In this part of the session, you will add secure password storage and a basic login endpoint to the Snippets API.
We will:
- Implement a
/loginendpoint that validates a user’s credentials. - Demonstrate why insecure passwords are a security issue
- Hash passwords using
bcrypt.
We can use already existing users table. Username can be user email, while password can be stored in the token column.
Create a route (for example in routes/auth.js) that:
- Reads
usernameandpasswordfrom the request body. - Looks up the user by username in the database.
In the implemented solution, or, using the module examples - demonstrate how fast insecure password could be cracked. You can download any of the suitable password list (suggested rockyou-50.txt) and execute
node auth-sessions-brute-force.js user_name /path/to/your/wordlist
Install bcrypt in the Snippets API project and import it in your auth route module.
Update at least one user with a hashed password (for example a small Node program that calls bcrypt.hash and update the row).
- Modify the login functionality
- Use
bcrypt.compareto compare the provided password with the storedpassword_hash. - Returns:
401 Unauthorizedwith a generic error message on failure.200 OK(or201) with a small success payload on success.
You do not need to generate tokens here yet – this is just about secure credential checking.
If using MD5 hashing algorythm, it is great to demonstrate that even hashed, if password is weak - it could be easily cracked Take the created password hash (considering that it was a simple password like qwerty123, password123 etc) and paste it here - Crack Station
- Add at least one extra user to the database and test logging in as both.
- Think about:
- What error messages you send back (security vs usability).