node.bcrypt.js

How to check if user did not use the password before

Open frodoe7 opened this issue 2 years ago • 3 comments

When the user changes his password, he adds a new password to the table. Before adding it, I need to ensure he did not use that password before.

So, I have an array of hashes and the original password.

Here's the function which hashifies the password:

import * as bcrypt from 'bcrypt';

// Hash a password with a freshly generated salt; the cost factor comes from SALT_ROUNDS
export const hashify = async (password: string) => {
    const salt = await bcrypt.genSalt(Number(process.env.SALT_ROUNDS));
    return await bcrypt.hash(password, salt);
}

Here's the function which searches whether the password was used before or not:

// Compare the plaintext against every stored hash, then report whether any matched
export const searchHashes = async (password: string, hashes: string[]) => {
  const results = await Promise.all(
    hashes.map(async (hash: string) => {
      return await bcrypt.compare(password, hash);
    })
  );

  return results.some(result => result === true);
}

That solution is not working.

NodeJS version: 20.10.0, Bcrypt version: 5.1.1

frodoe7, Jan 06 '24 09:01

@recrsn Do you think I have to use another library to achieve this approach?

frodoe7, Jan 13 '24 08:01

It doesn't depend on this library.

castilloedwin, Jan 28 '24 05:01

It's more a conceptual problem; it doesn't depend on the library. Here are some tips you can use for your issue:

User Password Management Enhancement

Update User Schema

Add a field to store previous passwords in your user schema. For example, you can name this field previousPasswords and define it as an array of strings.

const { Schema } = require('mongoose'); // Mongoose schema definition

const userSchema = new Schema({
  // ...
  password: {
    type: String,
    required: true,
  },
  previousPasswords: [String], // Field to store previous password hashes
  // ...
});

Search Previous Passwords when it changes

When a user attempts to change it, you can check if they are using a previous password.

// Array.prototype.some does not await an async callback (a Promise is always truthy),
// so resolve every comparison first and only then look for a match
const comparisons = await Promise.all(
  user.previousPasswords.map((prevHash) => bcrypt.compare(newPassword, prevHash))
);
const isPreviousPassword = comparisons.some(Boolean);

if (isPreviousPassword) {
  // The new password is a previous password
  // Handle this accordingly (e.g., return an error)
} else {
  // The new password is valid
  // Continue with the normal authentication process
}

Update Password Update Logic

When a user changes their password, instead of just hashing the new password, you can also add the old password to the previousPasswords array.

const newPassword = "newPassword"; // Get the new password from the user

// Keep the current (old) hash before it is overwritten
const oldPasswordHash = user.password;

// Hashify and update the current password
user.password = await hashify(newPassword);

// Add the old password hash to the list of previous passwords
user.previousPasswords.push(oldPasswordHash);

// Save the changes to the database
await user.save();

With this approach, you no longer need to simultaneously search through all stored hashes, as you have the previous passwords directly associated with the user.

Note: Replace hashify and searchPreviousPasswords with your actual functions for hashing and searching previous passwords in your application.

MdialloC19, Jan 31 '24 23:01