1
00:00:00,150 --> 00:00:04,070
Know that there's a relationship set up between users and tasks.

2
00:00:04,080 --> 00:00:10,860
In this video we'll be heading over to the task router to add authentication to those final four task

3
00:00:10,920 --> 00:00:12,690
related end points.

4
00:00:12,690 --> 00:00:17,770
We're going to do some together and some will be your challenge for the video.

5
00:00:17,770 --> 00:00:23,190
So to kick things off we're actually going to skip the second one where you fetch all tasks and we're

6
00:00:23,190 --> 00:00:28,700
going to start with the third one where you fetch a task by I.D..

7
00:00:28,860 --> 00:00:31,020
Now we still want to do just that.

8
00:00:31,050 --> 00:00:37,950
I want the user to be able to fetch a task by I.D. But first I'm going to make sure they're authenticated.

9
00:00:37,980 --> 00:00:45,390
And second I'm going to make sure that the task they're trying to fetch was a task they actually created

10
00:00:45,540 --> 00:00:47,880
to get started as you probably expected.

11
00:00:47,880 --> 00:00:53,500
We're simply going to add to the off middleware into the mix and that's going to give us an easy win.

12
00:00:53,610 --> 00:00:58,870
The next thing we need to do is to change how we're fetching the task down below.

13
00:00:58,890 --> 00:01:05,670
We're fetching it by I.D. Now we are still going to take the I.D. into account but we also need to take

14
00:01:05,670 --> 00:01:08,540
into account the value for the owner field.

15
00:01:08,820 --> 00:01:14,160
I need to make sure that lines up with the authenticated users user I.D..

16
00:01:14,160 --> 00:01:20,460
So right here that means we have to change how we're fetching the task find my I.D. won't let us limit

17
00:01:20,460 --> 00:01:21,900
by multiple fields.

18
00:01:21,990 --> 00:01:25,430
We can just use find one to get that done.

19
00:01:25,470 --> 00:01:35,710
So right here const task equals I'll use a wait with a task dot find one to find a single task.

20
00:01:35,790 --> 00:01:41,610
And here we pass in that object where we can specify as many or as few things as we want.

21
00:01:41,610 --> 00:01:49,470
For example I can filter by I.D. here using the shorthand sense I have a variable with the same name

22
00:01:49,890 --> 00:01:57,320
and I can also go ahead and filter by the owner value and the value I'm looking for an owner is whatever

23
00:01:57,320 --> 00:02:02,580
is stored under request dot user ID dot underscore I.D..

24
00:02:02,580 --> 00:02:06,430
So here I'm just using the idea of the authenticated user.

25
00:02:06,450 --> 00:02:11,100
So now I'll only be able to get the details of a task if I'm logged in.

26
00:02:11,100 --> 00:02:17,460
And the task I'm fetching is a task I've created now that we have this in place we can remove the old

27
00:02:17,460 --> 00:02:19,720
line and we're actually done.

28
00:02:19,800 --> 00:02:26,160
If I'm not the owner or the I.D. doesn't line up I won't get anything back and I'll get a 4 0 4 as the

29
00:02:26,160 --> 00:02:28,720
return value which is appropriate.

30
00:02:28,770 --> 00:02:33,710
So there's no need to say something like this task exists but you don't own it.

31
00:02:33,780 --> 00:02:36,840
That's giving away more information than you probably want to.

32
00:02:37,020 --> 00:02:44,490
It's simply good enough to say for 0 4 if those two things don't match up with any tasks in the database

33
00:02:44,970 --> 00:02:49,810
now that we have this in place let's go ahead and test it out to make sure it works as expected.

34
00:02:49,830 --> 00:02:55,200
Now for the moment we only have one user and they have a couple of tasks in order to make sure all of

35
00:02:55,200 --> 00:02:56,270
this is working.

36
00:02:56,310 --> 00:03:00,840
We shouldn't get a second user into the mix and have them create their own tasks.

37
00:03:00,840 --> 00:03:05,280
And just so we can make sure that our access control is actually functional.

38
00:03:05,280 --> 00:03:08,010
So over in post man what does that really mean.

39
00:03:08,010 --> 00:03:11,700
It means we're going to create a second user over here.

40
00:03:11,700 --> 00:03:14,790
We have the data for the first user we've created.

41
00:03:14,820 --> 00:03:17,780
We can just switch this up to something else.

42
00:03:17,850 --> 00:03:24,300
I'll go ahead and use Mike at example dot com and I will use Mike as the name up above.

43
00:03:24,450 --> 00:03:30,420
And then I'm going to fire that off to create the second user and I'll automatically be logged in as

44
00:03:30,420 --> 00:03:31,120
them.

45
00:03:31,260 --> 00:03:35,940
Then all I'm going to do is revert those changes back to what they were before.

46
00:03:35,940 --> 00:03:41,880
So now we're logged in as that second user and we're going to do is create a couple of tasks for them

47
00:03:41,880 --> 00:03:42,680
as well.

48
00:03:42,750 --> 00:03:46,480
So we'll have two users in total each with two tasks.

49
00:03:46,620 --> 00:03:50,940
Right here I'll go ahead and say something specific to Mike.

50
00:03:51,090 --> 00:03:59,760
Let's just say Mike has something to do and I'll go ahead and change the completed value for this over

51
00:03:59,760 --> 00:04:00,810
to true.

52
00:04:01,140 --> 00:04:06,120
I can fire that off and make sure it's created successfully which it is down below.

53
00:04:06,120 --> 00:04:09,270
Then we can add another one I'll leave completed off.

54
00:04:09,300 --> 00:04:11,220
So it will default to false.

55
00:04:11,220 --> 00:04:18,480
And right here I can say something like find a new job I'll send that off as well to create the second

56
00:04:18,630 --> 00:04:19,740
task.

57
00:04:19,800 --> 00:04:26,580
Now let's go ahead and try to find our task by I.D. I'm going to copy the idea of that task to the clipboard

58
00:04:27,030 --> 00:04:34,110
and I'm gonna head over to the read task and point right here I have that showing up all I need to do

59
00:04:34,410 --> 00:04:40,740
is swap out the I.D. up above with the I.D. I just copy to the clipboard and I should now be able to

60
00:04:40,740 --> 00:04:42,990
fire this off successfully.

61
00:04:42,990 --> 00:04:45,080
I'm gonna send it off and what do I get.

62
00:04:45,150 --> 00:04:47,840
I get my task showing up now.

63
00:04:47,880 --> 00:04:49,990
This is testing that things are working.

64
00:04:50,070 --> 00:04:55,950
When I'm logged in as the user and I'm fetching a task that I do own let's make sure that I can't fetch

65
00:04:55,950 --> 00:04:59,460
this task if I'm logged in as the other user.

66
00:04:59,460 --> 00:05:05,240
So now we're going to log in as that first user once again over here for log in user.

67
00:05:05,240 --> 00:05:13,100
I have that data from earlier in the class I log in as that first user head back over to the read task

68
00:05:13,160 --> 00:05:16,990
request and try to fire off the exact same request.

69
00:05:17,000 --> 00:05:21,290
The only thing that's changed is now on user 1 instead of User 2.

70
00:05:21,440 --> 00:05:23,900
And I'm not the one who created this.

71
00:05:23,930 --> 00:05:25,890
If I fire that off what do I get.

72
00:05:25,970 --> 00:05:28,800
I get a 4 0 4 which is fantastic.

73
00:05:28,820 --> 00:05:35,930
So users can pull their tasks by I.D. if they created them and you can't pull a task by I.D. even if

74
00:05:35,930 --> 00:05:37,130
you're authenticated.

75
00:05:37,190 --> 00:05:40,080
If you were not the person who created it.

76
00:05:40,160 --> 00:05:43,150
So that is all we needed to change for this router.

77
00:05:43,160 --> 00:05:48,650
Right here we added the author middleware and we tweaked one line of code.

78
00:05:48,650 --> 00:05:52,880
Now we're going to end up doing the same thing for the other routes in this file.

79
00:05:52,880 --> 00:05:57,290
There are three others and we'll start with get tasks right here.

80
00:05:57,290 --> 00:06:02,240
Now getting this done is going to be your challenge for the video and I have some challenge comments

81
00:06:02,240 --> 00:06:08,310
to outline what I'd like you to do though the process is basically identical to what we did down below.

82
00:06:08,450 --> 00:06:13,460
The first thing you're going to do is add authentication to the end point and from there you're going

83
00:06:13,460 --> 00:06:16,400
to change which tasks we return.

84
00:06:16,400 --> 00:06:24,200
Right now we would end up sending back both users for tasks even though each of them only have two associated

85
00:06:24,200 --> 00:06:25,520
with their account.

86
00:06:25,550 --> 00:06:31,880
So we want to take the authenticated user I.D. into account when finding the tasks we want to limit

87
00:06:31,910 --> 00:06:33,320
by the owner.

88
00:06:33,320 --> 00:06:35,140
Now there are two ways to do that.

89
00:06:35,180 --> 00:06:42,470
We could modify the task dot find call to search for the owner inside of here or we could use the populate

90
00:06:42,500 --> 00:06:48,630
functionality we explored in the last video to get all of the tasks for a specific user.

91
00:06:48,650 --> 00:06:50,750
Either way would work from there.

92
00:06:50,750 --> 00:06:51,920
Test your work.

93
00:06:51,920 --> 00:06:58,640
Make sure that you can only see the tasks created by that specific user when firing the request off

94
00:06:58,700 --> 00:07:02,190
over in post man pause the video knock that out.

95
00:07:02,210 --> 00:07:04,640
And when you're done come back and click play

96
00:07:08,620 --> 00:07:09,660
how that go.

97
00:07:09,670 --> 00:07:13,540
Let's go ahead and kick things off by adding authentication into the mix.

98
00:07:13,540 --> 00:07:20,200
So right here we will set up the off middleware and from there we'll be able to go ahead and modify

99
00:07:20,200 --> 00:07:21,880
the line down below.

100
00:07:21,880 --> 00:07:23,890
Now there's two approaches you could have taken.

101
00:07:23,890 --> 00:07:28,150
One would be to change what we provide as the object argument.

102
00:07:28,270 --> 00:07:33,150
We would set up owner and the value we'd be looking for is on request.

103
00:07:33,280 --> 00:07:35,890
User dot underscore I.D..

104
00:07:36,010 --> 00:07:39,140
This would 100 percent get the job done.

105
00:07:39,160 --> 00:07:44,050
I'll also show you the alternative which would be to do the following right here.

106
00:07:44,110 --> 00:07:47,890
I would use a wait with request dot user.

107
00:07:48,310 --> 00:07:52,000
Now here what I'm going to do is populate their tasks.

108
00:07:52,000 --> 00:08:01,310
So dot populate populating the tasks exactly like we did in the last video then we just call the function

109
00:08:01,310 --> 00:08:02,560
we've used before.

110
00:08:02,720 --> 00:08:05,310
E X E C populate.

111
00:08:05,510 --> 00:08:07,900
This would also work just as well.

112
00:08:07,940 --> 00:08:13,460
And then down below we would just send back request user Doc tasks.

113
00:08:13,550 --> 00:08:19,310
So either approach is gonna get the job done as long as the end point works as expected then your solution

114
00:08:19,310 --> 00:08:21,230
is valid up above.

115
00:08:21,230 --> 00:08:25,960
I'll remove those challenge comments and we can test things out over and post man.

116
00:08:26,000 --> 00:08:29,380
I'll save the task router over in post man.

117
00:08:29,390 --> 00:08:31,850
We can move over to the Reid tasks.

118
00:08:31,870 --> 00:08:38,360
End Point here I'll fire them off while logged in as that first user and I can see the tax we created

119
00:08:38,360 --> 00:08:38,840
for them.

120
00:08:39,320 --> 00:08:45,350
I don't see that task about Mike and I don't see the task about getting a new job because those were

121
00:08:45,350 --> 00:08:51,980
created by the second user and I'm authenticated as the first user so I only see the two tasks.

122
00:08:52,010 --> 00:08:56,900
This one actually created now that that end point is all wrapped up.

123
00:08:56,930 --> 00:08:58,710
We can continue down the list.

124
00:08:58,820 --> 00:09:05,270
We already knocked out this one and the next one we have right here is the ability to update a task

125
00:09:05,330 --> 00:09:10,510
by IDC and we're gonna end up working through a similar process to the other two.

126
00:09:10,520 --> 00:09:12,780
Now this one will work through together.

127
00:09:12,800 --> 00:09:17,310
Let's start by adding authentication in and down below.

128
00:09:17,310 --> 00:09:20,040
We're gonna go ahead and switch how things work.

129
00:09:20,040 --> 00:09:24,250
Right now we are finding the task by I.D. which we don't want to do.

130
00:09:24,330 --> 00:09:28,890
We want to find it by I.D. but also by the owner value.

131
00:09:29,130 --> 00:09:32,750
So const task equals a weight.

132
00:09:32,910 --> 00:09:35,600
We are going to await a call to task.

133
00:09:35,700 --> 00:09:36,790
Find one.

134
00:09:36,960 --> 00:09:43,530
We're going to find it by its I.D. we get that value exactly where we were getting it before that is

135
00:09:43,530 --> 00:09:53,220
and request dot paradigms dot I.D. and also owner and owner is going to be request dot user dot underscore

136
00:09:53,240 --> 00:09:53,920
I.D..

137
00:09:54,060 --> 00:09:55,100
Perfect.

138
00:09:55,110 --> 00:09:59,910
So now we're finding the task by a way that takes the owner into account.

139
00:09:59,910 --> 00:10:05,090
Now right here we're actually trying to update the task before we even know if it exists.

140
00:10:05,100 --> 00:10:10,470
All I'm going to do is take these two lines and move them below the if statement.

141
00:10:10,470 --> 00:10:13,050
So now we'll have that for all for print.

142
00:10:13,050 --> 00:10:19,820
If no task is found either because it doesn't exist by the I.D. or you're not the creator.

143
00:10:19,860 --> 00:10:25,560
So now that we have this in place let's go ahead and test our work and make sure we can update our tasks

144
00:10:25,620 --> 00:10:28,890
and that we can't update someone else's tasks.

145
00:10:28,950 --> 00:10:35,010
So over and post man I'm logged in as that first user and I have a couple of tasks right here I'm going

146
00:10:35,010 --> 00:10:41,160
to go ahead and grab the I.D. for the second one go to office and I'm going to try to update it.

147
00:10:41,190 --> 00:10:47,880
So right here I'll grab that I.D. I'll head over to update task and paste that in the U.R.L..

148
00:10:48,240 --> 00:10:48,860
Now here.

149
00:10:48,900 --> 00:10:55,050
I will switch up the completed value so if I go back to read it tasks we can see it was false it was

150
00:10:55,050 --> 00:10:57,170
not completed over here.

151
00:10:57,180 --> 00:10:59,900
I will adjust that over to true.

152
00:10:59,910 --> 00:11:06,230
I'm going to fire off the request down below I get a two hundred and I can see the updated task go to

153
00:11:06,240 --> 00:11:15,060
office is now completed from here what I'm gonna do is try to update a task that I did not create.

154
00:11:15,150 --> 00:11:21,090
So to do this we could log in as that second user and grab one of those task ideas or we could do that

155
00:11:21,090 --> 00:11:27,720
from over in the database which is the approach I'll take I'll go over to the tasks collection and refresh

156
00:11:27,720 --> 00:11:29,060
things and here.

157
00:11:29,070 --> 00:11:32,680
The second two those belong to the other user.

158
00:11:32,850 --> 00:11:38,850
So I'm going to right click one of them and edit it just so I can copy its I.D. to the clipboard.

159
00:11:38,850 --> 00:11:41,190
Here we have the task that Mike created.

160
00:11:41,190 --> 00:11:42,730
Find a new job.

161
00:11:42,930 --> 00:11:48,480
Once I have that I.D. I can head back over to postmen and pasted in up above.

162
00:11:48,480 --> 00:11:54,570
Now I'm still logged in as that first user I should not be able to update this task down below.

163
00:11:54,570 --> 00:11:56,730
I fire that off and what do I get.

164
00:11:56,790 --> 00:12:00,540
I get a floral for showing up which is fantastic.

165
00:12:00,540 --> 00:12:07,500
So now all of the routes are converted except for the final one which is the route for deleting a task

166
00:12:07,560 --> 00:12:09,300
by I.D. right here.

167
00:12:09,300 --> 00:12:12,180
This is gonna be your second challenge for the video.

168
00:12:12,210 --> 00:12:13,330
So what are you going to do.

169
00:12:13,350 --> 00:12:17,370
You're gonna do the same sort of thing we've done three times already.

170
00:12:17,370 --> 00:12:22,290
You're gonna add authentication you're going to make sure that when you delete the task you're taking

171
00:12:22,290 --> 00:12:24,750
the owner into account as well.

172
00:12:24,750 --> 00:12:29,220
Right here we have find one and delete which can allow you to get that done.

173
00:12:29,310 --> 00:12:30,750
Similar to how we used.

174
00:12:30,780 --> 00:12:32,780
Find one up above.

175
00:12:33,000 --> 00:12:37,340
Then you're going to test your work tried to delete a task that you've created.

176
00:12:37,350 --> 00:12:38,360
It should work.

177
00:12:38,490 --> 00:12:42,110
Then try to delete a task created by another user.

178
00:12:42,180 --> 00:12:45,810
And that should fail take some time to knock this out.

179
00:12:45,810 --> 00:12:49,170
Test your work and when you're done come back and click play

180
00:12:52,530 --> 00:12:53,400
how'd that go.

181
00:12:53,400 --> 00:12:57,860
Let's go ahead and kick things off by adding authentication into the mix.

182
00:12:57,870 --> 00:13:03,900
I'm gonna get that done right here by setting up the off middleware then down below we have to update

183
00:13:03,930 --> 00:13:05,940
how we are finding the task.

184
00:13:05,940 --> 00:13:11,990
This approach is no longer going to work as it only takes the task I.D. into account.

185
00:13:12,060 --> 00:13:17,970
Instead we want to take task I.D. and the owner value so const task equals.

186
00:13:17,970 --> 00:13:23,410
I'll use a wait with task dot find one and delete.

187
00:13:23,430 --> 00:13:29,580
Which is very similar to find by I.D. and delete though we can provide an object like we do with find

188
00:13:29,580 --> 00:13:34,780
one to specify the criteria we're using for searching here.

189
00:13:35,160 --> 00:13:42,240
The underscore I.D. field needs to have the following value which comes from request dot paradigms dot

190
00:13:42,300 --> 00:13:50,760
I.D. and the owner needs to line up with the I.D. of the authenticated user request dot user dot underscore

191
00:13:50,910 --> 00:13:51,840
I.D..

192
00:13:51,840 --> 00:13:52,800
Perfect.

193
00:13:52,800 --> 00:13:55,450
That's all we had to do in order to get this done.

194
00:13:55,500 --> 00:13:58,350
So let's go ahead and remove the other line.

195
00:13:58,380 --> 00:14:04,760
We will remove the challenge comments save the program and now we're going to test things out.

196
00:14:05,040 --> 00:14:09,980
Now over here I already have an I.D. of a task that I did not create.

197
00:14:09,990 --> 00:14:13,020
I used that to make sure that updating failed.

198
00:14:13,020 --> 00:14:18,510
I'm going to start by making sure deleting fails since I already have this idea available.

199
00:14:18,510 --> 00:14:24,460
So over here for a delete task I will try to delete the task that I also could not update.

200
00:14:24,510 --> 00:14:26,440
It should not work here either.

201
00:14:26,580 --> 00:14:28,650
I'll fire that off and what do I get.

202
00:14:28,650 --> 00:14:35,790
I get a 4 0 4 now if I head back over to read tasks I can see the tasks that I do have control over

203
00:14:36,180 --> 00:14:42,660
and I'm going to delete the second one by its I.D. so I'll copy the idea to the clipboard head over

204
00:14:42,660 --> 00:14:43,730
to delete task.

205
00:14:43,740 --> 00:14:47,000
And from here we're just going to paste it up top.

206
00:14:47,100 --> 00:14:49,860
I fire this off and this time it should work.

207
00:14:49,860 --> 00:14:51,310
And right here it did.

208
00:14:51,350 --> 00:14:58,380
I have a two hundred and I can see the deleted task if I were to request all of my tasks again I would

209
00:14:58,380 --> 00:15:02,270
expect to just have one and that is exactly what I get.

210
00:15:02,280 --> 00:15:07,380
I no longer have to go to the office but I still have to finish this node course.

211
00:15:07,470 --> 00:15:14,130
So with this in place all of the task routes they require authentication and they also take that into

212
00:15:14,130 --> 00:15:17,520
account when it comes to the relationship between you.

213
00:15:17,610 --> 00:15:21,670
The authenticated user and the task you're trying to work with.

214
00:15:21,750 --> 00:15:28,290
When you create a task it's associated with your user and whenever you try to read a task update a task

215
00:15:28,320 --> 00:15:34,140
or delete a task we make sure it's a task that you actually created.

216
00:15:34,140 --> 00:15:39,300
All right with this in place there's only one more thing I want to cover in this section and that is

217
00:15:39,300 --> 00:15:47,020
coming up next we're gonna talk about how we can delete the tasks for a user who's deleted themselves.

218
00:15:47,100 --> 00:15:52,980
So if I close down my user profile I would expect all of my tasks to go away as well.

219
00:15:53,010 --> 00:15:53,910
We'll knock that out.

220
00:15:53,910 --> 00:15:55,090
Coming up next.