Ryan Chenkie: [0:00] We've now got things set up so that when users connect to our API, they are going to get a session established and a cookie set in the browser. So what we can do now is, when users log in, set the user information on the session.

[0:14] First, let's review what we've currently got happening when a user authenticates: we take the email and the password that they sent from the login form, then we find that user by their email, and next we verify their password.

[0:25] We've got this function here called verify password, which is going to take the user-supplied password and the password that is hashed in the database for the user and compare those two, to make sure it's good, and if so, we're currently creating a JSON Web Token for the user.

[0:40] Once we've got the JSON Web Token, we send that back in the response with some other information. Remember, we are getting away from JSON Web Token authentication in this module.

[0:50] We're going to completely remove JSON Web Tokens, and we're going to rely on cookies and sessions, but for the time being, we're going to run these in tandem so that we can, piece by piece, remove the JSON Web Token parts of our app and swap them out for cookies and sessions.

[1:05] So the very first thing that we can do here is just set the user info on the session as the user authenticates. So right before we respond with our JSON data, let's say `request.session.user = userInfo`.

[1:18] Let's save that. Now let's go and log in once more and see if we can get the user's information logged out to the console, so we'll log out and then log back in. Once we do, we get back over to the dashboard, and we get the user information that we previously saved on the session.

[1:40] So one nice thing about this approach is that the user information now exists on our session object. So any request that comes in will now have this session object, and we can pull user information from it: we can get the user's ID, we can tell other things like their name and email, and that's going to be useful as we build out our endpoint.

[2:00] Now, one caveat when it comes to working with cookies and sessions is that they are stateful, and they're more volatile. What that means is, if I were to restart the server (so I'll save this here and give the server a restart), and then come back over and refresh the page to get the dashboard data again, I no longer have that user session here.

[2:22] That's because every time I restart the server, the session information is going to be wiped. Keep in mind that the setup we currently have here, just keeping sessions in memory on the server, is not going to cut it; that's not going to work for any production-level application.

[2:37] That's because in production your server will get restarted all the time, maybe from an automatic daily restart like this demo on Heroku, or maybe because your application crashes and needs to restart.

[2:49] Either way, it will need a robust session store. We'll see how to do that later on. For now, let's just set this up on the signup route as well, and we'll be done with this step. Coming down to signup, let's go up here just above where we respond with the data, and we'll say that our user info is going to be set on the session as well.

Advanced React Security Patterns - Pro Package
