Thanks for the compliment! Means a lot to me and definitely makes me want to keep creating this stuff (for free of course 💪)

Thank you for your comment! I always worry that I'm getting too detailed but really try to explain the "why" behind things.

@@zachgoll Some people like the demonstrations and other people like to learn exactly what things do - so they can fix them when they go wrong. You can't please all the people - especially on KZbin! Just make the videos as you see fit

Hope you enjoy!

Thank you very much helped me a lot! :)

i got some err. IDE cant resolve variable User in this line. "const User = connection.models.User;" -> Unresolved variable User

Change the name of form fields 'username' to 'uname' and 'password' to 'pw'

@@ShubhamPalriwala thank you

In short, it was mainly to keep things as simple as possible. Most would argue that bcrypt (currently) has a better password hashing algorithm that is more resistant to brute force attacks. That said, NodeJS is a very robust framework and it is definitely in the best interest of the maintainers of the project to keep the Node crypto library secure. For most people watching this video, I don't think the choice will have any profound effects on the outcome of their project.

Why not use passport local mongoose package??

These strategies are used in tons of production apps, so they are pretty secure. That said, there’s a lot more considerations to make on a security front than just the authentication side of things, but likely aren’t going to apply unless you’re working on a mature project that would be a target of hacking

@@zachgoll Thank you for replying. I am going to look into security more at some point to learn about different types of attacks and how to build defenses for them. For now, I wanted to make sure the authentication part is decently secure and my mind is at ease.

yes u can

Did you figure this out? Mine also didn't work and I had to have verifyCalback as a function not a variable

@@jefferiushere2k7 the name field on username and password inputs need to be "pw" and "uname" for those to work.

i fixed it i just had to drop the collection and regenerate it no problem now thank you

Would you mind telling me the time stamp of the video you are asking about? Would love to help but I made this video a while ago and can’t remember

session record gets deleted from db automatically when cookie gets expired

From my understanding, you DO need the exact value of the salt to decrypt. bcrypt stores the salt within the "hash" as opposed to the Node crypto library, which requires them to be passed separately. See this post - stackoverflow.com/a/6832628/7437737 The salt is not meant to be hidden, so it doesn't matter where you store it as long as you can retrieve it when it comes time to decrypt the hash. The reason we have salts in the first place is to prevent a "rainbow table attack", which is basically where an attacker pre-computes the hashes of millions of plaintext passwords and then simply loops through the table to try and brute-force attack a password. If you use a salt, that hacker would need to re-compute that entire table for EACH salt. Computationally, this makes it far too expensive for the hacker to brute force attack a database of passwords.

@@zachgoll Sorry for the late answer Zach. Honesly, in my implementation I did not record salt in db and still I could decrypt it with compareSync. But as I wrote the codes long time ago I need to double check it and back to you. Still thanks for your effort to clear passport mess!

@@zachgoll I thought that salt was meant for the case where a hacker (or even developer) has gotten access to hashed passwords. In case of bcrypt, this hacker will not have access to salt - because its generated, never stored. The salt can be easily removed from de-crypted string - because its of fixed length - you don't need to know it (I think). BUT the hacker will need the salt for "rainbow table attack" - things won't match otherwise - he has to compare the resulting hash. SO after this, even a developer who has access to password hash will not be able to match the hashes to the ones from a "rainbow table" even if the original password matches. Am I right?

While I’m not disagreeing, what is your reasoning for this?

@@zachgoll I think it is way better to use a key stretching algo such as bycrypt. Couldn't explain it better than this post why SHA512 has some flaws compared to bycrypt dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm

PS: loving your introduction to passport videos, keep it up ! :D

@@mateogomez-randulfe7394 nice! Thanks for the resource. I think the consensus among the developer community is definitely bcrypt, but I wanted to show that it was possible (and probably okay for most smaller apps) using Node alone