Probably I am missing something here.

Got an Express server with MongoDB and I'm using passport to authenticate. I'm using one of the standard code examples to sign up and it seems OK, but I can see the password I type in the password field (plain text) in my DB.
I expected it to be encrypted...

Am I doing something wrong?

chenop
  • MongoDB does not treat passwords any different from other text. You would have to handle encryption yourself. You can look at this [question](http://stackoverflow.com/questions/6951563/storing-passwords-with-node-js-and-mongodb). Answers attempt to solve a similar issue. And storing passwords is not a good idea. Better store their salted hash. – user568109 Jan 11 '14 at 19:22
  • Basically MongoDB merely provides storage. You have to use bcrypt or another library to handle the security. – user568109 Jan 11 '14 at 19:24

1 Answer

You have to hash the password yourself. Here is how to do it using bcrypt:

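```js
const bcrypt = require('bcrypt');
// Hash with a freshly generated salt; bcrypt stores the salt inside the returned string.
function hashPassword (password) {
    return bcrypt.hashSync(password, bcrypt.genSaltSync());
}
```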

So before you save your user to the DB simply invoke that function like so:

```js
user.password = hashPassword(thepassword);
```
rg88
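The login half of the flow, which the answer above does not show, as an added example that is not part of the original answer: once only a salted hash is stored, the passport verify step has to re-hash the submitted password and compare, not do a string equality check. To run without installing a package it uses Node's built-in `crypto.scrypt` in place of bcrypt (with bcrypt the corresponding calls are `bcrypt.hash` and `bcrypt.compare`); the `users` map standing in for the MongoDB collection and the names `signup`, `checkPassword` and `verifyLogin` are assumptions.

```javascript
// Added example; names and the in-memory store are hypothetical.
const crypto = require('node:crypto');

// Constructed stand-in for the MongoDB users collection.
const users = new Map();
const KEY_LEN = 64;

// Returns "saltHex:hashHex"; every password gets its own random salt.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, KEY_LEN);
  return `${salt.toString('hex')}:${hash.toString('hex')}`;
}

// Re-derives the hash with the stored salt and compares in constant time.
function checkPassword(password, stored) {
  const [saltHex, hashHex] = String(stored).split(':');
  if (!saltHex || !hashHex) return false; // e.g. a legacy plaintext record
  const expected = Buffer.from(hashHex, 'hex');
  if (expected.length !== KEY_LEN) return false; // malformed record
  const actual = crypto.scryptSync(password, Buffer.from(saltHex, 'hex'), KEY_LEN);
  return crypto.timingSafeEqual(actual, expected);
}

// Signup: only the salted hash ever reaches the store.
function signup(username, password) {
  const user = { username, password: hashPassword(password) };
  users.set(username, user);
  return user;
}

// Same shape as a passport-local verify callback: (username, password, done).
function verifyLogin(username, password, done) {
  const user = users.get(username);
  if (!user || !checkPassword(password, user.password)) {
    return done(null, false); // same result for unknown user and wrong password
  }
  return done(null, user);
}
```

Records written before hashing was added still hold plaintext and will fail `checkPassword`, so those accounts need a password reset or a one-time migration.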