Storing Passwords Securely

Now, with the better understanding of some underlying encryption concepts, 0:00 let's jump back to coding using bcrypt and Mongoose. 0:04 I'll add a method to hash the password when a user registers with our site. 0:07 To do that we'll update the user schema and use a bit of Mongoose middleware. 0:12 But first we need to install the bcrypt module. 0:17 I'll open up the terminal make sure I'm in the projects root directory, 0:20 and run NPM install bcrypt dash dash save. 0:26 So, that the module is installed and 0:31 saved as a dependency in our package dot Jayson file. 0:33 Now, to update the user module, I'll switch back to my code editor and 0:37 open the user dot js file inside the models directory. 0:42 I need to require bcrypt, And, I'll do that by assigning it to a. 0:48 And I'll do that by assigning it to a variable named bcrypt. 0:56 Now, Mongoose provides something called a pre-save hook. 1:03 That's basically a function that Mongoose runs just before saving a record to Mongo. 1:07 In this case we want to hash the password 1:12 just before we store a new user record in the database. 1:15 We do this by calling the pre-method on our schema. 1:19 The method takes two arguments. 1:27 The hook name, in this case save. 1:29 That's a special Mongoose keyword. 1:32 So, before saving the record Mongoose runs a function. 1:34 And, that's the second argument passed to the pre-method, this anonymous function. 1:38 You'll notice that the function takes next as a parameter. 1:44 Middleware, which we'll talk more about in the next section of this course, 1:48 provides a way to process input as it's passed through a chain of commands. 1:52 Next, here, represents the next piece of middleware or 1:57 the next function that runs after this one. 1:59 Express takes care of figuring out which middleware runs next. 2:02 But, in this specific case after this function runs 2:06 Mongoose saves the record to Mongo. 2:09 In the pre-save hook, Mongoose assigns the database 2:11 object it's about to insert into Mongo to the JavaScript keyword, this. 2:16 In the context of this callback function, the word, this, refers to the object 2:23 we created containing the information the user entered in the sign up form. 2:30 So, the variable user here, holds the user object and it's data. 2:35 Okay, now I'll use bcrypt. 2:40 And, bcrypt, fortunately, provides a method for creating both a hash, and 2:44 a salt, in one function call. 2:48 The hash method takes three arguments. 2:50 A plaintext password, a number, and 2:54 a callback function that's run once the hash is generated. 2:57 User contains the document that Mongoose will insert into Mongo. 3:03 And, password is the property on that object 3:07 that holds the plaintext password supplied by the user. 3:10 The second argument. 3:14 The number ten here tells bcrypt how many times to apply the encryption algorithm. 3:15 The bigger the number the slower the process, but the greater the security. 3:21 We're using ten here which provides good security 3:25 without adversely affecting our servers performance. 3:28 The third argument is a callback function. 3:31 Bcrypt runs this callback after the password is hashed. 3:34 Bcrypt passes two arguments to this callback, 3:38 an error if the hashing fails, and the hash value if it succeeds. 3:41 In this example, we'll use the callback function to replace the plain text 3:47 password with the hash password. 3:51 First I'll handle any errors. 3:56 If there is an error, I'll just pass it along, and 3:58 it'll eventually get handled by our error handler in the app dot js file. 4:01 If there is no error, 4:06 we can assign the new hashed value to the password property of the user object. 4:08 In other words, 4:14 we simply overwrite the plain text password with the new secure hash. 4:15 And lastly, we call next, which calls the next function in the middleware stack. 4:20 In this case Mongoose will save the data to Mongo. 4:25 All right, let's save this file and see how it works. 4:28 If you don't already have your application running, go to your terminal or 4:32 console program and type Nodemon. 4:36 Then open your web browser, and go to local host 3000. 4:40 Click on the sign-up link, and fill it out with some information. 4:43 Click the sign-up form to submit it. 4:48 Again, we are sent to the profile route, which we haven't yet created. 4:53 We'll do that soon. 4:57 Of course, we don't know if the application correctly hashed the password 4:59 and stored it into Mongo unless we look inside the Mongo database. 5:02 I'm going to use the Mongo shell again. 5:07 So go to Terminal, or your console program. 5:09 I'm going to open a new tab and type Mongo to enter the Mongo shell. 5:13 If you're on Windows you can launch the Mongo executable. 5:18 I'll select our bookworm database, use bookworm. 5:21 I can see if there's anything in the user's collection by typing DB 5:26 dot the collection name dot and find. 5:30 Also to make sure the output looks good in the terminal I'll call the pretty method. 5:34 There's a new document with a hash password success. 5:40 At this point our application is about halfway done and 5:45 most of the time consuming work is completed. 5:48 In the next section of this course we'll add the login feature. 5:50 See you there. 5:53