Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:02,070 --> 00:00:05,110 Now, to understand how authentication works, 2 00:00:05,110 --> 00:00:07,600 it is important to really understand 3 00:00:07,600 --> 00:00:11,290 why we need authentication in the first place. 4 00:00:11,290 --> 00:00:14,800 And the answer here is that we need authentication 5 00:00:14,800 --> 00:00:19,770 in a website because some content should be protected. 6 00:00:19,770 --> 00:00:23,530 Not all users and visitors of our website 7 00:00:23,530 --> 00:00:26,600 should be able to access all content. 8 00:00:26,600 --> 00:00:30,270 That's why we have authentication in place. 9 00:00:30,270 --> 00:00:33,580 Now, content can be different things. 10 00:00:33,580 --> 00:00:36,780 Sometimes you have pages on your site 11 00:00:36,780 --> 00:00:39,300 that should be locked if users 12 00:00:39,300 --> 00:00:41,170 are not authenticated. 13 00:00:41,170 --> 00:00:44,530 For example, throughout this course section, 14 00:00:44,530 --> 00:00:47,970 we are going to work on this demo website here 15 00:00:47,970 --> 00:00:51,270 and there we have this dummy starting page. 16 00:00:51,270 --> 00:00:53,830 Then we have this login page 17 00:00:53,830 --> 00:00:56,780 where we can also create new users 18 00:00:56,780 --> 00:00:59,320 and we have this profile page 19 00:00:59,320 --> 00:01:02,200 where users can change their password. 20 00:01:02,200 --> 00:01:06,310 And for example, this page, this profile page 21 00:01:06,310 --> 00:01:08,890 should only be accessible to users 22 00:01:08,890 --> 00:01:10,620 who are logged in. 23 00:01:10,620 --> 00:01:12,480 And if you are not logged in, 24 00:01:12,480 --> 00:01:15,690 you should not be able to visit this page. 25 00:01:15,690 --> 00:01:19,210 So this kind of content might be locked. 26 00:01:19,210 --> 00:01:22,410 This page should maybe not be accessible 27 00:01:22,410 --> 00:01:24,850 to non-logged in users. 28 00:01:24,850 --> 00:01:27,520 But it's not just pages like this. 29 00:01:27,520 --> 00:01:31,660 Protected content could also be some data 30 00:01:31,660 --> 00:01:33,530 that you're storing in a database, 31 00:01:33,530 --> 00:01:37,870 some API endpoints to which your React application 32 00:01:37,870 --> 00:01:41,180 might be sending requests on certain pages 33 00:01:41,180 --> 00:01:45,040 that should be locked for non-authenticated users, 34 00:01:45,040 --> 00:01:48,590 and there are many examples you could come up with 35 00:01:48,590 --> 00:01:51,010 but back on this page, 36 00:01:51,010 --> 00:01:52,534 on this profile page, 37 00:01:52,534 --> 00:01:56,240 it would be this Change Password request, 38 00:01:56,240 --> 00:01:59,440 which we are sending when this button is clicked. 39 00:01:59,440 --> 00:02:01,350 I mean, at the moment, nothing happens here. 40 00:02:01,350 --> 00:02:03,200 We're going to build this together 41 00:02:03,200 --> 00:02:05,360 but of course, when that button is clicked, 42 00:02:05,360 --> 00:02:08,320 it would be a realistic expectation 43 00:02:08,320 --> 00:02:12,270 that some request is sent to some server 44 00:02:12,270 --> 00:02:16,557 to update this user's password in the database. 45 00:02:16,557 --> 00:02:19,750 And even though we wanna lock down 46 00:02:19,750 --> 00:02:21,990 this profile page entirely, 47 00:02:21,990 --> 00:02:26,990 we also might want to lock down that API endpoint 48 00:02:27,170 --> 00:02:29,500 to which we're sending this request 49 00:02:29,500 --> 00:02:34,500 so that a request sent to this API endpoint can't succeed 50 00:02:34,860 --> 00:02:37,130 if the user is not logged in 51 00:02:37,130 --> 00:02:41,220 because if the API endpoint would not be locked down, 52 00:02:41,220 --> 00:02:44,070 that would mean that any user 53 00:02:44,070 --> 00:02:47,510 who knows the URL of that endpoint 54 00:02:47,510 --> 00:02:50,360 could send a request to change the password 55 00:02:50,360 --> 00:02:54,330 of some other user and that would be very insecure. 56 00:02:54,330 --> 00:02:56,970 So that's why we might not just want 57 00:02:56,970 --> 00:02:59,840 to restrict pages on our websites, 58 00:02:59,840 --> 00:03:02,210 but also API endpoints 59 00:03:02,210 --> 00:03:06,883 to which we send requests from inside our React app. 60 00:03:07,860 --> 00:03:11,080 So that's why we need authentication. 61 00:03:11,080 --> 00:03:13,410 And that brings up another question. 62 00:03:13,410 --> 00:03:17,500 How does authentication then work in general? 63 00:03:17,500 --> 00:03:20,660 And here the answer is quite straightforward. 64 00:03:20,660 --> 00:03:25,220 In general, authentication is a two-step process. 65 00:03:25,220 --> 00:03:28,170 The first step is always to get access, 66 00:03:28,170 --> 00:03:30,770 to get the permission for this user. 67 00:03:30,770 --> 00:03:33,700 And you get that access, that permission 68 00:03:33,700 --> 00:03:37,480 by providing your credentials by logging in. 69 00:03:37,480 --> 00:03:40,810 Of course, you, first of all, need to create an account 70 00:03:40,810 --> 00:03:42,050 but once you've got that, 71 00:03:42,050 --> 00:03:44,670 you do log in with your credentials, 72 00:03:44,670 --> 00:03:48,130 this data is then sent to some server 73 00:03:48,130 --> 00:03:50,650 where we can look into a database 74 00:03:50,650 --> 00:03:53,800 and verify your password and email combination 75 00:03:53,800 --> 00:03:55,666 and if that is valid, 76 00:03:55,666 --> 00:03:59,670 the server, the backend to which the request is sent 77 00:03:59,670 --> 00:04:02,320 grants this permission. 78 00:04:02,320 --> 00:04:04,700 Then once we have this permission, 79 00:04:04,700 --> 00:04:09,450 we can unlock certain pages on the website 80 00:04:09,450 --> 00:04:12,520 and/or, depending on what we need to do, 81 00:04:12,520 --> 00:04:16,700 use that permission to send subsequent requests 82 00:04:16,700 --> 00:04:21,700 to other protected resources on an API endpoint. 83 00:04:21,740 --> 00:04:23,710 So we first get that permission 84 00:04:23,710 --> 00:04:27,390 and then we can send more requests 85 00:04:27,390 --> 00:04:31,940 to other endpoints with that permission attached. 86 00:04:31,940 --> 00:04:34,910 And that's indeed, how that generally works. 87 00:04:34,910 --> 00:04:38,370 We have our client with the React app running in the browser 88 00:04:38,370 --> 00:04:40,400 and some backend server 89 00:04:40,400 --> 00:04:43,190 with some server-side code written by us 90 00:04:43,190 --> 00:04:45,140 or written by someone else. 91 00:04:45,140 --> 00:04:47,600 It can be a third-party API, 92 00:04:47,600 --> 00:04:51,310 an external API with which we're working here 93 00:04:51,310 --> 00:04:54,020 or it can be our own API. 94 00:04:54,020 --> 00:04:56,350 And then we, first of all, send that request 95 00:04:56,350 --> 00:04:58,910 with the email, password combination, 96 00:04:58,910 --> 00:05:01,170 the server then verifies that, 97 00:05:01,170 --> 00:05:02,740 checks our credentials 98 00:05:02,740 --> 00:05:05,290 and then either grants permission 99 00:05:05,290 --> 00:05:09,083 for further requests or denies that. 100 00:05:09,940 --> 00:05:12,050 And then we can use that permission 101 00:05:12,050 --> 00:05:14,563 as I described it a couple of seconds ago. 102 00:05:15,620 --> 00:05:17,570 But is that enough 103 00:05:17,570 --> 00:05:19,580 if we just get this permission 104 00:05:19,580 --> 00:05:21,310 and we then can use this permission 105 00:05:21,310 --> 00:05:23,183 for subsequent requests? 106 00:05:24,290 --> 00:05:26,700 Well, it's not enough. 107 00:05:26,700 --> 00:05:29,760 A yes or no alone is not enough 108 00:05:29,760 --> 00:05:34,760 to then access protected resources like API endpoints. 109 00:05:34,820 --> 00:05:39,170 And it's not enough because a yes or no 110 00:05:39,170 --> 00:05:41,120 is easy to fake. 111 00:05:41,120 --> 00:05:44,650 If the server to which we send our credentials 112 00:05:44,650 --> 00:05:48,080 would just reply with a yes or no, 113 00:05:48,080 --> 00:05:50,160 we could just skip that step 114 00:05:50,160 --> 00:05:54,290 of getting the permission and just instead add our own yes 115 00:05:54,290 --> 00:05:58,640 or no to requests for protected resources. 116 00:05:58,640 --> 00:06:00,380 So that's why this is not enough 117 00:06:00,380 --> 00:06:04,790 and why authentication is a bit more elaborate than that. 118 00:06:04,790 --> 00:06:08,060 That part with sending and checking the credentials 119 00:06:08,060 --> 00:06:12,030 all needs to happen but the response sent back 120 00:06:12,030 --> 00:06:15,080 by the server to the client must be more 121 00:06:15,080 --> 00:06:17,209 than just a yes or no. 122 00:06:17,209 --> 00:06:20,210 And here we've got two main approaches, 123 00:06:20,210 --> 00:06:22,370 which are commonly used. 124 00:06:22,370 --> 00:06:26,090 We can either work with server-side sessions 125 00:06:26,090 --> 00:06:28,793 or with authentication tokens. 126 00:06:29,820 --> 00:06:31,510 Now, server-side sessions 127 00:06:31,510 --> 00:06:35,400 are a very traditional approach of handling authentication 128 00:06:35,400 --> 00:06:39,740 and they are a great approach of handling authentication. 129 00:06:39,740 --> 00:06:41,910 With server-side sessions, 130 00:06:41,910 --> 00:06:45,100 once a server grants you access, 131 00:06:45,100 --> 00:06:48,490 that server stores a unique identifier 132 00:06:48,490 --> 00:06:52,150 for your client, so for this specific user 133 00:06:52,150 --> 00:06:54,690 who was just granted access. 134 00:06:54,690 --> 00:06:58,360 The server generates and stores some unique identifier 135 00:06:58,360 --> 00:07:00,530 for this specific client 136 00:07:00,530 --> 00:07:03,420 and therefore, every visitor of a website 137 00:07:03,420 --> 00:07:07,950 who authenticates gets his or her own identifier stored 138 00:07:07,950 --> 00:07:08,853 on the server. 139 00:07:09,720 --> 00:07:13,670 But this identifier is not just stored on the server, 140 00:07:13,670 --> 00:07:16,550 it's also sent back to the client. 141 00:07:16,550 --> 00:07:18,507 So the response of the server 142 00:07:18,507 --> 00:07:21,050 is not just this yes or no 143 00:07:21,050 --> 00:07:23,550 but instead, it does now also 144 00:07:23,550 --> 00:07:26,020 include this unique identifier. 145 00:07:26,020 --> 00:07:28,200 So the server and the client, 146 00:07:28,200 --> 00:07:31,490 both parties know this identifier. 147 00:07:31,490 --> 00:07:33,500 And then it's this identifier, 148 00:07:33,500 --> 00:07:37,730 which is attached to future requests to this server 149 00:07:37,730 --> 00:07:40,410 and since the server knows this identifier, 150 00:07:40,410 --> 00:07:43,290 this identifier can't be faked. 151 00:07:43,290 --> 00:07:46,090 If you come up with your own random identifier, 152 00:07:46,090 --> 00:07:47,860 the server won't know it 153 00:07:47,860 --> 00:07:52,030 and access will be denied for this subsequent request. 154 00:07:52,030 --> 00:07:54,280 So that's a great mechanism. 155 00:07:54,280 --> 00:07:57,680 But this mechanism has one disadvantage. 156 00:07:57,680 --> 00:08:01,330 It works great if your backend, your server 157 00:08:01,330 --> 00:08:04,560 and your front end are tightly coupled 158 00:08:04,560 --> 00:08:06,930 but if you've got decoupled ends, 159 00:08:06,930 --> 00:08:09,840 if you've got your Single Page Application served 160 00:08:09,840 --> 00:08:13,560 by server A and you've got your backend application, 161 00:08:13,560 --> 00:08:17,534 your REST API served by server B, 162 00:08:17,534 --> 00:08:20,319 then there is no tight coupling. 163 00:08:20,319 --> 00:08:24,810 The backend API probably should work independent 164 00:08:24,810 --> 00:08:27,640 from the front-end Single Page Application 165 00:08:27,640 --> 00:08:30,110 and vice versa. 166 00:08:30,110 --> 00:08:32,370 Or if you are building an API 167 00:08:32,370 --> 00:08:35,630 that is there to be used by many websites, 168 00:08:35,630 --> 00:08:38,840 think about something like the Google Maps API, 169 00:08:38,840 --> 00:08:43,320 then, of course, this API also can't be tightly coupled 170 00:08:43,320 --> 00:08:46,490 and focused on one specific front end. 171 00:08:46,490 --> 00:08:49,000 Instead it needs to stay flexible. 172 00:08:49,000 --> 00:08:53,870 And that's why then you don't wanna store some identifier 173 00:08:53,870 --> 00:08:55,470 on the server. 174 00:08:55,470 --> 00:08:59,040 The server should be stateless, as it's called. 175 00:08:59,040 --> 00:09:01,940 The server should not store this kind of data 176 00:09:01,940 --> 00:09:03,950 about the connected clients. 177 00:09:03,950 --> 00:09:07,640 There is a decoupled backend and front-end situation. 178 00:09:07,640 --> 00:09:10,620 And you will very often have to deal with that 179 00:09:10,620 --> 00:09:13,030 when building Single Page Applications 180 00:09:13,030 --> 00:09:16,030 and that's therefore, the part I wanna focus on 181 00:09:16,030 --> 00:09:17,189 in this module 182 00:09:17,189 --> 00:09:19,650 because in this situation, 183 00:09:19,650 --> 00:09:22,267 you can use authentication tokens 184 00:09:22,267 --> 00:09:25,590 because the idea here is generally is the same. 185 00:09:25,590 --> 00:09:28,340 There is just one key difference. 186 00:09:28,340 --> 00:09:32,740 The general idea still is that you send some credentials, 187 00:09:32,740 --> 00:09:35,210 email and password to a server 188 00:09:35,210 --> 00:09:37,990 and the server validates those credentials 189 00:09:37,990 --> 00:09:40,750 by comparing your email password combination 190 00:09:40,750 --> 00:09:42,793 to what's stored in the database. 191 00:09:43,750 --> 00:09:45,500 Then if that's valid, 192 00:09:45,500 --> 00:09:49,920 the server creates a permission token, 193 00:09:49,920 --> 00:09:52,850 which is basically just a very long string 194 00:09:52,850 --> 00:09:56,630 with some data encoded into that string. 195 00:09:56,630 --> 00:10:00,260 The server will basically use some algorithm 196 00:10:00,260 --> 00:10:04,120 to encode some data, like the email address 197 00:10:04,120 --> 00:10:06,850 of the user and a bunch of other pieces of data 198 00:10:06,850 --> 00:10:08,400 into one string, 199 00:10:08,400 --> 00:10:10,650 which can be decoded back 200 00:10:10,650 --> 00:10:13,440 into these individual pieces of data. 201 00:10:13,440 --> 00:10:16,440 It's really just a way of gluing different pieces 202 00:10:16,440 --> 00:10:17,663 of data together. 203 00:10:18,570 --> 00:10:22,300 Now, this token will be generated by the server 204 00:10:22,300 --> 00:10:26,540 with a specific algorithm and very important, 205 00:10:26,540 --> 00:10:30,950 with a key, which will be used for hashing that data 206 00:10:30,950 --> 00:10:32,290 into a string, 207 00:10:32,290 --> 00:10:35,140 which is only known by the server. 208 00:10:35,140 --> 00:10:36,800 So there is a key involved, 209 00:10:36,800 --> 00:10:40,553 which is only known by the server, not by the client. 210 00:10:41,560 --> 00:10:44,220 Now, this token is not stored by the server 211 00:10:44,220 --> 00:10:46,440 but sent back to the client 212 00:10:46,440 --> 00:10:50,260 but only the server knows how to create that token 213 00:10:50,260 --> 00:10:52,453 because of that key which is involved. 214 00:10:53,290 --> 00:10:56,800 Now, therefore, the client can then use this token, 215 00:10:56,800 --> 00:10:59,560 so the React app is able to use that token 216 00:10:59,560 --> 00:11:03,200 to attach it to future requests 217 00:11:03,200 --> 00:11:06,670 to protected resources on the server. 218 00:11:06,670 --> 00:11:11,420 And even though the server hasn't stored this identifier, 219 00:11:11,420 --> 00:11:14,050 as it did in the session approach, 220 00:11:14,050 --> 00:11:16,720 the server is able to verify 221 00:11:16,720 --> 00:11:19,760 that this token was created by it 222 00:11:19,760 --> 00:11:23,130 because only the server knows this private key, 223 00:11:23,130 --> 00:11:26,350 which was involved in the token creation process 224 00:11:26,350 --> 00:11:28,560 and therefore, the incoming token, 225 00:11:28,560 --> 00:11:30,760 which is attached to the request 226 00:11:30,760 --> 00:11:32,680 for some protected resource 227 00:11:32,680 --> 00:11:35,820 can be validated by the server 228 00:11:35,820 --> 00:11:39,020 because the server is able to check if that token 229 00:11:39,020 --> 00:11:42,770 could have been created by it, by the server. 230 00:11:42,770 --> 00:11:45,900 And if the token was faked or created 231 00:11:45,900 --> 00:11:47,490 with a different key, 232 00:11:47,490 --> 00:11:52,180 then the server will detect this and will deny access. 233 00:11:52,180 --> 00:11:54,468 So this is then another secure way 234 00:11:54,468 --> 00:11:57,635 of identifying a client to the server. 235 00:11:59,360 --> 00:12:02,800 And this is an approach that allows for decoupling 236 00:12:02,800 --> 00:12:04,700 of front-end and backend 237 00:12:04,700 --> 00:12:08,050 and it's therefore, the approach we're going to use 238 00:12:08,050 --> 00:12:09,703 in this course module. 18416