fix(login): use bcrypt

RisingStack · Aug 7, 2017 · 9d69ea7 · 9d69ea7 · RoelRoel · Aug 16, 2017
1 parent 7accca3
commit 9d69ea7
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -3,4 +3,8 @@
 1. `git clone git@github.com:RisingStack/nodehero-authentication.git`
 2. `cd nodehero-authentication`
 3. `npm install`
-4. `npm start`
+4. `REDIS_STORE_URI=redis://localhost REDIS_STORE_SECRET=my-strong-secret npm start`
+
+## Pre requirements
+
+- Running [Redis](https://redis.io/) database
diff --git a/app/authentication/init.js b/app/authentication/init.js
@@ -1,11 +1,18 @@
 const passport = require('passport')
+const bcrypt = require('bcrypt')
 const LocalStrategy = require('passport-local').Strategy
 
 const authenticationMiddleware = require('./middleware')
 
+// Generate Password
+const saltRounds = 10
+const myPlaintextPassword = 'my-password'
+const salt = bcrypt.genSaltSync(saltRounds)
+const passwordHash = bcrypt.hashSync(myPlaintextPassword, salt)
+
 const user = {
   username: 'test-user',
-  password: 'test-password',
+  passwordHash,
   id: 1
 }
 
@@ -26,18 +33,28 @@ passport.deserializeUser(function (username, cb) {
 
 function initPassport () {
   passport.use(new LocalStrategy(
-    function(username, password, done) {
-      findUser(username, function (err, user) {
+    (username, password, done) => {
+      findUser(username, (err, user) => {
         if (err) {
           return done(err)
         }
+
+        // User not found
         if (!user) {
+          console.log('User not found')
           return done(null, false)
         }
-        if (password !== user.password  ) {
-          return done(null, false)
-        }
-        return done(null, user)
+
+        // Always use hashed passwords and fixed time comparison
+        bcrypt.compare(password, user.passwordHash, (err, isValid) => {
+          if (err) {
+            return done(err)
+          }
+          if (!isValid) {
+            return done(null, false)
+          }
+          return done(null, user)
+        })
       })
     }
   ))

diff --git a/package.json b/package.json
@@ -19,6 +19,7 @@
   },
   "homepage": "https://github.com/RisingStack/nodehero-authentication#readme",
   "dependencies": {
+    "bcrypt": "1.0.2",
     "body-parser": "1.15.1",
     "connect-redis": "3.0.2",
     "express": "4.13.4",