Hash and salt passwords (#3)

* Store hashed password * Move and rename constant --------- Co-authored-by: Florian Raith <florianraith00@gmail.com>

Hash and salt passwords (#3)
48253258 · Marius Friess · GitHub · e7c0dd50 · 48253258 · 48253258
Unverified Commit 48253258 authored 1 year ago by Marius Friess Committed by GitHub 1 year ago
--- a/database/seeders/DatabaseSeeder.ts
+++ b/database/seeders/DatabaseSeeder.ts
@@ -3,14 +3,18 @@ import { Seeder } from '@mikro-orm/seeder';
 import { User } from '../../src/user/user.entity';
 import { Category } from '../../src/category/category.entity';
 import { Room } from '../../src/room/room.entity';
+import * as bcrypt from 'bcrypt';
+import { UserService } from '../../src/user/user.service';

 export class DatabaseSeeder extends Seeder {
  async run(em: EntityManager): Promise<void> {
+    const password = await bcrypt.hash('12345', UserService.SALT_OR_ROUNDS);
+
    em.create(User, {
      email: 'test@example.com',
      name: 'Test User',
      organization: 'Test Organization',
-      password: '12345',
+      password,
      role: 'admin',
    });


--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -31,6 +31,7 @@
    "@nestjs/passport": "^9.0.3",
    "@nestjs/platform-express": "^9.4.2",
    "@nestjs/swagger": "^6.3.0",
+    "bcrypt": "^5.1.0",
    "class-transformer": "^0.5.1",
    "class-validator": "^0.14.0",
    "cookie-parser": "^1.4.6",
@@ -46,6 +47,7 @@
    "@nestjs/cli": "^9.5.0",
    "@nestjs/schematics": "^9.2.0",
    "@nestjs/testing": "^9.4.2",
+    "@types/bcrypt": "^5.0.0",
    "@types/cookie-parser": "^1.4.3",
    "@types/express": "^4.17.17",
    "@types/jest": "^28.1.8",

--- a/src/auth/auth.service.ts
+++ b/src/auth/auth.service.ts
@@ -6,6 +6,7 @@ import { User } from '../user/user.entity';
 import { Request } from 'express';
 import { REQUEST } from '@nestjs/core';
 import { JwtToken } from './jwt.strategy';
+import * as bcrypt from 'bcrypt';

 @Injectable()
 export class AuthService {
@@ -18,11 +19,10 @@ export class AuthService {
  public async login({ email, password }: LoginUser): Promise<AuthPayload> {
    const user = await this.users.findByEmail(email);

-    // TODO: password hashing and salting
-    if (user?.password !== password) {
+    const isMatch = await bcrypt.compare(password, user.password);
+    if (!isMatch) {
      throw new UnauthorizedException('Invalid credentials');
    }
-
    return this.createToken(user);
  }


--- a/src/user/user.service.ts
+++ b/src/user/user.service.ts
@@ -4,9 +4,12 @@ import { EntityRepository } from '@mikro-orm/mysql';
 import { User } from './user.entity';
 import { InjectRepository } from '@mikro-orm/nestjs';
 import { CreateUser } from '../auth/auth.dto';
+import * as bcrypt from 'bcrypt';

 @Injectable()
 export class UserService {
+  public static readonly SALT_OR_ROUNDS = 9;
+
  constructor(
    private readonly em: EntityManager,
    @InjectRepository(User)
@@ -22,13 +25,13 @@ export class UserService {
  }

  public async create(data: CreateUser): Promise<User> {
-    const user = new User(
-      data.name,
-      data.email,
-      data.organization,
+    const password = await bcrypt.hash(
      data.password,
+      UserService.SALT_OR_ROUNDS,
    );

+    const user = new User(data.name, data.email, data.organization, password);
+
    await this.em.persistAndFlush(user);

    return user;