how to check if the password matches before changing to new one passport

Time:11-18

I'm building an application and I'm struggling with the password update with passport and MongoDB. I want to check if the user has entered his actual password and it matches what is stored in the DB before setting a new one.

This is what I've got so far:

if (req.body.password == req.user.password) {
  if (req.body.newPassword.normalize() == req.body.confirmPassword.normalize()) {
    // Verifying if the new password matches the confirmation one
    // before actually changing the password (This part works)
  }
} else {
  // Handling if the old password does not match the DB
}
res.redirect('/profile')

I've been trying things like:

passport.use(new LocalStrategy(
  function(username, password, done) {
    // Note: `req` is not in scope inside a strategy callback; the strategy
    // receives the submitted username and password as its arguments.
    User.findOne({
      username: req.user.email
    }, function(err, user) {
      if (err) {
        return done(err);
      }
      if (!user) {
        return done(null, false);
      }
      if (!user.verifyPassword(req.body.password)) {
        return done(null, false);
      }
      return done(null, user);
    });
  }
));

Still, not working... Any hints? :)

EDIT

I've been using crypto in an attempt to get the same hash as the one stored in MongoDB. To register a new user, I use passport.

const crypto = require('crypto');

let hash = crypto.createHmac('sha256', secret) // `secret` is the HMAC key
               .update('I love cupcakes') // I have no idea what this line does, actually...
               // (.update() feeds the data to be hashed; here that is the literal string, not a password)
               .digest('hex');
console.log(hash);

I guess that at some point I should pass the DB-stored salt to a function to verify that the password he submitted is the same as the one stored, I just have no clue how to do it...

CodePudding user response:

Try to hash the received req.body.password using the secret and see if it matches the already hashed password saved in the DB. If it does, it's the same old password.

CodePudding user response:

With a lot of internet searching, I came up with this:

async function fooChangePW(req, res) {
  try {
    // changePassword(oldPassword, newPassword) is provided by the plugin the
    // User model uses (e.g. passport-local-mongoose) and returns a promise;
    // awaiting it makes sure the redirect happens after the update finishes.
    await req.user.changePassword(req.body.password, req.body.newPassword);
    console.log('password changed');
  } catch (error) {
    console.log(error);
  }
  res.redirect('/profile');
}

Since the user is already authenticated, we can go with req.user.changePassword(oldPassword, newPassword).
