1 00:00:01,130 --> 00:00:03,200 So, we're currently in the process
2 00:00:03,200 --> 00:00:06,500 of putting some finishing touches on our API,
3 00:00:06,500 --> 00:00:09,120 and one of the things that we need to do now
4 00:00:09,120 --> 00:00:11,242 is to fix some of the authentication
5 00:00:11,242 --> 00:00:14,603 and authorization in all our resources.
6 00:00:16,190 --> 00:00:19,340 And we're gonna start here with our tour resource.
7 00:00:19,340 --> 00:00:21,190 And since all the authentication
8 00:00:21,190 --> 00:00:24,200 and authorization stuff is always defined
9 00:00:24,200 --> 00:00:25,960 on the route declarations,
10 00:00:25,960 --> 00:00:29,590 well, we're gonna work here on the tour routes file.
11 00:00:29,590 --> 00:00:32,850 So, this tour API that we have here
12 00:00:32,850 --> 00:00:36,470 is basically what we want to expose to the world.
13 00:00:36,470 --> 00:00:38,460 So for example, we might want to allow
14 00:00:38,460 --> 00:00:41,300 other travel sites to embed our tours
15 00:00:41,300 --> 00:00:42,970 into their own website.
16 00:00:42,970 --> 00:00:46,080 And so that's what this API is basically for.
17 00:00:46,080 --> 00:00:49,230 And so therefore, we will not have any authorization
18 00:00:49,230 --> 00:00:51,130 on get tour requests.
19 00:00:51,130 --> 00:00:52,060 Right?
20 00:00:52,060 --> 00:00:54,448 And so we should actually get rid of the one
21 00:00:54,448 --> 00:00:55,598 that we have currently.
22 00:00:56,600 --> 00:00:57,433 Right?
23 00:00:57,433 --> 00:00:58,480 So, this one.
24 00:00:58,480 --> 00:01:00,270 So on getting all the tours,
25 00:01:00,270 --> 00:01:02,080 right now we have to protect it,
26 00:01:02,080 --> 00:01:05,700 and so only authenticated users can use that.
27 00:01:05,700 --> 00:01:06,533 Okay?
28 00:01:06,533 --> 00:01:08,260 But again, that doesn't make much sense,
29 00:01:08,260 --> 00:01:10,080 because you want to expose this part
30 00:01:10,080 --> 00:01:12,700 of the API to everyone.
31 00:01:12,700 --> 00:01:14,990 So, let's get rid of that.
32 00:01:14,990 --> 00:01:18,960 However, the actions of creating or editing tours,
33 00:01:18,960 --> 00:01:20,860 we only want to allow lead guides
34 00:01:20,860 --> 00:01:23,820 and administrators to perform these actions.
35 00:01:23,820 --> 00:01:26,130 So of course, no normal users,
36 00:01:26,130 --> 00:01:27,950 and also no normal guides.
37 00:01:27,950 --> 00:01:30,520 So, just admins and lead guides.
38 00:01:30,520 --> 00:01:32,363 And so let's put that here actually.
39 00:01:35,005 --> 00:01:36,922 authController.protect,
40 00:01:40,440 --> 00:01:43,703 and authController.restrictTo.
41 00:01:48,060 --> 00:01:48,893 admin,
42 00:01:51,930 --> 00:01:53,083 and lead guide.
43 00:01:55,430 --> 00:01:56,930 Give it a save here,
44 00:01:56,930 --> 00:01:59,620 and that looks just fine.
45 00:01:59,620 --> 00:02:03,210 And next up we want to do the same with editing.
46 00:02:03,210 --> 00:02:04,043 Right?
47 00:02:04,043 --> 00:02:06,840 So we already did that actually in the leading,
48 00:02:06,840 --> 00:02:10,863 and so let's just copy what we have here to patch as well.
49 00:02:13,000 --> 00:02:16,940 Give it a save, and now that actually looks perfect.
50 00:02:16,940 --> 00:02:18,440 Okay?
51 00:02:18,440 --> 00:02:19,890 So everything else,
52 00:02:19,890 --> 00:02:22,330 even getting just one single tour here,
53 00:02:22,330 --> 00:02:25,357 is of course free to everyone, okay?
54 00:02:25,357 --> 00:02:28,950 And the same goes for getting the top tours,
55 00:02:28,950 --> 00:02:31,820 and also getting the tour statistics.
56 00:02:31,820 --> 00:02:33,880 Now here, about the get monthly plan,
57 00:02:33,880 --> 00:02:35,980 well, we also might want to restrict that.
58 00:02:35,980 --> 00:02:39,473 Only, for example, to everyone except normal users.
59 00:02:40,340 --> 00:02:41,220 Okay?
60 00:02:41,220 --> 00:02:43,433 So let's copy this one here as well,
61 00:02:44,820 --> 00:02:48,493 give it a save, and then also add the normal guides.
62 00:02:51,230 --> 00:02:52,063 Alright?
63 00:02:52,063 --> 00:02:55,860 And so, that looks perfect at this point, I think.
64 00:02:55,860 --> 00:02:56,693 Okay?
65 00:02:56,693 --> 00:03:00,233 So basically, our tour router is now completed.
66 00:03:01,250 --> 00:03:02,220 Perfect.
67 00:03:02,220 --> 00:03:04,010 And I'm not going to test all of this
68 00:03:04,010 --> 00:03:06,990 because we already know that it works.
69 00:03:06,990 --> 00:03:08,060 Alright?
70 00:03:08,060 --> 00:03:09,720 So, let's close this one
71 00:03:09,720 --> 00:03:12,660 and move straight to the next one.
72 00:03:12,660 --> 00:03:14,600 So, these first routes here
73 00:03:14,600 --> 00:03:17,150 are of course open to everyone.
74 00:03:17,150 --> 00:03:19,080 So, signing up, logging in,
75 00:03:19,080 --> 00:03:22,000 forgot password, and reset password.
76 00:03:22,000 --> 00:03:25,020 For none of these do you need to be logged in.
77 00:03:25,020 --> 00:03:26,130 Right?
78 00:03:26,130 --> 00:03:27,930 But, you need to be logged in,
79 00:03:27,930 --> 00:03:31,760 so, to be authenticated, to update your password,
80 00:03:31,760 --> 00:03:33,403 to get your own information,
81 00:03:34,540 --> 00:03:37,700 to update or to delete your own account,
82 00:03:37,700 --> 00:03:39,620 and really for all these other operations
83 00:03:39,620 --> 00:03:40,680 here as well.
84 00:03:40,680 --> 00:03:44,320 So we don't want the public to basically get information
85 00:03:44,320 --> 00:03:45,990 about all the users.
86 00:03:45,990 --> 00:03:48,780 We also don't want anyone to delete users,
87 00:03:48,780 --> 00:03:52,130 or to update users, and really none of these
88 00:03:52,130 --> 00:03:55,150 operations here should be free for the public.
89 00:03:55,150 --> 00:03:55,983 Okay?
90 00:03:55,983 --> 00:03:57,520 So for all of these routes here,
91 00:03:57,520 --> 00:03:59,290 starting from this point,
92 00:03:59,290 --> 00:04:01,600 you will always have to be authenticated.
93 00:04:01,600 --> 00:04:02,433 Alright?
94 00:04:02,433 --> 00:04:04,960 And so, we could now go ahead and add
95 00:04:04,960 --> 00:04:09,960 this authController.protect to all of these routes,
96 00:04:09,970 --> 00:04:13,330 but actually we can do better than that, right?
97 00:04:13,330 --> 00:04:14,780 So in order to do that,
98 00:04:14,780 --> 00:04:17,790 let's keep in mind that this protect function here
99 00:04:17,790 --> 00:04:19,550 is really just a middleware.
100 00:04:19,550 --> 00:04:21,910 And also remember that middleware
101 00:04:21,910 --> 00:04:24,960 always runs in sequence, right?
102 00:04:24,960 --> 00:04:26,940 Now this router that we have here,
103 00:04:26,940 --> 00:04:28,810 that we created in the beginning,
104 00:04:28,810 --> 00:04:31,000 is kind of like a mini application.
105 00:04:31,000 --> 00:04:32,420 Remember that?
106 00:04:32,420 --> 00:04:34,570 And so just like with the regular app,
107 00:04:34,570 --> 00:04:37,410 we can use middleware on this router as well.
108 00:04:37,410 --> 00:04:38,470 Okay?
109 00:04:38,470 --> 00:04:41,403 And so, we can do something like this.
110 00:04:42,260 --> 00:04:44,780 router.use,
111 00:04:44,780 --> 00:04:49,453 and now authController.protect,
112 00:04:50,980 --> 00:04:52,140 and that's it.
113 00:04:52,140 --> 00:04:53,060 And what this will do
114 00:04:53,060 --> 00:04:55,200 is to basically protect all the routes
115 00:04:55,200 --> 00:04:57,243 that come after this point.
116 00:04:58,120 --> 00:04:58,953 Okay?
117 00:04:58,953 --> 00:05:00,770 And again, that's because middleware
118 00:05:00,770 --> 00:05:02,240 runs in sequence.
119 00:05:02,240 --> 00:05:05,090 And so after these four middleware functions,
120 00:05:05,090 --> 00:05:06,940 because remember that technically
121 00:05:06,940 --> 00:05:08,770 this is still also middleware,
122 00:05:08,770 --> 00:05:12,270 then the next middleware in the stack is this protect.
123 00:05:12,270 --> 00:05:14,710 And this will then only call the next middleware
124 00:05:14,710 --> 00:05:16,590 if the user is authenticated.
125 00:05:16,590 --> 00:05:20,550 And the next middleware in this case is this patch here.
126 00:05:20,550 --> 00:05:21,383 Okay?
127 00:05:21,383 --> 00:05:23,030 And so, again, what this means
128 00:05:23,030 --> 00:05:24,390 is that all of these routes,
129 00:05:24,390 --> 00:05:26,570 or all these middlewares, technically,
130 00:05:26,570 --> 00:05:29,940 that come after this one are now protected.
131 00:05:29,940 --> 00:05:32,680 And so, we can go ahead and remove this protect
132 00:05:32,680 --> 00:05:33,863 from all of them.
133 00:05:35,800 --> 00:05:36,633 Okay?
134 00:05:41,320 --> 00:05:44,450 And just to prove to you that this now still works,
135 00:05:44,450 --> 00:05:48,760 let's just go ahead and get the "me" information.
136 00:05:48,760 --> 00:05:50,413 So basically the current user.
137 00:05:51,390 --> 00:05:52,793 So if I now run this,
138 00:05:54,490 --> 00:05:56,740 you'll see that it still works.
139 00:05:56,740 --> 00:05:58,873 And if I take away the authentication,
140 00:06:00,720 --> 00:06:03,540 then it says we are not logged in.
141 00:06:03,540 --> 00:06:06,513 And so that's exactly what that protect middleware does.
142 00:06:07,650 --> 00:06:08,483 Right?
143 00:06:09,810 --> 00:06:11,973 So, it's now going to be back to working.
144 00:06:13,180 --> 00:06:14,330 So, perfect!
145 00:06:14,330 --> 00:06:16,700 That's a nice little trick in order to protect
146 00:06:16,700 --> 00:06:18,880 all of the routes at the same time,
147 00:06:18,880 --> 00:06:20,830 typically by using a middleware
148 00:06:20,830 --> 00:06:23,233 that comes before all these other routes.
149 00:06:25,070 --> 00:06:25,990 Okay?
150 00:06:25,990 --> 00:06:28,020 And for example, if we now move this
151 00:06:28,020 --> 00:06:31,100 a little bit up, like this for example,
152 00:06:31,100 --> 00:06:33,200 then we would also need to be logged in
153 00:06:33,200 --> 00:06:35,860 in order to use forgot password.
154 00:06:35,860 --> 00:06:36,810 Right?
155 00:06:36,810 --> 00:06:38,693 So, let me just prove that to you.
156 00:06:39,930 --> 00:06:40,763 Okay?
157 00:06:40,763 --> 00:06:43,970 And so usually, of course, we do not need to be logged in
158 00:06:43,970 --> 00:06:45,820 in order to forget our password,
159 00:06:45,820 --> 00:06:48,800 because that wouldn't make any sense, right?
160 00:06:48,800 --> 00:06:50,760 But right now, since we moved that middleware
161 00:06:50,760 --> 00:06:53,207 a bit up, it says "you are not logged in".
162 00:06:54,230 --> 00:06:55,160 Okay?
163 00:06:55,160 --> 00:06:59,090 And so really, that proves that this authController here
164 00:06:59,090 --> 00:07:00,333 is doing its job.
165 00:07:03,080 --> 00:07:06,120 So, protect all routes --
166 00:07:08,690 --> 00:07:09,903 after this middleware.
167 00:07:12,750 --> 00:07:13,583 Okay.
168 00:07:13,583 --> 00:07:15,680 Now also remember how we said that
169 00:07:15,680 --> 00:07:18,480 all of these actions here should only be executed
170 00:07:18,480 --> 00:07:20,010 by administrators,
171 00:07:20,010 --> 00:07:23,130 and so now we can actually use the exact same technique
172 00:07:23,130 --> 00:07:26,213 that we used up here to protect all of these routes.
173 00:07:27,630 --> 00:07:30,337 So, router.use,
174 00:07:32,622 --> 00:07:36,122 authController.restrictTo,
175 00:07:38,000 --> 00:07:39,030 admin.
176 00:07:39,030 --> 00:07:39,863 Okay?
177 00:07:39,863 --> 00:07:42,700 And so now, only admins will be able to get all users,
178 00:07:42,700 --> 00:07:46,340 to create new users, to get users again,
179 00:07:46,340 --> 00:07:49,160 and to patch and delete users.
180 00:07:49,160 --> 00:07:50,010 Alright?
181 00:07:50,010 --> 00:07:51,540 And so from this point on,
182 00:07:51,540 --> 00:07:53,810 all the routes are not only protected,
183 00:07:53,810 --> 00:07:56,220 but also restricted only to the admin.
184 00:07:56,220 --> 00:07:59,300 But of course, the ones that come before, everyone
185 00:07:59,300 --> 00:08:02,420 who is logged in can access them, okay?
186 00:08:02,420 --> 00:08:04,070 So let me just prove that to you.
187 00:08:05,290 --> 00:08:09,160 So, I'm going to log in, not with admin,
188 00:08:09,160 --> 00:08:10,633 but with testuser.
189 00:08:14,230 --> 00:08:15,780 Okay?
190 00:08:15,780 --> 00:08:18,120 And so we got logged in successfully,
191 00:08:18,120 --> 00:08:21,823 now let's try to see all the users.
192 00:08:24,800 --> 00:08:26,830 And now it says you are not logged in.
193 00:08:26,830 --> 00:08:29,090 Well, we are actually logged in,
194 00:08:29,090 --> 00:08:31,653 but we forgot to add the authorization here.
195 00:08:32,920 --> 00:08:36,810 So, bearer token, send it again,
196 00:08:36,810 --> 00:08:39,993 and now we see "you don't have permission to perform".
197 00:08:40,990 --> 00:08:45,073 But now, when we change this to the administrator,
198 00:08:46,090 --> 00:08:48,130 so we log in as an admin now,
199 00:08:48,130 --> 00:08:51,460 and now as we get all the users,
200 00:08:51,460 --> 00:08:52,713 then of course it works.
201 00:08:54,190 --> 00:08:55,870 So, perfect!
202 00:08:55,870 --> 00:08:58,310 And that actually finishes the authentication
203 00:08:58,310 --> 00:09:02,060 and authorization for these users as well.
204 00:09:02,060 --> 00:09:03,980 But just to reflect that in Postman,
205 00:09:03,980 --> 00:09:08,420 let's actually go back and so basically
206 00:09:08,420 --> 00:09:11,040 put the authorization here, everywhere.
207 00:09:11,040 --> 00:09:12,240 Okay?
208 00:09:12,240 --> 00:09:14,190 And again, that's because later on
209 00:09:14,190 --> 00:09:16,610 we're gonna create an API documentation
210 00:09:16,610 --> 00:09:19,860 based on the collection that we created here.
211 00:09:19,860 --> 00:09:22,240 And then, it's important that we actually mark
212 00:09:22,240 --> 00:09:23,793 this one here as protected.
213 00:09:25,504 --> 00:09:26,337 Save it.
214 00:09:28,600 --> 00:09:29,973 Save this one as well.
215 00:09:31,070 --> 00:09:33,603 And the same for update and delete user.
216 00:09:35,840 --> 00:09:38,133 So, bearer token, save,
217 00:09:39,330 --> 00:09:40,883 and the same for update.
218 00:09:46,048 --> 00:09:49,290 Alright, and actually since we're doing that,
219 00:09:49,290 --> 00:09:51,233 let's do the same with all the others.
220 00:09:52,100 --> 00:09:54,083 So, not the reviews,
221 00:09:55,430 --> 00:09:57,063 that one is for a bit later,
222 00:09:59,730 --> 00:10:02,430 but really for the tours.
223 00:10:02,430 --> 00:10:05,223 So here we no longer need any authentication,
224 00:10:06,860 --> 00:10:08,350 so let's save that.
225 00:10:08,350 --> 00:10:11,490 For getting we also don't need any authorization,
226 00:10:11,490 --> 00:10:15,823 but for creating we now need the bearer token.
227 00:10:17,460 --> 00:10:18,420 Okay?
228 00:10:18,420 --> 00:10:21,710 Also for updating, and so it makes sense
229 00:10:22,620 --> 00:10:26,530 to protect them here in Postman as well.
230 00:10:26,530 --> 00:10:28,210 Now this one already had it,
231 00:10:28,210 --> 00:10:30,390 because we actually used this one to test it
232 00:10:30,390 --> 00:10:31,340 in the first place.
233 00:10:32,910 --> 00:10:36,790 So this one did not have it, but the get monthly plan,
234 00:10:36,790 --> 00:10:38,463 we protected this one as well.
235 00:10:39,780 --> 00:10:42,070 Add the bearer token here as well,
236 00:10:42,070 --> 00:10:43,730 and so I believe with this
237 00:10:43,730 --> 00:10:47,800 we are really completed now, with these, too.
238 00:10:47,800 --> 00:10:51,210 And so what we need to do to finish now this part
239 00:10:51,210 --> 00:10:55,550 is here, fix the same thing on the reviews as well.
240 00:10:55,550 --> 00:10:57,390 And the first thing that I want to do
241 00:10:57,390 --> 00:10:59,700 is to basically protect all of the routes
242 00:10:59,700 --> 00:11:01,900 which have to do with reviews.
243 00:11:01,900 --> 00:11:04,520 So, we want no one who is not authenticated
244 00:11:04,520 --> 00:11:09,520 to get, or to post, or to change, or delete any reviews.
245 00:11:10,620 --> 00:11:11,900 Okay?
246 00:11:11,900 --> 00:11:14,573 We say router.use,
247 00:11:15,710 --> 00:11:19,750 authController.protect.
248 00:11:19,750 --> 00:11:20,583 Okay?
249 00:11:20,583 --> 00:11:22,400 And so that means that from this point
250 00:11:22,400 --> 00:11:24,330 no one can access any of these routes
251 00:11:24,330 --> 00:11:26,033 without being authenticated.
252 00:11:27,342 --> 00:11:31,150 But we can remove this part here, okay?
253 00:11:31,150 --> 00:11:33,910 And so now with authentication out of the way,
254 00:11:33,910 --> 00:11:36,490 let's think about authorization.
255 00:11:36,490 --> 00:11:38,980 So, first of all, only users should
256 00:11:38,980 --> 00:11:40,790 be able to post reviews.
257 00:11:40,790 --> 00:11:44,050 No guides, and also no administrators.
258 00:11:44,050 --> 00:11:47,120 And so this part, we actually already have that here.
259 00:11:47,120 --> 00:11:48,050 Okay?
260 00:11:48,050 --> 00:11:50,720 Then, admins should be able to update
261 00:11:50,720 --> 00:11:53,700 or to delete reviews, just like regular users,
262 00:11:53,700 --> 00:11:56,060 of course, so that they can then edit
263 00:11:56,060 --> 00:11:58,150 or delete their own reviews.
264 00:11:58,150 --> 00:12:02,220 And finally, guides cannot add, edit, or delete reviews.
265 00:12:02,220 --> 00:12:06,060 Since the guides are the ones who are performing the job,
266 00:12:06,060 --> 00:12:08,610 it would be weird if they could post reviews
267 00:12:08,610 --> 00:12:12,120 themselves, or edit other people's reviews, right?
268 00:12:12,120 --> 00:12:16,110 And so let's put what we just described into code.
269 00:12:16,110 --> 00:12:18,530 So, basically patch and delete
270 00:12:20,360 --> 00:12:21,800 are restricted
271 00:12:23,680 --> 00:12:25,053 to users,
272 00:12:26,840 --> 00:12:29,573 or actually just user, and admin.
273 00:12:33,160 --> 00:12:36,893 And then the same thing for deleting.
274 00:12:38,400 --> 00:12:39,233 Okay?
275 00:12:39,233 --> 00:12:41,970 And so you see that now guides and lead guides
276 00:12:41,970 --> 00:12:44,810 have nothing to do at all with reviews.
277 00:12:44,810 --> 00:12:47,620 All they can do is really get reviews,
278 00:12:47,620 --> 00:12:51,260 but not change or post them at all, okay?
279 00:12:51,260 --> 00:12:53,800 And so, quickly now in Postman,
280 00:12:53,800 --> 00:12:55,463 let's put that here as well.
281 00:12:56,400 --> 00:13:00,283 So create new reviews already has the authorization,
282 00:13:01,390 --> 00:13:03,633 get all reviews also needs it now.
283 00:13:05,550 --> 00:13:08,803 So, with the bearer token, save that,
284 00:13:13,530 --> 00:13:15,623 here, the bearer token as well.
285 00:13:21,510 --> 00:13:25,633 Now, right, and also get one single review.
286 00:13:31,360 --> 00:13:33,820 Actually let's nicely order this as well,
287 00:13:33,820 --> 00:13:36,783 so that all of them are kind of in the same order.
288 00:13:39,300 --> 00:13:41,740 And now about these two here, they actually
289 00:13:41,740 --> 00:13:43,900 are also protected.
290 00:13:43,900 --> 00:13:44,733 Right?
291 00:13:44,733 --> 00:13:46,610 Because ultimately it's the review handlers
292 00:13:46,610 --> 00:13:48,803 that are actually called for both of them.
293 00:13:49,920 --> 00:13:53,483 And so here we also need to add that bearer token.
294 00:13:55,060 --> 00:13:55,893 Okay?
295 00:13:55,893 --> 00:13:58,320 So now, basically, the only way of getting access
296 00:13:58,320 --> 00:14:03,320 to data about reviews is to call all of the tours.
297 00:14:03,350 --> 00:14:04,183 Right?
298 00:14:04,183 --> 00:14:07,460 At least for people that are not authenticated.
299 00:14:07,460 --> 00:14:08,450 Okay?
300 00:14:08,450 --> 00:14:11,380 So, let's close all of this,
301 00:14:11,380 --> 00:14:14,470 and so I think we're now good to go,
302 00:14:14,470 --> 00:14:16,890 and we actually finished this part as well.
303 00:14:16,890 --> 00:14:18,940 Let's just clean it up here a little bit.
304 00:14:20,210 --> 00:14:23,610 And yeah, I think that's it.
305 00:14:23,610 --> 00:14:26,340 So with this we actually finished the authentication
306 00:14:26,340 --> 00:14:30,070 and authorization parts of all our three resources,
307 00:14:30,070 --> 00:14:33,040 so we're really close to finishing our API here.
308 00:14:33,040 --> 00:14:35,920 There's only a small amount of things left to do,
309 00:14:35,920 --> 00:14:37,520 and so we're going to do all of that
310 00:14:37,520 --> 00:14:39,103 in the rest of this section.
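The ordering argument the lecture relies on (middleware runs in sequence, so `router.use(authController.protect)` guards every route registered after it, and a later `router.use(authController.restrictTo('admin'))` narrows the rest to administrators) as an added example that is not the course's own code: a dependency-free stand-in for an Express router with the same sequential layer stack, plus `protect` and `restrictTo` written against a constructed session table. The session table, the route paths, the `protectTooEarly` switch and the response messages are assumptions of this example, not the project's real JWT code.

```javascript
// Added example, not the course's code. Models the one Express property the
// lecture depends on: layers run in registration order and only hand off by
// calling next(). A layer that replies without calling next() ends the chain.

// Constructed session table standing in for JWT verification (assumption).
const SESSIONS = {
  'token-user': { id: 1, role: 'user' },
  'token-admin': { id: 2, role: 'admin' },
};

function createRouter() {
  const stack = []; // layers in registration order, like Express's router stack
  return {
    // router.use(fn): runs for every request that reaches this point in the stack
    use(fn) { stack.push({ fn }); },
    // router.route(method, path, ...handlers): runs only for a matching request
    route(method, path, ...fns) {
      for (const fn of fns) stack.push({ method, path, fn });
    },
    handle(req) {
      const res = { status: 404, body: 'not found' }; // default if no layer replies
      res.send = (status, body) => { res.status = status; res.body = body; return res; };
      let i = 0;
      const next = () => {
        while (i < stack.length) {
          const layer = stack[i++];
          if (layer.method && (layer.method !== req.method || layer.path !== req.path)) continue;
          layer.fn(req, res, next); // only a call to next() inside fn continues the chain
          return;
        }
      };
      next();
      return res;
    },
  };
}

// protect: authenticate, attach the user, and only then hand off to the next layer.
function protect(req, res, next) {
  const header = req.headers.authorization || '';
  const token = header.startsWith('Bearer ') ? header.slice('Bearer '.length) : null;
  const user = token ? SESSIONS[token] : undefined;
  if (!user) return res.send(401, 'You are not logged in');
  req.user = user;
  next();
}

// restrictTo: authorize by role. It reads req.user, so it must sit after protect.
function restrictTo(...roles) {
  return (req, res, next) => {
    if (!req.user || !roles.includes(req.user.role)) {
      return res.send(403, 'You do not have permission to perform this action');
    }
    next();
  };
}

// Mirrors the user router from the lecture. protectTooEarly reproduces the
// mistake shown in the video: protect registered above forgotPassword.
function buildUserRouter({ protectTooEarly = false } = {}) {
  const router = createRouter();
  if (protectTooEarly) router.use(protect);
  router.route('POST', '/signup', (req, res) => res.send(201, 'signed up'));
  router.route('POST', '/login', (req, res) => res.send(200, 'logged in'));
  router.route('POST', '/forgotPassword', (req, res) => res.send(200, 'reset email sent'));
  if (!protectTooEarly) router.use(protect); // everything below requires authentication
  router.route('GET', '/me', (req, res) => res.send(200, req.user));
  router.route('PATCH', '/updateMyPassword', (req, res) => res.send(200, 'password updated'));
  router.use(restrictTo('admin')); // everything below additionally requires the admin role
  router.route('GET', '/', (req, res) => res.send(200, Object.values(SESSIONS)));
  router.route('DELETE', '/someUserId', (req, res) => res.send(204, null));
  return router;
}

// Builds a request object; a token, when given, is sent as a Bearer header.
function request(method, path, token) {
  const headers = token ? { authorization: `Bearer ${token}` } : {};
  return { method, path, headers };
}

if (typeof require !== 'undefined' && require.main === module) {
  const router = buildUserRouter();
  const calls = [['POST', '/forgotPassword'], ['GET', '/me'], ['GET', '/me', 'token-user'],
    ['GET', '/', 'token-user'], ['GET', '/', 'token-admin']];
  for (const [method, path, token] of calls) {
    const res = router.handle(request(method, path, token));
    console.log(method, path, token || '(no token)', '->', res.status, JSON.stringify(res.body));
  }
  const early = buildUserRouter({ protectTooEarly: true });
  console.log('protect above forgotPassword ->', early.handle(request('POST', '/forgotPassword')).status);
}
```

Running the block shows the sequence from the video: forgotPassword answers without a token, `/me` answers 401 without one and 200 with the user token, listing all users answers 403 for the plain user and 200 for the admin, and moving `protect` above forgotPassword turns that public route into a 401. Because `restrictTo` reads `req.user`, its `router.use` line must come after the `protect` line; the check for a missing `req.user` in this example only guards against that ordering mistake and is an addition of the example.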