What is the purpose of a middleware in express
Hello guys, from what I have read, in Express.js, middleware is a function that intercepts incoming requests and gives access to the request and response objects.
What is its purpose/importance? How does it relate to route handlers please?
22 Replies
middlewares are just codes or processes u want to run AFTER a request has been received and BEFORE the request is processed. hence the "middle" in middleware
for example, say u r using cookies to store data such as access and refresh tokens which r needed to make sure the user doesn't need to provide login information every time they visit your site. now in order to use cookies, u r going to need a middleware such as cookie-parser, which sets the cookies up for you / parses the cookies so u can use them directly from the request, which otherwise u can't.
u get a request
u want to process that request. while processing the request u need to use cookies. and for that u want it to be accessible from the request object. how can u have that? by the use of cookie-parser middleware.
so now what happens is,
- u get request
- before u process the request u use cookie-parser to parse the cookies
- u process the request
Now, like cookie-parser, there are lots of middlewares u will need. and in a nutshell, middlewares r just some intermediary processes that u r required to do before u process the request yourself
yep I see, for the cookies example, what happens behind the scenes, like we want to login without entering our login details, the login details are stored somewhere? Then when it is accessed, what happens please
this is where the concept of access tokens and refresh tokens comes in
these "tokens" are like hashed data. jwt is a nodejs lib that is used to create these "tokens"
now these tokens are generated from the user data
when a user logs in for the first time, u create these tokens
and u r required to give a secret key that is used to encode the data
and u can use the same key to decode the token
i think it is better if u check their site once
JWT.IO
JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.
go here
and scroll down
oh I see
interesting
this is the algorithm related data. this is what jwt uses to create these tokens
nothing to worry about
yep I see, I will need to learn cookies and tokens etc, seem interesting
this is the payload
so this is what gets converted into the token
this is the same thing as "session management"?
this is where u would be using the user data
yup exactly
yeah I see
session management is just another word referring to cookies/tokens?
this is the secret key that is used to encode and decode the data
and finally this is your token
no. cookies and tokens are used when it comes to session management. these r just 2 tools that u will be using
hmm what is session management? Like the time the user is currently logged in, something like that?
now if u understand the images i sent then the whole process is as follows
- u will have a secret key for generating refresh token and access token. this same key will be used to then convert the token back to original data aka decoding. this is very secret. if anyone gets the secret key, they can decode the token
- user signs up
- user logs in for the first time
- u use the user info such as below to generate access token and refresh token
- you save both tokens in cookies and only refresh tokens in DB.
- next time a user visits your site, u get the access token from the cookie, u use your secret key to decode it, which returns you the original payload which is the following
- this way now u get the user data without needing the user to fill up the login form
- u now use this to validate if the user is legit or not. if so, just give users access to the site / their account
- when the access token expires (yes, both tokens have an expiry date and the refresh token has a higher expiry date than the access token), u use the refresh token, decode it, get the user data, generate a new access token AND refresh token and set that to the cookie. when the refresh token expires and eventually the access token expires as well, the current session ends. the user needs to fill the form again.
a session is the time from when the user logs in up until they log out
managing a session is just managing how the user will stay logged in, for how long they'll stay logged in etc
what's the difference between refresh token and access token ?
yep I see
nothing except the expiry date
well, afaik
i did not do much BE
so i did not delve too much into these
you can try searching what is the diff between access and refresh token
yep just did that, just like you mentioned, access tokens have a shorter life span
I have a clearer idea about tokens/middlewares now, thanks! will come back if I have other doubts
glad to hear that
u r welcome