How to Create a Secure REST API with Node.js and Express



✅ Project files

💬 Let’s connect:

Twitter – @VLabStudio
GitHub – VLabStudio

✅ Information about me:

Name: Vincent
Country: Sweden
Age: 22

Comments
Author

Excellent tutorial. However, if I am to be nitpicking, you may want to change "ok" to "success".
It does the exact same thing, but the industry as a whole has decided that "success" is the word to use to verify a request.

Personally, I don't think it matters, but if you use standard nomenclature when writing demos for job applications, you are far more likely to get the job.

The mindset behind the code is still 100% correct though. We don't just send a different key, like "not_ok" or "unsuccessful", but rather flip "success"/"ok" to false if it failed.
This is because some failures won't send any response at all, so even if there is a communications error, you can still just look for if that "success" is true on the receiving end. It either being false or not existing at all will both then produce the error message.

If you want to go a bit more advanced, you can also add an error array with the error code, a user-friendly message to display front-end and a dev-friendly message to display in the log. Though don't have your code rely on this error array existing, as a communications error will not produce it.

morphman
Author

It's really rare to find tutorials like this one: simple, with a great explanation and straight to the point, without using tons of unnecessary libraries and tools that would make the video much longer and more complicated for no reason. Thanks!

mohanedmohsen
Author

Hey Vincent! It's been a while, but this looks really interesting! Looking forward to the premiere of it!

samuelhuang
Author

Good work man, you have a talent. Keep making videos; if you upload consistently, great things will happen.

josecoverlessons
Author

Keep on filming, those tutorials are great! Your channel will blow up eventually.

domentrontelj
Author

Looking forward to your next new video 😃

goldfishbrainjohn
Author

Great video! Simple and to the point with all the relevant information.
The client side would be very interesting to see with one of the common frameworks out there.

puito
Author

You shouldn't send the token to the server through a header, because that means the token will need to be stored somewhere on the client side.
You need to use a secure httpOnly cookie for that. Only the web browser can access it, and not the JavaScript, preventing against XSS attacks.
That's an OWASP recommendation.

EmmanuelIstace
Author

Great video! Just that I checked the video again and the question is solved xD

rayoseldev
Author

Thanks for the video! How can one handle the token? With Google sign-in? Do we store the token from Google directly?

BaneCodes
Author

Video is great... but yeah, you could have explained more on the auth route and auth.js. Keep creating awesome videos and subscribers will turn into large numbers...

tushaar
Author

The error I'm getting while starting the server is when using the middleware for routes/messages.js: when I do router.get('/', [auth, admin (or any role)], (req, res) => { ... }) I'm getting an error, I guess because the middleware is using an object instead of a function. Is there anything that can be done?

baibhavkc
Author

In the demo you have shown the POST call from Postman; I see a header specified, but you never showed the header. I am not sure if it matters, but I am getting a 400 error on the first POST to get the token.

siarheiish
Author

Hello Vincent, I've got a question to ask: what's stopping the guys from just taking the token and then using Postman to change data with it?

naufaldbei
Author

What is middleware in this app's context?

ordered_saddle
Author

Can you make videos about part 2? I really need user validation and database tutorials for my project. It's hard to find out the most secure way to do all these things, and your tutorials are super. I have your channel on notification; I'll watch as soon as it comes out!!!!

andyqu
Author

Awesome video!! I'm the same age as you. Really respect!!

phamuyen
Author

And how can I encrypt the data sent to and received from the server? Anyone can enter my app with a fake name and password just by changing the server response from ok:false to ok:true. This can be easily done using Burp Suite.

MsSoldadoRaso
Author

Bcrypt hashes the password; it's not encryption.

introduction
Author

I tried this, and when I send in the email and pw (I redid the token every time) the Node server ends and points to
"if (!user) throw new Error("Invalid email or password.");" in routes/auth.js. All packages are installed and up to date. I pretty much followed through this entire video and checked against your git code, so I'm not sure where I went wrong, or can it be Express that's causing problems?

donaskmey