Password gets changed when updating User Model in Sails.js - javascript

/**
* User.js
*
* #description :: TODO: You might write a short summary of how this model works and what it represents here.
* #docs :: http://sailsjs.org/#!documentation/models
*/
var bcryptjs = require('bcryptjs');
function hashPassword(values, next) {
bcryptjs.hash(values.password, 10, function(err, hash) {
if (err) {
return next(err);
}
values.password = hash;
next();
});
}
module.exports = {
connection: 'mysql',
attributes: {
id:{
primaryKey: true,
autoIncrement: true,
unique: true
},
displayname:{
type: 'STRING',
required: true
},
password:{
type: 'STRING',
required: true
},
// Override toJSON instance method to remove password value
toJSON: function() {
var obj = this.toObject();
delete obj.password;
return obj;
},
},
// Lifecycle Callbacks
beforeCreate: function(values, next) {
hashPassword(values, next);
},
beforeUpdate: function(values, next) {
if (values.password) {
hashPassword(values, next);
}
else {
//IMPORTANT: The following is only needed when a BLANK password param gets submitted through a form. Otherwise, a next() call is enough.
User.findOne(values.id).done(function(err, user) {
if (err) {
next(err);
}
else {
values.password = user.password;
next();
}
});
}
},
validPassword: function(password, user, cb) {
bcryptjs.compare(password, user.password, function(err, match) {
if (err) cb(err);
if (match) {
cb(null, true);
} else {
cb(err);
}
});
}
};
The hashPassword(values, next); in beforeUpdate method changes the password while changing any values of the user model though i don't send the password value in the 'param'. But it works fine when i change password for the user.
Example: When i change password for the current user, it should changed pass, hash it and stored in database. But i don't want the password to get changed (changes to random password) when i am updating other data in User Model.
Edit: Working Now, Corrected Code:
Now, only if you send password: password in the Update method, it will update the password (hash and store) else it will only update the provided user fields.
Controller(UserController.js):
updateDisplayName: function(req, res) {
var userid = req.token;
var newDisplayName = req.param('newdisplayname');
User.update({id: userid},{displayname: newDisplayName}).exec(function afterwards(err,updated){
if (err) {
res.json(err);
} else {
res.json("Success");
}
});
},
Model(User.js):
beforeUpdate: function(values, next) {
if(values.password) {
hashPassword(values, next);
} else {
next();
}
},

beforeUpdate: function(values, next) {
if (values.password) {
hashPassword(values, next);
}
This code has the problem that everytime a user model is updated(not password change) for eg: displayName is updated. Password in user model is already encrypted, it gets encrypted again and old password wont work no more.
Solution is to remove password attribute from user model before normal update(not change password). During password change, new password has to be set to user.password and update should be called.

As far as I can see the problem is that you get the password param passed even though you're not changing it. How about doing a bcrypt.compare on it when it arrives. If it's a match then do not re-hash the password. If it doesnt match it's considered a new password and you go ahead an hash it?
I am having this conundrum myself and I am going for this approach.

Related

Bcrypt reset the hash and the passwords of the users are not good anymore each time the users POST data

I made a login with bcrypt.
I also made a page where users can edit their information, like their bio etc.
Each time an user edit his bio on this page the hash from bcrypt change, which is normal i suppose, but the user login back, the password is wrong...
I used the same model for mongoDb for the user when he log in and when he edit his data.
I started node.js recently so I apologize if my question is stupid,,,
The controller code with the Post :
app.post('/settings-user', mid.requiresLogin, function(req, res, next){
User.findById(req.session.userId, function (err, user) {
// todo: don't forget to handle err
if (!user) {
return res.redirect('/edit');
}
// good idea to trim
var bio = req.body.bio.trim();
// validate
if (!bio) { // simplified: '' is a falsey
req.flash('error', 'One or more fields are empty');
return res.redirect('/settings-user'); // modified
}
// no need for else since you are returning early ^
user.bio = bio;
// don't forget to save!
user.save(function (err) {
// todo: don't forget to handle err
res.redirect('/settings-user/');
});
});
});
The User model :
app.post('/settings-user', mid.requiresLogin, function(req, res, next){
User.findById(req.session.userId, function (err, user) {
// todo: don't forget to handle err
if (!user) {
return res.redirect('/edit');
}
// good idea to trim
var bio = req.body.bio.trim();
// validate
if (!bio) { // simplified: '' is a falsey
req.flash('error', 'One or more fields are empty');
return res.redirect('/settings-user'); // modified
}
// no need for else since you are returning early ^
user.bio = bio;
// don't forget to save!
user.save(function (err) {
// todo: don't forget to handle err
res.redirect('/settings-user/');
});
});
});
The User model :
var mongoose = require('mongoose');
var bcrypt = require('bcrypt');
var UserSchema = new mongoose.Schema({
email: {
type: String,
unique: true,
required: true,
trim: true
},
name: {
type: String,
required: true,
trim: true
},
password: {
type: String,
required: true
},
bio: {
type: String
}
});
// authenticate input against database documents
UserSchema.statics.authenticate = function(email, password, callback) {
User.findOne({ email: email })
.exec(function (error, user) {
if (error) {
return callback(error);
} else if ( !user ) {
var err = new Error('User not found.');
err.status = 401;
return callback(err);
}
bcrypt.compare(password, user.password , function(error, result) {
if (result === true) {
return callback(null, user);
} else {
return callback();
}
})
});
}
// hash password before saving to database
UserSchema.pre('save', function(next) {
var user = this;
bcrypt.hash(user.password, 10, function(err, hash) {
if (err) {
return next(err);
}
user.password = hash;
next();
})
});
var User = mongoose.model('User', UserSchema);
module.exports = User;
the pug file :
div
form(method='post', action='/settings-user')
label ADD BIO
br
input(type='text', name='bio', placeholder='Enter something', required='')
input(type='submit', value='Add Bio')
</body>
If anyone could help,,,
thank you!

get valid password with bcrypt

I am using nodejs with sequelize to setup my database, and currently i am trying to hash and salt my password, the hashing i already did, but now when i tyr to login i want to compare the password send in req.body with the hashed one, so i did this:
router.post('/', function (req, res, next) {
console.log("hi");
if (JSON.stringify(req.body) == "{}") {
return res.status(400).json({ Error: "Login request body is empty" });
}
if (!req.body.username || !req.body.password) {
return res.status(400).json({ Error: "Missing fields for login" });
}
var password = User.validPassword(req.body.password);
// search a user to login
User.findOne({ where: { username: req.body.username, password: password } }) // searching a user with the same username and password sended in req.body
.then(function (user) {
if (!user) {
return res.status(400).json({ Error: "There is no user with those fields" }); // if there is no user with specific fields send
}
return res.status(400).json({ Error: "loged in!" }); // username and password match
}).catch(function (err) {
return res.status(200).json({ message: "server issues when trying to login!" }); // server problems
});
});
my model is like this:
"use strict";
var sequelize = require('./index');
var bcrypt = require('bcrypt-nodejs');
module.exports = function (sequelize, DataTypes) {
var User = sequelize.define("User", {
username: DataTypes.STRING,
email: DataTypes.STRING,
password: DataTypes.STRING
}, {
classMethods: {
generateHash: function (password) {
console.log("hi");
return bcrypt.hashSync(password, bcrypt.genSaltSync(8), null);
},
validPassword: function (password) {
return bcrypt.compareSync(password, this.password);
}
}
});
return User;
}
i don't get any response from
var password = User.validPassword(req.body.password);
i tried to console.log but stilm no response, when i try to go to router /login it just doesn0t give me any response it is loading all the time, any sugestion?
To start with, your route defines a post action to / not /login. You can use postman to try that out if you don't have a front-end yet.
The validPassword method should be called on an instance of the User model so you should have written this portion of the code like this
router.post('/', function (req, res, next) {
console.log("hi");
if (JSON.stringify(req.body) == "{}") {
return res.status(400).json({ Error: "Login request body is empty" });
}
if (!req.body.username || !req.body.password) {
return res.status(400).json({ Error: "Missing fields for login" });
}
// search a user to login
User.findOne({ where: { username: req.body.username } }) // searching a user with the same username and password sended in req.body
.then(function (user) {
if(user && user.validPassword(req.body.password)) {
return res.status(200).json({message: "login successful"});
} else {
return res.status(401).json({message: "Unauthorized"});
}
}).catch(function (err) {
return res.status(200).json({ message: "server issues when trying to login!" }); // server problems
});
});
Also in you catch method, the status code should be something that depicts internal server error like 500. 200 is inappropriate.
Soo seems like I could answer my own question, with the help of Femi Oladeji, basicly the problem was related to the fact that i want to acess the methods trough a instance and not a model.
So when I tried to acces it with the user instance, there was no method that treat instances, so made some changes on my model.
"use strict";
var sequelize = require('./index');
var bcrypt = require('bcrypt-nodejs');
module.exports = function (sequelize, DataTypes) {
var User = sequelize.define("User", {
username: DataTypes.STRING,
email: DataTypes.STRING,
password: DataTypes.STRING
}, {
classMethods: {
generateHash: function (password) {
return bcrypt.hashSync(password, bcrypt.genSaltSync(8), null);
},
},
instanceMethods: {
validPassword: function (password) {
console.log(password, this.password)
return bcrypt.compareSync(password, this.password);
}
}
});
return User;
}
and there is the instanceMethods, that can treat the instance :)

Using bcryptjs with Mongo

I am trying to encrypt user passwords using Bcrpyt for my Angular app which uses Mongodb in the backend.
Here is the code
Model
var mongoose = require('mongoose');
var Schema = mongoose.Schema;
bcrypt = require('bcryptjs'),
SALT_WORK_FACTOR = 10;
var UserSchema = new mongoose.Schema({
name: String,
username: { type: String, required: true, index: { unique: true } },
email: String,
password: { type: String, required: true },
created_at: Date,
topics: [{type: Schema.Types.ObjectId, ref: 'Topic'}],
posts: [{type: Schema.Types.ObjectId, ref: 'Post'}],
comments: [{type: Schema.Types.ObjectId, ref: 'Comment'}]
});
UserSchema.pre('save', function(next) {
var user = this;
// only hash the password if it has been modified (or is new)
if (!user.isModified('password')) return next();
// generate a salt
bcrypt.genSalt(SALT_WORK_FACTOR, function(err, salt) {
if (err) return next(err);
// hash the password along with our new salt
bcrypt.hash(user.password, salt, function(err, hash) {
if (err) return next(err);
// override the cleartext password with the hashed one
user.password = hash;
next();
});
});
});
UserSchema.methods.comparePassword = function(candidatePassword, cb) {
bcrypt.compare(candidatePassword, this.password, function(err, isMatch) {
if (err) return cb(err);
cb(null, isMatch);
});
};
mongoose.model('User', UserSchema);
Create & Login inside Controller
var mongoose = require('mongoose');
var User = mongoose.model('User');
module.exports = (function() {
return {
login: function(req, res) {
User.findOne({email: req.body.email}, function(err, user) {
if(user === null) {
var error = "User not found"
console.log(error);
}
else{
user.comparePassword(req.body.password, function(err, isMatch){
if(err){
console.log("Password dont match");
} else{
console.log(user)
res.json(user);
}
})
}
})
},
create: function(req, res) {
var user = new User({name: req.body.name, username:req.body.username, email:req.body.email, password:req.body.password, created_at: req.body.created_at});
user.save(function(err) {
if(err) {
console.log('something went wrong');
} else {
console.log('successfully added a user!');
res.redirect('/');
}
})
}
})();
The user create function is working fine, saving in the passwords encrypted. But during Login it is not properly comparing the encrypted password against the input. Lets user through regardless of any password.
Also how would I go about showing errors incase of user not found and also for password not matching(this is a secondary Q.
Primary concerned about even wrong password being accepted.
Thanks for the Help.
You are checking if there is any error during password matching but not checking if the input password matches the hashed one.
user.comparePassword(req.body.password, function(err, isMatch){
if(err){
return console.log("Password dont match");
}
if (isMatch) {
// password matches. Log the user in
}
});

Bypass mongoose getter

I was trying to use mongoose getter to cast all user password before send out. It works perfectly.
However, on method "comparePassword", I need the passwordstring to compare sothen I can authenticate.
Is there a way to bypass the getter under certain conditions in mongoose? Thanks in advance!
Code Example:
function castpassword (pw) {
return 'keyboard cat';
}
var AccountSchema = new Schema({
password: { type: String, get: castpassword }
});
AccountSchema.methods.comparePassword = function (candidatePassword, cb) {
// random hash vs keyborad cat === not authenticated
crypt.compare(candidatePassword, this.password, function (err, isMatch) {
if (err) return cb(err);
cb(null, isMatch);
});
};
....
Account.findById( someId, function (err, found) {
console.log(found.password); // 'keyboard cat'
});
You can use mongoose 'lean' to skip all mongoose magic and just pull out a json object.
Account
.findById(someId)
.lean()
.exec(function (err, found) {
console.log(found.password); // actual password
// you can not use mongoose functions here ex:
// found.save() will fail
})
Another option would be to set password to 'select: false' in the schema.
var AccountSchema = new Schema({
password: { type: String, select: false }
});
This way anytime you pull out the document the password field would not be there at all unless you specifically as for it.
Account
.findById(someId, function (err, found) {
console.log(found.password); // undefinded
})
Account
.findById(someId)
.select('password') // explicitly asking for password
.exec(function (err, found) {
console.log(found.password); // actual password
})
Using this.toObject() in mongoose will bypass all getter and setter settings in mongoose since it change it to plain JSON data
AccountSchema.methods.comparePassword = function (candidatePassword, cb) {
// keyboard cat vs keyboard cat === authenticated
crypt.compare(candidatePassword, this.toObject().password, function (err, isMatch) {
if (err) return cb(err);
cb(null, isMatch);
});
};

How to set run multiple controller functions in nodejs

I am currently working on boiler plate code of mean.io and implementing passwordresetemail to it. When ever user asks for password reset with email as parameter, I create a salt(resetid) and send him an email having that salt as reset link.
I have user's email in the req but want to append other information of the user(user._id) before it enters into actual createemail controller function. I want following function(userbyemail) to be run before it goes into createResetPasswordEmailLink
/**
* Find user by email
*/
exports.userByEmail = function(req, res, next, email) {
User
.findOne({
email: email
})
.exec(function(err, user) {
if (err) return next(err);
if (!user) return next(new Error('Failed to load User with email ' + email));
req.user = user;
next();
});
};
exports.createResetPasswordEmailLink = function(req, res) {
var resetPassword = new ResetPassword(req.body);
resetPassword.resetId = new User().makeSalt();
**resetPassword.user = req.user._id; // currently req.user is null**
console.log(resetPassword.userId);
resetPassword.save(function(err) {
if (err) {
// handle error
}
res.status(200);
return res.redirect('/');
});
};
Following is my resetPassword schema
var ResetPasswordSchema = new Schema({
created: {
type: Date,
default: Date.now
},
resetId: {
type: String,
default: '',
trim: true
},
user: {
type: Schema.ObjectId,
ref: 'User'
}
});
My routes is defined as follows
// Setting up the users resetpasswordlink
app.route('/createresetpasswordemaillink')
.post(users.createResetPasswordEmailLink);
I could solve this issue with app.params. App.params is exactly defined for this kind of usage.
I added
// Setting up the userId param
app.param('email', users.userByEmail);
to my routes and it automatically executed this function before the req is passed on to regular controllers.
From the documentation, App.param is defined as
app.param([name], callback)
Map logic to route parameters. For example when :user is present in a route path you may map user loading logic to automatically provide req.user to the route, or perform validations on the parameter input.

Categories