I have made a setup to update a user's password using NodeJS/Passport. I followed this great guide: http://sahatyalkabov.com/how-to-implement-password-reset-in-nodejs/.
I didn't (or haven't) find any problem with your code, but I have a suggestion to trace the bug.
This block of code is risky. You may accidentally update the password field and trigger the rehash password process.
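    UserSchema.pre('save', function(next) {
      var user = this;
      var SALT_FACTOR = 12; // 12 or more for better security

      // Skip hashing unless the password field was changed on this save
      if (!user.isModified('password')) return next();

      // Debug only: prints the password value about to be hashed.
      console.log(user.password) // Check for accidental password update

      bcrypt.genSalt(SALT_FACTOR, function(err, salt) {
        if (err) return next(err);

        // Third argument is the progress callback (unused here)
        bcrypt.hash(user.password, salt, null, function(err, hash) {
          if (err) return next(err);
          user.password = hash; // store the hash in place of the submitted value
          next();
        });
      });
    });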
Put a console.log right after the if (!user.isModified('password')) to check for an unexpected password update. Now retry the forgot-password flow and see if there is any bug in there.
*TL;DR: Separate update password into a new method instead of putting it in the pre-save, since you may accidentally update a new password along with other fields.
*Update: Thanks #imns for suggesting a better SALT_FACTOR number.
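
The accidental rehash this answer warns about, next to the separate-method approach from its TL;DR, as an added example that is not part of the original answer. `HookUser` and `SafeUser` are hypothetical stand-ins for a Mongoose model, scrypt from Node's `crypto` stands in for bcrypt so the block runs without dependencies, and the form body is constructed.

```javascript
const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

// scrypt stands in for bcrypt here (assumption, to avoid external dependencies).
function hashPassword(plain) {
  const salt = randomBytes(16);
  return salt.toString('hex') + ':' + scryptSync(plain, salt, 32).toString('hex');
}

function verifyPassword(plain, stored) {
  const [salt, key] = stored.split(':').map((h) => Buffer.from(h, 'hex'));
  return timingSafeEqual(scryptSync(plain, salt, key.length), key);
}

// Hypothetical model mirroring the pre-save hook: any change to `password`
// is hashed on save, no matter which code path made the change.
class HookUser {
  constructor() { this.fields = {}; this.modified = new Set(); }
  set(name, value) {
    if (this.fields[name] !== value) this.modified.add(name);
    this.fields[name] = value;
  }
  setPassword(plain) { this.set('password', plain); }
  save() {
    if (this.modified.has('password')) this.fields.password = hashPassword(this.fields.password);
    this.modified.clear();
  }
}

// Hypothetical model with a dedicated method: generic field updates cannot
// reach the stored hash, only setPassword() can.
class SafeUser {
  constructor() { this.fields = {}; }
  set(name, value) { if (name !== 'password') this.fields[name] = value; }
  setPassword(plain) { this.fields.password = hashPassword(plain); }
  save() {}
}

// Profile update that copies every submitted field. The body is constructed:
// it carries a `password` key the user never meant to change.
function loginSurvivesProfileUpdate(user) {
  user.setPassword('correct horse');
  user.save();
  const body = { email: 'new@example.test', password: 'autofilled-value' };
  for (const [k, v] of Object.entries(body)) user.set(k, v);
  user.save();
  return verifyPassword('correct horse', user.fields.password);
}

console.log('hook model keeps login:', loginSurvivesProfileUpdate(new HookUser()));
console.log('dedicated method keeps login:', loginSurvivesProfileUpdate(new SafeUser()));
```

With the hook model the stray `password` key silently replaces the stored hash, so the original password stops verifying; with the dedicated method the same update leaves it intact.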