Using bcrypt to store password in NodeJS.

Posted byKumar Gandhi KPosted inMongoose, NodeJSTags:, ,

Before starting the post I would like to assume few things:

  1. You have knowledge about NodeJS.
  2. You have setup sample NodeJS app using express and mongoDB

In case you have no idea what I am talking about then its best to know about them. Few links below will help.

https://nodejs.org/en/

https://expressjs.com/

https://www.mongodb.com/

Now let’s get to post…

Install bcryptjs:

$npm install bcryptjs

Hash your password:

Instead of storing the passwords in plain text we will use a method called hash in bcryptjs to generate hash. Hashing or password hashing is a process used to turn or transform your original plain string into another encrypted string. And this new string or hash is stored in DB. Even if someone finds the hash they won’t be able to login. This is the most secure way.

bcrypt.hash(myPassword, 10)

I would prefer you spend some time to read more about the plugin here.

Below is my sample code which creates a user and store the hash for password.

const bcrypt = require("bcryptjs");

exports.createUser = (req, res, next) => {
  bcrypt.hash(req.body.password, 10).then(hash => {
    const user = new User({
      username: req.body.username,
      password: hash,
      displayName: req.body.displayName,
      roles: req.body.roles,
    });
    user
        .save()
        .then(result => {
          res.status(201).json({
            message: "User created!",
            result: result
          });
        })
        .catch(err => {
          res.status(500).json({
            message: "Invalid authentication credentials!",
            error: err
          });
        });
  });
};

Below is the sample code for user login.

const bcrypt = require("bcryptjs");
const User = require("../models/user");

exports.userLogin = (req, res, next) => {
  let fetchedUser;
  User.findOne({ username: req.body.username })
      .then(user => {
        if (!user) {
          return res.status(401).json({
            message: "Auth failed"
          });
        }
        fetchedUser = user;
        return bcrypt.compare(req.body.password, user.password);
      })
      .then(result => {
        if (!result) {
          return res.status(401).json({
            message: "Authentication failed, please check your login credentials."
          });
        }
        res.status(200).json({
          message: "Login success."
        });
      })
      .catch(err => {
        return res.status(401).json({
          message: "Invalid authentication credentials!",
          error: err
        });
      });
};

Here we use the compare method in bcrypt to check if the entered user password matches with the stored password. It’s valid only if they match. You can also observe I am returning few responses with status codes at each step of the way.

Below is the schema for user just in case.

const mongoose = require("mongoose");
const uniqueValidator = require("mongoose-unique-validator");

const userSchema = mongoose.Schema({
  username: { type: String, required: true, unique: true },
  password: { type: String, required: true },
  displayName: { type: String },
  roles: { type: [String], required: true }
});

userSchema.plugin(uniqueValidator);

module.exports = mongoose.model("User", userSchema);

Published by Kumar Gandhi K

Hi! I’m Kumar and I live in Bangalore (IN) with my family. By profession I’m a Web Developer experienced in a vast variety of frameworks and technologies, like, HTML, CSS, JavaScript, Angular, Bootstrap… Using these i have built or sometimes maintained mid market and enterprise level applications. I worked for few software companies over the years and on few domains like finance, field-service and storage. I also did consulting job at one point. I am loyal and hard (or for better word smart) working individual. In my free time I read books, in fact I buy a lot of books hoping that some day I might find all the time in the world to read them and I also enjoy watching TV.

Leave a comment