(Mongoose) How to get user._id from session in order to POST data including this user._id

Question

I am new in Mongoose. I'm developing a MEAN stack To do list with user authentification.

(In other words, a user can register login and create, get, update and delete the to do's).

It means 2 schemas: 'users' and 'tasks' With a relationship one to many: a user can have many tasks, many tasks belongs to a user.

This is how it looks the 'tasks' Schema:

const TaskSchema = new Schema({
        title:{
        type: String,
        required: true
        },
        owner:{
            type: Schema.Types.ObjectId,
            ref:'User'
        }
    });

In order to build the CRUD methods I will need the user._id as a 'owner' attribute, otherwhise any user could have access to the tasks list, create update or delete a task,

To get the user._id it I was thinking two options:

1. Angular2 at the front end would get the user._id from the localStorage of the browser where was stored previously to keep the user logged in.

   const user = localStorage.getItem('user');

   And then send it in the same object as I send the 'title' attribute. I think this option is too insecure as anyone from the front-end could send any id.

2. Get the current user._id at the back-end from the sessions. (I would't know how to do it though). And include it in the new task object at the POST method, something like this:

.post('/task', function(req, res, next){ function(req, res, next){

var task = new Task({
    title: req.body.title,
   owner : req.user._id     /// Does not do nothing
});

if(!task.title){
    res.status(400);
    res.json({
        "error":"Bad Data"
    });
} else{
    task.save(task, function(err, task){
        if(err){
            res.send(err);
        }
        res.json(task);
    });
}

});

Taking the second option (unless the former is better), how would you build the POST method? Concretely, how can I get the current user._id from the session and include it the new Task object?

I look forward of receiving your feedback soon. Thank you.

Answer 1

A bit different but:

User Model:

var UserSchema = new mongoose.Schema({
    username: String,
    password: String
});

Tasks Model:

var taskSchema = mongoose.schema({
    text: String,
    author: {
        id: {
            type: mongoose.Schema.Types.ObjectId,
            ref: "User"
        },
        username: String
    }
});

module.exports = mongoose.model("Task", taskSchema);

Create a task with post route:

var text = req.body.text;
var author = {
    id: req.user._id,
    username: req.user.username
};

var newTask = {text: text, author: author};

Task.create(newTask, function(err, addedTask){
     // what you wanna do
});

Similarly with edit/update you can use a put route (edit) and delete route (method override for delete) with a 'checkTaskOwnership' middleware and then

Task.findByIdAndUpdate / Task.findByIdAndRemove