Description
Hi,
thanks for the library. I am implementing a simple auth mechanism but was wondering if there is any easy way to have bcrypt hashes in the code instead of the plain text passwords. Unfortunately, there is no built-in support like below.
```js
basicAuth({
  useBcrypt: true,
  users: ALLOWED_USERS,
})
```

I ended up with this implementation. It's not hard to do, but I can imagine some developers starting with programming may not be able to do that in a reasonable time or are not interested in doing it in the first place because providing plain-text passwords in the code is so easy :)
```js
import * as bcrypt from 'bcrypt';

basicAuth({
  authorizeAsync: true,
  authorizer: async (username, password, authorize) => {
    const passwordHash = ALLOWED_USERS[username];
    // Unknown user: bcrypt.compare rejects on an undefined hash and the
    // callback would never fire, so reject explicitly instead.
    if (passwordHash === undefined) return authorize(null, false);
    const passwordMatches = await bcrypt.compare(password, passwordHash);
    return authorize(null, passwordMatches);
  },
})
```

I like how you basically teach people about timing attacks, but I think it should also be noted that storing plain-text passwords is not a good idea. So what I would like to propose is to implement hash-based passwords by default to teach people about this best practice. Something like below. What do you think?
```js
basicAuth({
  users: {user: '$2b$13$AL6K99UVLEjngKPgKST39O13E4CyjnaRX..qM/ij7F3IyAbL8LGri'},
})
```

I prepared a simple npm script to generate the password with the hash. You could create a similar one to provide a CLI for users to generate their hashes.

```json
"password": "node -e \"const bcrypt = require('bcrypt'); const crypto = require('crypto'); const alphabet = '+-_!?,.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; const password = Array.from({length: 25}, () => alphabet[crypto.randomInt(alphabet.length)]).join(''); const hash = bcrypt.hashSync(password, 13); console.log({password, hash});\""
```