I have a sign up and login form that uses passport.js authentication and bcrypt to encrypt the password, but I noticed that my POST method form submission displays the password value in plain-text rather than the bcrypt encryption. I am testing this locally, but plan on enabling https. Should I be nervous about this? Is there a certain adjustment that I should make to my form tags that I am not including?

form data

Form:

<h1>Login</h1>
<form action="/login" method="post">
    <input type="text" class="form-control" id="login-username" name="email" value="" placeholder="Email">
    <br />
    <input type="password" class="form-control" id="login-password" name="password" value="" placeholder="Password">
    <div class="login-buttons">
        <button type="submit">Login</button>
    </div>
</form>

Here is my login route:

siteRoutes.route('/login')

    .get(function(req, res){
        res.render('pages/site/login.hbs',{
            error: req.flash('error')
        });
    })

    .post(passport.authenticate('local', {
        successRedirect: '/app',
        failureRedirect: '/login',
        failureFlash: 'Invalid email or password.'
    }));

Passportjs login authentication:

//Login logic
var passport = require('passport');
var LocalStrategy = require('passport-local').Strategy;
var models = require('./models'); // path assumed: whichever module exposes the User model

passport.use('local', new LocalStrategy({
    passReqToCallback: true,
    usernameField: 'email'
}, function(req, email, password, done) {
    console.log("Database query triggered");
    //Find user by email (the strategy has already read it from req.body.email)
    models.User.findOne({
        where: { email: email }
    }).then(function(user) {
        if (!user) {
            console.log("Unknown User");
            return done(null, false, { message: 'The email you entered is incorrect' });
        }
        //validPassword() bcrypt-hashes the submitted plain-text password and
        //compares it with the stored hash; the plain text itself is never stored
        if (!user.validPassword(password)) {
            console.log("Incorrect Password");
            return done(null, false, { message: 'Incorrect password' });
        }
        console.log("User match");
        return done(null, user);
    }).catch(function(err) {
        //A database error is a server error, not a failed login
        console.log("Server Error", err);
        return done(err);
    });
}));
cphill

1 Answer

Standard practice, no need to worry. Go check what you send out when logging in to Facebook for example. Just make sure to use SSL in production; it's there to protect that sensitive information.

You need the plain text password in your application to verify it matches the hash. If you sent the hash and just compared that against a hash in the database, your database would effectively contain plain text passwords for each user. After all, the hash is just a string.

For more of an explanation of the comparison, check https://stackoverflow.com/a/6833165/3349511

vesse