How would I implement an easy and somewhat safe password authentication with Next.js, MongoDB and bcrypt?

I am a hobby programmer and don't need an industry-standard solution for my project. However, I would like to implement a reasonably secure password authentication in my Next.js project and only use my Next.js backend API and a MongoDB database (Atlas, via the Data API) for this purpose.

I am aware that there are different third-party authentication processes available and that there are even more secure options. Therefore, I want to emphasize that I am looking for something on a lower level.

My basic setup is that user data with names and passwords (bcrypt encrypted) is stored in my database. Now, when the user enters their login data, I'm not sure how to proceed. At some point, I have to execute bcrypt.compare(password, hashedPassword) to verify the password. However, in my understanding, I either have to send the hashed password to my frontend (which feels wrong) or send the password as plain text to the backend via an HTTP request (which also feels wrong). Client-side hashing of the password is not possible because, with the use of a salt (e.g. bcrypt.hash(password, 10)), I cannot compare two hashed strings.

Can someone explain to me in simple terms how to best approach comparing passwords in this setup?

> Solution:

You are not sending any credentials to the client. You handle everything on the server.

You send the user inputs (email, password, etc.) to the server. The server first has to validate those values. Then, on the server, you get the user from the database.

// you validated the req.body data first
let user = await User.findOne({ email: req.body.email });
if (!user) return res.status(400).send("invalid password or email");

user holds the user data. I am assuming you already hashed the password when the user signed up.

const validPassword = await bcrypt.compare(req.body.password, user.password);
if (!validPassword) return res.status(400).send("invalid email or password");

When you send data from the client to the server, you are sending it over HTTPS; it is not plain text. That data is encrypted by the TLS protocol.

It should be noted that TLS does not secure data on end systems. It simply ensures the secure delivery of data over the Internet, avoiding possible eavesdropping and/or alteration of the content.
