1
00:00:00,210 --> 00:00:05,670
In this video we're going to finish converting our user routes to use authentication down below.

2
00:00:05,670 --> 00:00:11,520
There are a couple of important routes that aren't using authentication such as the ability to update

3
00:00:11,520 --> 00:00:14,740
a user profile or delete a given user.

4
00:00:14,760 --> 00:00:18,630
We want to make sure we're using authentication for these as well.

5
00:00:18,630 --> 00:00:24,000
Now it might not seem like it but we're actually nearing the end of the section in this video.

6
00:00:24,030 --> 00:00:29,910
We're gonna take care of all of the user routes and then in the next couple we'll focus on the task

7
00:00:29,940 --> 00:00:37,050
related routes and setting up that association where each task is owned by a specific user.

8
00:00:37,050 --> 00:00:44,370
For now though we're gonna focus on the last three routes in this file deleting a user by I.D. updating

9
00:00:44,370 --> 00:00:48,870
a user by I.D. and then getting a user by I.D..

10
00:00:48,870 --> 00:00:52,600
Now this first one is actually not something we need anymore.

11
00:00:52,650 --> 00:00:59,610
We should not be able to get a user by I.D. unless it's our own user I.D. In which case we already have

12
00:00:59,610 --> 00:01:01,880
a route that gets that done up above.

13
00:01:01,890 --> 00:01:05,070
This is how we can fetch our own user profile.

14
00:01:05,100 --> 00:01:11,250
I shouldn't be able to fetch the user profile of other users for the application so we have three routes

15
00:01:11,250 --> 00:01:17,520
that need fixing and we're gonna take the easy way out with the first one and end up removing it altogether.

16
00:01:17,520 --> 00:01:20,960
Now the other two are things we still want to be able to do.

17
00:01:20,970 --> 00:01:27,510
Users should be able to update their profile and they should be able to remove their profile altogether.

18
00:01:27,510 --> 00:01:33,570
So with these we'll do a bit of refactoring integrating authentication and then wiring it up to work

19
00:01:33,690 --> 00:01:34,440
correctly.

20
00:01:34,440 --> 00:01:39,900
We'll start with delete together and then we'll focus on update afterwords and right here the first

21
00:01:39,900 --> 00:01:43,430
thing we're gonna do is add the off middleware into the mix.

22
00:01:43,500 --> 00:01:49,760
So I'll be passing in off as the second argument moving our callback function to the third argument

23
00:01:49,770 --> 00:01:56,730
position meaning that this is only going to run if the user is authenticated from here we want to adjust

24
00:01:56,760 --> 00:02:01,530
the path this is taking in the I.D. of the user to remove.

25
00:02:01,620 --> 00:02:07,770
And even if you're authenticated we don't want you to be able to provide the I.D. of the user to remove.

26
00:02:07,770 --> 00:02:10,350
Instead we're going to remove you.

27
00:02:10,380 --> 00:02:17,760
You should not be able to provide the idea of another user to delete them either accidentally or maliciously.

28
00:02:17,820 --> 00:02:25,170
So right here the path will change to forward slash users forward slash me as a way to remove your own

29
00:02:25,170 --> 00:02:26,760
user profile.

30
00:02:26,760 --> 00:02:30,860
Now this means we will have to make a small change to the code down below.

31
00:02:31,050 --> 00:02:36,120
We have request dot parameter dot I.D. which no longer exists.

32
00:02:36,180 --> 00:02:43,170
The I.D. We're going to use instead is request dot user dot underscore I.D..

33
00:02:43,170 --> 00:02:50,280
Remember we attached the user onto the request object and we do have access to it since we are using

34
00:02:50,340 --> 00:02:52,340
the authentication middleware.

35
00:02:52,440 --> 00:02:57,530
If we weren't using this middleware then we wouldn't have requested a user but we are.

36
00:02:57,540 --> 00:02:58,590
So we do.

37
00:02:58,590 --> 00:02:59,850
And there we go.

38
00:02:59,880 --> 00:03:06,300
This is all we need to do to allow a logged in user to delete their own profile.

39
00:03:06,300 --> 00:03:08,780
Now we could change things up even further.

40
00:03:08,880 --> 00:03:13,510
In this case there's no need to check if there was a user with that I.D..

41
00:03:13,590 --> 00:03:19,950
Since we literally just fetched them from the database when authenticating so let's go ahead and refactor

42
00:03:19,950 --> 00:03:26,880
out these lines right here I'm gonna go ahead and comment them out using command forward slash or control

43
00:03:26,910 --> 00:03:33,360
forward slash depending on your operating system and we're going to replace all of that with a single

44
00:03:33,360 --> 00:03:35,160
statement down below.

45
00:03:35,280 --> 00:03:41,280
Right here we're gonna be using the remove method on the Mongoose document.

46
00:03:41,280 --> 00:03:47,700
So we have save for saving the data that we've changed and we've used that plenty of times before but

47
00:03:47,700 --> 00:03:51,990
we also have on user the following remove.

48
00:03:52,020 --> 00:03:53,740
Now this is indeed a synchronous.

49
00:03:53,760 --> 00:03:55,680
So I'll use a weight with it.

50
00:03:56,190 --> 00:04:02,190
So all we're doing here is removing the user whose authenticated it achieves the exact same result as

51
00:04:02,190 --> 00:04:03,170
what we had above.

52
00:04:03,330 --> 00:04:06,960
But in my opinion it's a nicer setup down below.

53
00:04:06,960 --> 00:04:10,500
The last thing we have to change is what exactly we're sending back.

54
00:04:10,500 --> 00:04:13,830
We no longer have a standalone user variable.

55
00:04:13,830 --> 00:04:17,910
Instead we have request dot user and there we go.

56
00:04:17,940 --> 00:04:23,910
Now we have the final version of this end point and we can test it out from postman so I'm gonna head

57
00:04:23,910 --> 00:04:28,580
over to postman and go to my delete user request near the bottom.

58
00:04:28,590 --> 00:04:34,740
Now this still has the old you are L structure so the first thing I'm gonna do is remove the I.D. and

59
00:04:34,740 --> 00:04:36,100
replace it with me.

60
00:04:36,180 --> 00:04:39,350
So forward slash users forward slash me.

61
00:04:39,600 --> 00:04:45,120
I'll go ahead and save that request to make sure that we use the same you are structure in the future

62
00:04:45,480 --> 00:04:50,880
and there's no need to worry about authentication since it's inheriting that from the parent.

63
00:04:50,910 --> 00:04:55,780
Now we can actually fire this off and see what we get down below I get a two hundred.

64
00:04:55,800 --> 00:05:01,950
Meaning that things went well and right here I can see the pro file of the user that was deleted.

65
00:05:02,090 --> 00:05:08,120
If I send this off again I would expect things to fail since I've completely trashed that user account

66
00:05:08,270 --> 00:05:13,850
and they're no longer in the database now because we've set up postman automation we can get back up

67
00:05:13,850 --> 00:05:20,210
and running with a single request I create a new user using the create user request I'm now logged in

68
00:05:20,210 --> 00:05:25,880
as them and I can continue experimenting with my other routes such as reading a profile.

69
00:05:25,880 --> 00:05:31,100
So being able to work with postman and easily switch between requests is gonna be really important in

70
00:05:31,100 --> 00:05:33,910
the long run with deleting user out of the way.

71
00:05:33,920 --> 00:05:36,130
Let's go ahead and focus on the other route.

72
00:05:36,140 --> 00:05:42,770
We need to take care of the ability to update the user profile so we'll end up making a similar set

73
00:05:42,770 --> 00:05:48,980
of changes restricting it to the user who is authenticated as opposed to allowing you to update any

74
00:05:48,980 --> 00:05:50,900
user if you know their I.D..

75
00:05:50,930 --> 00:05:53,510
That's not what we want for our application.

76
00:05:53,510 --> 00:05:59,470
You should only be able to update your own user profile when you're authenticated correctly.

77
00:05:59,630 --> 00:06:00,370
Right here.

78
00:06:00,440 --> 00:06:03,530
This is going to be your challenge for the video.

79
00:06:03,530 --> 00:06:07,760
You'll be refactoring the update profile route shown below.

80
00:06:07,790 --> 00:06:10,860
So first up we want to change that you are El structure.

81
00:06:10,910 --> 00:06:15,050
We no longer want to accept an I.D. as part of that.

82
00:06:15,050 --> 00:06:18,590
Next up we want to add the authentication middleware into the mix.

83
00:06:18,590 --> 00:06:23,660
You should only be able to update a user profile if you are authenticated.

84
00:06:23,780 --> 00:06:30,530
From there you're going to use the existing user document instead of fetching a new one by the parameter

85
00:06:30,680 --> 00:06:36,620
provided we're no longer going to have that parameter and there's no longer a need to fetch the user

86
00:06:36,830 --> 00:06:40,340
since we already have access to them on request.

87
00:06:40,370 --> 00:06:44,330
So you'll use that instead throughout the entire function.

88
00:06:44,330 --> 00:06:49,260
Any time we use user you'll have to use request not user instead.

89
00:06:49,370 --> 00:06:55,970
Next up you want to test your work and postman so tried to update a user profile and make sure it works

90
00:06:55,970 --> 00:06:57,070
as expected.

91
00:06:57,110 --> 00:07:03,320
Take as much time as you need it to knock this out test your work when you're done come back and click

92
00:07:03,320 --> 00:07:03,700
play

93
00:07:07,000 --> 00:07:07,690
how'd you do.

94
00:07:07,720 --> 00:07:10,470
Let's go ahead and kick things off with step number one.

95
00:07:10,480 --> 00:07:12,540
We need to update that you are real.

96
00:07:12,550 --> 00:07:20,470
No longer are we going to accept an I.D. instead it'll be forward slash users forward slash me for updating

97
00:07:20,530 --> 00:07:22,090
your own profile.

98
00:07:22,090 --> 00:07:27,370
Next up we have to add authentication into the mix to know which user we're actually going to update

99
00:07:27,370 --> 00:07:32,350
since we're no longer accepting their I.D. as a U RL parameter.

100
00:07:32,350 --> 00:07:38,770
Right here to get that done we just pass in the off middleware as the second argument moving our callback

101
00:07:38,920 --> 00:07:41,740
to the third argument position.

102
00:07:41,740 --> 00:07:48,550
Next up we have to make changes to the callback function code and we want to use the existing user document

103
00:07:48,580 --> 00:07:50,530
on a request not user.

104
00:07:50,530 --> 00:07:53,290
Instead of fetching a new one down below.

105
00:07:53,290 --> 00:07:59,020
Now I can highlight user by just clicking anywhere inside of it to see all of the times we've used it.

106
00:07:59,020 --> 00:08:01,860
Right here there are a few different use cases of it.

107
00:08:02,170 --> 00:08:07,370
So we have to make sure we address all of those in order to complete step 3 successfully.

108
00:08:07,750 --> 00:08:10,660
Everything up above can stay exactly as it is.

109
00:08:10,660 --> 00:08:12,350
That's perfectly fine.

110
00:08:12,370 --> 00:08:15,600
We're gonna start by removing this line right here.

111
00:08:15,640 --> 00:08:16,260
We know need.

112
00:08:16,270 --> 00:08:19,680
We no longer need to fetch the user by that parameter.

113
00:08:19,680 --> 00:08:24,810
Instead we're just going to access request down user which already exists.

114
00:08:24,850 --> 00:08:29,560
So right here we are setting properties on user that doesn't exist anymore.

115
00:08:29,560 --> 00:08:34,660
Instead it is request that user down below we try to save the user.

116
00:08:34,660 --> 00:08:38,200
It needs to be request dot user dot save.

117
00:08:38,530 --> 00:08:43,390
From here we run a little code to figure out if the user actually existed.

118
00:08:43,390 --> 00:08:44,770
We know they existed.

119
00:08:44,800 --> 00:08:52,000
So this can be removed completely and we know they existed because they just logged in about 10 milliseconds

120
00:08:52,060 --> 00:08:52,950
ago.

121
00:08:52,960 --> 00:08:56,050
So from here we can now continue on down the list.

122
00:08:56,050 --> 00:09:00,310
The last thing we do is we send that user back request Dot.

123
00:09:00,310 --> 00:09:02,920
User is what we're going to send back.

124
00:09:03,070 --> 00:09:07,800
And now that we have this in place our patch route is actually all done.

125
00:09:07,930 --> 00:09:14,080
We can move on to the final step which is to test our work over inside of postmen right here.

126
00:09:14,080 --> 00:09:19,330
I'll be removing the challenge comments which I have in place and we'll move over to post man and try

127
00:09:19,330 --> 00:09:21,510
to update a user profile.

128
00:09:21,550 --> 00:09:26,800
So right here if I read the user profile I can see the current information.

129
00:09:26,830 --> 00:09:30,100
Let's go ahead and actually change that using update.

130
00:09:30,190 --> 00:09:31,960
User down below.

131
00:09:31,960 --> 00:09:38,500
Now once again I do have to remove the I.D. from the U.R.L. and swap that out with forward slash users

132
00:09:38,560 --> 00:09:40,780
forward slash me instead.

133
00:09:41,200 --> 00:09:46,150
And now I can use the body to determine what exactly I'd like to change.

134
00:09:46,390 --> 00:09:49,800
Let's go ahead and provide some changes we'd like to apply.

135
00:09:49,810 --> 00:09:56,940
I'll start by changing the age I'll go ahead and set that equal to twenty seven.

136
00:09:56,940 --> 00:09:58,710
I think it's zero right now.

137
00:09:58,710 --> 00:10:00,160
Let me double check.

138
00:10:00,180 --> 00:10:01,090
Yes it is.

139
00:10:01,210 --> 00:10:03,150
And I'll also change the name.

140
00:10:03,180 --> 00:10:11,020
So right here I can go back to update user I'll update that name to the following.

141
00:10:11,200 --> 00:10:14,020
Let's go ahead and use something like Mike.

142
00:10:14,140 --> 00:10:17,380
And finally I'll also update the password.

143
00:10:17,380 --> 00:10:20,650
I'll change the password over to something new.

144
00:10:20,650 --> 00:10:25,920
Let's go ahead and use computer 0 9 8.

145
00:10:25,960 --> 00:10:26,960
Perfect.

146
00:10:27,010 --> 00:10:32,410
Now that we have this in place I'm going to fire the request off to task that things worked as expected

147
00:10:32,830 --> 00:10:33,620
down below.

148
00:10:33,730 --> 00:10:37,390
I do see the name of Mike and the age of twenty seven.

149
00:10:37,450 --> 00:10:41,590
The only thing I'm not sure about is if the password got changed correctly.

150
00:10:41,590 --> 00:10:44,770
So let's go ahead and try to log in once again.

151
00:10:44,770 --> 00:10:47,500
I'm gonna take the password and copy it to the clipboard.

152
00:10:47,500 --> 00:10:49,480
Though you could just memorize it.

153
00:10:49,600 --> 00:10:54,370
We're gonna head over to the log in user request and this should now fail.

154
00:10:54,370 --> 00:10:59,940
Since I've updated the password right here it is indeed failing which is excellent.

155
00:10:59,950 --> 00:11:05,450
Now I'm going to take the old password remove it and put the new password in.

156
00:11:05,590 --> 00:11:07,050
I'm going to send that off.

157
00:11:07,090 --> 00:11:08,860
And once again it works.

158
00:11:08,920 --> 00:11:15,400
So down below I can see I was able to log in with the new password and without the old one letting us

159
00:11:15,400 --> 00:11:18,730
know that the update worked as expected.

160
00:11:18,730 --> 00:11:25,090
So down below for that update user request I am going to go ahead and save it so we can use these settings

161
00:11:25,120 --> 00:11:26,420
going forward.

162
00:11:26,440 --> 00:11:32,160
Now I just change the password for logging in in order to make sure things work consistently.

163
00:11:32,320 --> 00:11:38,470
I'll also change the password for creating the user though I could have just reverted the log in request

164
00:11:38,650 --> 00:11:41,870
to using the same password I had used before.

165
00:11:41,890 --> 00:11:46,360
As long as those two are consistent it'll be easy to switch back and forth.

166
00:11:46,600 --> 00:11:52,720
Now that we have this in place all of the rounds in the user file are using authentication and they're

167
00:11:52,720 --> 00:11:57,760
locked down in a way where a user can only manipulate their own profile.

168
00:11:57,790 --> 00:12:03,590
They can't go off and mess with other users that are using the task manager application.

169
00:12:03,640 --> 00:12:09,390
Now with the user routes out of the way it's time to focus on something we haven't touched on so far.

170
00:12:09,400 --> 00:12:13,160
This section are task related routes.

171
00:12:13,300 --> 00:12:16,040
We're going to start that process in the next lesson.

172
00:12:16,060 --> 00:12:18,490
So let's go ahead and jump right in.