If there is anything you were disappointed I didn’t talk about in this video, let me know and I’ll make another video to cover it. Maybe refresh tokens is something I could have covered.
@Dylan-yc9qs 3 years ago
Great video man, this helped me a lot. Can I just make one tiny suggestion for future videos? So I've used JWT without cookie parser so I'm familiar with how JWT works. I think it would be more helpful to a wider audience of people if you coded some of the stuff in the video. Just a tiny suggestion because I believe you are really good at explaining these things. Anyways thank you for the video!
@velara314 a year ago
If the user interacts with the site then the timeout resets, correct? Is JWT a library on npm or an approach for authentication? Have you thought about creating a basic register/login site?
@wiktorwachowski6291 a year ago
Yes, exactly, that's what I thought. You should have at least mentioned them even if you didn't plan to go deeper so others could get to know that this thing exists.
@James-g9n5e 2 months ago
awesome dude....in 10 minutes you covered something that troubled me for hours...thank you.
@MMH94MMH a year ago
I'm a PHP developer and this topic was one of the most confusing parts for me and I was looking for a simple explanation to understand this concept and you did very well, thank you very much.
@gavinv.4872 2 years ago
You are a legend! After combing through videos with people never quite explaining how to generate/store JWT tokens (securely), this was the video that put it all together. Thanks! My login portal will be built in your honor😆
@duygukocar7623 2 years ago
Amazing! I spent 2 hours trying to understand this simple thing from other videos. Thank you!
@knightOfGamingGames a year ago
You saved my brain from burning out! Thank you for explaining what JWT does!
@SlainR2 3 years ago
I really like your videos, the manner you present the content always catches my attention. Great work! Could you do a full YouTube series about Authentication/Authorization?
@WebDevCody 3 years ago
Yeah that’s probably a good idea. A lot of people seem confused about auth / authorization / jwt in general
@WewCode a year ago
Hey man, long-term viewer here! I just wanna say even your old videos really help me out. I was trying to get my JWT to work for the last 3 days and I finally got it thanks to you and another YouTuber, Ben Awad! Just wanted to say thank you!
@WebDevCody a year ago
Glad to hear it! I sometimes think those old videos become useless after some time.
@fullstackmarketing247 4 months ago
Lol I was literally 30 seconds in and I had to stop and subscribe to this guy. I already know he's going to be excellent at explaining
@Kyle-wc6so a month ago
I like the way you explain this. Thorough and effective. Thank you
@meghanathshetty1797 6 months ago
Simple explanation for such a confusing topic, thank you
@slimyelow a year ago
Chrome will not set the cookie. It is received in 'Network' but in the 'Application' tab it does not.
@deepanshukant392 a year ago
You found any fix to it?
@newtonw.1937 a year ago
I have the same problem....did you find a fix??
@krishnakanthati8510 a year ago
Did you find anything?
@Howtoclaim101 7 months ago
Did you find anything?
@liveupdate6467 4 months ago
You have to set the 'Access-Control-Allow-Credentials' header by the server and if you are using axios or fetch, then add a 'withCredentials' option and set it to true
@mohitpal1505 2 months ago
cookieParser is not for putting jwt in the users' cookie, but instead to read the cookie from incoming user requests for authorizing. When it comes to setting up the cookie initially by the server, that can be done without the cookieParser too
@ares57517 days ago
I'm a student and I am only developing on localhost at the moment. Could you please explain if this requires an actual established connection (which I don't know how to yet) or if I can slap this on my project and it will work on localhost without issues? I saw you have declared a variable for a port, but that's where my knowledge about connections ends
@hoanglongluong4355 3 months ago
With your doing, I wonder if two different account logins are on the same device. How did the server return and manage their cookie & token? Can you explain this situation, many thanks
@pedromora3520 2 months ago
Wonderful! The content was clear and very informative. It helped me figure things out. Thank you a lot!
@rotivanov a year ago
Dude you are AWESOME! You are helping me to achieve so much! I love your work mate!
@githmin a year ago
Best explanation on JWT. TYSM!
@KashanPardesi 11 months ago
That was awesome, quick and to the point! Thanks!
@RaviKumar-wx1yt 7 months ago
Do we need to do anything on UI for setting up the cookie? I am receiving the Set-Cookie header but not seeing in the browser
@whiteknife5993 5 months ago
Same problem. Did you solve it?
@leonardoveque7157 10 months ago
I won't watch your video because in the title has 10 minutes but actually have 10 minutes and 19 seconds. Great video my friend, Merry Christmas
@WebDevCody 10 months ago
😂
@israelruas948 7 months ago
Thank you so much. Your video saved my application
@fluttterdev1k 3 months ago
In my code, I store the refresh token inside an HttpOnly cookie. Every time a user wants to open the website, it checks if the refresh token cookie is expired. If it is expired, the user is logged out and asked to log in again. If it is not expired, a new access token is created and the user is taken to the homepage without being asked to log in. The access token expires after 15 minutes, and at that point, the refresh token inside the cookie is checked again. If the refresh token is still valid, a new access token is created automatically, and the API request is made. Is there a problem with this approach?
@planetmall2 2 years ago
This is an amazing example and explanation. Thank you.
@DalisYn a year ago
this was such a clear explanation
@soduno596 4 hours ago
What is going through my head is if the user guesses the secret that's on the server, then they can easily manipulate the JWT? Would it be valid to use secrets rotation for this purpose?
@WebDevCody 3 hours ago
Yes but how would a user guess the secret? If it’s 32 characters long it would take way over a trillion years to brute force. But yes you should rotate secrets every so often in case you leak one
@gonzalorobledo9947 6 months ago
Excellent explanation, one question, in localhost everything works fine when connecting frontend with backend, but in production (backend in railway and frontend in vercel) the cookies never arrive to the front and therefore does not start the session, what can I do?
@WebDevCody 6 months ago
I’d probably get your api hosted as a sub domain and setup the policy to allow wildcard certs so the same cookie will be forwarded on both the ui and api requests. If you put something in front such as cloudflare, it’s possible to make rewrite rules so your api can be accessed with a /api subdomain path I think
@gonzalorobledo9947 6 months ago
Ok, thanks!
@AliAliOxenFree a year ago
Nice explanation! Earned yourself a sub with this banger
@VayunEkbote a year ago
I can see the set-cookie in the response headers but cannot see the cookie in the application tab. Why is it so?
@newcode7847 a year ago
Hi, did you find any solution?
@VayunEkbote a year ago
@@newcode7847 you need to set the secure to true
@TyquanWorldNN a year ago
@@newcode7847 You have to set the domain value to "localhost" when you're making a res.cookie([nameofcookie], [value], {domain: "localhost", path:"/"})
@bamideleprecious3481 a year ago
@@VayunEkbote still not working
@haritpatel5001 8 months ago
we gotta send the withCredentials: true, in axios while making a request, it should resolve your problem.
@rodrigocasarinperea4422 a year ago
Thanks broo! This is exactly what I was looking for
@piegpa 3 years ago
Nice one, good overview, thanks!
@WebDevCody 3 years ago
Glad you liked it!
@GarmrZero13 3 years ago
I think refresh tokens would be cool to go over. I've been fiddling with them but have not yet figured a 'good' way to refresh a jwt with react
@WebDevCody 3 years ago
I could do that next probably. Idk if I’ll do it in react since the concepts I cover apply to all frameworks basically
@myke6972 4 months ago
Hello, I'm having an issue where there's a response header for set-cookies, but no cookies in the application storage, why is that?
@myke6972 4 months ago
please answer D: I literally keep searching for 5 hours now, of course I have breaks but it's been 5 hours, and I'm just a beginner
@aniketbhalla1521 a year ago
Please do the same video by setting the http only cookie at the frontend in a react app, making the SPA app's routes protected with each request. And also with sameSite set to strict. I'll be thankful.
@emiremark2889 6 months ago
fantastic explanation
@unitybr3222 2 years ago
Thanks, you saved my world!
@mgnfy-view 7 months ago
Well made video. Got it down instantly!
@asfandiyar5829 a year ago
Exactly what I wanted. Thanks
@shahidabbas2932 2 years ago
Sir setting req.user = user not working in typescript? const user = jwt.verify........... how it extract user from jwt automatically?
@brunonery8098 3 months ago
Thk bro! That's a great video!
@darkfoxwillie 3 years ago
Hello bro! Good video in fact it was for a video of tokens that I subscribed to your channel jeje. A question my bro, how should I store the token? Also why and how I need to use refresh tokens. Thank you very much for your videos they are really useful :)
@WebDevCody 3 years ago
People say to store the token in a cookie similar to how I did in this video. I personally think you can store it in local storage just fine if needed
@7906jun 3 years ago
Firstly, thank you so much for this video. It helped me so much. I hope you reach your subscribers goal. But I have one question. So, I noticed that you did "req.user". The user contains id, iat, and exp. But you never used this "user" you sent to the request object. So my question is, how and when would you need to use this "user"? Thank you for your time.
@WebDevCody 3 years ago
You would use the req.user.id to fetch data from the database that belongs to that id.
@DaviMartins99 a year ago
Such a great lesson!
@naufalnasrullah6965 2 months ago
3:53 Is it the backend, not the frontend, that set cookies on the user's browser? pls answer me :(
@WebDevCody 2 months ago
The backend sets a response header which tells a browser to store a cookie
@naufalnasrullah6965 2 months ago
@@WebDevCody in other words, frontend don't need to set the cookie again right?
@WebDevCody 2 months ago
@@naufalnasrullah6965 correct
@naufalnasrullah6965 2 months ago
@@WebDevCody is it best practices that used by industries/developer? I'm still a student so I'm confused..
@blazi_0 a month ago
@@naufalnasrullah6965 yeah bro absolutely, also you need a route to refreshing tokens so when token expires on front end you hit this route to get and set new token in the cookies
@rjwhite4424 7 months ago
so every 15 minutes I have to log back in?
@sede189 2 years ago
Nice job. Maybe you can add another section to use an actual oauth issuer like okta
@newtonw.1937 a year ago
The set cookie is received in 'Network-(response header )' but in the 'Application-(cookie storage)' the cookie is not saved by the browser😔😔 ----help?? anyone??
@darshanprajapati960118 days ago
cookie-parser is not working on production this is working only in local
@piotrjasiulewicz408 6 months ago
god tier tutorial
@manzelo9855 a year ago
Really good work man :D
@daredevil5186 9 months ago
Amazing video man!
@seanfrancisco76 2 years ago
Do you have a file that works for aptopayments specifically? thanks!
@neoTriny 7 months ago
Thank you sir, it's awesome 🤝
@CansinLale 4 months ago
Cookies header is full but cookie is not stored
@andylib 2 years ago
This was great, thank you!
@hemersonallan 2 years ago
1 million likes !!!! tnx
@smitagravat1063 2 years ago
I am getting token in Postman but it is not being saved in cookies in chrome
@deepanshukant392 a year ago
You found any fix to it?
@tfandrad3 a year ago
Me too, anyone fix this?
@whiteknife5993 5 months ago
Did you fix it?????????????😭😭😭😭😭😭😭😭
@smitagravat1063 5 months ago
I fixed it like a year ago and now forget what was the problem
@awaraamin6850 a year ago
Great input, thank you
@egeozel80 9 months ago
Very nice, thanks and good job.
@AhmedHuzain a year ago
Very useful. Thanks!
@tunaalkan5407 8 months ago
Thank you do you have the full tutorial?
@SeibertSwirl 3 years ago
Good job babe!
@mrlectus a year ago
does this also keep the user logged in?
@satorugojo7140 a year ago
can you help me with authorisation through headers
@RatherBeCancelledThanHandled 8 months ago
Well explained :)
@ramiworkstation 2 months ago
Thank you 💌
@tibz9257 2 years ago
Thanks for this tutorial! Was really helpful but I can't get the "Token" Cookie in the "Application" tab even if I have the "Set-Cookie" in the Network response Headers... I'm looking at some forums but it looks like Chrome doesn't want to set cookies on URL with port since a few versions.. Any idea?
@WebDevCody 2 years ago
Double check secure is not set, and you have an expires value set? You also might need to set withCredentials: true if you’re using axios
@eyaouni-vg4ji a year ago
@@WebDevCody thank you very much, I was searching for solving this problem for 7 days and u have help me, I'm so thankful for u ..Big respect
@tfandrad3 a year ago
@@eyaouni-vg4ji help me bro
@henriqueb5637 a year ago
@@eyaouni-vg4ji Could you please share how you managed to solve this problem?
@henriqueb5637 a year ago
@@tfandrad3 I have the same issue. Did you find the cause? Please share it
@MrMome1612 2 years ago
Your hand is freakishly huge😱
@Yusuf-ok5rk a year ago
best comment ever
@germanoller4418 10 months ago
thanks mate, really helpful
@sekarana9865 3 years ago
Hi could you please clarify my doubt if someone steal a valid JWT token and send behalf of us, how it should be validated in this case..
@WebDevCody 3 years ago
if someone steals your token there isn't much you can do, and it would probably be hard to know if your token was stolen in the first place. You could try implementing some type of blacklist to check if the token should be considered "invalid", but at that point, you are defeating the purpose of using JWT for stateless requests.
@sekarana9865 3 years ago
@@WebDevCody Thanks for prompt update..keep up the good work..
@peytoncastillo4508 a year ago
Great video!
@r0bits593 a year ago
I don't understand how does your browser know on how to save the received cookie in the Application -> Cookies tab
@WebDevCody a year ago
the browser inspects your headers for the Set-Cookie response header, and if it sees it, it'll store the cookie in the browser's cookie storage
@r0bits593 a year ago
@@WebDevCody Done! Thanks, it's working now
@vladislavivanov1546 3 years ago
Hey man, what's the name of the theme you are using? It looks smooth
@WebDevCody 3 years ago
shades of purple
@vaisakhgopinath3346 3 years ago
Nice explanation
@WebDevCody 2 years ago
Thanks for liking
@Robin-os1os 11 months ago
Thanks cookie parser !
@sharathkk1807 8 months ago
very useful tnq
@nqssss a year ago
THANK YOU SO MUCH
@ruhitbaidya9910 a year ago
Pretty explain ❤️❤️❤️
@dorianmayamba6177 a year ago
Question why can we still access it in the browser if it’s in http only?
@WebDevCody a year ago
Like access it in dev tools? Http only just means you can’t access it from javascript, this prevents any malicious script from reading your cookies and then forwarding them to the hacker. I think they keep all cookies visible in the browser so that users can see and delete cookies; you wouldn’t want a browser storing tons of cookies users don’t even know about
@dorianmayamba6177 a year ago
Alright so ChatGPT could be wrong 😂😂 I mean it makes sense because I saw that when the user tries to access it by the key it returns an empty string
@ammarys9980 8 months ago
quick note, YOU DON'T NEED cookie-parser anymore.
@sabuein a year ago
Thank you.
@mjylove2 a month ago
awesome
@justine_chang39 a year ago
awesome video
@FirstLast-rp7jq a year ago
can you make a tutorial with refresh token?
@learncomputer8526 a year ago
My jwt token not store in cookie
@learncomputer8526 a year ago
Where is the solution?
@iiinicky6224 a year ago
Thanks!
@velara314 a year ago
Just started this video and at 1:28 you have at line 8 you are destructuring the request body into an object. but what is the variable name!?!? …nevermind. i see. it’s not destructuring into an object but two variables. 🙄
@georgeomara 6 months ago
💯
@rajendraraj8810 3 years ago
Subscribed!..
@notfadeaway6617 a year ago
nice video.
@Robert-3691 7 months ago
I'm in love with this content. I recently read a similar book, and I was completely in love with it. "Mastering AWS: A Software Engineers Guide" by Nathan Vale
@armankazi1799 2 years ago
Vs code theme name?
@graphiclife5416 12 days ago
expiration 1 hour, that is so unrealistic. So person needs to login every hour. Come on don't just copy paste tutorials from other people.
@WebDevCody 12 days ago
It’s called teaching. If you want production quality get a job
@abulsyed4851 a year ago
Hi when I use local storage to save my jwt, I can easily check if the jwt exists in local storage and protect my SPA pages - if the jwt is in local storage. But when I try check if the httpOnly cookie exists using Cookies.get('myCookie'); I get undefined. But I can see the cookie in the chrome dev tools. I noticed the only work around was to set the httpOnly to false and then I could see my cookie. So yeah my question is if I wanna store as httpOnly: true. How can I access the cookie so I can protect my SPA pages.
@WebDevCody a year ago
The cookie will be sent on your http requests automatically. Usually you add withCredentials: true for axios and credentials: “include” for fetch and it’ll attach the cookie on the request.
@abulsyed4851 a year ago
@@WebDevCody no I mean how can I protect my react pages? Usually I would check if a jwt is stored in local storage and if it is, I will allow users to access the authenticated pages and vice versa if the the jwt doesn't exist in local storage. But with httpOnly cookie I'm unable to check in my react app if the cookie exists. I've tried for example but this only works when the cookie httpOnly is set to false. Can't I see if the httpOnly cookie exists from my react app? Since I want to check if it does - so then I can protect my pages.
@WebDevCody a year ago
@@abulsyed4851 oh you’d need to hit an endpoint on the backend such as /api/me to see if you’re authenticated or not. If it returns 200 status, keep a Boolean like isAuthenticated true stored in global state somewhere. When a route loads, check for that Boolean and redirect if it is false
@jotaroisdarius1918 a year ago
@@abulsyed4851 your react app can't check it but your server can since it's httpOnly, so you'd have to create an endpoint to check if you have that cookie and then you'd handle things according to the response
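
The flow the replies above describe (an HttpOnly cookie that page JavaScript cannot read, checked through an endpoint such as /api/me, plus the credentialed-CORS headers mentioned earlier in the thread), as an added example that is not from the video or from any commenter. It uses Node's built-in crypto in place of jsonwebtoken and cookie-parser; the secret, the UI origin and every function name are constructed for illustration.

```javascript
// Added example: secret, origin and function names are constructed for illustration.
// Loads node:crypto whether the file runs as CommonJS or as an ES module.
const { createHmac, timingSafeEqual } =
  typeof require === 'function' ? require('node:crypto') : process.getBuiltinModule('node:crypto');

const SECRET = 'constructed-demo-secret-of-at-least-32-chars'; // assumption: comes from env in real use
const UI_ORIGIN = 'http://localhost:3000'; // assumption: where the SPA is served from

const b64url = (text) => Buffer.from(text).toString('base64url');
const hmac = (data) => createHmac('sha256', SECRET).update(data).digest();

// Minimal HS256 signer, standing in for jwt.sign().
function signToken(payload, ttlSeconds, now = Date.now()) {
  const iat = Math.floor(now / 1000);
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify({ ...payload, iat, exp: iat + ttlSeconds }));
  return `${head}.${body}.${hmac(`${head}.${body}`).toString('base64url')}`;
}

// Returns the payload, or null if the token is malformed, tampered with or expired.
function verifyToken(token, now = Date.now()) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    // Pin the algorithm instead of trusting whatever the header claims.
    if (JSON.parse(Buffer.from(head, 'base64url').toString()).alg !== 'HS256') return null;
    const given = Buffer.from(sig, 'base64url');
    const expected = hmac(`${head}.${body}`);
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
    const payload = JSON.parse(Buffer.from(body, 'base64url').toString());
    return payload.exp > Math.floor(now / 1000) ? payload : null;
  } catch {
    return null;
  }
}

// Pull one cookie out of a raw Cookie request header (the job cookie-parser does).
function readCookie(header, name) {
  for (const pair of String(header || '').split(';')) {
    const i = pair.indexOf('=');
    if (i > 0 && pair.slice(0, i).trim() === name) return pair.slice(i + 1).trim();
  }
  return null;
}

// Login response headers: the HttpOnly cookie plus what a credentialed cross-origin request needs.
// SameSite=Lax assumes UI and API share a site (e.g. two localhost ports);
// a cross-site deployment needs "SameSite=None; Secure" over HTTPS instead.
function loginHeaders(userId) {
  return {
    'Set-Cookie': `token=${signToken({ id: userId }, 3600)}; HttpOnly; Path=/; Max-Age=3600; SameSite=Lax`,
    'Access-Control-Allow-Origin': UI_ORIGIN, // exact origin; "*" is rejected with credentials
    'Access-Control-Allow-Credentials': 'true',
  };
}

// GET /api/me: 200 with the user id when the cookie holds a valid token, otherwise 401.
function me(cookieHeader, now = Date.now()) {
  const user = verifyToken(readCookie(cookieHeader, 'token'), now);
  return user ? { status: 200, body: { id: user.id } } : { status: 401, body: null };
}
```

On the client, the call to /api/me has to be sent with credentials: 'include' (fetch) or withCredentials: true (axios), as the replies note; the SPA then keeps only the resulting boolean, never the token.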