when dealing with users' passwords and other sensitive data.
we need to secure them otherwise it can be hacked.
Hashing ensures hackers can't steal data because the hashed inputs are not in their original form, making the data useless without a key to decipher the data. In a technique known as salting, random data gets attached to the input of a hash function. Hashing is a one-way technique to hash the password we we can come back.
supposes the user signup the page in the backend part the password will hashed and next time if the user login with the same password then it will hashed again and then match the stored hased hash and if the hash is matched then the user will be able to log in.
Hashing is more secure when we apply salt to it. it is more secure than encoding and decoding. Because it is a one-way Hashing
In this blog, we’ll be implementing authentication with password hashing in Node.js. For this, we’ll be using crypto, a package password hashing for Node.js.
Pre-requisites
Some knowledge of node js and Database
Node js should be installed in your system.
express server
Mongoose module for MongoDB connection and queries.
Crypto module for hashing.
and Lots of excitement🤓
Step 1
Create 1 main folder in my case I am using the Node folder.
Inside it.
index.js is the main file where I am creating the server
// index .js
const express = require('express');
const mongoose = require('mongoose')
const bodyPaser = require('body-parser');
const user = require('./router/router')
const app = express();
app.use(express.json());
// database connection
mongoose.connect("Enter your mongoDB sting/url ")
.then((e)=> console.log("MongoDB Connected"));
app.use(bodyPaser.json());
// routing
app.use('/api/user',user);
// server
const port = 8000;
app.listen(port,()=>{
console.log(`Server is runing on port ${port}`)
});
in the above file, I just created a local server and connected to the database const bodyPaser = require('body-parser');
body-parser: body-parser is a middleware module used to parse the request body in a Node.js/Express application. It is used to extract data from the request body, such as form data or JSON payload
Step 2 🤠
let's do some routing
// router.js
const express = require('express');
const router = express.Router();
const User = require('../model/user');
// api routing
router.post('/login',(req,res)=>{
User.findOne({email:req.body.email},(err,user)=>{
if(user === null){
return res.status(400).send({
message:"User not found."
});
}
else {
if(user.validPassword(req.body.Password)){
return res.status(201).send({
message:"User Logged In",
})
}
else{ res.status(400).send({
message:"Worng Password"
})
}
}
})
})
// user signup
router.post('/signup',(req,res)=>{
// creating an empty user object
let newUser = new User();
// initialze newUer object with requestr data
newUser.name = req.body.name,
newUser.email = req.body.email,
newUser.password=req.body.password
// calling funciton to hash password
newUser.setPassword(req.body.password);
// save new object to database
newUser.save((err,save)=>{
if(err){
return res.status(400).send({
message:"Falied to user."
});
}
else{ return req.status(201).send({
message:"User added Successfully."
})
}
})
})
module.exports = router;
At first, the user will sign up.
then the password is hashed.
if it tries to login again then it will rehash and match to the stored hash password. In the above code, I used two API signups and a login
Step 3 🤓
Modeling
For hashing, I am using crypto module
first, I create a schema for my user I just take my name, email, and password.
// model/user.js
const mongoose = require("mongoose");
const crypto = require('node:crypto');
// create a user schema
const UserSchema = mongoose.Schema({
name:{
type: String,
required : true
},
email:{
type:String,
required:true
},
hash:String,
salt:String
});
// making salt
UserSchema.method.setPassword = function(Password){
// create unique salt
this.salt = crypto.randomBytes(16).toString('hex');
this.hash = crypto.pbkdf2Sync(Password,this.salt,
1000,64,`sha12`).toString('hex');
}
// checking that entered password is correct or not
UserSchema.method.validPassword = function(Password){
const hash = crypto.pbkdf2(Password
,this.salt,1000,64,`sha512`).toString('hex');
return this.hash === hash
}
const User = module.exports = mongoose.model('User',UserSchema)
You can test these APIs on Postman or Thunderclinet where you want. And get your hash password.😎
crypto.pbkdf2Sync(Password,this.salt,
1000,64,`sha12`).toString('hex');
crypto.pbkdf2Sync: This represents thepbkdf2Syncfunction from thecryptomodule in Node.js, which is used for password-based key derivation.Password: This is the password that will be used as input for key derivation.this.salt: This is the salt value used in the key derivation process. A salt is a random value added to the input password to prevent precomputed attacks.1000: This represents the number of iterations that the PBKDF2 algorithm will execute. More iterations increase the time required to derive the key, thereby increasing its security.64: This specifies the length of the derived key in bytes. In this case, the derived key will be 64 bytes long.sha12: This specifies the hash function used in the key derivation process. In this case,sha12refers to the SHA-512 hashing algorithm.toString('hex'): This converts the derived key from a buffer to a hexadecimal string representation. The 'hex' parameter is used to specify the encoding (hexadecimal in this case).
The salt is a randomly generated value that is added to the password before hashing it. It adds an extra layer of security to the hash by making it unique even if two users have the same password. This helps to prevent the use of rainbow tables (precomputed tables of hashes) to crack passwords
Note - I take some reference from another article which was written by Ashish Sharma🤓 on internet
Thank you for reading my content. Be sure to follow and comment on what you want me to write about next 🤓