# Creating a user model

In [None]:
# Models/userModel.js

const mongoose = require('mongoose');
const validator = require('validator');

const userSchema = new mongoose.Schema({
    name: {
        type: String,
        required: [true, 'Please tell us your name!']
    },
    email: {
        type: String,
        required: [true, 'Please provide your email'],
        unique: true,
        lowercase: true, // not a validator, will transform email into lowercase before saving to DB
        validate: [validator.isEmail, 'Please provide a valid email']
    },
    photo: String, // store the path of photo
    password: {
        type: String,
        required: [true, 'Please provide a password'],
        minlength: 8,
        select: false // will not show up in any output
    },
    passwordConfirm: {
        type: String,
        required: [true, 'Please confirm your password']
    }
})

const User = mongoose.model('User', userSchema);
module.exports = User;

# Creating a new user

In [None]:
# app.js

const express = require('express');
const fs = require('fs');
const morgan = require('morgan');

const moviesRouter = require('./Routes/moviesRoutes');
const CustomError = require('./Utils/CustomError');
const globalErrorHandler = require('./Controllers/errorController');
const authRouter = require('./Routes/authRouter');


let app = express();

const logger = function(req, res, next){
    console.log("custom  middleware called");
    next();
}

app.use(express.json());

if(process.env.NODE_ENV === 'development'){
    app.use(morgan('dev'));
}

app.use(express.static('./public'))
app.use(logger);
app.use((req, res, next) => {
    req.requestedAt = new Date().toISOString();
    next();
})

app.use('/api/v1/movies', moviesRouter);
app.use('/api/v1/users', authRouter); # defing routes for users

app.all('*', (req, res, next)=>{
    const err = new CustomError(`Can't find ${req.originalUrl} on this server`, 404);
    next(err);
})

app.use(globalErrorHandler);

module.exports = app;

In [None]:
# Controllers/authController.js

const User = require('./../Models/userModel');
const asyncErrorHandler = require('./../Utils/asyncErrorHandler')

exports.signup = asyncErrorHandler(async (req, res, next) =>{
    const newUser = await User.create(req.body);

    res.status(201).json({
        status: 'success',
        data: {
            user: newUser
        }
    })
});

In [None]:
# Routes/authRouter.js

const express = require('express');
const authController = require('./../Controllers/authController');

const router = express.Router();

router.route('/signup').post(authController.signup);

module.exports = router;

# Encrypting password

In [None]:
# Models/userModel.js

const mongoose = require('mongoose');
const validator = require('validator');
const bcrypt = require('bcryptjs');

const userSchema = new mongoose.Schema({
    name: {
        type: String,
        required: [true, 'Please tell us your name!']
    },
    email: {
        type: String,
        required: [true, 'Please provide your email'],
        unique: true,
        lowercase: true, # not a validator, will transform email into lowercase before saving to DB
        validate: [validator.isEmail, 'Please provide a valid email']
    },
    photo: String, # store the path of photo
    password: {
        type: String,
        required: [true, 'Please provide a password'],
        minlength: 8,
        select: false # will not show up in any output
    },
    passwordConfirm: {
        type: String,
        required: [true, 'Please confirm your password'],
        validate: {
            # This only works on CREATE and SAVE
            validator: function(val){
                return val === this.password;
            },
            message: 'Passwords are not the same!'
        }
    }
})

userSchema.pre('save', async function(next){
    if(!this.isModified('password')){
        return next();
    }
    this.password = await bcrypt.hash(this.password, 12); # more the cost, better encryption
    this.passwordConfirm = undefined; # becoz we want passwordConfirm to confirm the same value, we don't want to store it in out database
    next();
})

const User = mongoose.model('User', userSchema);
module.exports = User;

- More the cost, better the encrption

# Signing up a user

In [None]:
# Controllers/authController.js

const User = require('./../Models/userModel');
const asyncErrorHandler = require('./../Utils/asyncErrorHandler')
const jwt = require('jsonwebtoken');

exports.signup = asyncErrorHandler(async (req, res, next) =>{
    const newUser = await User.create(req.body);

    const token = jwt.sign({id: newUser._id}, process.env.JWT_SECRET_STR, {
        expiresIn: process.env.LOGIN_EXPIRES
    })

    res.status(201).json({
        status: 'success',
        token, # token: token
        data: {
            user: newUser
        }
    })
});

In [None]:
# config.env

NODE_ENV=development
PORT=3000
LOCAL_CONN_STR=mongodb://localhost:27017/cineflix
CONN_STR=mongodb+srv://saurabhp850701:syNMGbBNVdGVdFVJ@cluster0.nyktqa6.mongodb.net/cineflix?retryWrites=true&w=majority&appName=Cluster0
DB_USER=saurabhp850701
DB_PASSWORD=syNMGbBNVdGVdFVJq
JWT_SECRET_STR='123adffg-qw4-dg23-sfg8dfgh9g6sa5f@' # atleast 32 characters
LOGIN_EXPIRES=10000000 # millisecond

- More the properties are in payload better and secure the token is created.
- Secret string should be atleast 32 characters long as per standard, longer the string is better it is

# Logging in a user

Logging in a user is simply means to sign a json web token(JWT) and send it back to the client but in this case e will only issue a token if the user exists in the database and password provided for that user is correct.

In [None]:
# Routes/authRouter.js

const express = require('express');
const authController = require('./../Controllers/authController');

const router = express.Router();

router.route('/signup').post(authController.signup);
router.route('/login').post(authController.login);

module.exports = router;

In [None]:
# controllers/authController.js

const User = require('./../Models/userModel');
const asyncErrorHandler = require('./../Utils/asyncErrorHandler')
const jwt = require('jsonwebtoken');
const CustomError = require('./../Utils/CustomError');

const signToken = id=>{
    return jwt.sign({ id }, process.env.JWT_SECRET_STR, {
        expiresIn: process.env.LOGIN_EXPIRES
    })
}

exports.signup = asyncErrorHandler(async (req, res, next) =>{
    const newUser = await User.create(req.body);

    const token = signToken(newUser._id);

    res.status(201).json({
        status: 'success',
        token,
        data: {
            user: newUser
        }
    })
});

exports.login = asyncErrorHandler(async (req, res, next)=>{

    const email = req.body.email;
    const password = req.body.password;
    //const {email, password} = req.body;

    #check if email and password is present in request body
    if(!email || !password){
        const error = new CustomError("Please provide email and password for login", 400);
        return next(error);
    }

    #check if user exists with given email
    const user = await User.findOne({ email }).select('+password');

    #check if the user exisys and password matches
    if(!user || !(await user.comparePasswordInDb(password, user.password))){
        const error = new CustomError("Incorrect email or password", 400);
        return next(error);
    }

    const token = signToken(user._id);

    res.status(200).json({
        status: 'success',
        token, 
        user
    })
})

In [None]:
# Models/userModel.js

const mongoose = require('mongoose');
const validator = require('validator');
const bcrypt = require('bcryptjs');

const userSchema = new mongoose.Schema({
    name: {
        type: String,
        required: [true, 'Please tell us your name!']
    },
    email: {
        type: String,
        required: [true, 'Please provide your email'],
        unique: true,
        lowercase: true, # not a validator, will transform email into lowercase before saving to DB
        validate: [validator.isEmail, 'Please provide a valid email']
    },
    photo: String, // store the path of photo
    password: {
        type: String,
        required: [true, 'Please provide a password'],
        minlength: 8,
        select: false # will not show up in any output
    },
    passwordConfirm: {
        type: String,
        required: [true, 'Please confirm your password'],
        validate: {
            # This only works on CREATE and SAVE
            validator: function(val){
                return val === this.password;
            },
            message: 'Passwords are not the same!'
        }
    }
})

userSchema.pre('save', async function(next){
    if(!this.isModified('password')){
        return next();
    }
    this.password = await bcrypt.hash(this.password, 12);
    this.passwordConfirm = undefined; #becoz we want passwordConfirm to confirm the same value, we don't want to store it in out database
    next();
})
userSchema.methods.comparePasswordInDb = async function(pswd, pswdDB){
    return await bcrypt.compare(pswd, pswdDB);
}

const User = mongoose.model('User', userSchema);
module.exports = User;

# Protecting routes

Let's say we want to protect getAllMovies routes that means only want to allow the logged in users to get access to a list of all the movies.

For this what we need to do is before running this `getAllMovies` handler function we would need to have some check in place in order to verify if the user is actually logged in or not and best way of doing that is to use middleware function

In [None]:
# Routes/moviesRoutes.js

const express = require('express');
const moviesController = require('./../Controllers/moviesController');
const authController = require('./../Controllers/authController');

const router = express.Router();

router.route('/highest-rated')
        .get(moviesController.getHighestRated, moviesController.getAllMovies)

router.route('/movie-stats')
        .get(moviesController.getMovieStats)

router.route('/movies-by-genre/:genre')
        .get(moviesController.getMoviesByGenre)

router.route('/')
    .get(authController.protect, moviesController.getAllMovies)
    .post(moviesController.createMovie)
    
router.route('/:id')
    .get(moviesController.getMovie)
    .patch(moviesController.updateMovie)
    .delete(moviesController.deleteMovie)

module.exports = router;

In [None]:
# Controllers/errorController.js


const CustomError = require('./../Utils/CustomError');


const devErrors = (res, error)=>{
    res.status(error.statusCode).json({
        status: error.status,
        message: error.message,
        stackTrace: error.stack,
        error: error
    })
}

const castErrorHandler = (err)=>{
    const msg = `Invalid value for ${err.path}:  ${err.value}`
    return new CustomError(msg, 400);
}
const duplicateKeyErrorHandler = (err)=>{
    const name = err.keyValue.name;
    const msg = `Movie with name: ${name} already exists. Please use another name`;
    return new CustomError(msg, 400);
}
const validationErrorHandler = (err)=>{
    const errors = Object.values(err.errors).map(val => val.message);
    const errorMessages = errors.join(". ");
    const msg = `Inavlid input data: ${errorMessages}`;
    return new CustomError(msg, 400);
}
const handleExpiredJWT = (err)=>{
    return new CustomError("Your token has expired. Please login again", 401); //displayed in production mode
}
const handleJWTError = (err)=>{
    return new CustomError("Invalid token. Please login again", 401); //displayed in production mode
}

const prodErrors = (res, error)=>{
    if(error.isOperational){
        res.status(error.statusCode).json({
            status: error.status,
            message: error.message
        })
    } else{
        res.status(500).json({
            status:'Error',
            message:"Something went very wrong! please try again later"
        })
    }
}
module.exports = (error, req, res, next)=>{ // GLOBAL ERROR HANDLING MIDDLEWARE
    error.statusCode = error.statusCode || 500;
    error.status = error.status || "error";
    
    if(process.env.NODE_ENV === 'development'){
        devErrors(res, error);
    } else if(process.env.NODE_ENV === 'production'){
        
        if(error.name === 'CastError'){
            error = castErrorHandler(error);
        }
        if(error.code === 11000){
            error = duplicateKeyErrorHandler(error);
        }
        if(error.name === "ValidationError"){
            error = validationErrorHandler(error);
        }
        if(error.name === "TokenExpiredError"){
            error = handleExpiredJWT(error);
        }
        if(error.name === "JsonWebTokenError"){
            error = handleJWTError(error);
        }

        prodErrors(res, error);
    }
}

In [None]:
# Models/userModel.js

const mongoose = require('mongoose');
const validator = require('validator');
const bcrypt = require('bcryptjs');


const userSchema = new mongoose.Schema({
    name: {
        type: String,
        required: [true, 'Please tell us your name!']
    },
    email: {
        type: String,
        required: [true, 'Please provide your email'],
        unique: true,
        lowercase: true, // not a validator, will transform email into lowercase before saving to DB
        validate: [validator.isEmail, 'Please provide a valid email']
    },
    photo: String, // store the path of photo
    password: {
        type: String,
        required: [true, 'Please provide a password'],
        minlength: 8,
        select: false // will not show up in any output
    },
    passwordConfirm: {
        type: String,
        required: [true, 'Please confirm your password'],
        validate: {
            // This only works on CREATE and SAVE
            validator: function(val){
                return val === this.password;
            },
            message: 'Passwords are not the same!'
        }
    },
    passwordChangedAt: Date # newly added
})

userSchema.pre('save', async function(next){
    if(!this.isModified('password')){
        return next();
    }
    this.password = await bcrypt.hash(this.password, 12);
    this.passwordConfirm = undefined; //becoz we want passwordConfirm to confirm the same value, we don't want to store it in out database
    next();
})

userSchema.methods.comparePasswordInDb = async function(pswd, pswdDB){
    return await bcrypt.compare(pswd, pswdDB);
}

userSchema.methods.isPasswordChanged = async function(JWTTimestamp){
    if(this.passwordChangedAt){
        const pswdChangedTimestamp = parseInt(this.passwordChangedAt.getTime()/1000, 10);
        console.log(pswdChangedTimestamp, JWTTimestamp);
        return JWTTimestamp < pswdChangedTimestamp;
    }
    return false;
}

const User = mongoose.model('User', userSchema);
module.exports = User;

In [None]:
# Controllers/authController.js

const User = require('./../Models/userModel');
const asyncErrorHandler = require('./../Utils/asyncErrorHandler')
const jwt = require('jsonwebtoken');
const CustomError = require('./../Utils/CustomError');

const util = require('util');

const signToken = id=>{
    return jwt.sign({ id }, process.env.JWT_SECRET_STR, {
        expiresIn: process.env.LOGIN_EXPIRES
    })
}

exports.signup = asyncErrorHandler(async (req, res, next) =>{
    const newUser = await User.create(req.body);

    const token = signToken(newUser._id);

    res.status(201).json({
        status: 'success',
        token,
        data: {
            user: newUser
        }
    })
});

exports.login = asyncErrorHandler(async (req, res, next)=>{

    const email = req.body.email;
    const password = req.body.password;
    //const {email, password} = req.body;

    //check if email and password is present in request body
    if(!email || !password){
        const error = new CustomError("Please provide email and password for login", 400);
        return next(error);
    }

    //check if user exists with given email
    const user = await User.findOne({ email }).select('+password');

    //check if the user exisys and password matches
    if(!user || !(await user.comparePasswordInDb(password, user.password))){
        const error = new CustomError("Incorrect email or password", 400);
        return next(error);
    }

    const token = signToken(user._id);

    res.status(200).json({
        status: 'success',
        token, 
        user
    })    
})

exports.protect = asyncErrorHandler(async (req, res, next)=>{
    #1. Read the token and check if it exists:
    
    # the common practice to send token with request is by using http headers with request
    const testToken = req.headers.authorization;
    let token;
    if(testToken && testToken.startsWith('Bearer')){
        token = testToken.split(' ')[1];
    }
    if(!token){
        next(new CustomError('you are not logged in', 401))
    }
    //console.log(token);

    #2. validate the token:
    const decodedToken = await util.promisify(jwt.verify)(token, process.env.JWT_SECRET_STR);
    console.log(decodedToken);

    #3. if the user exists (might be user logged in and immediately user has been delete from DB for some reason):
    const user = await User.findById(decodedToken.id);
    if(!user){
        const error = new CustomError('The user belonging to this token does no longer exist', 401)
        next(error);
    }

    const isPasswordChanged = await user.isPasswordChanged(decodedToken.iat)
    #4. if the user changed password after the token was issued:
    if(isPasswordChanged){
        const error = new CustomError('User recently changed password. Please login again', 401);
        return next(error);
    }

    #5. Allow user to access route:
    req.user = user;
    next();
})

# User roles and permission : Authorization

In [None]:
# Models/userModel.js

const mongoose = require('mongoose');
const validator = require('validator');
const bcrypt = require('bcryptjs');


const userSchema = new mongoose.Schema({
    name: {
        type: String,
        required: [true, 'Please tell us your name!']
    },
    email: {
        type: String,
        required: [true, 'Please provide your email'],
        unique: true,
        lowercase: true, // not a validator, will transform email into lowercase before saving to DB
        validate: [validator.isEmail, 'Please provide a valid email']
    },
    photo: String, // store the path of photo
    role: { # newly added field
        type: String,
        enum: ['user', 'admin'], # can be any name
        default: 'user'
    },
    password: {
        type: String,
        required: [true, 'Please provide a password'],
        minlength: 8,
        select: false // will not show up in any output
    },
    passwordConfirm: {
        type: String,
        required: [true, 'Please confirm your password'],
        validate: {
            // This only works on CREATE and SAVE
            validator: function(val){
                return val === this.password;
            },
            message: 'Passwords are not the same!'
        }
    },
    passwordChangedAt: Date
})

userSchema.pre('save', async function(next){
    if(!this.isModified('password')){
        return next();
    }
    this.password = await bcrypt.hash(this.password, 12);
    this.passwordConfirm = undefined; //becoz we want passwordConfirm to confirm the same value, we don't want to store it in out database
    next();
})
userSchema.methods.comparePasswordInDb = async function(pswd, pswdDB){
    return await bcrypt.compare(pswd, pswdDB);
}
userSchema.methods.isPasswordChanged = async function(JWTTimestamp){
    if(this.passwordChangedAt){
        const pswdChangedTimestamp = parseInt(this.passwordChangedAt.getTime()/1000, 10);
        console.log(pswdChangedTimestamp, JWTTimestamp);
        return JWTTimestamp < pswdChangedTimestamp;
    }
    return false;
}

const User = mongoose.model('User', userSchema);
module.exports = User;

Here we have small problem: using signup endpoint any user can log in as admin that means  any user can make request to this url (`http://127.0.0.1:3000/api/v1/users/signup`) and there can specify role as admin:
`{
	"name": "Mark",
	"email": "mark@hotmail.com",
	"password": "mark12345",
	"passwordConfirm": "mark12345",
    "role": "admin"
}`

In this way all the user can make themselves as admin. This is one bug that we might need to fix in future.

<hr>

Now what we want is let's John is logged in to our application and he is trying to access delete route. So if he is able to access this delete route that means he should be able to delete movie from database.

Now before we allow a user to delete a movie from the database first we need to check if user is logged in or not and for we can use this `authController.protect` middleware before allowing user to delete a movie. Then we also want to check if the user has permission to delete a movie and for that we need to create another middleware function:


In [None]:
# Routes/moviesRoutes.js

const express = require('express');
const moviesController = require('./../Controllers/moviesController');
const authController = require('./../Controllers/authController');

const router = express.Router();

router.route('/highest-rated')
        .get(moviesController.getHighestRated, moviesController.getAllMovies)

router.route('/movie-stats')
        .get(moviesController.getMovieStats)

router.route('/movies-by-genre/:genre')
        .get(moviesController.getMoviesByGenre)

router.route('/')
    .get(authController.protect, moviesController.getAllMovies)
    .post(moviesController.createMovie)
    
router.route('/:id')
    .get(moviesController.getMovie)
    .patch(moviesController.updateMovie)
    .delete(authController.protect, authController.restrict('admin'), moviesController.deleteMovie)

module.exports = router;

In [None]:
# controllers/authController.js

const User = require('./../Models/userModel');
const asyncErrorHandler = require('./../Utils/asyncErrorHandler')
const jwt = require('jsonwebtoken');
const CustomError = require('./../Utils/CustomError');

const util = require('util');

const signToken = id=>{
    return jwt.sign({ id }, process.env.JWT_SECRET_STR, {
        expiresIn: process.env.LOGIN_EXPIRES
    })
}

exports.signup = asyncErrorHandler(async (req, res, next) =>{
    const newUser = await User.create(req.body);

    const token = signToken(newUser._id);

    res.status(201).json({
        status: 'success',
        token,
        data: {
            user: newUser
        }
    })
});

exports.login = asyncErrorHandler(async (req, res, next)=>{

    const email = req.body.email;
    const password = req.body.password;
    //const {email, password} = req.body;

    //check if email and password is present in request body
    if(!email || !password){
        const error = new CustomError("Please provide email and password for login", 400);
        return next(error);
    }

    //check if user exists with given email
    const user = await User.findOne({ email }).select('+password');

    //check if the user exisys and password matches
    if(!user || !(await user.comparePasswordInDb(password, user.password))){
        const error = new CustomError("Incorrect email or password", 400);
        return next(error);
    }

    const token = signToken(user._id);

    res.status(200).json({
        status: 'success',
        token, 
        user
    })    
})

exports.protect = asyncErrorHandler(async (req, res, next)=>{
    //1. Read the token and check if it exists:
    
    // the common practice to send token with request is by using http headers with request
    const testToken = req.headers.authorization;
    let token;
    if(testToken && testToken.startsWith('Bearer')){
        token = testToken.split(' ')[1];
    }
    if(!token){
        next(new CustomError('you are not logged in', 401))
    }
    //console.log(token);

    //2. validate the token:
    const decodedToken = await util.promisify(jwt.verify)(token, process.env.JWT_SECRET_STR);
    console.log(decodedToken);

    //3. if the user exists (might be user logged in and immediately user has been delete from DB for some reason):
    const user = await User.findById(decodedToken.id);
    if(!user){
        const error = new CustomError('The user belonging to this token does no longer exist', 401)
        next(error);
    }

    const isPasswordChanged = await user.isPasswordChanged(decodedToken.iat)
    //4. if the user changed password after the token was issued:
    if(isPasswordChanged){
        const error = new CustomError('User recently changed password. Please login again', 401);
        return next(error);
    }

    //5. Allow user to access route:
    req.user = user;
    next();
})

exports.restrict = (role)=>{
    return (req, res, next)=>{
        if(req.user.role !== role){
            const error = new CustomError("You don't have permission to perform this action", 403);
            next(error);
        }
        next();
    }
}

Above we handle case when only admin has permission to delete movie. In realworld we can have mutiple roles that can have same permission. let's say admin and test are two roles that have permission to delete that movie. We can handle this case by:

In [None]:
# Routes/moviesRoutes.js

router.route('/:id')
    .get(moviesController.getMovie)
    .patch(moviesController.updateMovie)
    .delete(authController.protect, authController.restrict('admin','test'), moviesController.deleteMovie)

In [None]:
# controllers/authController.js

# we will use rest paramaters

exports.restrict = (...role)=>{ # stored as array
    return (req, res, next)=>{
        if(!role.includes(req.user.role)){
            const error = new CustomError("You don't have permission to perform this action", 403);
            next(error);
        }
        next();
    }
}


# Password reset functionality

Here basically two steps are involved:

1. User sends a POST request to forgot password route only with his email address. This will then create a reset token and send that to the email address that was provided so just a simple random token not a json web token.
2. The user then sends a POST request to reset password with the new password and the token sent to his email. 



In [None]:
# Routes/authRouter.js

const express = require('express');
const authController = require('./../Controllers/authController');

const router = express.Router();

router.route('/signup').post(authController.signup);
router.route('/login').post(authController.login);
router.route('/forgotPassword').post(authController.forgotPassword);
router.route('/resetPassword/:token').patch(authController.resetPassword);

module.exports = router;

In [None]:
# Models/userModel.js

const mongoose = require('mongoose');
const validator = require('validator');
const bcrypt = require('bcryptjs');
const crypto = require('crypto');


const userSchema = new mongoose.Schema({
    name: {
        type: String,
        required: [true, 'Please tell us your name!']
    },
    email: {
        type: String,
        required: [true, 'Please provide your email'],
        unique: true,
        lowercase: true, // not a validator, will transform email into lowercase before saving to DB
        validate: [validator.isEmail, 'Please provide a valid email']
    },
    photo: String, // store the path of photo
    role: {
        type: String,
        enum: ['user', 'admin'],
        default: 'user'
    },
    password: {
        type: String,
        required: [true, 'Please provide a password'],
        minlength: 8,
        select: false // will not show up in any output
    },
    passwordConfirm: {
        type: String,
        required: [true, 'Please confirm your password'],
        validate: {
            // This only works on CREATE and SAVE
            validator: function(val){
                return val === this.password;
            },
            message: 'Passwords are not the same!'
        }
    },
    passwordChangedAt: Date,
    passwordResetToken: String,
    passwordResetToeknExpires: Date
})

userSchema.pre('save', async function(next){
    if(!this.isModified('password')){
        return next();
    }
    this.password = await bcrypt.hash(this.password, 12);
    this.passwordConfirm = undefined; //becoz we want passwordConfirm to confirm the same value, we don't want to store it in out database
    next();
})
userSchema.methods.comparePasswordInDb = async function(pswd, pswdDB){
    return await bcrypt.compare(pswd, pswdDB);
}
userSchema.methods.isPasswordChanged = async function(JWTTimestamp){
    if(this.passwordChangedAt){
        const pswdChangedTimestamp = parseInt(this.passwordChangedAt.getTime()/1000, 10);
        console.log(pswdChangedTimestamp, JWTTimestamp);
        return JWTTimestamp < pswdChangedTimestamp;
    }
    return false;
}
userSchema.methods.createResetPasswordToken = function(){
    const resetToken = crypto.randomBytes(32).toString('hex');
    this.passwordResetToken = crypto.createHash('sha256').update(resetToken).digest('hex'); // encrypted reset token will be saved in database
    this.passwordResetToeknExpires = Date.now()+10*60*1000; // 10 minutes

    console.log(resetToken, this.passwordResetToken);

    return resetToken; // user will get plain reset token
}


const User = mongoose.model('User', userSchema);
module.exports = User;

In [None]:
# config.env

NODE_ENV=development
PORT=3000
LOCAL_CONN_STR=mongodb://localhost:27017/cineflix
CONN_STR=mongodb+srv://saurabhp850701:syNMGbBNVdGVdFVJ@cluster0.nyktqa6.mongodb.net/cineflix?retryWrites=true&w=majority&appName=Cluster0
DB_USER=saurabhp850701
DB_PASSWORD=syNMGbBNVdGVdFVJq
JWT_SECRET_STR='123adffg-qw4-dg23-sfg8dfgh9g6sa5f@'
LOGIN_EXPIRES=1000000000

EMAIL_USER=b81987e35258c7
EMAIL_PASSWORD=a1c2b485218656
EMAIL_HOST=sandbox.smtp.mailtrap.io
EMAIL_PORT=25

In [None]:
# Utils/email.js

const nodemailer = require('nodemailer');

const sendEmail= async (option)=>{
    //CREATE A TRANSPORTER
    const transporter = nodemailer.createTransport({
        host: process.env.EMAIL_HOST,
        port: process.env.EMAIL_PORT,
        auth: {
            user: process.env.EMAIL_USER,
            pass: process.env.EMAIL_PASSWORD
        }
    })
    // DEFINE EMAIL OPTIONS
    const emailOptions = {
        from: "Cineflix Support<support@cineflix.com>",
        to: option.email,
        subject: option.subject,
        text: option.message
    }
    await transporter.sendMail(emailOptions);
}

module.exports = sendEmail;

In [None]:
# Controllers/authController.js

const User = require('./../Models/userModel');
const asyncErrorHandler = require('./../Utils/asyncErrorHandler')
const jwt = require('jsonwebtoken');
const CustomError = require('./../Utils/CustomError');
const sendEmail = require('./../Utils/email');

const util = require('util');

const signToken = id=>{
    return jwt.sign({ id }, process.env.JWT_SECRET_STR, {
        expiresIn: process.env.LOGIN_EXPIRES
    })
}

exports.signup = asyncErrorHandler(async (req, res, next) =>{
    const newUser = await User.create(req.body);

    const token = signToken(newUser._id);

    res.status(201).json({
        status: 'success',
        token,
        data: {
            user: newUser
        }
    })
});

exports.login = asyncErrorHandler(async (req, res, next)=>{

    const email = req.body.email;
    const password = req.body.password;
    //const {email, password} = req.body;

    //check if email and password is present in request body
    if(!email || !password){
        const error = new CustomError("Please provide email and password for login", 400);
        return next(error);
    }

    //check if user exists with given email
    const user = await User.findOne({ email }).select('+password');

    //check if the user exisys and password matches
    if(!user || !(await user.comparePasswordInDb(password, user.password))){
        const error = new CustomError("Incorrect email or password", 400);
        return next(error);
    }

    const token = signToken(user._id);

    res.status(200).json({
        status: 'success',
        token, 
        user
    })    
})

exports.protect = asyncErrorHandler(async (req, res, next)=>{
    //1. Read the token and check if it exists:
    
    // the common practice to send token with request is by using http headers with request
    const testToken = req.headers.authorization;
    let token;
    if(testToken && testToken.startsWith('Bearer')){
        token = testToken.split(' ')[1];
    }
    if(!token){
        next(new CustomError('you are not logged in', 401))
    }
    //console.log(token);

    //2. validate the token:
    const decodedToken = await util.promisify(jwt.verify)(token, process.env.JWT_SECRET_STR);
    console.log(decodedToken);

    //3. if the user exists (might be user logged in and immediately user has been delete from DB for some reason):
    const user = await User.findById(decodedToken.id);
    if(!user){
        const error = new CustomError('The user belonging to this token does no longer exist', 401)
        next(error);
    }

    const isPasswordChanged = await user.isPasswordChanged(decodedToken.iat)
    //4. if the user changed password after the token was issued:
    if(isPasswordChanged){
        const error = new CustomError('User recently changed password. Please login again', 401);
        return next(error);
    }

    //5. Allow user to access route:
    req.user = user;
    next();
})

exports.restrict = (role)=>{
    return (req, res, next)=>{
        if(req.user.role !== role){
            const error = new CustomError("You don't have permission to perform this action", 403);
            next(error);
        }
        next();
    }
}

exports.forgotPassword = asyncErrorHandler(async (req, res, next)=>{
    //1. GET USER BASED ON POSTED EMAIL:
    const user = await User.findOne({email: req.body.email});
    if(!user){
        const error = new CustomError("Couldn't find user with given email", 404);
        next(error);
    }

    //2. GENERATE A RANDOM RESET TOKEN:
    const resetToken = user.createResetPasswordToken();
    await user.save({validateBeforeSave: false});

    //3. SEND THE TOKEN BACK TO THE USER EMAIL:
    const resetUrl = `${req.protocol}://${req.get('host')}/api/v1/users/resetPassword/${resetToken}`;
    console.log(resetUrl);

    const message = `We have received a password reset request. Please use the below link to reset your password.\n\n${resetUrl}\n\nThis link is valid for 10 minutes only.`;

    try{
        await sendEmail({
            email: user.email,
            subject: "Password change request received",
            message: message
        });
        res.status(200).json({
            status: 'success',
            message: 'Password reset link sent to user email'
        })
        
    }catch(err){
        user.passwordResetToken = undefined;
        user.passwordResetToeknExpires = undefined;
        user.save({validateBeforeSave: false})

        return next(new CustomError("There was an error in sending password reset email. Please try again later.", 500))
    }
})

exports.resetPassword = (req, res, next)=>{

}

# Setting new password for user

In [None]:
# Controllers/authcontroller.js

const User = require('./../Models/userModel');
const asyncErrorHandler = require('./../Utils/asyncErrorHandler')
const jwt = require('jsonwebtoken');
const CustomError = require('./../Utils/CustomError');
const sendEmail = require('./../Utils/email');
const crypto = require('crypto');

const util = require('util');

const signToken = id=>{
    return jwt.sign({ id }, process.env.JWT_SECRET_STR, {
        expiresIn: process.env.LOGIN_EXPIRES
    })
}

exports.signup = asyncErrorHandler(async (req, res, next) =>{
    const newUser = await User.create(req.body);

    const token = signToken(newUser._id);

    res.status(201).json({
        status: 'success',
        token,
        data: {
            user: newUser
        }
    })
});

exports.login = asyncErrorHandler(async (req, res, next)=>{

    const email = req.body.email;
    const password = req.body.password;
    //const {email, password} = req.body;

    //check if email and password is present in request body
    if(!email || !password){
        const error = new CustomError("Please provide email and password for login", 400);
        return next(error);
    }

    //check if user exists with given email
    const user = await User.findOne({ email }).select('+password');

    //check if the user exists and password matches
    if(!user || !(await user.comparePasswordInDb(password, user.password))){
        const error = new CustomError("Incorrect email or password", 400);
        return next(error);
    }

    const token = signToken(user._id);

    res.status(200).json({
        status: 'success',
        token, 
        user
    })    
})

exports.protect = asyncErrorHandler(async (req, res, next)=>{
    //1. Read the token and check if it exists:
    
    // the common practice to send token with request is by using http headers with request
    const testToken = req.headers.authorization;
    let token;
    if(testToken && testToken.startsWith('Bearer')){
        token = testToken.split(' ')[1];
    }
    if(!token){
        next(new CustomError('you are not logged in', 401))
    }
    //console.log(token);

    //2. validate the token:
    const decodedToken = await util.promisify(jwt.verify)(token, process.env.JWT_SECRET_STR);
    console.log(decodedToken);

    //3. if the user exists (might be user logged in and immediately user has been delete from DB for some reason):
    const user = await User.findById(decodedToken.id);
    if(!user){
        const error = new CustomError('The user belonging to this token does no longer exist', 401)
        next(error);
    }

    const isPasswordChanged = await user.isPasswordChanged(decodedToken.iat)
    //4. if the user changed password after the token was issued:
    if(isPasswordChanged){
        const error = new CustomError('User recently changed password. Please login again', 401);
        return next(error);
    }

    //5. Allow user to access route:
    req.user = user;
    next();
})

exports.restrict = (role)=>{
    return (req, res, next)=>{
        if(req.user.role !== role){
            const error = new CustomError("You don't have permission to perform this action", 403);
            next(error);
        }
        next();
    }
}

exports.forgotPassword = asyncErrorHandler(async (req, res, next)=>{
    //1. GET USER BASED ON POSTED EMAIL:
    const user = await User.findOne({email: req.body.email});
    if(!user){
        const error = new CustomError("Couldn't find user with given email", 404);
        next(error);
    }

    //2. GENERATE A RANDOM RESET TOKEN:
    const resetToken = user.createResetPasswordToken();
    await user.save({validateBeforeSave: false});

    //3. SEND THE TOKEN BACK TO THE USER EMAIL:
    const resetUrl = `${req.protocol}://${req.get('host')}/api/v1/users/resetPassword/${resetToken}`;
    console.log(resetUrl);

    const message = `We have received a password reset request. Please use the below link to reset your password.\n\n${resetUrl}\n\nThis link is valid for 10 minutes only.`;

    try{
        await sendEmail({
            email: user.email,
            subject: "Password change request received",
            message: message
        });
        res.status(200).json({
            status: 'success',
            message: 'Password reset link sent to user email'
        })
        
    }catch(err){
        user.passwordResetToken = undefined;
        user.passwordResetToeknExpires = undefined;
        user.save({validateBeforeSave: false})

        return next(new CustomError("There was an error in sending password reset email. Please try again later.", 500))
    }
})

exports.resetPassword = asyncErrorHandler(async (req, res, next)=>{
    //1. IF THE USER EXISTS WITH THE GIVEN TOKEN & TOKEN HAS NOT EXPIRED:
    const token = crypto.createHash('sha256').update(req.params.token).digest('hex');
    const user = await User.findOne({passwordResetToken: token, passwordResetToeknExpires: {$gt: Date.now()}});

    if(!user){
        const error = new CustomError("Token is invalid or expired", 400);
        next(error);
    }

    //2. RESETING THE USER PASSWORD:
    user.password = req.body.password;
    user.passwordConfirm = req.body.passwordConfirm;

    user.passwordResetToken = undefined;
    user.passwordResetToeknExpires = undefined;
    user.passwordChangedAt = Date.now();

    //3. LOGIN THE USER:
    try {
        await user.save();
        
        const loginToken = signToken(user._id);
        res.status(200).json({
            status: 'success',
            token: loginToken
        });
    } catch (err) {
        return next(new CustomError(err.message, 400)); // Catch validation errors
    }
})

# Updating the user password

In [None]:
# Routes/authRouter.js

const express = require('express');
const authController = require('./../Controllers/authController');

const router = express.Router();

router.route('/signup').post(authController.signup);
router.route('/login').post(authController.login);
router.route('/forgotPassword').post(authController.forgotPassword);
router.route('/resetPassword/:token').patch(authController.resetPassword);
router.route('/updatePassword').patch(authController.protect, authController.updatePassword);

module.exports = router;

In [None]:
# Controllers/authcontroller.js

const User = require('./../Models/userModel');
const asyncErrorHandler = require('./../Utils/asyncErrorHandler')
const jwt = require('jsonwebtoken');
const CustomError = require('./../Utils/CustomError');
const sendEmail = require('./../Utils/email');
const crypto = require('crypto');

const util = require('util');

const signToken = id=>{
    return jwt.sign({ id }, process.env.JWT_SECRET_STR, {
        expiresIn: process.env.LOGIN_EXPIRES
    })
}

exports.signup = asyncErrorHandler(async (req, res, next) =>{
    const newUser = await User.create(req.body);

    const token = signToken(newUser._id);

    res.status(201).json({
        status: 'success',
        token,
        data: {
            user: newUser
        }
    })
});

exports.login = asyncErrorHandler(async (req, res, next)=>{

    const email = req.body.email;
    const password = req.body.password;
    //const {email, password} = req.body;

    //check if email and password is present in request body
    if(!email || !password){
        const error = new CustomError("Please provide email and password for login", 400);
        return next(error);
    }

    //check if user exists with given email
    const user = await User.findOne({ email }).select('+password');

    //check if the user exists and password matches
    if(!user || !(await user.comparePasswordInDb(password, user.password))){
        const error = new CustomError("Incorrect email or password", 400);
        return next(error);
    }

    const token = signToken(user._id);

    res.status(200).json({
        status: 'success',
        token, 
        user
    })    
})

exports.protect = asyncErrorHandler(async (req, res, next)=>{
    //1. Read the token and check if it exists:
    
    // the common practice to send token with request is by using http headers with request
    const testToken = req.headers.authorization;
    let token;
    if(testToken && testToken.startsWith('Bearer')){
        token = testToken.split(' ')[1];
    }
    if(!token){
        next(new CustomError('you are not logged in', 401))
    }
    //console.log(token);

    //2. validate the token:
    const decodedToken = await util.promisify(jwt.verify)(token, process.env.JWT_SECRET_STR);
    console.log(decodedToken);

    //3. if the user exists (might be user logged in and immediately user has been delete from DB for some reason):
    const user = await User.findById(decodedToken.id);
    if(!user){
        const error = new CustomError('The user belonging to this token does no longer exist', 401)
        next(error);
    }

    const isPasswordChanged = await user.isPasswordChanged(decodedToken.iat)
    //4. if the user changed password after the token was issued:
    if(isPasswordChanged){
        const error = new CustomError('User recently changed password. Please login again', 401);
        return next(error);
    }

    //5. Allow user to access route:
    req.user = user;
    next();
})

exports.restrict = (role)=>{
    return (req, res, next)=>{
        if(req.user.role !== role){
            const error = new CustomError("You don't have permission to perform this action", 403);
            next(error);
        }
        next();
    }
}

exports.forgotPassword = asyncErrorHandler(async (req, res, next)=>{
    //1. GET USER BASED ON POSTED EMAIL:
    const user = await User.findOne({email: req.body.email});
    if(!user){
        const error = new CustomError("Couldn't find user with given email", 404);
        next(error);
    }

    //2. GENERATE A RANDOM RESET TOKEN:
    const resetToken = user.createResetPasswordToken();
    await user.save({validateBeforeSave: false});

    //3. SEND THE TOKEN BACK TO THE USER EMAIL:
    const resetUrl = `${req.protocol}://${req.get('host')}/api/v1/users/resetPassword/${resetToken}`;
    console.log(resetUrl);

    const message = `We have received a password reset request. Please use the below link to reset your password.\n\n${resetUrl}\n\nThis link is valid for 10 minutes only.`;

    try{
        await sendEmail({
            email: user.email,
            subject: "Password change request received",
            message: message
        });
        res.status(200).json({
            status: 'success',
            message: 'Password reset link sent to user email'
        })
        
    }catch(err){
        user.passwordResetToken = undefined;
        user.passwordResetToeknExpires = undefined;
        user.save({validateBeforeSave: false})

        return next(new CustomError("There was an error in sending password reset email. Please try again later.", 500))
    }
})

exports.resetPassword = asyncErrorHandler(async (req, res, next)=>{
    //1. IF THE USER EXISTS WITH THE GIVEN TOKEN & TOKEN HAS NOT EXPIRED:
    const token = crypto.createHash('sha256').update(req.params.token).digest('hex');
    const user = await User.findOne({passwordResetToken: token, passwordResetToeknExpires: {$gt: Date.now()}});

    if(!user){
        const error = new CustomError("Token is invalid or expired", 400);
        next(error);
    }

    //2. RESETING THE USER PASSWORD:
    user.password = req.body.password;
    user.passwordConfirm = req.body.passwordConfirm;

    user.passwordResetToken = undefined;
    user.passwordResetToeknExpires = undefined;
    user.passwordChangedAt = Date.now();

    console.log("reset done")

    //3. LOGIN THE USER:
    try {
        await user.save();
        
        const loginToken = signToken(user._id);
        res.status(200).json({
            status: 'success',
            token: loginToken
        });
        console.log("login");
    } catch (err) {
        console.log("no login")
        return next(new CustomError(err.message, 400)); // Catch validation errors
    }
})
exports.updatePassword = asyncErrorHandler(async (req, res, next)=>{
    // GET CURRENT USER DATA FROM DATABASE:
    const user = await User.findById(req.user._id).select('+password');

    // CHECK IF THE SUPPLIED CURRENT PASSWORD IS CORRECT:
    if(!(await user.comparePasswordInDb(req.body.currentPassword, user.password))){
        return next(new CustomError("Current password you rpovided is wrong", 401));
    }

    // IF SUPPLIED PASSWORD IS CORRECT, UPDATE USER PASSWORD WITH NEW VALUE:
    user.password = req.body.password;
    user.passwordConfirm = req.body.passwordConfirm;
    await user.save();

    // lOGIN USER & SEND JWT:
    const token  = signToken(user._id);
    res.status(200).json({
        status: 'success',
        token,
        data: {
            user
        }
    })
})

Now if we look at our code we are repeating following code at mutiple places `login`, `signup`, `reset` and `update`:

<code>
    const token  = signToken(user._id);
    res.status(200).json({
        status: 'success',
        token,
        data: {
            user
        }
    })
</code>

So, let's refactor this code along with some changes in other files to strcuture the code in their specific files:

In [None]:
# app.js

const express = require('express');
const fs = require('fs');
const morgan = require('morgan');

const moviesRouter = require('./Routes/moviesRoutes');
const CustomError = require('./Utils/CustomError');
const globalErrorHandler = require('./Controllers/errorController');
const authRouter = require('./Routes/authRouter');
const userRoute = require('./Routes/userRoute');


let app = express();

const logger = function(req, res, next){
    console.log("custom  middleware called");
    next();
}

app.use(express.json());

if(process.env.NODE_ENV === 'development'){
    app.use(morgan('dev'));
}

app.use(express.static('./public'))
app.use(logger);
app.use((req, res, next) => {
    req.requestedAt = new Date().toISOString();
    next();
})

app.use('/api/v1/movies', moviesRouter);
app.use('/api/v1/auth', authRouter);
app.use('/api/v1/user', userRoute);

app.all('*', (req, res, next)=>{
    // res.status(404).json({
    //     status: 'fail',
    //     message: `Can't find ${req.originalUrl} on this server`
    // })
    // const err = new Error(`Can't find ${req.originalUrl} on this server`);
    // err.status = 'fail';
    // err.statusCode = 404;
    const err = new CustomError(`Can't find ${req.originalUrl} on this server`, 404);
    next(err);
})

app.use(globalErrorHandler);

module.exports = app;

In [None]:
# Controllers/userController.js

const User = require('./../Models/userModel');
const asyncErrorHandler = require('./../Utils/asyncErrorHandler')
const jwt = require('jsonwebtoken');
const CustomError = require('./../Utils/CustomError');
const sendEmail = require('./../Utils/email');
const crypto = require('crypto');

const { createSendResponse } = require('./authController'); // Import the function

const util = require('util');


exports.updatePassword = asyncErrorHandler(async (req, res, next)=>{
    // GET CURRENT USER DATA FROM DATABASE:
    const user = await User.findById(req.user._id).select('+password');

    // CHECK IF THE SUPPLIED CURRENT PASSWORD IS CORRECT:
    if(!(await user.comparePasswordInDb(req.body.currentPassword, user.password))){
        return next(new CustomError("Current password you provided is wrong", 401));
    }

    // IF SUPPLIED PASSWORD IS CORRECT, UPDATE USER PASSWORD WITH NEW VALUE:
    user.password = req.body.password;
    user.passwordConfirm = req.body.passwordConfirm;
    await user.save();

    // lOGIN USER & SEND JWT:
    createSendResponse(user, 200, res);
})

In [None]:
# Controllers/authController.js

const User = require('./../Models/userModel');
const asyncErrorHandler = require('./../Utils/asyncErrorHandler')
const jwt = require('jsonwebtoken');
const CustomError = require('./../Utils/CustomError');
const sendEmail = require('./../Utils/email');
const crypto = require('crypto');

const util = require('util');

const signToken = id=>{
    return jwt.sign({ id }, process.env.JWT_SECRET_STR, {
        expiresIn: process.env.LOGIN_EXPIRES
    })
}
const createSendResponse = (user, statusCode, res)=>{
    const token = signToken(user._id);

    res.status(statusCode).json({
        status: 'success',
        token,
        data: {
            user
        }
    })
}

exports.signup = asyncErrorHandler(async (req, res, next) =>{
    const newUser = await User.create(req.body);

    createSendResponse(newUser, 201, res);
});

exports.login = asyncErrorHandler(async (req, res, next)=>{

    const email = req.body.email;
    const password = req.body.password;
    //const {email, password} = req.body;

    //check if email and password is present in request body
    if(!email || !password){
        const error = new CustomError("Please provide email and password for login", 400);
        return next(error);
    }

    //check if user exists with given email
    const user = await User.findOne({ email }).select('+password');

    //check if the user exists and password matches
    if(!user || !(await user.comparePasswordInDb(password, user.password))){
        const error = new CustomError("Incorrect email or password", 400);
        return next(error);
    }

    createSendResponse(user, 200, res);   
})

exports.protect = asyncErrorHandler(async (req, res, next)=>{
    //1. Read the token and check if it exists:
    
    // the common practice to send token with request is by using http headers with request
    const testToken = req.headers.authorization;
    let token;
    if(testToken && testToken.startsWith('Bearer')){
        token = testToken.split(' ')[1];
    }
    if(!token){
        next(new CustomError('you are not logged in', 401))
    }
    //console.log(token);

    //2. validate the token:
    const decodedToken = await util.promisify(jwt.verify)(token, process.env.JWT_SECRET_STR);
    console.log(decodedToken);

    //3. if the user exists (might be user logged in and immediately user has been delete from DB for some reason):
    const user = await User.findById(decodedToken.id);
    if(!user){
        const error = new CustomError('The user belonging to this token does no longer exist', 401)
        next(error);
    }

    const isPasswordChanged = await user.isPasswordChanged(decodedToken.iat)
    //4. if the user changed password after the token was issued:
    if(isPasswordChanged){
        const error = new CustomError('User recently changed password. Please login again', 401);
        return next(error);
    }

    //5. Allow user to access route:
    req.user = user;
    next();
})

exports.restrict = (role)=>{
    return (req, res, next)=>{
        if(req.user.role !== role){
            const error = new CustomError("You don't have permission to perform this action", 403);
            next(error);
        }
        next();
    }
}

exports.forgotPassword = asyncErrorHandler(async (req, res, next)=>{
    //1. GET USER BASED ON POSTED EMAIL:
    const user = await User.findOne({email: req.body.email});
    if(!user){
        const error = new CustomError("Couldn't find user with given email", 404);
        next(error);
    }

    //2. GENERATE A RANDOM RESET TOKEN:
    const resetToken = user.createResetPasswordToken();
    await user.save({validateBeforeSave: false});

    //3. SEND THE TOKEN BACK TO THE USER EMAIL:
    const resetUrl = `${req.protocol}://${req.get('host')}/api/v1/users/resetPassword/${resetToken}`;
    console.log(resetUrl);

    const message = `We have received a password reset request. Please use the below link to reset your password.\n\n${resetUrl}\n\nThis link is valid for 10 minutes only.`;

    try{
        await sendEmail({
            email: user.email,
            subject: "Password change request received",
            message: message
        });
        res.status(200).json({
            status: 'success',
            message: 'Password reset link sent to user email'
        })
        
    }catch(err){
        user.passwordResetToken = undefined;
        user.passwordResetToeknExpires = undefined;
        user.save({validateBeforeSave: false})

        return next(new CustomError("There was an error in sending password reset email. Please try again later.", 500))
    }
})

exports.resetPassword = asyncErrorHandler(async (req, res, next)=>{
    //1. IF THE USER EXISTS WITH THE GIVEN TOKEN & TOKEN HAS NOT EXPIRED:
    const token = crypto.createHash('sha256').update(req.params.token).digest('hex');
    const user = await User.findOne({passwordResetToken: token, passwordResetToeknExpires: {$gt: Date.now()}});

    if(!user){
        const error = new CustomError("Token is invalid or expired", 400);
        next(error);
    }

    //2. RESETING THE USER PASSWORD:
    user.password = req.body.password;
    user.passwordConfirm = req.body.passwordConfirm;

    user.passwordResetToken = undefined;
    user.passwordResetToeknExpires = undefined;
    user.passwordChangedAt = Date.now();

    console.log("reset done")

    //3. LOGIN THE USER:
    try {
        await user.save();
        
        createSendResponse(user, 200, res);
        console.log("login");
    } catch (err) {
        console.log("no login")
        return next(new CustomError(err.message, 400)); // Catch validation errors
    }
})

exports.createSendResponse = createSendResponse;


In [None]:
# Routes/authRouter.js

const express = require('express');
const authController = require('./../Controllers/authController');

const router = express.Router();

router.route('/signup').post(authController.signup);
router.route('/login').post(authController.login);
router.route('/forgotPassword').post(authController.forgotPassword);
router.route('/resetPassword/:token').patch(authController.resetPassword);

module.exports = router;

In [None]:
# Routes/userRoute.js

const express = require('express');

const authController = require('./../Controllers/authController');
const userController = require('./../Controllers/userController');

const router = express.Router();

router.route('/updatePassword').patch(authController.protect, userController.updatePassword);

module.exports = router;

# Updating current user details

In [None]:
# Routes/userRoute.js

const express = require('express');
const authController = require('./../Controllers/authController');
const userController = require('./../Controllers/userController');

const router = express.Router();

router.route('/updatePassword').patch(authController.protect, userController.updatePassword);
router.route('/updateMe').patch(authController.protect, userController.updateMe);

module.exports = router;

In [None]:
# Controllers/userController.js

const User = require('./../Models/userModel');
const asyncErrorHandler = require('./../Utils/asyncErrorHandler')
const jwt = require('jsonwebtoken');
const CustomError = require('./../Utils/CustomError');
const sendEmail = require('./../Utils/email');
const crypto = require('crypto');

const { createSendResponse } = require('./authController'); // Import the function

const util = require('util');

const filterReqObj = (obj, ...allowedFields)=>{
    const newObj = {};
    Object.keys(obj).forEach(prop=>{
        if(allowedFields.includes(prop)){
            newObj[prop] = obj[prop];
        }
    })
    return newObj;
        
}


exports.updatePassword = asyncErrorHandler(async (req, res, next)=>{
    // GET CURRENT USER DATA FROM DATABASE:
    const user = await User.findById(req.user._id).select('+password');

    // CHECK IF THE SUPPLIED CURRENT PASSWORD IS CORRECT:
    if(!(await user.comparePasswordInDb(req.body.currentPassword, user.password))){
        return next(new CustomError("Current password you provided is wrong", 401));
    }

    // IF SUPPLIED PASSWORD IS CORRECT, UPDATE USER PASSWORD WITH NEW VALUE:
    user.password = req.body.password;
    user.passwordConfirm = req.body.passwordConfirm;
    await user.save();

    // lOGIN USER & SEND JWT:
    createSendResponse(user, 200, res);
})

exports.updateMe = asyncErrorHandler(async (req, res, next)=>{
    // 1) Create error if user POSTs password data
    if(req.body.password || req.body.passwordConfirm){
        return next(new CustomError('This route is not for password updates. Please use /updatePassword', 400))
    }

    // 2) Update user document
    const filterObj = filterReqObj(req.body, 'name', 'email');
    const updatedUser = await User.findByIdAndUpdate(req.user.id, filterObj, {
        new: true,
        runValidators: true
    });

    res.status(200).json({
        status: 'success',
        data: {
            user: updatedUser
        }
    })
})


# Deleting the current user

In [None]:
# Models/userModel.js

const mongoose = require('mongoose');
const validator = require('validator');
const bcrypt = require('bcryptjs');
const crypto = require('crypto');


const userSchema = new mongoose.Schema({
    name: {
        type: String,
        required: [true, 'Please tell us your name!']
    },
    email: {
        type: String,
        required: [true, 'Please provide your email'],
        unique: true,
        lowercase: true, // not a validator, will transform email into lowercase before saving to DB
        validate: [validator.isEmail, 'Please provide a valid email']
    },
    photo: String, // store the path of photo
    role: {
        type: String,
        enum: ['user', 'admin'],
        default: 'user'
    },
    password: {
        type: String,
        required: [true, 'Please provide a password'],
        minlength: 8,
        select: false // will not show up in any output
    },
    passwordConfirm: {
        type: String,
        required: [true, 'Please confirm your password'],
        validate: {
            // This only works on CREATE and SAVE
            validator: function(val){
                return val === this.password;
            },
            message: 'Passwords are not the same!'
        }
    },
    active: {
        type: Boolean,
        default: true,
        select: false
    },
    passwordChangedAt: Date,
    passwordResetToken: String,
    passwordResetToeknExpires: Date
})

userSchema.pre('save', async function(next){
    if(!this.isModified('password')){
        return next();
    }
    this.password = await bcrypt.hash(this.password, 12);
    this.passwordConfirm = undefined; //becoz we want passwordConfirm to confirm the same value, we don't want to store it in out database
    next();
})
userSchema.methods.comparePasswordInDb = async function(pswd, pswdDB){
    return await bcrypt.compare(pswd, pswdDB);
}
userSchema.methods.isPasswordChanged = async function(JWTTimestamp){
    if(this.passwordChangedAt){
        const pswdChangedTimestamp = parseInt(this.passwordChangedAt.getTime()/1000, 10);
        console.log(pswdChangedTimestamp, JWTTimestamp);
        return JWTTimestamp < pswdChangedTimestamp;
    }
    return false;
}
userSchema.methods.createResetPasswordToken = function(){
    const resetToken = crypto.randomBytes(32).toString('hex');
    this.passwordResetToken = crypto.createHash('sha256').update(resetToken).digest('hex'); // encrypted reset token will be saved in database
    this.passwordResetToeknExpires = Date.now()+10*60*1000; // 10 minutes

    console.log(resetToken, this.passwordResetToken);

    return resetToken; // user will get plain reset token
}


const User = mongoose.model('User', userSchema);
module.exports = User;

In [None]:
# Routes/userRoute.js

const express = require('express');
const authController = require('./../Controllers/authController');
const userController = require('./../Controllers/userController');

const router = express.Router();

router.route('/updatePassword').patch(authController.protect, userController.updatePassword);
router.route('/updateMe').patch(authController.protect, userController.updateMe);
router.route('/deleteMe').patch(authController.protect, userController.deleteMe);

module.exports = router;

In [None]:
# Controllers/userController.js

const User = require('./../Models/userModel');
const asyncErrorHandler = require('./../Utils/asyncErrorHandler')
const jwt = require('jsonwebtoken');
const CustomError = require('./../Utils/CustomError');
const sendEmail = require('./../Utils/email');
const crypto = require('crypto');

const { createSendResponse } = require('./authController'); // Import the function

const util = require('util');

const filterReqObj = (obj, ...allowedFields)=>{
    const newObj = {};
    Object.keys(obj).forEach(prop=>{
        if(allowedFields.includes(prop)){
            newObj[prop] = obj[prop];
        }
    })
    return newObj;
        
}

exports.updatePassword = asyncErrorHandler(async (req, res, next)=>{
    // GET CURRENT USER DATA FROM DATABASE:
    const user = await User.findById(req.user._id).select('+password');

    // CHECK IF THE SUPPLIED CURRENT PASSWORD IS CORRECT:
    if(!(await user.comparePasswordInDb(req.body.currentPassword, user.password))){
        return next(new CustomError("Current password you provided is wrong", 401));
    }

    // IF SUPPLIED PASSWORD IS CORRECT, UPDATE USER PASSWORD WITH NEW VALUE:
    user.password = req.body.password;
    user.passwordConfirm = req.body.passwordConfirm;
    await user.save();

    // lOGIN USER & SEND JWT:
    createSendResponse(user, 200, res);
})

exports.updateMe = asyncErrorHandler(async (req, res, next)=>{
    // 1) Create error if user POSTs password data
    if(req.body.password || req.body.passwordConfirm){
        return next(new CustomError('This route is not for password updates. Please use /updatePassword', 400))
    }

    // 2) Update user document
    const filterObj = filterReqObj(req.body, 'name', 'email');
    const updatedUser = await User.findByIdAndUpdate(req.user.id, filterObj, {
        new: true,
        runValidators: true
    });

    res.status(200).json({
        status: 'success',
        data: {
            user: updatedUser
        }
    })
})

exports.deleteMe = asyncErrorHandler(async (req, res, next)=>{
    await User.findByIdAndUpdate(req.user.id, {active: false});

    res.status(204).json({
        status: 'success',
        data: null
    })
})


Currently we are simply doing soft delete by setting `active` property to `false`.

**Let's implement an api to get all user:**

In [None]:
# Controllers/userController.js

const User = require('./../Models/userModel');
const asyncErrorHandler = require('./../Utils/asyncErrorHandler')
const jwt = require('jsonwebtoken');
const CustomError = require('./../Utils/CustomError');
const sendEmail = require('./../Utils/email');
const crypto = require('crypto');

const { createSendResponse } = require('./authController'); // Import the function

const util = require('util');

exports.getAllUsers = asyncErrorHandler(async (req, res, next)=>{
    const users = await User.find();

    res.status(200).json({
        status: 'success',
        result: users.length,
        data: {
            users
        }
    })
})

const filterReqObj = (obj, ...allowedFields)=>{
    const newObj = {};
    Object.keys(obj).forEach(prop=>{
        if(allowedFields.includes(prop)){
            newObj[prop] = obj[prop];
        }
    })
    return newObj;
        
}


exports.updatePassword = asyncErrorHandler(async (req, res, next)=>{
    // GET CURRENT USER DATA FROM DATABASE:
    const user = await User.findById(req.user._id).select('+password');

    // CHECK IF THE SUPPLIED CURRENT PASSWORD IS CORRECT:
    if(!(await user.comparePasswordInDb(req.body.currentPassword, user.password))){
        return next(new CustomError("Current password you provided is wrong", 401));
    }

    // IF SUPPLIED PASSWORD IS CORRECT, UPDATE USER PASSWORD WITH NEW VALUE:
    user.password = req.body.password;
    user.passwordConfirm = req.body.passwordConfirm;
    await user.save();

    // lOGIN USER & SEND JWT:
    createSendResponse(user, 200, res);
})

exports.updateMe = asyncErrorHandler(async (req, res, next)=>{
    // 1) Create error if user POSTs password data
    if(req.body.password || req.body.passwordConfirm){
        return next(new CustomError('This route is not for password updates. Please use /updatePassword', 400))
    }

    // 2) Update user document
    const filterObj = filterReqObj(req.body, 'name', 'email');
    const updatedUser = await User.findByIdAndUpdate(req.user.id, filterObj, {
        new: true,
        runValidators: true
    });

    res.status(200).json({
        status: 'success',
        data: {
            user: updatedUser
        }
    })
})

exports.deleteMe = asyncErrorHandler(async (req, res, next)=>{
    await User.findByIdAndUpdate(req.user.id, {active: false});

    res.status(204).json({
        status: 'success',
        data: null
    })
})


In [None]:
# Routes/userRouter.js

const express = require('express');
const authController = require('./../Controllers/authController');
const userController = require('./../Controllers/userController');

const router = express.Router();

router.route('/getAllUsers').get(userController.getAllUsers);

router.route('/updatePassword').patch(authController.protect, userController.updatePassword);
router.route('/updateMe').patch(authController.protect, userController.updateMe);
router.route('/deleteMe').delete(authController.protect, userController.deleteMe);

module.exports = router;

Let's say we want get only active users:

In [None]:
# Models/userModel.js

const mongoose = require('mongoose');
const validator = require('validator');
const bcrypt = require('bcryptjs');
const crypto = require('crypto');


const userSchema = new mongoose.Schema({
    name: {
        type: String,
        required: [true, 'Please tell us your name!']
    },
    email: {
        type: String,
        required: [true, 'Please provide your email'],
        unique: true,
        lowercase: true, // not a validator, will transform email into lowercase before saving to DB
        validate: [validator.isEmail, 'Please provide a valid email']
    },
    photo: String, // store the path of photo
    role: {
        type: String,
        enum: ['user', 'admin'],
        default: 'user'
    },
    password: {
        type: String,
        required: [true, 'Please provide a password'],
        minlength: 8,
        select: false // will not show up in any output
    },
    passwordConfirm: {
        type: String,
        required: [true, 'Please confirm your password'],
        validate: {
            // This only works on CREATE and SAVE
            validator: function(val){
                return val === this.password;
            },
            message: 'Passwords are not the same!'
        }
    },
    active: {
        type: Boolean,
        default: true,
        select: false
    },
    passwordChangedAt: Date,
    passwordResetToken: String,
    passwordResetToeknExpires: Date
})

userSchema.pre('save', async function(next){
    if(!this.isModified('password')){
        return next();
    }
    this.password = await bcrypt.hash(this.password, 12);
    this.passwordConfirm = undefined; //becoz we want passwordConfirm to confirm the same value, we don't want to store it in out database
    next();
})
userSchema.pre(/^find/, function(next){
    this.find({active: {$ne: false}});
    next();
})
userSchema.methods.comparePasswordInDb = async function(pswd, pswdDB){
    return await bcrypt.compare(pswd, pswdDB);
}
userSchema.methods.isPasswordChanged = async function(JWTTimestamp){
    if(this.passwordChangedAt){
        const pswdChangedTimestamp = parseInt(this.passwordChangedAt.getTime()/1000, 10);
        console.log(pswdChangedTimestamp, JWTTimestamp);
        return JWTTimestamp < pswdChangedTimestamp;
    }
    return false;
}
userSchema.methods.createResetPasswordToken = function(){
    const resetToken = crypto.randomBytes(32).toString('hex');
    this.passwordResetToken = crypto.createHash('sha256').update(resetToken).digest('hex'); // encrypted reset token will be saved in database
    this.passwordResetToeknExpires = Date.now()+10*60*1000; // 10 minutes

    console.log(resetToken, this.passwordResetToken);

    return resetToken; // user will get plain reset token
}


const User = mongoose.model('User', userSchema);
module.exports = User;

# Using cookie for sending JWT

In [None]:
# Controllers/authController.js

const User = require('./../Models/userModel');
const asyncErrorHandler = require('./../Utils/asyncErrorHandler')
const jwt = require('jsonwebtoken');
const CustomError = require('./../Utils/CustomError');
const sendEmail = require('./../Utils/email');
const crypto = require('crypto');

const util = require('util');

const signToken = id=>{
    return jwt.sign({ id }, process.env.JWT_SECRET_STR, {
        expiresIn: process.env.LOGIN_EXPIRES
    })
}
const createSendResponse = (user, statusCode, res)=>{
    const token = signToken(user._id);

    const options = {
        maxAge: process.env.LOGIN_EXPIRES,
        httpOnly: true
    }
    if(process.env.NODE_ENV === 'production'){
        options.secure = true;
    }
    res.cookie('jwt', token, options);
    user.password = undefined;

    res.status(statusCode).json({
        status: 'success',
        token,
        data: {
            user
        }
    })
}

exports.signup = asyncErrorHandler(async (req, res, next) =>{
    const newUser = await User.create(req.body);

    createSendResponse(newUser, 201, res);
});

exports.login = asyncErrorHandler(async (req, res, next)=>{

    const email = req.body.email;
    const password = req.body.password;
    //const {email, password} = req.body;

    //check if email and password is present in request body
    if(!email || !password){
        const error = new CustomError("Please provide email and password for login", 400);
        return next(error);
    }

    //check if user exists with given email
    const user = await User.findOne({ email }).select('+password');

    //check if the user exists and password matches
    if(!user || !(await user.comparePasswordInDb(password, user.password))){
        const error = new CustomError("Incorrect email or password", 400);
        return next(error);
    }

    createSendResponse(user, 200, res);   
})

exports.protect = asyncErrorHandler(async (req, res, next)=>{
    //1. Read the token and check if it exists:
    
    // the common practice to send token with request is by using http headers with request
    const testToken = req.headers.authorization;
    let token;
    if(testToken && testToken.startsWith('Bearer')){
        token = testToken.split(' ')[1];
    }
    if(!token){
        next(new CustomError('you are not logged in', 401))
    }
    //console.log(token);

    //2. validate the token:
    const decodedToken = await util.promisify(jwt.verify)(token, process.env.JWT_SECRET_STR);
    console.log(decodedToken);

    //3. if the user exists (might be user logged in and immediately user has been delete from DB for some reason):
    const user = await User.findById(decodedToken.id);
    if(!user){
        const error = new CustomError('The user belonging to this token does no longer exist', 401)
        next(error);
    }

    const isPasswordChanged = await user.isPasswordChanged(decodedToken.iat)
    //4. if the user changed password after the token was issued:
    if(isPasswordChanged){
        const error = new CustomError('User recently changed password. Please login again', 401);
        return next(error);
    }

    //5. Allow user to access route:
    req.user = user;
    next();
})

exports.restrict = (role)=>{
    return (req, res, next)=>{
        if(req.user.role !== role){
            const error = new CustomError("You don't have permission to perform this action", 403);
            next(error);
        }
        next();
    }
}

exports.forgotPassword = asyncErrorHandler(async (req, res, next)=>{
    //1. GET USER BASED ON POSTED EMAIL:
    const user = await User.findOne({email: req.body.email});
    if(!user){
        const error = new CustomError("Couldn't find user with given email", 404);
        next(error);
    }

    //2. GENERATE A RANDOM RESET TOKEN:
    const resetToken = user.createResetPasswordToken();
    await user.save({validateBeforeSave: false});

    //3. SEND THE TOKEN BACK TO THE USER EMAIL:
    const resetUrl = `${req.protocol}://${req.get('host')}/api/v1/users/resetPassword/${resetToken}`;
    console.log(resetUrl);

    const message = `We have received a password reset request. Please use the below link to reset your password.\n\n${resetUrl}\n\nThis link is valid for 10 minutes only.`;

    try{
        await sendEmail({
            email: user.email,
            subject: "Password change request received",
            message: message
        });
        res.status(200).json({
            status: 'success',
            message: 'Password reset link sent to user email'
        })
        
    }catch(err){
        user.passwordResetToken = undefined;
        user.passwordResetToeknExpires = undefined;
        user.save({validateBeforeSave: false})

        return next(new CustomError("There was an error in sending password reset email. Please try again later.", 500))
    }
})

exports.resetPassword = asyncErrorHandler(async (req, res, next)=>{
    //1. IF THE USER EXISTS WITH THE GIVEN TOKEN & TOKEN HAS NOT EXPIRED:
    const token = crypto.createHash('sha256').update(req.params.token).digest('hex');
    const user = await User.findOne({passwordResetToken: token, passwordResetToeknExpires: {$gt: Date.now()}});

    if(!user){
        const error = new CustomError("Token is invalid or expired", 400);
        next(error);
    }

    //2. RESETING THE USER PASSWORD:
    user.password = req.body.password;
    user.passwordConfirm = req.body.passwordConfirm;

    user.passwordResetToken = undefined;
    user.passwordResetToeknExpires = undefined;
    user.passwordChangedAt = Date.now();

    console.log("reset done")

    //3. LOGIN THE USER:
    try {
        await user.save();
        
        createSendResponse(user, 200, res);
        console.log("login");
    } catch (err) {
        console.log("no login")
        return next(new CustomError(err.message, 400)); // Catch validation errors
    }
})

exports.createSendResponse = createSendResponse;

Now JWt is being sent with http cookie and this will allow us to prevent any cross-site scripting attack which will try to read JWT. 

# Implementing rate limiting

By implementing rate limiting, we restrict same IP address from making too many requests to the server in a given period of time.

In [None]:
# app.js

const express = require('express');
const fs = require('fs');
const morgan = require('morgan');
const rateLimit = require('express-rate-limit'); # npm install express-rate-limit

const moviesRouter = require('./Routes/moviesRoutes');
const CustomError = require('./Utils/CustomError');
const globalErrorHandler = require('./Controllers/errorController');
const authRouter = require('./Routes/authRouter');
const userRoute = require('./Routes/userRoute');


let app = express();

let limiter = rateLimit({
    max: 3,
    windowMs: 60 * 60 * 1000, // 1hour
    message: 'Too many requests from this IP, please try again in an hour'
})
app.use('/api', limiter);


const logger = function(req, res, next){
    console.log("custom  middleware called");
    next();
}

app.use(express.json());

if(process.env.NODE_ENV === 'development'){
    app.use(morgan('dev'));
}

app.use(express.static('./public'))
app.use(logger);
app.use((req, res, next) => {
    req.requestedAt = new Date().toISOString();
    next();
})

app.use('/api/v1/movies', moviesRouter);
app.use('/api/v1/auth', authRouter);
app.use('/api/v1/user', userRoute);

app.all('*', (req, res, next)=>{
    // res.status(404).json({
    //     status: 'fail',
    //     message: `Can't find ${req.originalUrl} on this server`
    // })
    // const err = new Error(`Can't find ${req.originalUrl} on this server`);
    // err.status = 'fail';
    // err.statusCode = 404;
    const err = new CustomError(`Can't find ${req.originalUrl} on this server`, 404);
    next(err);
})

app.use(globalErrorHandler);

module.exports = app;

# Setting security HTTP headers

Helmet helps secure express app by setting HTTP response headers.

In [None]:
# app.js

const express = require('express');
const fs = require('fs');
const morgan = require('morgan');
const rateLimit = require('express-rate-limit');
const helmet = require('helmet');

const moviesRouter = require('./Routes/moviesRoutes');
const CustomError = require('./Utils/CustomError');
const globalErrorHandler = require('./Controllers/errorController');
const authRouter = require('./Routes/authRouter');
const userRoute = require('./Routes/userRoute');


let app = express();

app.use(helmet());

let limiter = rateLimit({
    max: 3,
    windowMs: 60 * 60 * 1000, // 1hour
    message: 'Too many requests from this IP, please try again in an hour'
})
app.use('/api', limiter);


const logger = function(req, res, next){
    console.log("custom  middleware called");
    next();
}

app.use(express.json({limit: '10kb'})); # amount of data that our apis will accept in request body

if(process.env.NODE_ENV === 'development'){
    app.use(morgan('dev'));
}

app.use(express.static('./public'))
app.use(logger);
app.use((req, res, next) => {
    req.requestedAt = new Date().toISOString();
    next();
})

app.use('/api/v1/movies', moviesRouter);
app.use('/api/v1/auth', authRouter);
app.use('/api/v1/user', userRoute);

app.all('*', (req, res, next)=>{
    // res.status(404).json({
    //     status: 'fail',
    //     message: `Can't find ${req.originalUrl} on this server`
    // })
    // const err = new Error(`Can't find ${req.originalUrl} on this server`);
    // err.status = 'fail';
    // err.statusCode = 404;
    const err = new CustomError(`Can't find ${req.originalUrl} on this server`, 404);
    next(err);
})

app.use(globalErrorHandler);

module.exports = app;

In `app.use(express.json({limit: '10kb'}));` this line of code,  passing `{{limit: '10kb'})` allow us to prevent denial of service attack.

# Data sanitization

We can add more security in our express app by doing data sanitization which we receive in the request body. 

An attacker can send malicious data with request body which can harm the application. so before using request data we might want to sanitize it.

Data sanitization simply means to clean all the data that is coming from a malicious code that is the code which is trying to attack our application.

malicious data can come to request body in two ways: By injecting a no SQL query in the request body OR By injecting some malicious JavaScript code with the HTML.

An attacker can pass some NoSQL query which can delete all the data in database or in a collection or which can read all the user details from the database or it can do something which can harm our application. So we need to avoid any NoSQL query injection in the request body.

So for that what we need to do is we need to take request data and we need to sanitize it.

In [None]:
# app.js

const express = require('express');
const fs = require('fs');
const morgan = require('morgan');
const rateLimit = require('express-rate-limit');
const helmet = require('helmet');
const sanitize = require('express-mongo-sanitize');
const xss = require('xss-clean');

const moviesRouter = require('./Routes/moviesRoutes');
const CustomError = require('./Utils/CustomError');
const globalErrorHandler = require('./Controllers/errorController');
const authRouter = require('./Routes/authRouter');
const userRoute = require('./Routes/userRoute');


let app = express();

app.use(helmet());

let limiter = rateLimit({
    max: 3,
    windowMs: 60 * 60 * 1000, // 1hour
    message: 'Too many requests from this IP, please try again in an hour'
})
app.use('/api', limiter);


const logger = function(req, res, next){
    console.log("custom  middleware called");
    next();
}

app.use(express.json({limit: '10kb'})); // amount of data that our apis will accept in request body

app.use(sanitize()); # prevent NoSQL query injection problem
app.use(xss())

if(process.env.NODE_ENV === 'development'){
    app.use(morgan('dev'));
}

app.use(express.static('./public'))
app.use(logger);
app.use((req, res, next) => {
    req.requestedAt = new Date().toISOString();
    next();
})

app.use('/api/v1/movies', moviesRouter);
app.use('/api/v1/auth', authRouter);
app.use('/api/v1/user', userRoute);

app.all('*', (req, res, next)=>{
    // res.status(404).json({
    //     status: 'fail',
    //     message: `Can't find ${req.originalUrl} on this server`
    // })
    // const err = new Error(`Can't find ${req.originalUrl} on this server`);
    // err.status = 'fail';
    // err.statusCode = 404;
    const err = new CustomError(`Can't find ${req.originalUrl} on this server`, 404);
    next(err);
})

app.use(globalErrorHandler);

module.exports = app;

# Preventing parameter pollution

Let's say we want ot sort movie by duration and price and for that we will have make request: `{{url}}/api/v1/movies/?sort=duration&sort=price`

When we send this request, we will get an error

In [None]:
# app.js

const express = require('express');
const fs = require('fs');
const morgan = require('morgan');
const rateLimit = require('express-rate-limit');
const helmet = require('helmet');
const sanitize = require('express-mongo-sanitize');
const xss = require('xss-clean');
const hpp = require('hpp');

const moviesRouter = require('./Routes/moviesRoutes');
const CustomError = require('./Utils/CustomError');
const globalErrorHandler = require('./Controllers/errorController');
const authRouter = require('./Routes/authRouter');
const userRoute = require('./Routes/userRoute');


let app = express();

app.use(helmet());

let limiter = rateLimit({
    max: 30,
    windowMs: 60 * 60 * 1000, // 1hour
    message: 'Too many requests from this IP, please try again in an hour'
})
app.use('/api', limiter);


const logger = function(req, res, next){
    console.log("custom  middleware called");
    next();
}

app.use(express.json({limit: '10kb'})); // amount of data that our apis will accept in request body

app.use(sanitize()); // prevent NoSQL query injection problem
app.use(xss())
app.use(hpp({whitelist: ['duration', 'ratings', 'releaseYear', 'releaseDate', 'genres', 'directors', 'actors', 'price']})) // prevent parameter pollution

if(process.env.NODE_ENV === 'development'){
    app.use(morgan('dev'));
}

app.use(express.static('./public'))
app.use(logger);
app.use((req, res, next) => {
    req.requestedAt = new Date().toISOString();
    next();
})

app.use('/api/v1/movies', moviesRouter);
app.use('/api/v1/auth', authRouter);
app.use('/api/v1/user', userRoute);

app.all('*', (req, res, next)=>{
    // res.status(404).json({
    //     status: 'fail',
    //     message: `Can't find ${req.originalUrl} on this server`
    // })
    // const err = new Error(`Can't find ${req.originalUrl} on this server`);
    // err.status = 'fail';
    // err.statusCode = 404;
    const err = new CustomError(`Can't find ${req.originalUrl} on this server`, 404);
    next(err);
})

app.use(globalErrorHandler);

module.exports = app;