What is the purpose of a middleware in express

Hello guys, from what I have read, in Express.js, middleware is a function that intercepts incoming requests and gives access to the request and response objects. What is its purpose/importance? How does it relate to route handlers, please?
22 Replies
glutonium
glutonium4w ago
middlewares are just code or processes u want to run AFTER a request has been received and BEFORE the request is processed. hence the "middle" in middleware.

for example, say u r using cookies to store data such as access and refresh tokens, which r needed to make sure the user doesn't need to provide login information every time they visit your site. now in order to use cookies, u r going to need a middleware such as cookie-parser, which sets the cookies up for you / parses the cookies so u can use them directly from the request, which otherwise u can't.

u get a request, u want to process that request. while processing the request u need to use cookies, and for that u want them to be accessible from the request object. how can u have that? by the use of the cookie-parser middleware. so now what happens is:
- u get a request
- before u process the request u use cookie-parser to parse the cookies
- u process the request

now like cookie-parser, there are lots of middleware u will need. and in a nutshell, middlewares r just some intermediary processes that u r required to do before u process the request yourself
Faker
FakerOP4w ago
yep I see, for the cookies example, what happens behind the scenes, like we want to login without entering our login details, the login details are stored somewhere? Then when it is accessed what happens please?
glutonium
glutonium4w ago
this is where the concept of access tokens and refresh tokens comes in. these "tokens" are like hashed data. jwt is a nodejs lib that is used to create these "tokens". now these tokens are generated from the user data when the user logs in for the first time. u create these tokens and u r required to give a secret key that is used to encode the data, and u can use the same key to decode the token. i think it is better if u check their site once
glutonium
glutonium4w ago
JWT.IO
JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.
glutonium
glutonium4w ago
go here and scroll down
Faker
FakerOP4w ago
oh I see interesting
glutonium
glutonium4w ago
this is the algorithm related data. this is what jwt uses to create these tokens
glutonium
glutonium4w ago
nothing to worry about
Faker
FakerOP4w ago
yep I see, I will need to learn cookies and tokens etc, seem interesting
glutonium
glutonium4w ago
this is the payload, so this is what gets converted into the token
Faker
FakerOP4w ago
this is the same thing as "session management" ?
glutonium
glutonium4w ago
this is where u would be using the user data. yup exactly
Faker
FakerOP4w ago
yeah I see, session management is just another word referring to cookies/tokens?
glutonium
glutonium4w ago
this is the secret key that is used to encode and decode the data
glutonium
glutonium4w ago
and finally this is your token
glutonium
glutonium4w ago
no. cookies and tokens are used when it comes to session management. these r just 2 tools that u will be using
Faker
FakerOP4w ago
hmm what is session management? Like the time the user is currently logged in, something like that?
glutonium
glutonium4w ago
now if u understand the images i sent then the whole process is as follows:
- u will have a secret key for generating the refresh token and access token. this same key will be used to then convert the token back to the original data aka decoding. this is very secret. if anyone gets the secret key, they can decode the token
- user signs up
- user logs in for the first time
- u use the user info such as below to generate the access token and refresh token
{
"_id": "1234567890",
"name": "John Doe",
"password": "super_secret_pass",
"email": "[email protected]"
}
- you save both tokens in cookies and only the refresh token in the DB.
- next time a user visits your site, u get the access token from the cookie, u use your secret key to decode it, which returns you the original payload, which is the following
{
"_id": "1234567890",
"name": "John Doe",
"password": "super_secret_pass",
"email": "[email protected]"
}
this way now u get the user data without needing the user to fill up the login form
- u now use this to validate if the user is legit or not. if so just give users access to the site / their account
- when the access token expires (yes, both tokens have an expiry date and the refresh token has a higher expiry date than the access token), u use the refresh token, decode it, get the user data, generate a new access token AND refresh token and set that to the cookie. when the refresh token expires and eventually the access token expires as well, the current session ends. user needs to fill the form again.

a session is the time from when the user logs in up until they log out. managing a session is just managing how the user will stay logged in, for how long they'll stay logged in etc
Faker
FakerOP4w ago
what's the difference between a refresh token and an access token? yep I see
glutonium
glutonium4w ago
nothing except the expiry date. well, afaik, i did not do much BE so i did not delve too much into these. you can try searching what is the diff between access and refresh token
Faker
FakerOP4w ago
yep just did that, just like you mentioned, access tokens have a shorter life span. I have a clearer idea about tokens/middlewares now, thanks! will come back if I have other doubts
glutonium
glutonium4w ago
glad to hear that, u r welcome