1 00:00:00,191 --> 00:00:02,870 In this lecture, we're very quickly 2 00:00:02,870 --> 00:00:07,210 gonna learn how to test for secure https connections, 3 00:00:07,210 --> 00:00:08,730 with a Heroku, 4 00:00:08,730 --> 00:00:11,041 because we actually need that, at one point, 5 00:00:11,041 --> 00:00:12,983 in our application. 6 00:00:14,540 --> 00:00:18,560 So, let's go here to our authentication controller. 7 00:00:18,560 --> 00:00:21,060 And right here at the top, 8 00:00:21,060 --> 00:00:24,049 in this create sent token function, 9 00:00:24,049 --> 00:00:26,840 here is the place where we set 10 00:00:26,840 --> 00:00:30,240 the adjacent web cookie to secure, 11 00:00:30,240 --> 00:00:32,343 if we are currently in production. 12 00:00:33,300 --> 00:00:34,661 Remember that. 13 00:00:34,661 --> 00:00:37,630 So, remember that we created this function 14 00:00:37,630 --> 00:00:39,270 with adjacent response, 15 00:00:39,270 --> 00:00:41,255 it also sends a cookie, 16 00:00:41,255 --> 00:00:44,670 which also contains the adjacent web token. 17 00:00:44,670 --> 00:00:47,090 And that cookie has a couple of options. 18 00:00:47,090 --> 00:00:49,260 The first one, when it expires. 19 00:00:49,260 --> 00:00:50,093 The second one, 20 00:00:50,093 --> 00:00:54,490 that it can only be accessed via http basically. 21 00:00:54,490 --> 00:00:56,570 And then, when we're in production, 22 00:00:56,570 --> 00:00:59,344 we said that this cookie can only be sent 23 00:00:59,344 --> 00:01:01,480 on a secure connection. 24 00:01:01,480 --> 00:01:04,770 So, basically, on an https connection. 25 00:01:04,770 --> 00:01:05,810 All right. 26 00:01:05,810 --> 00:01:08,117 Now, the problem with that is that actually, 27 00:01:08,117 --> 00:01:10,810 the fact that we are in production, 28 00:01:10,810 --> 00:01:14,370 does not mean that connection is actually secure. 29 00:01:14,370 --> 00:01:15,340 Right? 30 00:01:15,340 --> 00:01:18,200 Because of course, not all deployed applications 31 00:01:18,200 --> 00:01:21,470 are automatically set to https. 32 00:01:21,470 --> 00:01:25,021 And so we need to change this if that we have here. 33 00:01:25,021 --> 00:01:25,892 All right. 34 00:01:25,892 --> 00:01:29,700 Now, in express we actually have a secure property 35 00:01:29,700 --> 00:01:31,860 that is on the request. 36 00:01:31,860 --> 00:01:33,682 And only when the connection is secure, 37 00:01:33,682 --> 00:01:38,630 then this request dot secure is true. 38 00:01:38,630 --> 00:01:39,463 Okay? 39 00:01:39,463 --> 00:01:41,090 Makes sense, right? 40 00:01:41,090 --> 00:01:43,790 Now the problem is, that actually in Heroku, 41 00:01:43,790 --> 00:01:45,370 this doesn't work. 42 00:01:45,370 --> 00:01:47,107 And that's because Heroku proxy's, 43 00:01:47,107 --> 00:01:52,107 so basically redirect or modifies all incoming requests 44 00:01:52,290 --> 00:01:56,170 into our application before they actually reach the app. 45 00:01:56,170 --> 00:01:57,003 All right. 46 00:01:57,003 --> 00:02:00,682 So, in order to make this also work on Heroku 47 00:02:00,682 --> 00:02:04,200 we need to also test if the x forward proto 48 00:02:04,200 --> 00:02:06,952 header is set to https. 49 00:02:06,952 --> 00:02:07,785 All right. 50 00:02:07,785 --> 00:02:09,204 So, that sounds a bit confusing, 51 00:02:09,204 --> 00:02:13,170 but again, this is something Heroku does internally. 52 00:02:13,170 --> 00:02:16,549 So, let's test here if req.secure is true, 53 00:02:16,549 --> 00:02:21,549 or if req.headers. 54 00:02:22,134 --> 00:02:27,134 And the header that we're looking for is x forwarded proto. 55 00:02:29,820 --> 00:02:33,830 And this header is set to https 56 00:02:33,830 --> 00:02:36,210 if we are on a secure connection. 57 00:02:36,210 --> 00:02:37,050 All right? 58 00:02:37,050 --> 00:02:40,190 So, this is something very Heroku specific. 59 00:02:40,190 --> 00:02:43,870 And that's why I left this here for the last section, 60 00:02:43,870 --> 00:02:46,113 after we already deployed the application. 61 00:02:46,950 --> 00:02:50,700 So, if either req.secure is true, 62 00:02:50,700 --> 00:02:55,150 or if this header here is set to https, 63 00:02:55,150 --> 00:02:58,660 then we want the secure options here set to true. 64 00:02:58,660 --> 00:03:01,213 And, so, we can actually refactor this. 65 00:03:02,680 --> 00:03:04,500 So, basically we can take this, 66 00:03:04,500 --> 00:03:06,180 because this will be true. 67 00:03:06,180 --> 00:03:08,186 And, so, I say if this is true, 68 00:03:08,186 --> 00:03:10,860 then let's say equal true here. 69 00:03:10,860 --> 00:03:12,041 So, that doesn't make sense. 70 00:03:12,041 --> 00:03:15,023 We can instead simply do it like this. 71 00:03:16,590 --> 00:03:18,110 All right? 72 00:03:18,110 --> 00:03:20,820 And, actually, we can take it even further. 73 00:03:20,820 --> 00:03:23,883 And put the secure option right here. 74 00:03:25,350 --> 00:03:28,313 So, why have it outside if we can just put it here? 75 00:03:29,150 --> 00:03:33,823 So, secure equals this, okay? 76 00:03:35,550 --> 00:03:37,723 And then we no longer need this. 77 00:03:38,910 --> 00:03:41,370 And, since we're refactoring, 78 00:03:41,370 --> 00:03:46,173 we actually no longer need this variable here at all. 79 00:03:48,130 --> 00:03:50,946 So, let's just put it here, give it a safe, 80 00:03:50,946 --> 00:03:53,520 and there's something wrong there. 81 00:03:53,520 --> 00:03:55,950 Okay, and so, now the problem is that 82 00:03:55,950 --> 00:03:59,190 do not have access currently to the request 83 00:03:59,190 --> 00:04:00,680 in this function. 84 00:04:00,680 --> 00:04:03,103 Okay, so, we need to add it here. 85 00:04:04,050 --> 00:04:09,050 Request and then wherever we have create sent token, 86 00:04:09,120 --> 00:04:11,693 we of course need to pass in the request in there. 87 00:04:13,020 --> 00:04:14,063 So, that's here. 88 00:04:17,000 --> 00:04:19,763 So, use command D to find the next one basically. 89 00:04:21,150 --> 00:04:22,353 Request here. 90 00:04:27,740 --> 00:04:31,193 And then finally here as well. 91 00:04:33,010 --> 00:04:36,352 Okay, so, that looks much nicer 92 00:04:36,352 --> 00:04:40,940 and it should also work a lot nicer than before. 93 00:04:40,940 --> 00:04:44,480 However, right now, this is still not going to be working, 94 00:04:44,480 --> 00:04:47,460 because there's just one more thing that we need to do, 95 00:04:47,460 --> 00:04:51,350 which is basically to make our application trust proxy's. 96 00:04:51,350 --> 00:04:54,180 So, again, request dot secure doesn't work 97 00:04:54,180 --> 00:04:57,550 in the first place because Heroku acts as a proxy, 98 00:04:57,550 --> 00:05:01,500 which kind of redirects and modifies incoming requests. 99 00:05:01,500 --> 00:05:04,819 And, so, we need to go to app dot JS 100 00:05:04,819 --> 00:05:08,010 and then right after this one here, 101 00:05:08,010 --> 00:05:10,640 let's now trust proxy's. 102 00:05:10,640 --> 00:05:15,033 And we do that by saying app dot enable trust proxy. 103 00:05:20,680 --> 00:05:21,513 Okay? 104 00:05:21,513 --> 00:05:24,498 So, this is something that is built into express 105 00:05:24,498 --> 00:05:26,980 for this kind of situations. 106 00:05:26,980 --> 00:05:27,813 All right? 107 00:05:27,813 --> 00:05:31,400 And so, only if we have this setting here correctly set up, 108 00:05:31,400 --> 00:05:35,210 then this header here will be correctly set, 109 00:05:35,210 --> 00:05:38,483 and we will be able to read its value. 110 00:05:39,450 --> 00:05:40,410 All right? 111 00:05:40,410 --> 00:05:44,470 So, this is how you test if a connection is secure or not, 112 00:05:44,470 --> 00:05:47,363 when you have your application deployed to Heroku.