NodeJS - Passport password appears as plain text in DB - node.js

Probably I am missing something here.
Got an Express server with MongoDB and i'm using passport to authenticate.
I'm using one of the standard code example to signup and it seems ok, but I can see the password I type in the password field (plain text) in my DB.
I expected it to be encrypted...
Am i doing something wrong?

You have to hash the password yourself. Here is how to do it using brcypt:
function hashPassword (password) {
return bcrypt.hashSync(password, bcrypt.genSaltSync());
}
So before you save your user to the DB simply invoke that function like so:
user.password = hashPassword(thepassword);

Related

Mongodb Realm, registerUser is undefined, Node.js

I followed the docs,
https://docs.mongodb.com/realm/node/manage-email-password-users/#node-manage-email-password-users
app.emailPasswordAuth.registerUser(email, password);
It complains registerUser is undefined.
By following the type interface, I tried realmApp.auth.emailPassword.registerUser, it complains registerUser is not a function.
I have checked email/password user authentication, which is on.
Can anyone tell me what could possibly go wrong here?
I couldn't find any example that is using Node.js to register a user with email and password.
Figured it out.
The docs should be updated to realmApp.auth.emailPassword.registerEmail(email, password);

Store session in client's browser using raw node.js and cookie without express

I am trying to store client session using raw node.js without express.
When a user logs in I have the username and password. Now, how to store a session in client browser using cookie. And how to identify the user when they refresh the tab or goes to another link.I don't want to use client-sessions module as I want to understand the approach.
any help will be appreciated.
First of all, I suggest you to watch everything about authentication in NodeJS It explains cookies in a part very well.
You have to give the browser some data to hold for it to use later, which being cookies. Browser uses this data to show the server what kind of authentications it has processed before for the server and the user to proceed without repetition.
In node.js, using client-sessions module, you can set a cookie by calling
app.post('/login', function(req,res){
User.findOne({password: req.body.userPassword}, function(err, user){
if(user){
req.session.user = user; //here you are setting the cookie for the client,
}
})
})
You could also specify what kind of cookie you want to set by just adding it a property
req.session.userEmail = user.email;
Now let's check how the server uses authentication
app.get('/someUrl', function(req,res){
if(req.session.user){
console.log("user exists!");
}
})
You can check what the client sends you by using session property of req object => req.session
To bind it with database you need to do,
if(req.session.user){
User.findOne({email: req.session.user.email}, func...)
}
So basically, with each request that client sends, this procedure is used by the server to identify the cookies and to make the web-app user-friendly with no repetition.
It is like giving every student an ID in a school for authentication.
Security
For security, the node module cookie-sessions encrypt data automatically when we add secret attribute in app.use() function. Please see using secret in client-sessions module

Feathersjs local auth password verification doesn't work

I've set the fields:
local: { usernameField: 'username', passwordField: 'sha_pass_hash' }
and the model like it is supposed to be. Whenever i try to send my payload to the server i only receive error: (401) Route: /auth/local - Invalid login.
Now my question is how the password verification works, since i, by no chance, can get this working.
The Password is stored as a sha1 inside the database and i sent the sha1 password as part of the payload.
Why is it not comparing them directly, what exactly does it? I'm just confused.
The default hash comparison is expecting a bcrypt hashed (+ salted) string (created by the hashPassword hook).
If you want to use plain SHA1 hashed passwords you can use auth 1.0 and implement a custom verifier.

Cant access property of req.user

I'm writing in Node using passport.js to authenticate.
console.log(req.user);
returns
{ group: 'CuManager',
password: 'password',
username: 'administrator',
cu_id: 2,
_id: 569fd3f4328ef124be533caf }
but
console.log(req.user.cu_id);
returns
undefined
I was thinking that cu_id property maybe is not available due to serialization/deserialization, but it's there. I just can't access it.
How can I do that?
I need it for
find({cu_id : req.user.cu_id})
BTW I can't help thinking passport.js is little overcomplicated (maybe we just don't get along). What else can I use to authenticate users in Node (I use express)?
If req.user is a Mongoose document, you should probably add cu_id to the proper schema.
Otherwise you can use something like req.user.toObject().cu_id to access the property, or make sure that somehow the result of doc.toObject() is assigned to req.user.
As for a Passport-replacement: this depends on how exactly you want to authenticate your users. If you're POST'ing a login form to an Express route, you can perform the password validation and session setup yourself.
try parsing it in JSON.
JSON.parse(req.user)['cu_id']

Accessing session in everyauth.password?

I'm working on a node express app, and I've got it working well with the Facebook authentication already. I'm now attempting to enable our own email/password login and running it to a roadblock. With Facebook I am able to access and write to the session during auth:
everyauth.faceboook
// Basic stuff
.findOrCreateUser( function( sess, accessToken, extra, fbUser) {
var promise = this.Promise();
sess.myvar = myvar
// Find user in DB, etc
promise.fulfill(fbUser);
return promise()
This works great as I can save some stuff I need later to the session right in this method. But I'm not sure how to do the same thing when using everyauth password login:
everyauth.password
// Basic stuff
.authenticate( function(email, password) {
var promise = this.Promise();
// Create new user in DB, etc
// Now I need to save stuff to the session but I'm not sure how to access
// it in here...
promise.fulfill(newUser)
return promise
So is there any way to access the session in the authenticate and login methods (which use the same API) of everyauth.password?
You can't access the session from your .authenticate function, and what you're trying to do here feels wrong. Your .authenticate function should simply be looking up the user by the login parameter, validating that the password parameter matches the user's password and then returning the user object for that user via the callback. If you want to use everyauth to also create users you should be using the .validateRegistration and .registerUser functions.

Resources