# Creating the User Model

All applications require some kind of authentication and authorization.

- Authentication is the process of identifying the user. We send a user and password to the server and the server authenticates us.

- Authorization is determininig if the user has the right permission to perform a given operation. 

- In our *Restaurant* application we want to make sure that only autheticated users or only logged in users can perform operations that modify data. If the user is anonymous, if they are not logged in, they can only read data from the endpoints. If they want to crete a new menu or update a dish they have to be authenticated first. 

- For security, only admin users can delete data. This is a second level of authorization

In [None]:
// Restaurant/models/users.js
const Joi = require('joi');
const mongoose = require('mongoose');

const User = mongoose.model("User", new mongoose.Schema({
    name: {
        type: String,
        minlength: 5,
        maxlength: 50,
        required: true
    },
    email:{
        type: String,
        minlength: 5,
        maxlength: 255,
        unique: true,
        required: true
    },
    password:{
        type: String,
        minlength: 5,
        maxlength: 1024,
        required: true
    }
}));

function validateUser(user){
    const schema = Joi.object({
        name: Joi.string().min(5).max(5).required(),
        email: Joi.string().min(5).max(255).required().email(),
        password: Joi.string().min(5).max(255).required()
    })

    return schema.validate(user);
}

exports.User = User;
exports.validate = validateUser;

# Registering Users

We create **users.js** inside routes folder 


In [None]:
// Restaurant/routes/users.js
const {User, validate} = require('../models/user')
const express = require('express');
const router = express.Router();


router.post('/', async (req, res) => {
    const {error} = validate(req.body);
    if (error) return res.status(400).send(error.details[0].message);
    
    let user = await User.findOne({email: req.body.email});
    if (user) return res.status(400).send('User already registered');
    
    user = new User({
        name: req.body.name,
        email: req.body.email,
        password: req.body.password
    });

    await user.save();
    res.send(user);
});

module.exports = router;


# Using Lodash

- As we can see in previous code, we send complete user as response, it includes the user password.

- One solution is to send a custom object which includes only name and email.

- Other option is to use **Lodash**. Lodash has utility functions to work with objects. it is basically the optimized version of *underscore*. We install it with **npm i lodash**.

- By convention we use "**_**" name for constant when importing *lodash* (const _ = require('lodash');). "_" means underscore.

- **_.pick** method gets an object and returns a new object with selected property.

In [None]:
// Restaurant/routes/users.js
const {User, validate} = require('../models/user')
const express = require('express');
const router = express.Router();
const _ = require('lodash'); 

router.post('/', async (req, res) => {
    const {error} = validate(req.body);
    if (error) return res.status(400).send(error.details[0].message);
    
    let user = await User.findOne({email: req.body.email});
    if (user) return res.status(400).send('User already registered');
    
    user = new User(_.pick(req.body, ['name', 'email', 'password']));
    await user.save();
    
    res.send(_.pick(user, ['_id','name', 'email']));
});

module.exports = router;


- With npm package **joi-password-complexity** we can cerate an object to validate password complexity. For exmple:

    {
        min: 8,
        max: 26,
        lowercase: 1,
        uppercase: 1,
        numeric: 1,
        symbol: 1
    }

# Hashing Passwords

- Hashing turns your password (or any other piece of data) into a short string of letters and/or numbers using an encryption algorithm. If a website is hacked, cyber criminals don’t get access to your password. Instead, they just get access to the encrypted “hash” created by your password (https://delinea.com/blog/how-do-passwords-work)

- We will use **bcrypt** package (**npm i bcrypt**).

- For example, we have a password 1234 and the hashed password abcd, which cannot decrypt by a hacker. However he/she can compile a list of popular passwords and hash them, and then, they can look at the database of our application and find hashed our password. That's we need a **Salt**.

- A **Salt** is basicly a random string that is added before or after the password, so the resulting hash password will be different each time on the Salt that is used.

* As a best practice, to generate a Salt we use asynchronous **bcrypt.genSalt** method. As an argument we pass the number of rounds we want to round this algorithm to generate the Sault. The higher the number, the longer is going to take to generate the Sault, and also it will be more complex and harder to break. we will use default valur **10**

In [None]:
//hash.js
const bcrypt = require('bcrypt');

async function run(){
    console.log(salt);
    console.log(hashedPassword);
}

run();

// output
// $2b$10$GOU/1rCpUtRy90NA1/O0eO //Salt
// $2b$10$GOU/1rCpUtRy90NA1/O0eOyfsF/7ZpfN1oXKXUPJJAvgQm.Rw8dr6 //Hashed Password

- Now, We are going to hash the password in users module. So, if we create a new user, we can see in oue MongoDB cloud database that the created user has a hashed password.


In [None]:
// Resaurant/router/users.js
const {User, validate} = require('../models/user')
const express = require('express');
const router = express.Router();
const _ = require('lodash'); 
const bcrypt = require('bcrypt');

router.post('/', async (req, res) => {
    const {error} = validate(req.body);
    if (error) return res.status(400).send(error.details[0].message);
    
    let user = await User.findOne({email: req.body.email});
    if (user) return res.status(400).send('User already registered');
    
    user = new User(_.pick(req.body, ['name', 'email', 'password']));
    const salt = await bcrypt.genSalt(10);
    user.password = await bcrypt.hash(user.password, salt)
    await user.save();
    
    res.send(_.pick(user, ['_id','name', 'email']));
});

module.exports = router;


# Authenticating Users

- Inside routes we will create the **auth.js** file. Inthis file we implement the loging API.

- First we need to create a new validate function to check that in the body of the request we have email and password properties.

- Next, we need to make sure that we have a user with the given email. Then, we need to validate the password. For this we use **bcrypt.compare** method, which compares a plain text password with a hashed password. This method return a boolean, if the password given inthe body of request is equal to hasehd password of the user in the database, the method returns true.

In [None]:
// Restaurant/router/auth.js
const {User} = require('../models/user')
const Joi = require('joi');
const express = require('express');
const router = express.Router();
const bcrypt = require('bcrypt');

router.post('/', async (req, res) => {
    const {error} = validate(req.body);
    if (error) return res.status(400).send(error.details[0].message);
    
    let user = await User.findOne({email: req.body.email});
    if (!user) return res.status(400).send('Invalid email or password');
    
    const validPassword = await bcrypt.compare(req.body.password, user.password);
    if (!validPassword) return res.status(400).send('Invalid email or password');
    
    res.send(true); // for now we send a simple true value to the client.
});

function validate(req){
    const schema = Joi.object({
        email: Joi.string().min(5).max(255).required().email(),
        password: Joi.string().min(5).max(255).required()
    })

    return schema.validate(req);
}

module.exports = router;



# JSON Web Tokens

- We have an endpoint for authenticating users. Now instead of return a true value to the client we will return a **JSON Web Token** (JWT). It is basically a long string that identifies a user. It’s similar to a passport or driver’s license.

- When the user logs in, on the server we generate the JWT and we give it to the client. Next time when Client come back to server and call whenever API endpoint it needs to show this JWT. So, on the client we need to store the JWT. The client can be a web or mobile app. If it is a web app build with Angular or React, we can use local storage which is a special storage place available in all browsers. If it is a mobile app we have a similar option depending on what platform we use.

- in **jwt.io** website for working with JWT. In *Encoded* part we can see an example of a JWT. it has trhee colored parts which correspond to header, payload and verify siganture.

- In the Header we have two properties: *algorithm*: used for encoding this token and *type* which is JWT.

- The Payload has three properties: *sub* which is like a user id, *name* and *admin*. Payload includesbasic  public properties about the user and everytime that we send a token form the client to the server we can easily extract this information, so we don't have to query the database.

- The verify siganature is a digital signature which is createde based on the content of the JWT along with a secret or private key. This private key is only available on the server. If a malicious user gets the JWT and modify for example the admin property the digitak signature will be invalid because the content of the JWT was modified so a new digital signature is required. But the hacker cannot generate this digital signature because they will need the private key which is only available on the server.

- To generate JSON Web Tokens in an Express app use **jsonwebtoken** package (npm i jsonwebtoken). The **sign** method synchronously sign the given payload into a JSON Web Token string payload

In [None]:
// Restaurant/router/auth.js
const {User} = require('../models/user')
const Joi = require('joi');
const express = require('express');
const router = express.Router();
const bcrypt = require('bcrypt');
const jwt = require('jsonwebtoken');

router.post('/', async (req, res) => {
    const {error} = validate(req.body);
    if (error) return res.status(400).send(error.details[0].message);
    
    let user = await User.findOne({email: req.body.email});
    if (!user) return res.status(400).send('Invalid email or password');
    
    const validPassword = await bcrypt.compare(req.body.password, user.password);
    if (!validPassword) return res.status(400).send('Invalid email or password');
    
    const token = jwt.sign({_id: user._id}, 'jwtPrivateKey');
    res.send(token);
});

function validate(req){
    const schema = Joi.object({
        email: Joi.string().min(5).max(255).required().email(),
        password: Joi.string().min(5).max(255).required()
    })

    return schema.validate(req);
}

module.exports = router;

//postman POST
// http://localhost:3000/api/auth/
//     {
//         "email": "user_email,
//         "password": "user_password"
//     }

// JWT response
// eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
// eyJfaWQiOiI2MmZlNWJhZjRiMjQ1NmJmYTc4MTUyNjUiLCJuYW1lIjoiU2ViYXN0aWFuIEdpbCIsImlhdCI6MTY2MDg1Mjg5M30.
// HQTqZvHKEbQTrMIZSL7ATIQcXV9Iqz3utLrqV2qQXVI

# Storing Secrets in Environment Variables

- We need to store de **PrivateKey** in an environment variable because we should never store secrets in code base or anyone with acces to source code can get them.

- We first install the config module (**npm i config**). Then we create a new folder called **config** and inside it we create **default.json** configuration file. In this file we create an object with **jwtPrivateKey** property and set it to an empty string. We are just defining a template for all the settings in our application.

- Next, we create another file called **custom-environment-variables.json**. In this file we specify the mapping between the application settings and environment variables. So we create an object with **jwtPrivateKey** property and set it to *jwtPrivateKey*. However, as a best practice is better to prefix this with an application name so we don't end up with one application setting overriding another application setting. So we set it to **restaurant_jwtPrivateKey**.

- In **auth.js** module, we first import the config  and then we replace *jwtPrivateKey* with the call to config that get method. Now, *jwtPrivateKey* is the name of our application setting and its value will be in an environment variable.

- in **index.js** when the application starts we want to make sure that this environment variable is set, otherwise we have to terminate the application because our authentication endpoint won't function properly. To do this we load the config module and then we verify if the *jwtPrivateKey* variable is set. If not, we use global object **process** which has **exit** method. If we pass 0 to this method indicates succes, other number indicates failure.


In order for the application to work, we need set our environment variable. So in console: **set restaurant_jwtPrivateKey=mySecureKey**

In [None]:
//Restaurant/config/default.json
//----------------------------------------------------------------
{
    "jwtPrivateKey": ""
}


//Restaurant/config/custom-environment-variables.json
//----------------------------------------------------------------
{
    "jwtPrivateKey": "restaurant_jwtPrivateKey"
}




// Restaurant/router/auth.js
//----------------------------------------------------------------
const {User} = require('../models/user')
const Joi = require('joi');
const express = require('express');
const router = express.Router();
const bcrypt = require('bcrypt');
const jwt = require('jsonwebtoken');
const config = require('config');

router.post('/', async (req, res) => {
    const {error} = validate(req.body);
    if (error) return res.status(400).send(error.details[0].message);
    
    let user = await User.findOne({email: req.body.email});
    if (!user) return res.status(400).send('Invalid email or password');
    
    const validPassword = await bcrypt.compare(req.body.password, user.password);
    if (!validPassword) return res.status(400).send('Invalid email or password');
    
    const token = jwt.sign({_id: user._id, name:user.name}, config.get('jwtPrivateKey'));
    res.send(token);
});

function validate(req){
    const schema = Joi.object({
        email: Joi.string().min(5).max(255).required().email(),
        password: Joi.string().min(5).max(255).required()
    })

    return schema.validate(req);
}

module.exports = router;



//Restaurant/index.js
//----------------------------------------------------------------
const config = require('config');
const Joi = require('joi');
Joi.objectId = require('joi-objectid')(Joi);
const mongoose = require('mongoose');
const express = require('express');
const menus = require('./router/menus');
const dishes = require('./router/dishes');
const customers = require('./router/customers');
const orders = require('./router/orders');
const users = require('./router/users');
const auth = require('./router/auth');
const app = express();

app.use(express.json());
app.use('/api/menus', menus);
app.use('/api/dishes', dishes);
app.use('/api/customers', customers);
app.use('/api/orders', orders);
app.use('/api/users', users);
app.use('/api/auth', auth);

if(!config.get('jwtPrivateKey')){
    console.log('jwtPrivateKey is not defined');
    process.exit(1);
}

mongoose.connect('mongodb+srv://sebastian:4321@cluster0.reo2xyq.mongodb.net/?retryWrites=true&w=majority')
    .then(() => {console.log('Connected to mongoDB...')})
    .catch(err => {console.error('Could not connect to mongoDB...')});


    const port = 3000 || process.env.PORT;
app.listen(port, () => {
    console.log( `Listening on port ${port}...` );
})


# Setting Response Headers

- We will return the JSON Web Token in an http header. So, in **users.js**, before sends the response to the client, we generate the token, and then we call **res.header** method. For any custom headers that we define in our application we should prefix these headers with "**x-**" and then a name like "**auth-token**". This is the first argument which is the name of the header (*x-auth-token*). The second argument is the value which in this case is the token.

- If we create a new user, the client will get in he header of the response the generated JSON Web Token.

![image.png](attachment:image.png)

In [None]:
//Restaurant/router/users.js
//----------------------------------------------------------------
const jwt = require('jsonwebtoken');
const config = require('config');
const {User, validate} = require('../models/user')
const express = require('express');
const router = express.Router();
const _ = require('lodash'); 
const bcrypt = require('bcrypt');

router.post('/', async (req, res) => {
    const {error} = validate(req.body);
    if (error) return res.status(400).send(error.details[0].message);
    
    let user = await User.findOne({email: req.body.email});
    if (user) return res.status(400).send('User already registered');
    
    user = new User(_.pick(req.body, ['name', 'email', 'password']));
    const salt = await bcrypt.genSalt(10);
    user.password = await bcrypt.hash(user.password, salt)
    await user.save();
    
    const token = jwt.sign({_id: user._id}, config.get('jwtPrivateKey'));
    res.header('x-auth-token', token).send(_.pick(user, ['_id','name', 'email']));
});

module.exports = router;


# Encapsulating Logic in Mongoose Models

- In **users.js** and **auth.js** modules we generate the token with the same PayLoad (*{_id: user.id}*). If we add another property in this payload (username, email, rol) we have to remember change the payload in both modules. 

- In object-oriented programming we have a priciple called **Information Expert Principle**. That means an object that has enough information and is an expert in a given area, should be responsible for making decisinos and performing tasks. In our case, the **user** object has all the information, so it should be responsible for generating its authentication token. Therefore, user object should have a **generateAuthToken** method 

- to encapsulate this logic we create a new method for **user** object using **methods** property of **userSchema**. the new method will be called **generateAuthToken**.


In [None]:
// Restaurant/models/user.js
...
userSchema.methods.generateAuthToken = function (){
    return jwt.sign({_id: this._id}, config.get('jwtPrivateKey'));
}
...

After creating new user method, we use it in auth and users module for registering and authorization

In [None]:
// Restaurant/router/users.js
                        .
                        .
                        .
                    
router.post('/', async (req, res) => {
    const {error} = validate(req.body);
    if (error) return res.status(400).send(error.details[0].message);
    
    let user = await User.findOne({email: req.body.email});
    if (user) return res.status(400).send('User already registered');
    
    user = new User(_.pick(req.body, ['name', 'email', 'password']));
    const salt = await bcrypt.genSalt(10);
    user.password = await bcrypt.hash(user.password, salt)
    await user.save();
    
    const token = user.generateAuthToken();
    res.header('x-auth-token', token).send(_.pick(user, ['_id','name', 'email']));
});
                        .
                        .
                        .


                        
// Restaurant/router/auth.js
                        .
                        .
                        .
                    
router.post('/', async (req, res) => {
    const {error} = validate(req.body);
    if (error) return res.status(400).send(error.details[0].message);
    
    let user = await User.findOne({email: req.body.email});
    if (!user) return res.status(400).send('Invalid email or password');
    
    const validPassword = await bcrypt.compare(req.body.password, user.password);
    if (!validPassword) return res.status(400).send('Invalid email or password');
    
    const token = user.generateAuthToken(); 
    res.send(token);
});
                        .
                        .
                        .

# Authorization Middleware

- Some endpoints should only be called for authenticated users. To enforce this we need to read the request headers expecting a JSON web token stored in **x-auth-token**. if token does not exist, we return a **401** error which means that client does not have the authentication credentials to acces to the resource.

- As we dont want to repeat this logic at every route handler that modifies data, we need to put this logic in a middleware function and then we can apply it in route handlers that require it.

- We create a new folder called **middleware** and create a new file called **auth.js**

In [None]:
//Restaurant/middleware/auth.js
//---------------------------------------------------------------------
const jwt = require('jsonwebtoken');
const config = require('config');

module.exports = function (req, res, next) {
    const token = req.header('x-auth-token');
    if(!token) return res.status(401).send('Acces denied. No token provided.');
    
    try{
        const decoded = jwt.verify(token, config.get('jwtPrivateKey'));
        req.user = decoded; // req.user will contain only the user id
        next();
    }
    catch(ex){
        res.status(400).send('Invalid token');
    }
}


# Protecting Routes

- We want to apply the developed middleware function selectively to certain endpoints.


- In post, put, get, delete methods there is a second optional argument which is a middleware function to be executed before the other middleware function which is the route handler. We add **auth** (authorization) middleware function to POST method of **menus** module. When we run the code and try to post a new menu in POSTMAN, the resonse is **Acces denied. No token provided.** with status **401 Unauthorized**. When we provide in the header of the POST content a **key:x-auth-token** with a valid token value, we can post a new menu. 


- finally, we protect POST, PUT and DELETE methods with **auth** middleware for *customers, dishes, orders,* and  *menus* modules.

In [None]:
//Restaurant/routes/menus.js
//------------------------------------------------------
                    .
                    .
                    .
                    
router.post('/', auth, async (req, res) => {
    const {error} = validate(req.body);
    if (error) return res.status(400).send(error.details[0].message);
    
    const menu = new Menu(req.body);
    await menu.save();
    res.send(menu);
});

router.put('/:id', auth, async (req, res) => {
    const {error} = validate(req.body);
    if (error) return res.status(404).send(error.details[0].message);

    const menu = await Menu.findByIdAndUpdate(req.params.id, req.body, {new: true}); 
    if (!menu) return res.status(404).send('The menu with the given ID was not found');
    
    res.send(menu);
});

router.delete('/:id', auth, async (req, res) => {
    const menu = await Menu.findByIdAndDelete(req.params.id); 
    if (!menu) return res.status(404).send('The menu with the given ID was not found');
    
    res.send(menu);
});
                    .
                    .
                    .

# Getting the Current User

- Sometimes we need to get information about the current logged in user. We are going to add a new endpoint for getting the current user.


- The often used approach to get the current user information is to have an api endpoint like **me**. With this the client is not going to send the user id, we get it from the JSON Web Token.


- We use the JWT to get the id and the id to find the user in User collection. When we find the user we need to exclude the password.

- We only can acces to user information if we provide a valid JWT in the header of the GET request.

In [None]:
//Restaurant/routes/users.js
//----------------------------------------------------------------------
const auth = require('../middleware/auth');
const {User, validate} = require('../models/user')
const express = require('express');
const router = express.Router();
const _ = require('lodash'); 
const bcrypt = require('bcrypt');

router.get('/me', auth, async (req, res) => {   
    const user = await User.findById(req.user._id).select('-password');
    res.send(user);
});

router.post('/', async (req, res) => {
    const {error} = validate(req.body);
    if (error) return res.status(400).send(error.details[0].message);
    
    let user = await User.findOne({email: req.body.email});
    if (user) return res.status(400).send('User already registered');
    
    user = new User(_.pick(req.body, ['name', 'email', 'password']));
    const salt = await bcrypt.genSalt(10);
    user.password = await bcrypt.hash(user.password, salt)
    await user.save();
    
    const token = user.generateAuthToken();
    res.header('x-auth-token', token).send(_.pick(user, ['_id','name', 'email']));
});

module.exports = router;


# Logging Out Users

- When the user wants to logout we simply delete a token from the client. Store the token on the server in the database is a very bad practice becase tokens are like keys that give to client acces to protected api endpoints. If for any reason we need to sotre a token in a database we need to ensure that it is encrypted or hashed. 

- As a security best practice whenever we send the token from the server to the client, we need make sure to use **https** because the data is encrypted from the client to the server.

# Role-based Authorization

- Certain operation such deleting data can only be performed by admins. 
- We add a new property **isAdmin** to **userSchema** in **user.js** module.
- Then, we add the new property to the JWT payload in **generateAuthToken** method. Next time we send JWT to the server we can extract this property directly from the token

In [None]:
//Restaurant/models/user.js
//-------------------------------------------------------------
const jwt = require('jsonwebtoken');
const config = require('config');
const Joi = require('joi');
const mongoose = require('mongoose');

const userSchema = new mongoose.Schema({
    name: {
        type: String,
        minlength: 5,
        maxlength: 50,
        required: true
    },
    email:{
        type: String,
        minlength: 5,
        maxlength: 255,
        unique: true,
        required: true
    },
    password:{
        type: String,
        minlength: 5,
        maxlength: 1024,
        required: true
    },
    isAdmin: Boolean
});

userSchema.methods.generateAuthToken = function (){
    return jwt.sign({_id: this._id, isAdmin: this.isAdmin}, config.get('jwtPrivateKey'));
}

const User = mongoose.model("User", userSchema);

function validateUser(user){
    const schema = Joi.object({
        name: Joi.string().min(5).max(50).required(),
        email: Joi.string().min(5).max(255).required().email(),
        password: Joi.string().min(5).max(255).required()
    })

    return schema.validate(user);
}

exports.User = User;
exports.validate = validateUser;

- Now on the server we need a new middleware function to check if the current user is an admin or not. So we create a new file **admin.js** inside middleware folder.


- In this new file we use **req.user** which is set previously by **auth** middleware. If *req.user.isAdmin* is false, we return a **403** status which means **forbidden**.


- We use **401 Unauthorized** when user try to acces to a protected resource but they don't supply a valid JWT. We give them a chance to retry and send a valid JWT. If they send a valid JWT and they're still not allowed to acces to target resource that's when we use **403 forbbiden**, Which indicates them that don't try againt, they just don't have acces to resource.


- We apply auth and admin middleware functions to DELETE method of **menus.js** module.

In [None]:
//Restaurant/router/menus.js
const admin = require('../middleware/admin');
                        .
                        .
                        .
                        
router.delete('/:id', [auth, admin], async (req, res) => {
    const menu = await Menu.findByIdAndDelete(req.params.id); 
    if (!menu) return res.status(404).send('The menu with the given ID was not found');
    
    res.send(menu);
});
                        .
                        .
                        .
                        

When we create a new user we don't can't set **isAdmin** property. To set it we go to the cloud database and set it manually. 
Once done, we authenticate with this user and the returned JWT will jave the **isAdmin** property. 