Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Hashing Passwords Stored in Couchbase Server With Node.js

DZone's Guide to

Hashing Passwords Stored in Couchbase Server With Node.js

You should never store plain text passwords in your database. By using the Bcrypt hashing algorithm on your passwords you can add a tremendous amount of security for your users. Read on to learn more.

· Database Zone
Free Resource

Traditional relational databases weren’t designed for today’s customers. Learn about the world’s first NoSQL Engagement Database purpose-built for the new era of customer experience.

WAll passwords should be hashed before entering a database because you have to consider the scenario where some malicious user attempts to gain entry into your data. Passwords are sensitive pieces of information that you don't want people to see.

Now, let's not confuse encryption with hashing. Encrypting something assumes it can later be decrypted. Although this is better than leaving as plain text, what we really want is something that cannot be decrypted. This is what hashing offers us.

Hashing With Bcrypt

For this example, we're going to use the more popular bcryptjs library for Node.js. However, it follows the same rules as other standard Bcrypt libraries. You pass in a string to be hashed and usually a salt as well.

For the example of bcryptjs you would do something like this, per the documentation:

var bcrypt = require("bcryptjs");
var salt = bcrypt.genSaltSync(10);
var hash = bcrypt.hashSync("my-password", salt);

The hash produced from that would not be human-readable and thus safe to store within a database. But, how do you compare the passwords in the scenario where you need to implement a user login?

Validating Against Saved Passwords

Bcrypt libraries always have a function for comparing a plain text password against a hash. This is how you would validate a password in the scenario of user login.

bcrypt.compareSync("wrong-password", hash);
bcrypt.compareSync("my-password", hash);

The above two lines were pretty much taken from the documentation. In the first line, the comparison will fail and return false back to the user. In this event you know the values are wrong without even knowing what the hashed password really is. In the event of the second line, the passwords match and you'll get a true response back.

A Working Example

Let's make a working example from what we've learned above. Create a new directory somewhere and in it create a new package.json file with the following JSON:

{
    "name": "password-hashing-example",
    "version": "1.0.0",
    "description": "An example of using the Node.js SDK for Couchbase and Bcrypt to hash passwords",
    "author": "Couchbase, Inc.",
    "license": "MIT",
    "dependencies": {
        "bcryptjs": "^2.3.0",
        "couchbase": "^2.0.8",
        "uuid": "^2.0.1"
    }
}

The important parts are the dependencies. We're including bcryptjs for hashing, couchbase for communication to Couchbase via our application, and uuid for generating unique document keys.

Now, we need to create a new file called config.json in our project directory and include the following JSON:

{
    "couchbase": {
        "server": "127.0.0.1:8091",
        "bucket": "restful-sample"
    }
}

You should swap out the server and bucket with whatever you plan to use.

Now for the fun stuff! Create a file called app.js as this is where all our code is going to go. Keep in mind that this is an example, so functionality will be limited. Add the following JavaScript code to the app.js file:

var couchbase = require("couchbase");
var bcrypt = require("bcryptjs");
var uuid = require("uuid");
var config = require("./config");

var bucket = (new couchbase.Cluster(config.couchbase.server)).openBucket(config.couchbase.bucket);

var jsonData = {
    id: uuid.v4(),
    username: "nraboy",
    password: bcrypt.hashSync("my-password", 10)
}

bucket.insert("user::" + jsonData.id, jsonData, function(error, result) {
    bucket.get("user::" + jsonData.id, function(error, result) {
        console.log("Password Match -> " + bcrypt.compareSync("wrong-password", result.value.password));
        console.log("Password Match -> " + bcrypt.compareSync("my-password", result.value.password));
    });
});

We're essentially just creating a JSON document with a hashed password and inserting it into Couchbase Server. After inserting is complete, we get the document and compare passwords.

Conclusion

You should never store plain text passwords in your database. It doesn't matter how secure your database is or what type of database you're using. By using the Bcrypt hashing algorithm on your passwords you can add a tremendous amount of security for your users.

The bcryptjs library for Node.js is just one of many suitable libraries that can accomplish this job.

Learn how the world’s first NoSQL Engagement Database delivers unparalleled performance at any scale for customer experience innovation that never ends.

Topics:
couchbase ,database ,password management

Published at DZone with permission of Nic Raboy, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}