WEBVTT

00:01.590 --> 00:06.510
So let's keep working on validating our signed URLs so we can allow users to reset passwords.

00:06.540 --> 00:12.240
And right now I'm looking at main.go, which is in the cmd/web folder, the main entry point for our front

00:12.240 --> 00:12.450
end.

00:13.410 --> 00:19.260
And I know that I'm going to need both the URL to the front end and I'm going to need the secret key

00:19.260 --> 00:21.210
that we specified in the api main.go.

00:21.300 --> 00:24.110
So let's go over to the api main.go and copy that information.

00:24.780 --> 00:28.350
So I'm going to want these two things, the command line flags.

00:29.970 --> 00:33.630
And I'm also going to need to add in my config these two entries.

00:33.660 --> 00:38.940
So let's go back to main.go and I'll paste those two lines in here.

00:39.600 --> 00:45.000
And it's really important that you use the same secret key here on the front end as you do in the back

00:45.000 --> 00:45.260
end.

00:45.270 --> 00:49.640
Otherwise, your validation is not going to work when you test the URL's authenticity.

00:50.190 --> 00:58.320
And let's go back up here to our config and go back to api and we'll copy these two things from the

00:58.320 --> 01:03.870
config type config and put it right back here in main.go right at the end.

01:04.570 --> 01:08.920
OK, so now I have that information available to me the next time I start my application.

01:09.840 --> 01:15.390
Now let's go set up a route to the page which ultimately will display the password reset form.

01:15.390 --> 01:18.870
So we'll go to routes.go in the cmd/web folder.

01:20.130 --> 01:26.880
And right here after the forgot password, I'll simply add another Get route, mux.Get, slash, and the

01:26.880 --> 01:35.970
URL we used was reset-password, and this will go to a handler that we'll create in a minute, app.Show

01:36.330 --> 01:38.190
ResetPassword.

01:39.580 --> 01:42.210
OK, so let's go over to our handlers

01:42.210 --> 01:42.960
.go.

01:43.590 --> 01:49.830
I'll just open up ForgotPassword this way and then go to the very bottom and I'll create a new function

01:49.830 --> 01:50.070
here.

01:50.070 --> 01:58.200
A new handler func, app pointer to application, and we're going to call this one ShowResetPassword.

01:58.290 --> 01:59.670
And of course, this is a handler.

01:59.670 --> 02:00.900
So let's give it its two arguments.

02:07.670 --> 02:09.630
OK, let's give ourselves some room here.

02:11.240 --> 02:15.740
Now, what I want to do here, I know that my URL is going to come to whatever my host is.

02:16.410 --> 02:22.130
Whatever the URL for this is, I think it's /reset-password and then two query parameters appended

02:22.130 --> 02:22.610
on the end.

02:22.940 --> 02:28.610
But the very first thing I want to do is to actually validate the URL and make sure that the one they're

02:28.610 --> 02:30.710
going to is the one that's been signed.

02:30.710 --> 02:33.270
And if it's not, we'll just show some kind of error.

02:33.860 --> 02:35.280
So first of all, let's get the URL.

02:35.660 --> 02:42.580
theURL is assigned the value of our request URL, r.RequestURI.

02:42.800 --> 02:43.340
There it is.

02:44.150 --> 02:45.400
So that gives me the URL.

02:45.800 --> 02:51.770
And the second thing I want to do is to create a URL to test, to make sure that the one that they've

02:51.770 --> 02:54.280
gone to is one that we've signed and they're allowed to be there.

02:54.290 --> 02:57.710
So we'll go to create another variable, testURL.

02:59.330 --> 03:04.940
And that will be assigned the value of, from the fmt package, Sprintf, and we'll just build the URL.

03:05.060 --> 03:07.750
And all we need are two string placeholders like that.

03:08.930 --> 03:15.830
And the first one is going to be the URL of our front end, which we just put in our app config, app.config

03:16.610 --> 03:18.680
dot frontend.

03:19.610 --> 03:24.140
And the second replacement is the URL that we just grabbed right here.

03:24.620 --> 03:30.020
theURL, and I probably should make those capital R and capital L because it is an acronym.

03:33.720 --> 03:34.350
That works better.

03:37.030 --> 03:45.130
So now that we have these, let's create a signer variable, which is assigned the value of, from url

03:45.130 --> 03:51.460
signer, the package that we created, Signer, and we just give it its secret key, which we now have in our

03:51.460 --> 03:59.410
app config, app.config.secretkey, and convert it into a byte slice for me, just like it has to be, which was very

03:59.410 --> 03:59.800
helpful.

04:00.820 --> 04:02.080
Now we'll see if it's valid.

04:02.470 --> 04:05.620
valid will be a boolean that we get back from signer.

04:05.620 --> 04:13.120
The variable we just created, that gives us access to VerifyToken, and VerifyToken just needs test

04:13.220 --> 04:13.600
URL.

04:15.160 --> 04:17.950
So if it's valid, well, let's just test this out.

04:18.130 --> 04:20.890
If valid, I'll just say w dot

04:20.980 --> 04:26.940
Write, and we'll make it a slice of bytes, which it has to be: valid.

04:28.650 --> 04:36.230
Else, w.Write, slice of bytes: invalid.

04:37.140 --> 04:39.990
OK, so let's start our application.

04:40.290 --> 04:41.370
I'll stop it first.

04:41.580 --> 04:42.360
make stop.

04:44.160 --> 04:46.990
And start it, make start. Let's give this a try.

04:49.530 --> 04:51.180
So let's go back to our web browser.

04:53.350 --> 04:58.780
And as you can see here in Mailtrap, my inbox is empty, so I've deleted all the emails that were there

04:58.780 --> 05:02.890
before, and I recommend that you do, too, just to make sure you're starting from a known state.

05:03.970 --> 05:08.260
And I'll put in a valid email, admin@example.com, on my forgot password form.

05:10.130 --> 05:13.880
Which sends an email to Mailtrap, and I'm going to Mailtrap.

05:16.230 --> 05:18.240
And refresh this, and there it is.

05:18.280 --> 05:23.280
OK, so it went to widgets.com, which is something we're going to have to fix because

05:23.280 --> 05:23.940
that's not right.

05:24.060 --> 05:27.720
First of all, let's just look at this email and let's see if it's valid.

05:27.720 --> 05:28.560
So I'll click on it.

05:28.590 --> 05:31.650
It should open a new browser window and check the signature.

05:33.400 --> 05:38.920
And there it is, valid. But let's go up here and say I don't want to change admin's password, I want

05:38.920 --> 05:41.670
to change Trevor's password, just change that.

05:41.920 --> 05:45.700
So I'm just changing the URL and it immediately says invalid.

05:46.180 --> 05:52.630
And if I change any single character anywhere in that URL, it just reports itself as invalid.

05:52.840 --> 05:54.760
And that is exactly what I want to do.

05:54.790 --> 05:56.650
So we have tamper-proof URLs.

05:57.700 --> 06:04.060
And the great thing about this is that at no point up to sending this email have we done any database

06:04.060 --> 06:09.850
lookups, other than to verify that the email was actually valid when we received the submitted

06:09.850 --> 06:10.230
form.

06:10.540 --> 06:15.190
Everything else is just handled by cryptography and a tamper-proof URL.

06:15.820 --> 06:16.240
All right.

06:16.390 --> 06:18.040
We'll move on in the next lecture.