Damn... My head almost exploded because I tried to understand how the heck a middleware (express-session) can set a header (Set-Cookie) in a router (register) while that middleware has been defined BEFORE our router.
After 45 mins of digging into the express-session source code, I found it (express-session) uses a library called "on-headers" which creates listeners which are executed when a response is about to write headers; a kind of interceptor (for Angular people).
In fact, the only way to succeed in it without using the previous method would have been to use a middleware after the definition of our routes, and it would force us to call the nextFunction in every route/router.
Well, that's a BIT tricky...
Alex you are a great developer. Congrats!
your hairstyle is like a closed curly bracket ❤️
You have the best content on the whole of YouTube. Please don't stop producing it. I am still waiting for you to continue the GraphQL course. I will be happy to see you on Udemy, too.
Thanks a lot, I appreciate that. Currently going through tumultuous times in my personal life (yet again), but this channel is a long-term investment, and I'll never stop producing content one way or another. Always happy to share new things I learn.
Very useful topic and great explanation.
Thank you for the amazing content, the best course I have ever seen...
I wonder where and how you got so much knowledge...
Working in the industry for a few years. I'm not even at the level of a library maintainer or a core engineer. Just an amateur.
Will an in-memory session store using connect-mongo work across multiple backend instances?
I want to point out that you have to use the data returned from the validateAsync function instead of req.body.
Thank you for making these videos !!
tks
Pro level content, as always.
Thanks a lot brother for sharing your knowledge.
Wish you used React as the frontend..
So great! So easy! Perfect tutorial! Thanks!
Do we really need the guest (isLoggedIn) middleware? Is it good practice or just for demonstration purposes?
Conceptually, a user may only register if they are a guest. That is, if they are already logged in (based on the cookie or token that was sent in the request to /register), that means they have already registered in the past, so they don't need to (and should not be able to, for data integrity) sign up again.
Happy to see that you're making new content! How would you handle "logout of all sessions" for a specific user? Seems like this is a missing feature of connect-redis/express-session.
Haven't tried it yet, but a plan of attack that I have is to store every sessionId on login in a database and relate this to the userId. If the user requests a "logout of all devices", we could look up the session ids and delete them from Redis. We could clean up old database entries using a cron. Would appreciate your input if you have the time! Good luck on your upcoming videos. Looking forward to them.
Laravel actually has something like that, Auth::logoutOtherDevices($password); except it requires the user's password. Effectively, they store the user's password hash in the remember-me cookie, so when the hash in the users table changes and the user makes a request with a stale cookie, that session gets invalidated. But that's only if they checked the remember-me checkbox; I believe Laravel also stores the password hash on the session object, so the same logic still applies. Jeffrey Way has a neat demo on this: laracasts.com/series/whats-new-in-laravel-5-6/episodes/7
In Node.js though, first thing that came to mind, I'd have a table called sessions and store user_id and session_id (in Redis) on it. Every time they login (i.e. create a new session), I store that record. When they decide to log out all other devices, I find all sessions by user_id and purge them from Redis using session_id as the key. IMO you need a "lookup table" in your DB because you can't afford to loop through sessions in Redis, unserialize them one by one, and match each against user_id; that's too expensive.
@Code Realm Sounds reasonable. I'll look into the Laravel solution as well. Thanks a ton!
@Simongislen You beat me by 5 mins, I didn't see your comment. But you figured it out yourself, great job!
A cron job would work; in Laravel, they have "request lottery" where each request has a small chance to trigger a background task to clean up expired records from the DB. But in the case of logout, you could clear out the entries from the sessions table right after you purge the keys from Redis (you won't need them anymore I think).
Hi, your works are awesome. I follow your tutorial word for word and create amazing things. Although in this tutorial I have a problem. In the auth file / const login, whenever I type in the line req.session!.userId = userId it gives the error "Property 'userId' does not exist on type 'Session & Partial'.". I have tried and tried. Please provide a fix or a lesson on how to fix it.
validateAsync doesn't work for me. "validation_1.registerSchema.validateAsync is not a function"
You'd need to have the latest Joi library, v16.x.x or above, via @hapi/joi. See the docs: hapi.dev/family/joi/?v=16.1.8#anyvalidateasyncvalue-options
Bro, need an example for OAuth 2.0, could you please make a vid?
Thanks for the great content, man! I really hope you can slow down a little bit (I want to follow along with you without having to stop the video every couple of minutes :D), and maybe spend a little bit more time explaining the theory behind whatever you are doing (Stephen Grider style :D).
Awesome, thanks.
the realm of code
Use prettier please
We lost you!