I'm reading the source code of meanjs and my question is about the hashPassword method, with the code:
UserSchema.methods.hashPassword = function(password) {
    if (this.salt && password) {
        // derive a 64-byte key from the password and the per-user salt
        return crypto.pbkdf2Sync(password, this.salt, 10000, 64).toString('base64');
    } else {
        // no salt or no password: the value comes back unchanged
        return password;
    }
};
Here I can't understand why it returns password in case this.salt && password is false. As I understand it, that is a problem and perhaps it should stop saving the user, right?
I had some issues with this method and changed it to this:
if (this.password && this.password.length > 6) {
    // only hash when no salt exists yet, i.e. on the first save
    if (!this.salt || this.salt.length === 0) {
        this.salt = crypto.randomBytes(16).toString('base64');
        this.password = this.hashPassword(this.password);
    }
}
The bug is that if you ever try to save the user again after the initial save, you will not be able to log in with that user's details. What would happen is that it would use the salt to encrypt the already encrypted password, which in my opinion is wrong.
So there are two options to handle that issue: one is that you always set the user password to an empty string before you call save, or you do what I did, or something along those lines.