Open whyhankee opened 8 years ago
Upgrade to 4.x and then set your digest Algorithm to sha1. This will get the code working, after that you should plan for a way for your users to upgrade their passwords. Take a look at @toddbluhm's pull request and you can see that many of us are having this issue of needing to upgrade users' passwords.
Maybe this is useful, I overrode the plugin to check if the user is using sha256 digest, and if not, it migrates it on login: https://github.com/DemocracyOS/democracyos/blob/master/lib/auth/mongoose.js
I'm confronted with the same issue. I'm/was new to mongoose and followed a tutorial that used versions:
"passport": "~0.1.17",
"passport-local": "~0.1.6",
"passport-local-mongoose": "~0.2.5",
Yikes!
Now I have users using my app and I want to make sure the security is up to date.
In case others are looking for the PR that @BrandonCopley was talking about, here's a link.
@mjlescano Thanks for sharing your code. I'm trying to figure out how to add it to my project. Is there an easy way to include your code in my project?
@mjlescano I required the mongoose.js file you linked to and replaced the following:
const passportLocalMongoose = require('passport-local-mongoose');
...
User.plugin(passportLocalMongoose);
with
const authMongoose = require('./mongoose');
...
User.plugin(authMongoose);
Then I installed the latest version of passport:
"passport": "^0.3.2",
"passport-local": "^1.0.0",
"passport-local-mongoose": "^4.1.0",
But when I try to log in, I just get an error:
Error: That email and password combination is invalid. Try something else.
I feel like I'm close, what did I miss?
Did more debugging and it doesn't seem to have overwritten the authenticate() method. It's not being called when I try to log in...
@whyhankee, did you ever find a solution to this?
@wootwoot1234 that's weird, I would need a little more context to give a hand; maybe you are calling the plugin somewhere else, or calling another instance of passport-local-mongoose.
Maybe this helps, these are the files we're using to set up the auth:
@mjlescano, thanks for the help. This is what I have:
https://gist.github.com/wootwoot1234/d6ce91b7a83f5dcbcbe742bd449a94bf
You can see I've reverted back to what I had for now but left the changes I made to user.js commented out. I'm sure it's something simple that I'm doing wrong but I'm just having a hard time wrapping my head around passport.
@wootwoot1234 the auth-mongoose I'd provided uses email as the login key, and I think you're using username, just remove this line to use the default value and it should work.
@mjlescano, That worked great! Thanks so much!!
Hi, I have a project that depends on passport-local-mongoose v1.3.x. I want to upgrade to 4.x.
The README clearly states: In these cases plan some migration strategy and/or use the sha1 option for the digest algorithm
I'm a bit lost on how such a strategy should be implemented, can anyone point me in the right direction?
Thanks.
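The migrate-on-login strategy discussed in this thread, as an added example that is not code from any commenter or from passport-local-mongoose: it verifies a password against the stored PBKDF2 hash using the digest the record was created under, then re-hashes with sha256 once the password is known to be correct. The record shape (`salt`, `hash`, `digest`), the function names and the iteration and key-length values are assumptions for illustration.

```javascript
const crypto = require('crypto');

// Assumed parameters; use the values your stored hashes were created with.
const PARAMS = { iterations: 25000, keylen: 512 };
const TARGET_DIGEST = 'sha256';

function hashPassword(password, salt, digest) {
  return crypto
    .pbkdf2Sync(password, salt, PARAMS.iterations, PARAMS.keylen, digest)
    .toString('hex');
}

// Hypothetical record shape: { salt, hash, digest }. Records written before
// the upgrade carry no `digest` field and are treated as sha1.
function verifyAndMigrate(user, password) {
  const digest = user.digest || 'sha1';
  const candidate = Buffer.from(hashPassword(password, user.salt, digest), 'hex');
  const stored = Buffer.from(user.hash, 'hex');
  // Constant-time comparison; the length check guards timingSafeEqual, which throws on mismatch.
  const ok = candidate.length === stored.length &&
    crypto.timingSafeEqual(candidate, stored);
  if (!ok) return { ok: false, migrated: false };
  if (digest === TARGET_DIGEST) return { ok: true, migrated: false };
  // The plaintext is only available during login, so re-hash now with a fresh salt.
  user.salt = crypto.randomBytes(32).toString('hex');
  user.hash = hashPassword(password, user.salt, TARGET_DIGEST);
  user.digest = TARGET_DIGEST;
  return { ok: true, migrated: true }; // caller must persist the updated record
}

// Constructed sample: a legacy account whose hash was created with sha1.
function demo() {
  const salt = crypto.randomBytes(32).toString('hex');
  const legacy = { salt, hash: hashPassword('correct horse', salt, 'sha1') };
  const wrong = verifyAndMigrate(legacy, 'bad guess');      // rejected, record untouched
  const first = verifyAndMigrate(legacy, 'correct horse');  // accepted and upgraded
  const second = verifyAndMigrate(legacy, 'correct horse'); // accepted via sha256
  return { wrong, first, second, digest: legacy.digest };
}
```

Accounts that never log in again keep their sha1 hash, so track the `digest` field to see how many remain and decide when to force a password reset for them.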