API Design in Node.js, v4 Comparing & Hashing Passwords
Transcript from the "Comparing & Hashing Passwords" Lesson
>> Last we talked about doing authentication things like middleware to protect different API routes, and creating JSON web tokens that we can issue to new users or returning users. Now we need to do the other side and allow users to be created and allow users to come back and actually receive a JSON Web Token.
[00:00:20] So that's what we're going to do. So we know from our schema that a user needs a unique username and a password in order for them to be created. So what we wanna do is create a handler for the user, so they can do that. But before we can do that, we're gonna need some helper functions that we're gonna use to hash a user's password, so we don't store them as plain text in the database.
[00:00:44] Storing a user's password as plain text in a database is no longer practice. Because if someone gets access to your database, they get access to your users passwords, you're just done. So you're better off not knowing your users passwords. So we do that by hashing them, so that's what we're gonna do.
[00:01:01] So what we're gonna do is go back into auth, and we're gonna do some stuff with bcrypt. So, you can go to auth, I'm already here, and you can import, okay. You can import bcrypt from bcrypt, like that. I'm gonna make a function called, comparePasswords, like that. And it's gonna take two arguments.
[00:01:33] It's going to take the plain text password that someone is trying to sign in with. So we're gonna use comparePasswords function when someone tries to sign in. So we're gonna take the password they're sending us in plain text and compare it to the password that's hashed, that's saved in the database, to see if they're the same.
[00:01:57] So we're gonna take the plaintext password and we're gonna take the hashed password. Or hash. And then it's gonna return bcrypt.compare Password,hash. This is gonna return a promise that returns true or false, if password that they pass, it matches this hash, that was also passed too. So that's for sign in.
[00:02:37] And then for the initial hashing of your password, we can just call another function, we'll call this one hashPassword. This one just takes in a plain text password, and it's just going to return bcrypt.hash password, like that. Need an h in hash. Yeah, that makes a big difference.
[00:03:08] [LAUGH] That'd be a whole different function. Yeah, just make sure we export these things, put export in front of them. Okay. Yeah, I guess, in order to be super safe, we wanna add a salt, which is a number. How do I explain a salt? Salt is like second ingredient, I think that's why they call it a salt.
[00:03:38] [LAUGH] So, hashing is an algorithm that spits out, almost kind of like what we did for Json. We're talking a deterministic value based off some input, and salt is just an extra variable to give you a different variety of that output. So, it's basically just makes the hash harder to guess, because people do brute force attacks, where they just run every possible combination until they can guess the hash, right?
[00:04:12] By adding a salt, it just makes it exponentially harder for that person to do that, it went from, maybe this was gonna take 100 million requests to 100 million times to the power of 10 or something like that, that's what a salt does. It just makes it exponentially harder or they can just take your salt too, but then you can generate the salt, we're not gonna generate salts, we're just gonna just put a number here, I'll put 5.
[00:04:39] So, you can put 5 [INAUDIBLE].