Nodejs bcrypt library

I use the nodejs bcrypt library for better password protection.

I am not sure I understand exactly how to use it, but I got this so far:

// A module containing this login function. bcrypt is required at the top
// of the module; "client" is the database connection used elsewhere in it.
var bcrypt = require('bcrypt');

module.exports = {
    login: function(credentials, req, res) {
        // "credentials" contains the email and password from the login form
        var query = 'SELECT password, email FROM users WHERE email = ? LIMIT 1';

        client.query(query, [credentials.email], function(err, results) {
            if (results[0]) {
                // Compare the submitted password with the stored bcrypt hash.
                // The stored string already carries the salt and cost factor.
                // (compareSync blocks the event loop; bcrypt.compare is the
                // non-blocking equivalent.)
                if (bcrypt.compareSync(credentials.password, results[0].password)) {
                    // Set session data and redirect to restricted area
                }
            }
        });
    }
};

I removed all the error handling here in the example so that it's easier to read the code.

1. This works and I am able to log in and set the session. But is this all there is to it? Am I missing something?

2. Looks like the salt is prepended to the password when generating the hash. Don't I have to save the salt in the DB?

Any help appreciated.

Answers

Yes, this is all there is to it! The salt you generate when encrypting the password originally is used to prevent against rainbow table attacks; you do not need to persist it.

Posted on by Michelle Tilley
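To make the answer's point concrete, here is an added example that is not part of the question or the answer above and is not code from the bcrypt library: a small parser for the string that `bcrypt.hashSync(password, cost)` stores, showing that the version, cost factor and 22-character salt sit inside that one string, which is why `compareSync` can verify a password with nothing but the stored hash. It goes slightly beyond the page by adding a cost-policy check (`needsRehash`), which is a useful thing to run after a successful login so that old hashes get upgraded. The sample hash string, `MIN_COST`, and the function names are all constructed for this example.

```javascript
// Added example (not from the original question, the answer, or the bcrypt
// library): parse a stored bcrypt string to show the salt travels inside it.

// bcrypt "modular crypt" layout, 60 characters in total:
//   $<version>$<cost>$<22-char salt><31-char digest>
// version is 2a, 2b or 2y; cost is the two-digit log2 work factor.
// Salt and digest use bcrypt's own base64 alphabet: ./A-Za-z0-9
var BCRYPT_RE = /^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;

function parseBcryptHash(stored) {
  var m = BCRYPT_RE.exec(stored);
  if (!m) {
    return null; // not a bcrypt string: corrupted row or a different scheme
  }
  return {
    version: m[1],
    cost: parseInt(m[2], 10),
    salt: m[3],   // embedded salt: this is why no separate salt column is needed
    digest: m[4]
  };
}

// Assumed policy value for this example: the minimum acceptable cost factor.
var MIN_COST = 10;

// Check to run after a successful compare: if the stored hash was made with a
// cost below the current minimum (or cannot be parsed at all), the caller
// should rehash the already-verified plaintext and overwrite the row.
function needsRehash(stored, minCost) {
  var floor = (minCost === undefined) ? MIN_COST : minCost;
  var parsed = parseBcryptHash(stored);
  if (!parsed) {
    return true;
  }
  return parsed.cost < floor;
}

// Constructed sample: a hash-shaped string, not the hash of any real password.
var SAMPLE_HASH = '$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234';

// Stand-alone usage
var parsed = parseBcryptHash(SAMPLE_HASH);
console.log('version', parsed.version, 'cost', parsed.cost, 'salt', parsed.salt);
console.log('needs rehash at cost 12?', needsRehash(SAMPLE_HASH, 12));
```

In a real login handler the parser is not needed for verification itself: `bcrypt.compareSync(plaintext, stored)` reads the cost and salt out of `stored`, recomputes the digest and compares it. The parser is only there to make visible what the library does for you, and to support the cost check, which is the one piece of extra logic worth adding to the asker's flow.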