Learn how to use the bcrypt Node module to hash a password and save it in a MongoDB database.
Note
The bcrypt module only runs under Python 2 (not Python 3). You can read more about this on the bcrypt Node.js package page. In addition, Andrew Chalkley explains how to overcome this problem in his npm Basics course in the Installing Local Packages video.
Now, with the better understanding of
some underlying encryption concepts,
0:00
let's jump back to coding using bcrypt and
Mongoose.
0:04
I'll add a method to hash the password
when a user registers with our site.
0:07
To do that we'll update the user schema
and use a bit of Mongoose middleware.
0:12
But first we need to
install the bcrypt module.
0:17
I'll open up the terminal, make sure
I'm in the project's root directory,
0:20
and run npm install bcrypt --save.
0:26
So that the module is installed and
0:31
saved as a dependency in our
package.json file.
0:33
Now, to update the user module,
I'll switch back to my code editor and
0:37
open the user.js file
inside the models directory.
0:42
I need to require bcrypt.
0:48
And I'll do that by assigning
it to a variable named bcrypt.
0:56
Now, Mongoose provides something
called a pre-save hook.
1:03
That's basically a function that Mongoose
runs just before saving a record to Mongo.
1:07
In this case we want to hash the password
1:12
just before we store a new
user record in the database.
1:15
We do this by calling
the pre method on our schema.
1:19
The method takes two arguments.
1:27
The hook name, in this case save.
1:29
That's a special Mongoose keyword.
1:32
So, before saving the record
Mongoose runs a function.
1:34
And, that's the second argument passed to
the pre method, this anonymous function.
1:38
You'll notice that the function
takes next as a parameter.
1:44
Middleware, which we'll talk more about
in the next section of this course,
1:48
provides a way to process input as it's
passed through a chain of commands.
1:52
Next, here,
represents the next piece of middleware or
1:57
the next function that
runs after this one.
1:59
Express takes care of figuring
out which middleware runs next.
2:02
But, in this specific case
after this function runs
2:06
Mongoose saves the record to Mongo.
2:09
In the pre-save hook,
Mongoose assigns the database
2:11
object it's about to insert into Mongo
to the JavaScript keyword, this.
2:16
In the context of this callback function,
the word, this, refers to the object
2:23
we created containing the information
the user entered in the sign up form.
2:30
So, the variable user here,
holds the user object and its data.
2:35
Okay, now I'll use bcrypt.
2:40
And, bcrypt, fortunately, provides
a method for creating both a hash, and
2:44
a salt, in one function call.
2:48
The hash method takes three arguments.
2:50
A plaintext password, a number, and
2:54
a callback function that's run
once the hash is generated.
2:57
User contains the document that
Mongoose will insert into Mongo.
3:03
And, password is
the property on that object
3:07
that holds the plaintext
password supplied by the user.
3:10
The second argument.
3:14
The number ten here tells bcrypt how many
times to apply the encryption algorithm.
3:15
The bigger the number the slower
the process, but the greater the security.
3:21
We're using ten here which
provides good security
3:25
without adversely affecting
our server's performance.
3:28
The third argument is a callback function.
3:31
Bcrypt runs this callback
after the password is hashed.
3:34
Bcrypt passes two
arguments to this callback,
3:38
an error if the hashing fails, and
the hash value if it succeeds.
3:41
In this example, we'll use the callback
function to replace the plain text
3:47
password with the hashed password.
3:51
First I'll handle any errors.
3:56
If there is an error,
I'll just pass it along, and
3:58
it'll eventually get handled by our
error handler in the app.js file.
4:01
If there is no error,
4:06
we can assign the new hashed value to
the password property of the user object.
4:08
In other words,
4:14
we simply overwrite the plain text
password with the new secure hash.
4:15
And lastly, we call next, which calls
the next function in the middleware stack.
4:20
In this case Mongoose will
save the data to Mongo.
4:25
All right, let's save this file and
see how it works.
4:28
If you don't already have your application
running, go to your terminal or
4:32
console program and type nodemon.
4:36
Then open your web browser,
and go to localhost:3000.
4:40
Click on the sign-up link, and
fill it out with some information.
4:43
Click the sign-up form to submit it.
4:48
Again, we are sent to the profile route,
which we haven't yet created.
4:53
We'll do that soon.
4:57
Of course, we don't know if the
application correctly hashed the password
4:59
and stored it into Mongo unless we
look inside the Mongo database.
5:02
I'm going to use the Mongo shell again.
5:07
So go to Terminal, or
your console program.
5:09
I'm going to open a new tab and
type mongo to enter the Mongo shell.
5:13
If you're on Windows you can
launch the Mongo executable.
5:18
I'll select our bookworm database,
use bookworm.
5:21
I can see if there's anything in
the users collection by typing db
5:26
dot the collection name dot find.
5:30
Also to make sure the output looks good in
the terminal I'll call the pretty method.
5:34
There's a new document with
a hashed password. Success.
5:40
At this point our application
is about halfway done and
5:45
most of the time-consuming
work is completed.
5:48
In the next section of this course
we'll add the login feature.
5:50
See you there.
5:53