MySql, NodeJS, ExpressJS and bcrypt: what is the best way to handle users' login?

My solution works, but I'm not sure this is safe and appropriate. On the front end I have a ReactJS app that sends, with axios, a request containing the login and password. On the back end I have NodeJS + ExpressJS handling the request as follows:

const express = require('express');
const bcrypt = require('bcrypt');
const router = express.Router();
// query(sql, params) is the app's promise-returning wrapper around the MySQL driver (defined elsewhere)

router.post('/', function(req, res, next) {
  // get the records that match the login provided
  // (email is included in the SELECT because it is returned in the success response below)
  const sql = "SELECT name, surname, email, password, blocked FROM users WHERE login=?";
  query(sql, [req.body.login])
  .then((result) => {
    // if there are 1 or more results, compare the passwords with bcrypt
    if (result.length > 0) {
      bcrypt.compare(req.body.password, result[0].password, function(err, success) {
        // a bcrypt failure (e.g. a malformed stored hash) goes to the Express error handler
        if (err) { return next(err); }
        if (success) {
          // if the user is not blocked, send the status 200 with user's data
          result[0].blocked ?
            res.status(401).json({type: 'Warning', message: 'Your account has been blocked. Please contact the admins.'})
            :
            res.status(200).json({name: result[0].name, surname: result[0].surname, email: result[0].email});
        } else {
          // send an error if the password is wrong
          res.status(401).json({type: 'Error', message: 'Please check that your login and password are correct.'});
        }
      });
    } else {
      // send an error if the login was not found
      res.status(401).json({type: 'Error', message: 'Please check that your login and password are correct.'});
    }
  })
  // a database error must not leave the request hanging: hand it to the error handler
  .catch(next);
});

module.exports = router;

Is it enough/safe to query the db for the provided login (it's unique) with if (result.length > 0)?

Is it ok to have the error message contained in the server response like this?

res.status(401).json({type: 'Warning', message: 'Your account has been blocked. Please contact the admins.'})

I have the chance to let the user know if he typed the correct login but the wrong password; should I let him know that? I think it would give malicious users the knowledge that the login actually exists, so for now I just send a generic login/pwd error. Is this ok?

Is it ok to send the user's data from the server to the client if the login was successful?

Is it ok to have the error message contained in the server response like this?

I have the chance to let the user know if he typed the correct login but the wrong password; should I let him know that? I think it would give malicious users the knowledge that the login actually exists, so for now I just send a generic login/pwd error. Is this ok?

Your implementation is good enough. It's also good practice to let users know why they are unable to log in without giving out too much information, EVEN when it's a problem with their supplied credentials (something you are doing already).

Is it enough/safe to query the db for the provided login (it's unique) with if (result.length > 0)?

  • Yes, this is fine too. You may also want to add a LIMIT 1 to your query to give you a little performance boost, since there is no point having your DB scan through all the records when you expect only one result.

It is also good practice to only send the minimum amount of information and request more on demand.

As a general observation of your code, you would benefit from the following:

  • Doing some error checking on your request object before querying the database at all (good practice too), as there is no guarantee that a valid or well-formatted username/password would be sent with the request.

  • Moving the responses into another file to make your code cleaner and more maintainable.
