search

kelektiv / node.bcrypt.js

bcrypt for NodeJs
MIT License
7.38k stars 510 forks source link

How to check if user did not use the password before #1021

Open frodoe7 opened 6 months ago

frodoe7 commented 6 months ago

When the user change his password he add a new password to the table before adding it, I need to ensure he did not use that password before

so, I have array of hashes and the original password

here's the function which hashify the password

export const hashify = async (password: string) => 
{
    const salt = await bcrypt.genSalt(Number(process.env.SALT_ROUNDS));
    return await bcrypt.hash(password, salt);
}

here's the function which search if the password is used before or not

export const searchHashes = async (password: string, hashes: string[]) => {
  const results = await Promise.all(
    hashes.map(async (hash: string) => {
      return await bcrypt.compare(password, hash);
    })
  );

  return results.some(result => result === true);
}

That solution is not working

NodeJS version : 20.10.0 Bcrypt version : 5.1.1

frodoe7 commented 5 months ago

@recrsn Do you think, I have to use another library to achieve this approach?

castilloedwin commented 5 months ago

It doesn't depend on this library

MdialloC19 commented 5 months ago

it's more a conceptual probleme isn't depend on the library. here is some tips you can use for your issue :

User Password Management Enhancement

Update User Schema

Add a field to store previous passwords in your user schema. For example, you can name this field previousPasswords and define it as an array of strings.

const userSchema = new Schema({
  // ...
  password: {
    type: String,
    required: true,
  },
  previousPasswords: [String], // Field to store previous passwords
  // ...
});

Search Previous Passwords when it change

When a user attempts to change, you can check if they are using a previous password.

const isPreviousPassword = user.previousPasswords.some(async (prevPassword) => {
  return await bcrypt.compare(newPassword, prevPassword);
});

if (isPreviousPassword) {
  // The new password is a previous password
  // Handle this accordingly (e.g., return an error)
} else {
  // The new password is valid
  // Continue with the normal authentication process
}

Update Password Update Logic

When a user changes their password, instead of just hashing the new password, you can also add the old password to the previousPasswords array.

const newPassword = "newPassword"; // Get the new password from the user

// Hashify and update the current password
user.password = await hashify(newPassword);

// Add the old password to the list of previous passwords
user.previousPasswords.push(oldPassword);

// Save the changes to the database
await user.save();

With this approach, you no longer need to simultaneously search through all stored hashes, as you have the previous passwords directly associated with the user.

Note: Replace hashify and searchPreviousPasswords with your actual functions for hashing and searching previous passwords in your application.