Name: Node.jsのユーザー認証を構築する - パスワードログイン (Build Node.js User Authentication - Password Login)
Uploaded: 2021-01-14T10:42:23.000Z
Duration: 13 min 31 s
Description: VoiceTubeの動画で発音を聞きながら英語表現を覚えよう！学べる英語：

法助動詞 A2

user authentication is crucial to every single website out there, but it can be difficult to build a secure user authentication system.

現在進行形

So in today's video, I'm gonna walk you through all the cryptography and security steps you need to take to build your own log in system using Know Js.

And it is your first time around on this channel.

Make sure you subscribe for more videos where I simplify the web for you to get started.

I just have a blank project open and the first thing we want to do is initialize that using MPM so we can take an M.

P m on it and we put Dash, why is just going to give us all default values for a Pakistani?

And the next thing we need to do is actually install the packages we're gonna use for creating our express server.

So we need express, which we're going to create a server with.

We're also gonna need be crypt, which is going to allow us to do all of our cryptography and securing of our passwords hashes after that's done in stolen.

We're going to install another package which is called Node Mon, which will allow us to restart our server automatically without having to manually.

Carrot crashed our server and then restarted.

So we just type in N p M I Dash, dash save Dev node mon.

And this is just a Deb dependency because we only are going to be using this when we're developing our site.

And as I said, as any time we make a change to our site, it's going to automatically refresh our server for us.

And once that's done being downloaded, we're gonna create a script that's going to allow us to start our server using no demon.

So to do that, we could just come in here, create a script called Deb start.

We just want to set that equal to hear Nude mon, and we're gonna call server dot Js, which is the file we're gonna save our server into on the current moved this test script since we're not gonna use that, and we can close out this package dot Jason and create that service I Js file just like this.

And in here we actually want to set up express.

So we're gonna get expressed first by saying const Express is equal to require express is gonna pull in the express library and we want to get the app before that's we're gonna say contact is equal to running that express function next week in Just say, ap dot listen on port 3000 and then just save that and we can run and PM run, Debs start.

And that's going to start up our server on Port 3000.

But it's not gonna do anything because we don't have any route set up.

We're gonna create a rabbit here, but you're gonna be apt.

I get it is we're getting all of our users.

And when you create a real application, you're not gonna wanna have a route that exposes your user's password information.

But for testing purposes and to show you how this works, we're gonna create this users route, so she's gonna be at slash users, and it's going to come in here with a request and a response.

And all we're gonna do is we just want to send that users.

So we're gonna say response dot Jason and we want to send our users so it's created users variable or we're gonna store users in a real application you would most like.

We want to store this in a database somewhere, but for testing purposes, just a local variable will be just fine.

Now, in order to actually test to make sure AP eyes working was great.

We're gonna call it request dot rest and I'm using the package, which is over here.

It's called Rest Client and this allows me to make rest request inside GS code.

If you want, you can use a package or a applications such as postman to make these request outside of your i de text editor.

But I prefer to do this in the text editor since easiest and what we want to do is we want to get riposte, which is going to be at local host 3000.

They're gonna make sure it's a slash slash and we want to go 3000 users and we could just send this request here and you can see it's going to get an empty array of users because Right now, we have no users in our ray.

And if we wanted to add something, for example, we added a user.

But the name of name and we re run this, send the request.

So we know that this is working properly.

What's default this back to an empty array.

Now, with any form of user authentication system, we need to have a way to create users.

So we're going to use a post request for that will say at Post, and we're gonna post to slash users again.

We're gonna get that request and the response in here as our function And in here, we need to do all of our code for creating the user, hashing the password that they sent to us and saving it inside of this variable here.

So let's go over and emulate what our response is going to look like.

We're just gonna say post here http slash slash local host 3000 and we want to just post to users.

And of course, we want to make sure that the content type here is going to be for Jason's.

We're gonna say application slash Jason and essentially all we're gonna do is we're gonna pass a name.

We're gonna say Kyle, for example, and then we want to pass a password as well.

There's gonna be in the password variable, and we're gonna pass along the password of password just for testing purposes.

And essentially, we're gonna pass this tour server, and we want to convert this into a user in our users variable here and now.

The first thing you may be thinking is why not just put that directly into the users So we could just say request stop body dot name, name so we could get a variable here.

User is going to be equal to the name just like this, and the password is going to be the same thing.

And now you may be thinking that's perfectly fine.

And we want to make sure that we're actually able to accept Jason so we could just say app that use express dot Jason, just like this is real.

Our application to accept Jason and then we just want to say resident status status set that equal to 201 and just sent a blank response back down to the user.

Now, if we come over here and test this, you're gonna see it says it was created, sent us a blank response.

And if we check over users, you see that our users being saved here.

But the problem is, is our password here is stored in plain text.

If anyone gets access to our database in any way, they have all of the passwords and user names for every single user.

We want to make sure that our passwords are hash, so that even if someone gets access to our database, they won't actually know what the user's passwords are.

Let's go back over to our server and require be crypt.

So we're gonna create a variable here, be Crips.

And that's just going to be equal to require that library of decrypt just like this and to hash a password, we need to have two steps we need to number one.

Create assault And then we need to use that salt along with the password to create a hashed password.

And the purpose of the salt is if we have a normal password, let's just say that we take the string here.

We want it through some kind of algorithm.

We just say a function called hash just like this and that is going to respond and return to us something.

For example, let's just say it returns to us a password that are a hash password that looks like this.

Now, if we hash that exact same password later, it's going to return to us the exact same string.

Which means if multiple users have the same password, they're going to have the exact same hash in our database, which makes it easy.

If a potential malicious person gets access to our database and they cracked one password, they're able to crack every other password that looks exactly the same and has the same hash.

So the way assault works is we hashed our password, but what we do is we take some kind of salt and we add it to the beginning of our password before we hash it and this salt is different for every single user.

Which means that when we hashed our password, it may look like this.

And then if we come down here and hash a new password, we're gonna use a different salt.

And the hash for that password is going to look completely different.

Even though the passwords are exactly the same, this just makes it so that your database is more secure.

If someone gets access to it and they're not able to hash and break people's passwords because we have this salt on, we just need to make sure we store the salt along with the password.

So when the user tries to log in, we can use the same salt when we hash the password.

And luckily be crypt takes care of all of this for us.

So let's just delete all this code here on.

We actually want to use be crypt, which is an asynchronous library.

So let's make sure we use an asynchronous functioning here and we're gonna use a try catch, and the first thing we want to do is we want to generate assault.

So what is going to say Consul To is going to be equal to decrypt dot jen salt, and it's just not gonna take any primaries.

This is going to be 10 and the larger you make this number, the longer it's going to take to make the hash.