Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:01,330 --> 00:00:03,630 Over the last lectures, 2 00:00:03,630 --> 00:00:05,290 we ensured that we can 3 00:00:05,290 --> 00:00:08,060 log in and log out and create users. 4 00:00:08,060 --> 00:00:11,200 And that we protect certain pages. 5 00:00:11,200 --> 00:00:14,260 And that we control which page can be visited, 6 00:00:14,260 --> 00:00:16,840 if we're locked in or locked out. 7 00:00:16,840 --> 00:00:19,010 That certain pages like the profile page 8 00:00:19,010 --> 00:00:22,500 can't be visited that were redirected automatically. 9 00:00:22,500 --> 00:00:24,890 And all of that works now. 10 00:00:24,890 --> 00:00:28,970 All of that works with help of the Next Auth package, 11 00:00:28,970 --> 00:00:32,600 and the session which it checks for us. 12 00:00:32,600 --> 00:00:34,390 And just to make this really clear, 13 00:00:34,390 --> 00:00:36,360 when I say session here, 14 00:00:36,360 --> 00:00:39,730 I am talking about this json web token. 15 00:00:39,730 --> 00:00:43,110 Which is managed automatically by Next Auth. 16 00:00:43,110 --> 00:00:45,040 Which is stored by Next Auth 17 00:00:45,040 --> 00:00:48,550 in our browser this cookie, 18 00:00:48,550 --> 00:00:51,210 which holds this token is created there. 19 00:00:51,210 --> 00:00:53,640 And Next Auth determines whether 20 00:00:53,640 --> 00:00:55,610 we have an active session, 21 00:00:55,610 --> 00:00:57,900 so if this user is logged in, 22 00:00:57,900 --> 00:01:00,500 by checking that cookie and that token 23 00:01:00,500 --> 00:01:02,440 that's stored in that cookie. 24 00:01:02,440 --> 00:01:05,489 That is what happens when we call getsession here, 25 00:01:05,489 --> 00:01:09,050 or in our main-navigation component 26 00:01:09,050 --> 00:01:11,560 when we use the useSession hook. 27 00:01:11,560 --> 00:01:14,093 And that's what we did up to this point. 28 00:01:14,950 --> 00:01:17,720 Now one crucial feature is missing, 29 00:01:17,720 --> 00:01:21,730 one of the main reasons for adding authentication. 30 00:01:21,730 --> 00:01:26,010 Because having this client site protection here is nice, 31 00:01:26,010 --> 00:01:28,650 protecting certain pages and making sure 32 00:01:28,650 --> 00:01:30,820 we can't reach certain pages, 33 00:01:30,820 --> 00:01:32,990 is all nice and good. 34 00:01:32,990 --> 00:01:34,410 But what really matters, 35 00:01:34,410 --> 00:01:36,810 is what we as a user can do. 36 00:01:36,810 --> 00:01:39,520 Which API routes we can hit. 37 00:01:39,520 --> 00:01:42,640 Here we got this change password example. 38 00:01:42,640 --> 00:01:44,170 But of course for example, 39 00:01:44,170 --> 00:01:45,970 if you're building an online shop, 40 00:01:45,970 --> 00:01:49,630 you might only want to allow logged in users, 41 00:01:49,630 --> 00:01:53,310 to create and delete and manage products. 42 00:01:53,310 --> 00:01:56,050 And in the interface which your website 43 00:01:56,050 --> 00:01:58,340 has for managing those products, 44 00:01:58,340 --> 00:02:01,625 you would be sending requests behind the scenes, 45 00:02:01,625 --> 00:02:04,560 to certain API end points, 46 00:02:04,560 --> 00:02:06,770 certain API routes. 47 00:02:06,770 --> 00:02:10,850 Where those requests then trigger certain operations. 48 00:02:10,850 --> 00:02:12,630 Like the creation of a product 49 00:02:12,630 --> 00:02:15,130 or the deletion of a product. 50 00:02:15,130 --> 00:02:17,870 And of course you want to make sure that, 51 00:02:17,870 --> 00:02:21,330 those requests only trigger those operations, 52 00:02:21,330 --> 00:02:24,500 if they come from authenticated users. 53 00:02:24,500 --> 00:02:28,170 So that if you have API routes in your project, 54 00:02:28,170 --> 00:02:31,200 API routes that do certain operations 55 00:02:31,200 --> 00:02:34,700 that are only allowed for authenticated users, 56 00:02:34,700 --> 00:02:38,660 that in those API routes you also verify, 57 00:02:38,660 --> 00:02:40,630 whether that request is coming 58 00:02:40,630 --> 00:02:43,330 from an authenticated user or not. 59 00:02:43,330 --> 00:02:45,870 Because even if you have full control 60 00:02:45,870 --> 00:02:47,920 over this user interface, 61 00:02:47,920 --> 00:02:52,920 requests to APIs can also be sent with other tools. 62 00:02:53,290 --> 00:02:56,530 From the command line, with tools like Postman 63 00:02:56,530 --> 00:02:59,580 which allows you to create http requests. 64 00:02:59,580 --> 00:03:03,650 So there are ways of sending requests to APIs, 65 00:03:03,650 --> 00:03:06,700 that don't require your website. 66 00:03:06,700 --> 00:03:10,170 And therefore protecting the pages on those websites, 67 00:03:10,170 --> 00:03:13,200 is one thing but we also need protection 68 00:03:13,200 --> 00:03:15,320 in those API routes. 69 00:03:15,320 --> 00:03:18,180 Where we validate incoming requests, 70 00:03:18,180 --> 00:03:21,100 and double check that this request 71 00:03:21,100 --> 00:03:24,140 is coming from an authenticated source. 72 00:03:24,140 --> 00:03:25,830 And I'm emphasizing this here, 73 00:03:25,830 --> 00:03:29,890 because this is another key part of authentication. 74 00:03:29,890 --> 00:03:32,300 It's not just about the client site, 75 00:03:32,300 --> 00:03:34,560 it is also about the server site , 76 00:03:34,560 --> 00:03:36,950 about those API routes. 77 00:03:36,950 --> 00:03:38,940 And that's therefore what we're going to 78 00:03:38,940 --> 00:03:40,833 take a closer look at now. 5858