Perfect, folks. Okay, any other questions? No. Can we move forward with our workshop? Authentication. Do you like authentication? No. No. Does anybody like authentication? It's a necessary evil. It's a necessary evil, cool. We are going to make it fun. Hey, we are talking about Fastify JWT. So, JWT is probably the most popular way of doing authentication these days. Most hyped way of doing authentication these days. So, essentially, you authenticate your users, then you generate a JWT token that can be used to access your application. A JWT token is typically composed of various parts. It can encode some information, like for example the user, and then that is signed. More questions coming, I will answer later, okay? On that. So, this is it. We can use authentication. So, I ask you to change your index.js file to add the fastify-jwt plugin, using a hard-coded string as the secret property. So, essentially something like "fake", that would do, in the configuration options, okay? Then change your login route so that you actually generate a JWT token when that is done, if the username and password match. Okay? Off you go.
So, a few questions that came in. What about using fastify-sensible and returning reply.unauthorized()? Yes, that's perfectly fine. fastify-sensible is a nice utility module. There are a lot of things that you can actually just use, so that you don't need to do a lot of things yourself. You can just use this and everything will just work. There are lots of very handy bits in here. I personally like it. Another question that came in was: can Fastify do OAuth with Azure, or the MS Graph API using MSAL? So, long story short, there is no out-of-the-box module that I know of. But there are buts; life is full of buts. In one of the projects that I'm working on at the minute, we have it authenticating against Azure AD B2C, for example. So it's actually very simple to create those authentications from scratch. But I don't know if there is a plugin, and how different those are compared to each other. I know Azure AD integrates in one way, Azure AD B2C integrates in another different way, and I highly suspect that the MS Graph API would authenticate in yet another different way. The beauty of Azure. I don't know how many of you have been working on Azure, but it has been a wild ride so far. So, essentially, I don't know, I have my feelings.
Matteo, I have a question regarding how you recommend handling secrets, using libraries like dotenv, or what do you recommend for handling secrets in production mode?

Okay, first of all, there are a few bits to say. I recommend you not use a hard-coded secret for your JWT token. You should use a public/private key system, a certificate, so that there is actually a full key object that you are passing through. So, that's the first one I recommend, okay? Which I truly think is the best way. And typically the only one using that, knowing that secret, having that private key, is either Cognito or Auth0 or Azure AD B2C, or one of those systems. So essentially, somebody else in the architecture of your system is handling authentication for you. So, this is the starting point on authentication: you should not be doing it. Okay? My recommendation is, like, authentication is a tricky business these days. Lots of things to consider; unless you know what you're doing, try to avoid it. Generically, for secrets, I recommend loading them up via environment variables, and so on and so forth. However, loading them up via environment variables kind of exposes you to some leakage risks in the more tight environments. Because, essentially, those environment variables are passed in via Kubernetes, or via AWS, Azure, and so on and so forth. So by poking around, reading up those settings on all the pods that your containers are configured with, they will be able to read those secrets. Right? So, my recommendation instead, in those more tight security deployments, is to use your cloud-specific secret management. So, on Azure there is this key management system; AWS has the same. I don't remember the name. They are all the same, to some extent. We have just published an article at NearForm about these modules.
So there is this thing called fastify-secrets-core, and so on. So you have, here we go. Well, these are not linked here. So, fastify-secrets-aws, for example. These are for AWS; it integrates with AWS Secrets Manager, and essentially you can just read things up. So, note that with these, you will just need to assign a role, using AWS, to that container, and you will be able to read it. So there is no configuration needed for the secret from the app. Does it make sense?

Totally, I completely agree with you. There is even another service called Vault, which is very good.

Yeah, yeah, yeah, I know. We don't support this in this module, but... Oh, sorry, I didn't want to open this up; I wanted to open the blog. We just published this article, and I'm covering secrets in Fastify. So maybe you want to take a look.