
00:05:13,087 --> 00:05:16,293
"Verify this username and password,

110
00:05:17,220 --> 00:05:21,180
call done with the user

111
00:05:21,180 --> 00:05:25,590
if it is the correct username and password

112
00:05:25,590 --> 00:05:30,450
otherwise, call done with false."

113
00:05:30,450 --> 00:05:33,090
Okay, so that's the next step that we're going to do.

114
00:05:33,090 --> 00:05:35,703
Let's tackle this next step in the next section.