Add a Session-Based Middleware

Ryan Chenkie: [0:00] If we think back to the fundamentals course where we were using JSON Web Tokens, as our way to tell whether or not users should get access to certain resources, we were implementing some things that were very specific to JSON Web Tokens.

[0:13] For example, we have this attached user middleware. This middleware got the token from the authorization error and then decoded it and took that decoded token's payload and put it onto the request object.

[0:25] This was a representation of the user, it had the user's information, like their ID, and their name, email, etc. Now, because we're using sessions in this case, we no longer need to attach a user in this way.

[0:38] Instead, the user is going to be on the session that exists on the server whenever they log in or sign up. That means that there's no kind of work that we have to do every time a request comes into the server. Instead, the user information is just going to exist.

[0:52] For our purposes here, we can just actually delete all of this. We don't need this middleware at all anymore. We will, however, still need these middlewares, require off and require admin.

[1:03] We're going to continue using them at our various endpoints to protect them. However, we need to make some changes. For example, the require off middleware is using express JWT. This is very specific to JSON Web Tokens.

[1:17] Instead, now what we need is consult the user's session on our backend to tell whether or not they are authenticated. Let's get rid of this bit here and instead, let's implement our own custom middleware. Custom middlewares have a request, response, and next function.

[1:34] For our purposes here, this check is going to be fairly simple. We're going to look for a user coming in on the request.session and if there is no user, we're just going to return an error. We'll say, "Return a response with a status of 401." That's going to be a JSON response with a message that says, "Unauthorized."

[1:56] However, if the user does exist on the session, then we will just go on to the next function. Require admin can stay pretty much as it is but we're going to instead now take the user from request.session. Here this check is going to be, if user.role does not = admin. Let's save this now and we're going to go over to our dashboard here and refresh.

[2:19] First thing we'll see is that we've got an error and we're getting a 401. Once again, that's because every time we refresh our server here, it's going to wipe out our sessions. We're going to fix that in a little bit. For now, let's login once more. We'll log out and then back in.

[2:36] Now, we are able to get to that dashboard data. We've got a good result coming in there. One spot that we need to fix up still is going to be anywhere on our backends that we are using the user's ID in a request. For example, this inventory area.

[2:50] We're currently getting an error coming back from the server and that's because if we take a look at the endpoints which gives us inventory data, we're looking for this sub-property. That sub claim that was coming from the JSON Web Token is no longer going to be there. We need to change things up here.

[3:06] In this case, we will say, const destructured user = request.session. When we go to find inventory items, we're going to look for them where user = user._id.

[3:19] We'll need to make this change in our other endpoints as well. Coming down to where we post inventory items, let's overwrite this line, end-user.ID. We'll go in here as well. Now, where we delete inventory items, it'll be something similar, User where the user = user._id.

[3:41] Let's take a look at the other endpoints we've got. We have one here where we get users and that's just looking for all of them. We can leave that as is. Down here where we are getting bios, we can change this up. We'll have destructured user comes from the request session.

[3:56] Let's change this up a little bit because these names here are going to collide. We can just call this, "Found user." We'll change this up to say, When we respond with data, we will respond with, found Over here where we update a bio, we need to do the same thing. ID is going to be

[4:22] It looks like that is about it. Let's save this and we'll come back over and refresh. We'll need to login once more. Now, when we go over to inventory, we get our items and we can do things like delete them as well.