Placeholder Image

字幕列表 影片播放

  • user authentication is crucial to every single website out there, but it can be difficult to build a secure user authentication system.

  • So in today's video, I'm gonna walk you through all the cryptography and security steps you need to take to build your own log in system using Know Js.

  • And it is your first time around on this channel.

  • Make sure you subscribe for more videos where I simplify the web for you to get started.

  • I just have a blank project open and the first thing we want to do is initialize that using MPM so we can take an M.

  • P m on it and we put Dash, why is just going to give us all default values for a Pakistani?

  • Jason?

  • And there you go.

  • You see, It's created it for us.

  • And the next thing we need to do is actually install the packages we're gonna use for creating our express server.

  • So we need express, which we're going to create a server with.

  • We're also gonna need be crypt, which is going to allow us to do all of our cryptography and securing of our passwords hashes after that's done in stolen.

  • We're going to install another package which is called Node Mon, which will allow us to restart our server automatically without having to manually.

  • Carrot crashed our server and then restarted.

  • So we just type in N p M I Dash, dash save Dev node mon.

  • And this is just a Deb dependency because we only are going to be using this when we're developing our site.

  • And as I said, as any time we make a change to our site, it's going to automatically refresh our server for us.

  • So we don't have to do that manually.

  • And once that's done being downloaded, we're gonna create a script that's going to allow us to start our server using no demon.

  • So to do that, we could just come in here, create a script called Deb start.

  • We just want to set that equal to hear Nude mon, and we're gonna call server dot Js, which is the file we're gonna save our server into on the current moved this test script since we're not gonna use that, and we can close out this package dot Jason and create that service I Js file just like this.

  • And in here we actually want to set up express.

  • So we're gonna get expressed first by saying const Express is equal to require express is gonna pull in the express library and we want to get the app before that's we're gonna say contact is equal to running that express function next week in Just say, ap dot listen on port 3000 and then just save that and we can run and PM run, Debs start.

  • And that's going to start up our server on Port 3000.

  • But it's not gonna do anything because we don't have any route set up.

  • So let's create a very first rub.

  • We're gonna create a rabbit here, but you're gonna be apt.

  • I get it is we're getting all of our users.

  • And when you create a real application, you're not gonna wanna have a route that exposes your user's password information.

  • But for testing purposes and to show you how this works, we're gonna create this users route, so she's gonna be at slash users, and it's going to come in here with a request and a response.

  • And all we're gonna do is we just want to send that users.

  • So we're gonna say response dot Jason and we want to send our users so it's created users variable or we're gonna store users in a real application you would most like.

  • We want to store this in a database somewhere, but for testing purposes, just a local variable will be just fine.

  • Now, in order to actually test to make sure AP eyes working was great.

  • A file over here.

  • We're gonna call it request dot rest and I'm using the package, which is over here.

  • It's called Rest Client and this allows me to make rest request inside GS code.

  • If you want, you can use a package or a applications such as postman to make these request outside of your i de text editor.

  • But I prefer to do this in the text editor since easiest and what we want to do is we want to get riposte, which is going to be at local host 3000.

  • Who's 3000?

  • They're gonna make sure it's a slash slash and we want to go 3000 users and we could just send this request here and you can see it's going to get an empty array of users because Right now, we have no users in our ray.

  • And if we wanted to add something, for example, we added a user.

  • But the name of name and we re run this, send the request.

  • You'll see we get that user in our ray.

  • So we know that this is working properly.

  • What's default this back to an empty array.

  • Now, with any form of user authentication system, we need to have a way to create users.

  • So we're going to use a post request for that will say at Post, and we're gonna post to slash users again.

  • We're gonna get that request and the response in here as our function And in here, we need to do all of our code for creating the user, hashing the password that they sent to us and saving it inside of this variable here.

  • So let's go over and emulate what our response is going to look like.

  • We're just gonna say post here http slash slash local host 3000 and we want to just post to users.

  • And of course, we want to make sure that the content type here is going to be for Jason's.

  • We're gonna say application slash Jason and essentially all we're gonna do is we're gonna pass a name.

  • So let's do a name here.

  • We're gonna say Kyle, for example, and then we want to pass a password as well.

  • There's gonna be in the password variable, and we're gonna pass along the password of password just for testing purposes.

  • And essentially, we're gonna pass this tour server, and we want to convert this into a user in our users variable here and now.

  • The first thing you may be thinking is why not just put that directly into the users So we could just say request stop body dot name, name so we could get a variable here.

  • User is going to be equal to the name just like this, and the password is going to be the same thing.

  • Request dot body dot password.

  • And now you may be thinking that's perfectly fine.

  • This is going to work.

  • We could just say users dot push user.

  • And we want to make sure that we're actually able to accept Jason so we could just say app that use express dot Jason, just like this is real.

  • Our application to accept Jason and then we just want to say resident status status set that equal to 201 and just sent a blank response back down to the user.

  • Now, if we come over here and test this, you're gonna see it says it was created, sent us a blank response.

  • And if we check over users, you see that our users being saved here.

  • But the problem is, is our password here is stored in plain text.

  • If anyone gets access to our database in any way, they have all of the passwords and user names for every single user.

  • Our database.

  • And we definitely don't want that.

  • We want to make sure that our passwords are hash, so that even if someone gets access to our database, they won't actually know what the user's passwords are.

  • This is where V crypt comes in.

  • Let's go back over to our server and require be crypt.

  • So we're gonna create a variable here, be Crips.

  • Let's be crypt.

  • And that's just going to be equal to require that library of decrypt just like this and to hash a password, we need to have two steps we need to number one.

  • Create assault And then we need to use that salt along with the password to create a hashed password.

  • And the purpose of the salt is if we have a normal password, let's just say that we take the string here.

  • Passwords.

  • We want it through some kind of algorithm.

  • We just say a function called hash just like this and that is going to respond and return to us something.

  • For example, let's just say it returns to us a password that are a hash password that looks like this.

  • Now, if we hash that exact same password later, it's going to return to us the exact same string.

  • Which means if multiple users have the same password, they're going to have the exact same hash in our database, which makes it easy.

  • If a potential malicious person gets access to our database and they cracked one password, they're able to crack every other password that looks exactly the same and has the same hash.

  • So the way assault works is we hashed our password, but what we do is we take some kind of salt and we add it to the beginning of our password before we hash it and this salt is different for every single user.

  • Which means that when we hashed our password, it may look like this.

  • And then if we come down here and hash a new password, we're gonna use a different salt.

  • And the hash for that password is going to look completely different.

  • Even though the passwords are exactly the same, this just makes it so that your database is more secure.

  • If someone gets access to it and they're not able to hash and break people's passwords because we have this salt on, we just need to make sure we store the salt along with the password.

  • So when the user tries to log in, we can use the same salt when we hash the password.

  • And luckily be crypt takes care of all of this for us.

  • So let's just delete all this code here on.

  • We actually want to use be crypt, which is an asynchronous library.

  • So let's make sure we use an asynchronous functioning here and we're gonna use a try catch, and the first thing we want to do is we want to generate assault.

  • So what is going to say Consul To is going to be equal to decrypt dot jen salt, and it's just not gonna take any primaries.

  • We can add in around here by default.

  • This is going to be 10 and the larger you make this number, the longer it's going to take to make the hash.

  • But the more secure it will be.

  • So, for example, at 10 we can generate a few hashes per second.

  • But if you bump this up to something like 20 or 30 it's gonna take a few days to make one single hash.

  • I just like to leave this the default value, so just completely leave it out of there and only generate assault for us.

  • And since this is an asynchronous function, we need to make sure that we await this.

  • And then we need to actually create our hash password so we could say Hashed Password is going to be equal to again.

  • This isn't a pissing contest function, so we're gonna wait it and we just want to say, decrypt dot hash.

  • And this is just going to take in our normal password, which is requests dot body that password, and then after that, it's going to take the salt that we want to append to our hash and then we can just log that.

  • So let's do a console, that log of our salt and we're also going to counsel dot log are hashed password.

  • And now we're gonna bring all this code up here inside of our tribe just like that.

  • And instead of saving our password as the normal plain text password, we're going to save this as our hashed password.

  • Just like that.

  • And the way be crypt works.

  • Is it actually going to save the salt inside the password?

  • So we don't need to separately say that we want to start assault as well.

  • It already has that information inside the hast password.

  • And then we just want to set a simple catch in here in case something goes wrong.

  • We could just set the status here equal to 500 we can just send down nothing.

  • Now, let's save that and test that out.

  • If we go back over here, we click post.

  • We're going to see that are sold, is printed out right here.

  • And then we have our password, which is this entire thing down here, and you'll notice that the salt is at the very beginning of the password for every time that we encrypt it.

  • And thats how be crypt is able to use just the house password to be able to compare the other version because it saves both the salt, as you can see here the beginning as well as the hashed password.

  • And if we run this again with the exact same password and the quick send request, you'll see we get a different salt, which generates us a brand new, different password at the end here and now.

  • To test that even further, we can get a list of all of our users, and you can see we have that hashed password being stored.

  • So even if someone gets access to our database, they're not gonna have direct access to the passwords, and they're gonna have to crack them, which is incredibly time consuming and difficult to do.

  • So most likely, they won't be able to get any information from us.

  • Also, be crypt has a nice way of doing both generating assault and hash in the password in one single step, and we could just remove this salt section and in here instead of passing assault.

  • We passed the number of rounds we want, which by default is 10.

  • So we're gonna pass in 10 here, and it will generate the salt for us without us having to do that.

  • First initial stepped.

  • What's remove these logs statements, save it and come back here and make sure everything's working.

  • So let's send a request to generate a user and we'll get that user and you can see it properly generated a user for us.

  • Now they're able to store our user credentials.

  • Let's take a look at how we would log in a particular user.

  • So what's just copy all this cut up here paced it down here.

  • And essentially we're gonna do a post request again.

  • But we're gonna post to users slash log in.

  • And we want to make sure we just pass among the name and the password because we want to check the person's name and then check to make sure that the password matches the password that they saved with us.

  • So let's actually create that route here.

  • Come down here app dot Post and we won't oppose to users slash users slash Blufgan and this is going to take in request and a response were again going to make this an asynchronous function because we're gonna use be crypt, which is an asynchronous library to able to compare our passwords.

  • Now the first thing we need to do is get our user so we can just create a variable here, which is user, and that's going to be equal to taking our users variable.

  • And we're trying to find a particular user based on the name we passed in.

  • So if the user dot name is equal to request that body that name, then we know that we found a user from our initial list.

  • This is just matching on the name and we can come in here, put a single if statement which want to make sure that user actually exist.

  • So we'll say if the user is no, we're gonna send down and heir to the user.

  • You say return rez.

  • Dad set status whips status.

  • We want a 400 status, and we want to send them down.

  • Some text that says cannot find user.

  • There we go.

  • Now.

  • It would set up our tried catch because this is where we're actually going to do the comparison for a password so we can set up our catch and the catch is going to do the same.

  • Thing is they're catching the other one.

  • Just return a 500 air and send nothing down to the user.

  • And instead of our track, what we're gonna use is we're going to use be crypt dot compare And we're gonna first pass it the initial password.

  • So request that body, that password and then we want to pass it the hashed password So we could just say, user that password, which is our hash version of password, and this is going to compare these two passwords.

  • It's gonna make sure you get the salt out of this hash this initial password and make sure that both the hash versions equal the exact same thing, and we need to make sure we do.

  • This would be crypt compared because it's going to be more secure because they're able to prevent time and attacks, which is a certain type of attack that you can get hit with if you don't use be crypt compare and constant timing algorithms were just takes care for you, so you don't even have to worry about it next.

  • We just want to await this and we want to just check if these are the same because it's gonna return true or false for us.

  • So if the password is the same thing, we know our users logged in so we could just say rez dot send success So we know that they're logged in.

  • And if for some reason this didn't work these passwords or not this name and we could just send something down here that says not allowed now that we have that all saved was create a user so we can just send this post request And we can say, here we have our user Kyle created.

  • And now let's try to log them in with a different password.

  • This is a different password, so it should not work.

  • And if we send this, you see, we get an air saying that we're not allowed.

  • But if we type in the correct password and click send, you see it's getting success because it's able to match these two passwords, and that's all it takes to set up authentication.

  • If you want to see a more in depth tutorial of me creating a full application built around authentication.

  • Let me do it out of the comments below and make sure you check on my other videos where I simplify the Web linked over here.

  • Thank you very much for watching and have a good day.

user authentication is crucial to every single website out there, but it can be difficult to build a secure user authentication system.

字幕與單字

單字即點即查 點擊單字可以查詢單字解釋

A2 初級

構建Node.js用戶認證-密碼登錄 (Build Node.js User Authentication - Password Login)

  • 5 0
    林宜悉 發佈於 2021 年 01 月 14 日
影片單字