Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to check if user did not use the password before #1021

Open
frodoe7 opened this issue Jan 6, 2024 · 3 comments
Open

How to check if user did not use the password before #1021

frodoe7 opened this issue Jan 6, 2024 · 3 comments

Comments

@frodoe7
Copy link

frodoe7 commented Jan 6, 2024
edited
Loading

When the user change his password he add a new password to the table
before adding it, I need to ensure he did not use that password before

so, I have array of hashes and the original password

here's the function which hashify the password

export const hashify = async (password: string) => 
{
    const salt = await bcrypt.genSalt(Number(process.env.SALT_ROUNDS));
    return await bcrypt.hash(password, salt);
}

here's the function which search if the password is used before or not

export const searchHashes = async (password: string, hashes: string[]) => {
  const results = await Promise.all(
    hashes.map(async (hash: string) => {
      return await bcrypt.compare(password, hash);
    })
  );

  return results.some(result => result === true);
}

That solution is not working

NodeJS version : 20.10.0
Bcrypt version : 5.1.1
@frodoe7
Copy link
Author

frodoe7 commented Jan 13, 2024
edited
Loading

@recrsn Do you think, I have to use another library to achieve this approach?

@castilloedwin
Copy link

It doesn't depend on this library

@MdialloC19
Copy link

MdialloC19 commented Jan 31, 2024
edited
Loading

it's more a conceptual probleme isn't depend on the library. here is some tips you can use for your issue :

User Password Management Enhancement

Update User Schema

Add a field to store previous passwords in your user schema. For example, you can name this field previousPasswords and define it as an array of strings.

const userSchema = new Schema({
  // ...
  password: {
    type: String,
    required: true,
  },
  previousPasswords: [String], // Field to store previous passwords
  // ...
});

Search Previous Passwords when it change

When a user attempts to change, you can check if they are using a previous password.

const isPreviousPassword = user.previousPasswords.some(async (prevPassword) => {
  return await bcrypt.compare(newPassword, prevPassword);
});

if (isPreviousPassword) {
  // The new password is a previous password
  // Handle this accordingly (e.g., return an error)
} else {
  // The new password is valid
  // Continue with the normal authentication process
}

Update Password Update Logic

When a user changes their password, instead of just hashing the new password, you can also add the old password to the previousPasswords array.

const newPassword = "newPassword"; // Get the new password from the user

// Hashify and update the current password
user.password = await hashify(newPassword);

// Add the old password to the list of previous passwords
user.previousPasswords.push(oldPassword);

// Save the changes to the database
await user.save();

With this approach, you no longer need to simultaneously search through all stored hashes, as you have the previous passwords directly associated with the user.

Note: Replace hashify and searchPreviousPasswords with your actual functions for hashing and searching previous passwords in your application.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@frodoe7 @castilloedwin @MdialloC19