- 08 Dec, 2025 *
A simple documentation on hashing a password before saving it into the db
- A user schema model has been defined using mongoose; it looks something like this:
```js
const mongoose = require("mongoose");

const userSchema = new mongoose.Schema({
  email: {
    type: String,
    required: true,
    unique: true,
    minlength: 4,
    lowercase: true,
  },
  username: {
    type: String,
    required: true,
    unique: true,
    minlength: 4,
    trim: true,
  },
  password: {
    type: String,
    required: true,
    minlength: 6,
  },
  createdAt: {
    type: Date,
    default: Date.now,
  },
  role: {
    default: "student",
    enum: ["student", "admin"],
    type: String,
  },
  premiumCourses: {
    type: [String],
    default: [],
  },
});
```
It is a no-brainer not to save the plain password in the database, so we have to hash the password before it gets recorded into the db storage.
So I'll be using the bcrypt hashing algorithm to hash the password.
To install "bcrypt" in a nodejs environment, we have to run:
```sh
npm install bcrypt
```
The goal is to hash the password before it enters the database, so we will be using the pre-save hook to do just that:
```js
const bcrypt = require("bcrypt");

userSchema.pre("save", async function (next) {
  // Only hash when the password field changed; otherwise we would hash an existing hash.
  if (!this.isModified("password")) {
    return next();
  }
  try {
    const salt = await bcrypt.genSalt(10); // cost factor 10 => 2^10 rounds
    this.password = await bcrypt.hash(this.password, salt);
    next();
  } catch (error) {
    next(error);
  }
});

// The model name must be a string; the schema is registered as "User".
module.exports = mongoose.model("User", userSchema);
```
In the second line of the hook above, the `this` keyword refers to the user document being saved, in particular its password field. As the document is being saved, the hook checks whether the password has been modified; if it has not, there is no need to rehash an already hashed password, so it passes control to the next middleware by calling `next()`.
If the password has been modified, a 'salt' (a string of random characters) is generated according to our chosen cost factor.
With bcrypt, a cost factor typically ranges from 4 to 16. It controls the number of computational rounds used when hashing the password, calculated as 2 raised to the power of n, so a cost factor of 10 means the password gets hashed and rehashed 1024 times. A higher cost factor gives better security but slower hashing.
The target password then gets hashed using three elements: the hash function (sha256), a cryptographic hash function used to generate fixed-size hash values; the salt, a series of random characters; and the cost factor, the number of computational rounds.