1
00:00:03,080 --> 00:00:06,920
Welcome back. Security is a very very important thing on the web.

2
00:00:07,280 --> 00:00:14,360
And as developers we have a responsibility to make sure that whatever user information we get we handle

3
00:00:14,360 --> 00:00:17,160
it with care in a secure fashion.

4
00:00:18,770 --> 00:00:27,160
And up until now I have shown you how to do a simple Sign In setup but I haven't really shown you a secure

5
00:00:27,160 --> 00:00:28,820
way of doing that.

6
00:00:30,190 --> 00:00:32,810
And in this video I'm going to talk about bcrypt-nodejs.

7
00:00:32,890 --> 00:00:39,560
And bcrypt is a library that is very very powerful.

8
00:00:40,660 --> 00:00:45,500
It allows us to create a very secure login.

9
00:00:45,500 --> 00:00:46,650
Now what does that mean?

10
00:00:46,970 --> 00:00:49,000
Let me show you.

11
00:00:49,120 --> 00:00:58,160
Up until now we had 'password' just in plain text. In real life

12
00:00:58,250 --> 00:01:06,800
we are never ever storing passwords as plain text like this, just like a string in our database.

13
00:01:08,530 --> 00:01:16,300
This is exactly how companies get hacked and users' passwords get released when they store them like this.

14
00:01:16,300 --> 00:01:24,040
We want to store passwords in something called hashes and I'll get to what that is in a second but I

15
00:01:24,040 --> 00:01:31,540
want to change the database around to show you a more realistic look of how things will be stored.

16
00:01:31,540 --> 00:01:35,680
You see in our database we can have something perhaps like

17
00:01:39,730 --> 00:01:46,910
'login:' and this login will contain an array of objects

18
00:01:50,590 --> 00:01:51,760
that has an 'id:'

19
00:01:51,880 --> 00:02:05,320
let's just say '987' with the hash, which will be empty for now, and then an email, and this e-mail will just

20
00:02:05,590 --> 00:02:08,150
reference john@gmail.com.
21
00:02:08,229 --> 00:02:12,480
This is something that we'll get more into as we talk about databases.

22
00:02:12,680 --> 00:02:18,230
But I want to show you – I want to demonstrate this point to you.

23
00:02:18,380 --> 00:02:27,920
In order for us to handle the sensitive information, that is, if John let's say enters our site and wants

24
00:02:27,920 --> 00:02:40,010
to do a Sign In he's going to give us his email plus his password, which is 'cookies'. Now, he is trusting

25
00:02:40,010 --> 00:02:41,490
us with this information.

26
00:02:41,690 --> 00:02:47,360
And the very first thing we want to do is – well we're definitely not going to add it as a query string

27
00:02:47,720 --> 00:02:52,020
in a GET request – we're going to add it to a POST request.

28
00:02:52,040 --> 00:02:55,530
So it's in the body of the request.

29
00:02:55,940 --> 00:02:59,220
We also want to send it over HTTPS.

30
00:02:59,420 --> 00:03:01,750
That is something that requires a certificate.

31
00:03:02,180 --> 00:03:08,690
And we're not going to get into that but we definitely want to include it through an HTTPS request so

32
00:03:08,690 --> 00:03:12,110
that it's encrypted. When he sends 'cookies'

33
00:03:12,260 --> 00:03:20,510
it's going to get jumbled up and nobody in the middle can see this, or they'll be able to see it but

34
00:03:20,510 --> 00:03:22,210
they won't understand what it means.

35
00:03:22,520 --> 00:03:30,750
And only the server, once it receives this password, can actually understand that this stands for 'cookies'.

36
00:03:32,100 --> 00:03:34,110
All right, so one is HTTPS.

37
00:03:34,150 --> 00:03:38,010
The second thing is, how do we store that password?

38
00:03:39,230 --> 00:03:47,430
Well we store it in a hash, and bcrypt, the package that I was just talking about, allows us to do this.

39
00:03:47,480 --> 00:03:52,230
Let me just download this package and show you how it works.

40
00:03:58,680 --> 00:03:59,250
There you go.
41
00:03:59,430 --> 00:04:07,300
Now with bcrypt installed you can see over here that it has a few things we can use and I'm going to copy and paste

42
00:04:07,300 --> 00:04:14,770
this and move some of this stuff around.

43
00:04:14,770 --> 00:04:16,440
I'm actually going to put this at the bottom.

44
00:04:20,490 --> 00:04:25,030
bcrypt gives us a way to hash a password

45
00:04:27,940 --> 00:04:29,650
and a way to compare

46
00:04:32,210 --> 00:04:35,970
passwords or hashes. But what does that mean?

47
00:04:36,070 --> 00:04:40,850
Let's go one by one.

48
00:04:41,030 --> 00:04:43,880
If I grab this function and in our '/signin'

49
00:04:46,770 --> 00:04:55,530
or sorry, I guess in our '/register' because that's when we give our password. In our '/register' when we run

50
00:04:57,620 --> 00:05:01,410
'bcrypt.hash' and instead of 'bacon'

51
00:05:01,420 --> 00:05:04,450
this is what we pass as the user's password

52
00:05:04,660 --> 00:05:11,640
– if we pass the password here, well we have a couple of parameters that they give us

53
00:05:11,640 --> 00:05:13,240
and these are options that we can enter.

54
00:05:13,260 --> 00:05:15,200
For now we'll just leave it the way it is.

55
00:05:18,840 --> 00:05:28,050
If I 'console.log' the hash that we receive in this function – so bcrypt is going to hash the password

56
00:05:28,410 --> 00:05:33,780
and then return this hash – we're going to just say 'hash'.

57
00:05:33,840 --> 00:05:35,550
All right so let's just see what happens here.

58
00:05:35,580 --> 00:05:37,980
I'm going to Save. Then I'll run

59
00:05:37,980 --> 00:05:44,000
'npm start', going back to our Postman.

60
00:05:44,160 --> 00:05:48,830
If I do '/register' with Ann – I'm going to click Send

61
00:05:51,940 --> 00:05:56,070
and I get 'bcrypt is not defined' because I haven't included it here.
62
00:05:56,080 --> 00:06:02,090
Let's do that, let's do 'const bcrypt = require('bcrypt-nodejs')'

63
00:06:05,360 --> 00:06:08,750
-

64
00:06:08,740 --> 00:06:12,730
Let's save that and try that again.

65
00:06:12,840 --> 00:06:13,870
I'm going to click send.

66
00:06:15,900 --> 00:06:28,030
We go back to the console – do you see that? We just got a hash and that is what a hash function does.

67
00:06:32,820 --> 00:06:44,030
A hash function takes a string and jumbles it up in a way that there's no way I'm going to be able to

68
00:06:44,030 --> 00:06:50,650
figure out that this [the hash] stands for the password 'cookies', and hash functions are one way.

69
00:06:50,970 --> 00:06:57,140
That is, you can enter 'cookies' and you'll get this but you'll never be able to go back.

70
00:06:57,620 --> 00:07:03,930
And the other quality of hash functions is that if I now do this again with password – Oh I guess the

71
00:07:03,930 --> 00:07:05,870
password for Ann was 'apples'

72
00:07:05,880 --> 00:07:14,460
– if I click send, I go back, I see that the hash the first time and the second time are different.

73
00:07:14,460 --> 00:07:19,920
And although hash functions actually always return the same thing for the same value, bcrypt is a

74
00:07:19,920 --> 00:07:25,800
little bit more secure than that and adds a bit of other magic to make sure that it's impossible to

75
00:07:25,950 --> 00:07:27,940
ever figure out what the password is.

76
00:07:27,960 --> 00:07:37,270
But now we can store this hash – this jumbled up value – in our database in here for the login, and anytime

77
00:07:37,320 --> 00:07:43,560
we do sign in we want to check if the user's passwords match.
78
00:07:43,890 --> 00:07:47,800
Well now – let me remove this

79
00:07:47,940 --> 00:07:48,600
– we have

80
00:07:52,130 --> 00:07:53,940
– let's go to '/signin' and at the top

81
00:07:57,130 --> 00:08:05,090
we can compare the hashes, so grabbing the hash that we had before – let's use this one

82
00:08:05,390 --> 00:08:07,230
or let's use the latest one that we got.

83
00:08:08,160 --> 00:08:09,330
I will replace this.

84
00:08:09,330 --> 00:08:18,450
It's going to look pretty ugly but I'm going to replace this hash with this long string and I'm going

85
00:08:18,450 --> 00:08:19,230
to compare

86
00:08:21,650 --> 00:08:26,170
'apples' because that's what Ann's password is.

87
00:08:26,240 --> 00:08:31,480
If I compare 'apples' to this hash – let's console.log.

88
00:08:32,679 --> 00:08:34,480
'first guess'

89
00:08:38,230 --> 00:08:42,730
we'll have the response again

90
00:08:42,860 --> 00:08:46,970
– that is what we receive after bcrypt does this.

91
00:08:47,140 --> 00:08:52,380
And the second time around we'll also do a 'console.log' with the wrong password, which is 'veggies'

92
00:08:57,560 --> 00:09:04,480
and this will be the 'second guess'.

93
00:09:04,510 --> 00:09:06,640
Let's go do a Sign In.

94
00:09:06,640 --> 00:09:11,990
It doesn't really matter what it is because we're not really worried about a response.

95
00:09:13,330 --> 00:09:21,180
And I get an error saying hash is not defined because I haven't updated this hash to what we just

96
00:09:21,180 --> 00:09:21,930
copied before.

97
00:09:21,930 --> 00:09:23,230
So let me do that.

98
00:09:26,480 --> 00:09:27,080
There you go.

99
00:09:28,860 --> 00:09:30,980
Let me go back, click Send.

100
00:09:32,320 --> 00:09:34,110
If I look back here I get

101
00:09:34,120 --> 00:09:36,160
'first guess is true'

102
00:09:36,370 --> 00:09:39,920
that is, 'apples' equals this hash

103
00:09:39,940 --> 00:09:45,310
they gave us, but 'veggies' does not equal the hash that they gave us there.
104
00:09:48,400 --> 00:09:53,830
Let me close that a little bit. And bcrypt is really really powerful.

105
00:09:53,840 --> 00:09:59,780
We're going to use this when we actually implement a database for our registration. Using bcrypt, which

106
00:09:59,780 --> 00:10:07,730
is a tried and tested hashing package, we can safely store users' information, users' passwords, in our

107
00:10:07,730 --> 00:10:14,840
database, and nobody – even if hackers access our database – they'll have a very hard time getting

108
00:10:14,840 --> 00:10:16,500
the user passwords.

109
00:10:17,300 --> 00:10:22,370
They may be able to get their email addresses but never our passwords, and we'll implement that in our

110
00:10:22,370 --> 00:10:25,770
database using bcrypt.

111
00:10:25,830 --> 00:10:29,940
But I really want to emphasize this point because security is really important.

112
00:10:30,930 --> 00:10:37,570
Always send any sensitive information from the front-end to the back-end using HTTPS

113
00:10:38,550 --> 00:10:48,960
in a POST body, and if you get something like a password, the way you store it in the database is using

114
00:10:48,960 --> 00:10:51,820
something like bcrypt to generate a hash,

115
00:10:52,140 --> 00:11:00,220
and every time a user signs in, check that hash against whatever the user inputted. In the next part I've

116
00:11:00,250 --> 00:11:01,210
left for you

117
00:11:01,330 --> 00:11:08,830
a security article that I wrote that may be a little bit advanced but I think covers the best way for

118
00:11:08,830 --> 00:11:14,710
you to store user passwords – something that is overlooked quite often but again very very important if

119
00:11:14,710 --> 00:11:18,100
you want to be that top developer.

120
00:11:18,180 --> 00:11:19,770
I'll see you in the next one. Bye-bye