Open jrans opened 7 years ago
Passwords need to be hashed when they are inserted into the Database.
But they need to be in plaintext when you are comparing to an existing password that is stored in the DB, so hashing it prematurely and discarding the plaintext is kinda useless ... 😕
see: https://github.com/ncb000gt/node.bcrypt.js/#to-check-a-password
@nelsonic yep realised, though maybe with asynchronous validation functions we could use the compare method of bcrypt with a db request, could be useful to validate the login request with joi? See progress of async extensions (could also be used for checking username unique etc) but yes original proposal flawed!
Use bcrypt to hash fields before saving confidential information which should not be stored in db like password.
Have functionality to hash any payload based on fields config but have put on shelf. #58
Now will only hash "password" field before saving as our sole means of verification.