DevTinder Project - Password Encryption and Authentication

Code Demonstration Link

• DevTinder Backend Repository

Overview

This document outlines the key learnings and best practices for encrypting passwords and managing authentication in the DevTinder app. The process involves validating user input, securely storing passwords, and verifying credentials during login.

1. Signup Data Validation

Step 1: Validate User Input

Before processing any user-provided data, it is essential to validate it to maintain security and data integrity.

1. Helper Functions:

   • Create reusable helper functions to check individual fields (e.g., email, password strength).
   • These functions ensure the input meets the required format or constraints, simplifying validations throughout the app.

2. Validator Library:

   • Use the validator library for comprehensive and pre-built validation functions.
   • Common validations:
     • Check if the email is valid.
     • Ensure the password meets specific security criteria (e.g., length, character requirements).
     • Validate optional fields like profile URLs or phone numbers.

const validator = require("validator")
const validateSignupData = (req) => {
    const { firstName, lastName, emailId, password } = req.body;

    if (!firstName || !lastName) {
        throw new Error("Enter a vaid first or last name")
    } else if (!validator.isEmail(emailId)) {
        throw new Error("Enter a valid Email ID")
    } else if (!validator.isStrongPassword(password)) {
        throw new Error("Enter a strong password")
    }
}
module.exports = {
    validateSignupData
}

2. Password Encryption

Why Encrypt Passwords?

Storing plaintext passwords is highly insecure. Encrypting passwords ensures that even if the database is compromised, sensitive user data remains protected.

Step 2: Hashing Passwords

1. Using bcryptjs:

   • Install the bcryptjs package, which provides robust password hashing functionalities.
   • It is lightweight and specifically designed for Node.js applications.

2. bcrypt.hash:

   • The bcrypt.hash function is used to transform the plaintext password into an irreversible hashed string.
   • Arguments:
     • Plain Password: The raw password entered by the user during signup.
     • Salt Rounds: Determines the complexity of the hashing process. A higher value makes the hash stronger but increases computation time. (Recommended value: 10–12 for general use cases.)

 const passwordHash = await bcrypt.hash(password, 10)

Step 3: Storing Hashed Passwords

• After hashing, store the hashed string in the database instead of the plaintext password.
• The hashed string cannot be reverted to the original password, ensuring it remains secure even if exposed.

3. Login Authentication

Step 4: Verifying Passwords

1. bcrypt.compare:
   • The bcrypt.compare function is used during login to match:
     • The plaintext password provided by the user.
     • The hashed password stored in the database.
   • This ensures the user credentials are validated without ever exposing the original password.

const isValidPassword = await bcrypt.compare(password, user.password)

1. Advantages of Using bcrypt.compare:
   • Secure: Ensures no plaintext password is exposed during the process.
   • Efficient: Designed to handle comparisons quickly without compromising security.

Benefits of Encrypting Passwords

1. Enhanced Security

• Passwords are stored as hashed strings, reducing the risk of sensitive information being exposed in case of a database breach.

2. Compliance

• Password hashing complies with security standards and regulations (e.g., GDPR, HIPAA) that mandate secure handling of user data.

3. Trustworthiness

• Protecting user credentials builds trust and ensures users feel confident in the platform’s security.

Conclusion

By implementing input validation and password encryption, the DevTinder app ensures that sensitive user data is handled securely. Utilizing robust libraries like bcryptjs and validator minimizes risks and aligns with best practices for modern web application security.