Exactly, excellent tutorial!

Vscode icons

Yes the general approach is enough. Just note that I did not include the database part of the solution. I would use a static file like that to store actual data.

The whole point of doing the hashing on the server is to purposely slow down the process. You want to make it harder for people to hack. The salt values we also want to generate on the server, away from the client. We need to be able to compare the hashed value that is already on the server with the plain password by running it through the hashing process in a way that hides information from the hacker.

Thanks Steve, not sure how far $10 AUD goes in Canada, but hopefully it buys you a beer! Your videos have been really helpful and got me a long way to understanding JavaScript and Node from absolute beginning.

@@the7engine thanks. It definitely will buy me a beer. Probably two. 😃

Basically but the compare is protected against timing attacks I believe

​@@SteveGriffith-Prof3ssorSt3v3 I can't understand how it's able to do this if every time the same word is hashed, a different string is generated. (I'm using this bcrypt-generator.com/ to test it) I guess there must be some sort of complex algorithm running in the background.

Ev is the variable holding the event object passed to the function. I would recommend you watch my javascript events playlist.

@@SteveGriffith-Prof3ssorSt3v3 - Thank you. This helps.

The registration should really use two factor authentication / validation via email. If they register then say that an email has been sent to the account to validate/activate the account. The email can say an attempt was made to re-register with the email address if it already existed. But getting into dealing with emails is a whole other topic that I didn't have time to do here. Great question.

@@SteveGriffith-Prof3ssorSt3v3 Thank you for your reply! The registration example makes a lot more sense in regards to whether or not we're telling attackers if an email exists or not. I've really been enjoying your ExpressJS playlist; thanks for the work you've put into it!

I have a Playlist on express.

@@SteveGriffith-Prof3ssorSt3v3 but specifically including sessions? I’d love to see how you go about incorporating MySQL and check a session against a cookie and so on.

@@the7engine JWT is the new way of tracking sessions. That is what this video covers. The old cookie based session id stuff I did with PHP. I think I have a video in my PHP playlist about that. MySQL tends to be separate from session management unless you are putting a session id into a user table in order to log things for a specific user. With JWT, the token is the session identifier. It is being passed with every request, similar to cookies. Here is another video I did about JWT kzbin.info/www/bejne/h3SmnoqEoaqemrs

find is a synchronous method. The parser will not jump over it.

@@SteveGriffith-Prof3ssorSt3v3 Thanks

If there is no token then you are managing users and sessions in a different way

@@SteveGriffith-Prof3ssorSt3v3 So if I set up register and login like what you did in this video without give out any token, the app won't know if this user is login or not, right?

@@lookingforbino you have to write the code that does things based on there being a token

The method you are looking for is the res.redirect( ) - expressjs.com/en/4x/api.html#res.redirect

No. If you get a response from the server then the fetch has not failed. You need to write the code to check the http status code or look at the object that was returned.

I don't understand what you are asking.

Please feel free to post and tutorial requests in the comments here - kzbin.info/www/bejne/gnTIq5SuZ9qBacU

Just check in the browser console, browser network tab, and console on the server to see if an error is occurring at one of those points.

@@SteveGriffith-Prof3ssorSt3v3 I did. There is no error message showing. But I saw that it is not proceeding to the loginSuccess function :(

@@SteveGriffith-Prof3ssorSt3v3 Its response is status 202.That is what I saw in the network console

I wouldn't. If I'm using NodeJS then NodeJS will be the server. If I'm using PHP or Ruby then I would use Apache or NGINX as the webserver.

There are lots of ways to do redirects. After a login, the best is with a server-side redirect. Instead of res.status(200).send({ data: { token: 'this is a pretend token' } }); in app.js you would use res.set( ) to put your token in the headers and then send the actual file you want with send( ).

@@SteveGriffith-Prof3ssorSt3v3 Actually figured what the problem is, i am using fetch with header set with token and in the server side using res.render("dashboard", { user: req.user }); since this will send an html file to client, the wrong i did was using response.json() to get that html, when i used response.text() i am getting that html and replacing with body.innerHTML. At first I tried server side rendering only but couldn't render. Below is my fetch call after some validation making a POST request and clling login(email, password) which will give me back token and after storing in local sorage making GET request getProfile() inside the login() itself with token inside it async function getProfile(token) { const url = "/users/me"; const response = await fetch(url, { method: "GET", headers: { Authorization: "Bearer " + token, "Content-type": "application/json; charset=UTF-8", }, }); const data = await response.text(); document.body.innerHTML = data; } I have 2 doubts 1. how to achieve server side render while using fetch in the client side ( also tried redirect as follow still not working) without manually replacing the body in the fetch call like above 2. In the above code i am able to login and view the dashboard but when again refresh or navigate to some other page which has to be authenticated, i am unable to authenticate, how to detect the presence of token for all request when a token is registered while a user is logged in Thanks in advance

This was back in 2019 or 2020. There have been version changes to everything since then.

Please add your request to the comments here - kzbin.info/www/bejne/gnTIq5SuZ9qBacU

@@SteveGriffith-Prof3ssorSt3v3 Done

Btw, I believe you should have this line of code at line 76 in app.js "let submittedPass = req.body.password; //plain text from browser" in case there was no match for the email.

Where ever you save your user information you need to add a field to represent their user type or a field to represent what they are allowed to do. I did a video on how to save a bunch of permissions in a single integer last week - kzbin.info/www/bejne/e4fZi3-cf9l0gZo Once you have the user type or permission number then you need to add the checks for those as middleware that is always checked.

@@SonNguyen-gb7pz If there is no match for the email i don't care what password they sent. That line is only needed in the one place it already exists.

​@@SteveGriffith-Prof3ssorSt3v3 On server-side, it will throw an error "UnhandledPromiseRejectionWarning: ReferenceError: submittedPass is not defined" because submittedPass isn't on the scope. Anyway, I get your whole idea. Thank you so much.

We don't want there to be a difference in the time it takes to test emails that exist vs ones that don't. Hackers can use that to test whether accounts exist for specific emails. Then they only need the password.

@@SteveGriffith-Prof3ssorSt3v3 But its also possible if we return email not exist error on front end which developers usually do. Is it bad practice?

@@aimanzaheb1475 yes. That is a bad practice. Never tell someone trying to log in if the email or username do not exist

@@SteveGriffith-Prof3ssorSt3v3 But users might have problem who have multiple emails & they forgot which email they did use while registering.

@@aimanzaheb1475 That's why we have the forgot/reset password screen. But we still shouldn't tell them if the email exists. Just say an email was sent if the account exists.

Sure. you could do that too.