Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,930 --> 00:00:03,210 So we have our user model set up 2 00:00:03,210 --> 00:00:06,440 ready to save users with secure passwords. 3 00:00:06,440 --> 00:00:08,850 And so next up, we're gonna really implement 4 00:00:08,850 --> 00:00:11,670 user authentication and authorization. 5 00:00:11,670 --> 00:00:14,230 So in simple terms, the whole work flow 6 00:00:14,230 --> 00:00:16,530 of logging users in and allowing them 7 00:00:16,530 --> 00:00:19,360 to interact with certain protected resources 8 00:00:19,360 --> 00:00:22,163 that non-logged in users cannot access. 9 00:00:23,100 --> 00:00:26,050 Now there are many authentication methods out there, 10 00:00:26,050 --> 00:00:29,360 but the one we're gonna use is a very modern, simple 11 00:00:29,360 --> 00:00:34,360 and secure approach called Json Web Tokens or JWT for short. 12 00:00:35,170 --> 00:00:38,100 So Json Web Tokens are a stateless solution 13 00:00:38,100 --> 00:00:39,500 for authentication. 14 00:00:39,500 --> 00:00:43,410 So there is no need to store any session state on the server 15 00:00:43,410 --> 00:00:47,360 which of course is perfect for restful APIs like the one 16 00:00:47,360 --> 00:00:48,580 that we're building. 17 00:00:48,580 --> 00:00:53,080 Because remember, restful APIs should always be stateless. 18 00:00:53,080 --> 00:00:56,300 And the most widely used alternative to authentication 19 00:00:56,300 --> 00:01:00,240 with JWTs is to just store the user's log-in state 20 00:01:00,240 --> 00:01:02,420 on the server using sessions. 21 00:01:02,420 --> 00:01:05,150 But then of course does not follow the principle 22 00:01:05,150 --> 00:01:08,700 that says that restful APIs should be stateless 23 00:01:08,700 --> 00:01:12,293 and that's why we're opting for a solution like JWTs. 24 00:01:13,130 --> 00:01:15,960 So now let's take a look at how authentication 25 00:01:15,960 --> 00:01:18,660 actually works with Json Web Tokens. 26 00:01:18,660 --> 00:01:21,600 And assuming we already have a registered user 27 00:01:21,600 --> 00:01:25,380 in our database, this is how a user logs into the app. 28 00:01:25,380 --> 00:01:28,700 So the user's client starts by making a post request 29 00:01:28,700 --> 00:01:32,330 with the username or email and the password. 30 00:01:32,330 --> 00:01:35,400 The application then checks if the user exists 31 00:01:35,400 --> 00:01:37,430 and if the password is correct. 32 00:01:37,430 --> 00:01:40,340 And if so, a unique Json Web Token for only 33 00:01:40,340 --> 00:01:44,010 that user is created using a secret string 34 00:01:44,010 --> 00:01:46,290 that is stored on a server. 35 00:01:46,290 --> 00:01:49,410 And a JWT itself is really just a string 36 00:01:49,410 --> 00:01:51,150 that looks something like this. 37 00:01:51,150 --> 00:01:54,170 But we're gonna talk more about the JWT itself 38 00:01:54,170 --> 00:01:55,770 in the next slide. 39 00:01:55,770 --> 00:02:00,440 Anyway, the server then sends that JWT back to the client 40 00:02:00,440 --> 00:02:04,160 which will store it either in a cookie or in local storage. 41 00:02:04,160 --> 00:02:06,930 And just like this the user is authenticated 42 00:02:06,930 --> 00:02:09,570 and basically logged into our application 43 00:02:09,570 --> 00:02:12,720 without leaving any state on the server. 44 00:02:12,720 --> 00:02:16,310 So the server does in fact not know which users 45 00:02:16,310 --> 00:02:17,930 are actually logged in. 46 00:02:17,930 --> 00:02:20,960 But of course, the user knows that he's logged in 47 00:02:20,960 --> 00:02:25,040 because he has a valid Json Web Token which is a bit like 48 00:02:25,040 --> 00:02:29,270 a passport to access protected parts of the application. 49 00:02:29,270 --> 00:02:32,470 So again, just to make sure you got the idea. 50 00:02:32,470 --> 00:02:35,330 A user is logged in as soon as he get back 51 00:02:35,330 --> 00:02:39,720 his unique valid Json Web Token which is not saved anywhere 52 00:02:39,720 --> 00:02:41,030 on the server. 53 00:02:41,030 --> 00:02:44,840 And so this process is therefore completely stateless. 54 00:02:44,840 --> 00:02:49,300 Then, each time a user wants to access a protected route, 55 00:02:49,300 --> 00:02:51,940 like his user profile data, for example, 56 00:02:51,940 --> 00:02:55,360 he sends his Json Web Token along with a request. 57 00:02:55,360 --> 00:02:58,480 So it's a bit like showing his passport to get access 58 00:02:58,480 --> 00:03:00,450 to that route, right? 59 00:03:00,450 --> 00:03:03,870 And that's probably the best and easiest way to understand 60 00:03:03,870 --> 00:03:05,320 this whole idea. 61 00:03:05,320 --> 00:03:07,910 Now once the request hits the server, 62 00:03:07,910 --> 00:03:11,140 our app will then verify if the Json Web Token 63 00:03:11,140 --> 00:03:12,580 is actually valid. 64 00:03:12,580 --> 00:03:15,760 So if the user is really who he says he is. 65 00:03:15,760 --> 00:03:17,710 And more about how this step works 66 00:03:17,710 --> 00:03:19,660 a bit later in this video. 67 00:03:19,660 --> 00:03:22,710 Now if the token is actually valid, well, 68 00:03:22,710 --> 00:03:26,210 then the requested data will be sent to the client 69 00:03:26,210 --> 00:03:29,400 and if not, then there will be an error telling the user 70 00:03:29,400 --> 00:03:32,600 that he's not allowed to access that resource. 71 00:03:32,600 --> 00:03:34,880 And as long as the user is logged in, 72 00:03:34,880 --> 00:03:38,230 this is how it's gonna work each time that he requests data 73 00:03:38,230 --> 00:03:39,843 from any protected route. 74 00:03:40,840 --> 00:03:43,000 Now what's very important to note here 75 00:03:43,000 --> 00:03:47,570 is that all this communication must happen over https. 76 00:03:47,570 --> 00:03:51,510 So secure encrypted http in order to prevent 77 00:03:51,510 --> 00:03:55,840 that anyone can get access to passwords or Json Web Tokens. 78 00:03:55,840 --> 00:03:59,090 Only then we have a really secure system. 79 00:03:59,090 --> 00:04:02,430 But we will talk about that later in the section, okay. 80 00:04:02,430 --> 00:04:05,120 So I know that this can look quite confusing 81 00:04:05,120 --> 00:04:06,900 in the beginning when you first try 82 00:04:06,900 --> 00:04:09,120 to wrap your head around it, but actually 83 00:04:09,120 --> 00:04:13,490 the principle itself is actually quite simple, all right? 84 00:04:13,490 --> 00:04:15,830 And this is really all you need to know in order 85 00:04:15,830 --> 00:04:20,370 to be able to implement authentication using JWT. 86 00:04:20,370 --> 00:04:22,740 But let's now dive a little bit deeper into how 87 00:04:22,740 --> 00:04:25,880 the JWT itself actually works. 88 00:04:25,880 --> 00:04:30,310 So a Json Web Token looks like left part of this screenshot 89 00:04:30,310 --> 00:04:35,310 which was taken from the JWT debugger at jwt.io. 90 00:04:35,940 --> 00:04:38,650 So essentially, it's an encoding string 91 00:04:38,650 --> 00:04:40,430 made up of three parts. 92 00:04:40,430 --> 00:04:44,140 The header, the payload and the signature. 93 00:04:44,140 --> 00:04:47,910 Now the header is just some metadata about the token itself 94 00:04:47,910 --> 00:04:50,910 and the payload is the data that we can encode 95 00:04:50,910 --> 00:04:54,470 into the token, any data really that we want. 96 00:04:54,470 --> 00:04:56,690 So the more data we want to encode here, 97 00:04:56,690 --> 00:04:58,890 the bigger the JWT. 98 00:04:58,890 --> 00:05:01,750 Anyway, these two parts are just plain text 99 00:05:01,750 --> 00:05:04,860 that will get encoded, but not encrypted. 100 00:05:04,860 --> 00:05:08,790 So anyone will be able to decode them and to read them. 101 00:05:08,790 --> 00:05:11,730 So we cannot store any sensitive data in here. 102 00:05:11,730 --> 00:05:13,460 But that's not a problem at all 103 00:05:13,460 --> 00:05:16,580 because in the third part, so in the signature, 104 00:05:16,580 --> 00:05:19,370 is where things really get interesting. 105 00:05:19,370 --> 00:05:22,990 The signature is created using the header, the payload 106 00:05:22,990 --> 00:05:26,020 and the secret that is saved on the server. 107 00:05:26,020 --> 00:05:27,080 Remember that? 108 00:05:27,080 --> 00:05:28,760 And this whole process is then called 109 00:05:28,760 --> 00:05:30,883 signing the Json Web Token. 110 00:05:31,900 --> 00:05:35,590 So again, the signing algorithm takes the header, 111 00:05:35,590 --> 00:05:40,590 the payload and the secret to create a unique signature. 112 00:05:40,650 --> 00:05:43,200 So only this data plus the secret 113 00:05:43,200 --> 00:05:46,160 can create this signature, all right? 114 00:05:46,160 --> 00:05:49,200 Then together with the header and the payload, 115 00:05:49,200 --> 00:05:52,310 these signature forms the JWT, 116 00:05:52,310 --> 00:05:55,190 which then gets sent to the client. 117 00:05:55,190 --> 00:05:58,320 Now as I mentioned briefly, right in the first slide, 118 00:05:58,320 --> 00:06:02,000 once the server receives a JWT to grant access 119 00:06:02,000 --> 00:06:05,010 to a protected route, it needs to verify it 120 00:06:05,010 --> 00:06:07,730 in order to determine if the user really is 121 00:06:07,730 --> 00:06:10,120 who he claims to be, right? 122 00:06:10,120 --> 00:06:13,890 In other words, it will verify if no one changed the header 123 00:06:13,890 --> 00:06:16,580 and the payload data of the token. 124 00:06:16,580 --> 00:06:20,030 So again, this verification step will check 125 00:06:20,030 --> 00:06:23,350 if no third party actually altered either the header 126 00:06:23,350 --> 00:06:26,280 or the payload of the Json Web Token. 127 00:06:26,280 --> 00:06:29,650 So, how does this verification actually work? 128 00:06:29,650 --> 00:06:32,560 Well it is actually quite straightforward. 129 00:06:32,560 --> 00:06:35,410 So once the JWT is received, 130 00:06:35,410 --> 00:06:38,920 the verification will take it's header and payload 131 00:06:38,920 --> 00:06:41,540 and together with the secret that is still saved 132 00:06:41,540 --> 00:06:45,440 on the server, basically create a test signature. 133 00:06:45,440 --> 00:06:48,390 But the original signature that was generated 134 00:06:48,390 --> 00:06:53,390 when the JWT was first created is still in the token, right? 135 00:06:53,930 --> 00:06:56,550 And that's the key for this verification. 136 00:06:56,550 --> 00:06:59,180 Because now all we have to do is to compare 137 00:06:59,180 --> 00:07:02,590 the test signature with the original signature. 138 00:07:02,590 --> 00:07:05,050 And if the test signature is the same 139 00:07:05,050 --> 00:07:08,460 as the original signature, then it means that the payload 140 00:07:08,460 --> 00:07:11,760 and the header have not been modified, right? 141 00:07:11,760 --> 00:07:13,690 Because if they had been modified, 142 00:07:13,690 --> 00:07:16,720 then the test signature would have to be different. 143 00:07:16,720 --> 00:07:19,600 Therefore in this case where there has been no alteration 144 00:07:19,600 --> 00:07:22,990 of the data, we can then authenticate the user. 145 00:07:22,990 --> 00:07:24,940 And of course, if the two signatures 146 00:07:24,940 --> 00:07:27,520 are actually different, well, then it means 147 00:07:27,520 --> 00:07:29,870 that someone tampered with the data. 148 00:07:29,870 --> 00:07:32,780 Usually by trying to change the payload. 149 00:07:32,780 --> 00:07:35,470 But that third party manipulating the payload 150 00:07:35,470 --> 00:07:38,750 does of course not have access to the secret, 151 00:07:38,750 --> 00:07:41,370 so they cannot sign the JWT. 152 00:07:41,370 --> 00:07:44,320 So the original signature will never correspond 153 00:07:44,320 --> 00:07:46,050 to the manipulated data. 154 00:07:46,050 --> 00:07:49,160 And therefore, the verification will always fail 155 00:07:49,160 --> 00:07:50,700 in this case. 156 00:07:50,700 --> 00:07:53,850 And that's the key to making this whole system work. 157 00:07:53,850 --> 00:07:57,190 It's the magic that makes JWT so simple, 158 00:07:57,190 --> 00:07:59,790 but also extremely powerful. 159 00:07:59,790 --> 00:08:01,560 So let me summarize it again. 160 00:08:01,560 --> 00:08:04,830 Without the secret, no one will be able to manipulate 161 00:08:04,830 --> 00:08:07,920 the JWT data because they cannot create 162 00:08:07,920 --> 00:08:10,960 a valid signature for the new data. 163 00:08:10,960 --> 00:08:13,570 I mean they could manipulate the data of course, 164 00:08:13,570 --> 00:08:16,870 but it will always fail the verification step. 165 00:08:16,870 --> 00:08:19,900 Now, don't worry, we're not gonna actually implement 166 00:08:19,900 --> 00:08:22,660 these JWT algorithms by ourself. 167 00:08:22,660 --> 00:08:24,830 They are very complex and we're not gonna 168 00:08:24,830 --> 00:08:27,060 reinvent the wheel here, all right? 169 00:08:27,060 --> 00:08:29,910 But it's still very important to actually understand 170 00:08:29,910 --> 00:08:32,110 how this whole process works behind the scene. 171 00:08:32,110 --> 00:08:35,570 And I hope that this lecture did just that for you. 172 00:08:35,570 --> 00:08:38,370 But now, let's move on to the next lecture 173 00:08:38,370 --> 00:08:40,433 to actually start using all this. 14176