
Password hashing with bcrypt

Guys, I'm trying to make a password hash with bcrypt, but the user's real password is sent to PostgreSQL. What can I do to fix it? Did I write it wrong?

import { Model, Sequelize } from 'sequelize';

const bcrypt = require('bcrypt');

class User extends Model {
  static init(sequelize) {
    super.init(
      {
        name: Sequelize.STRING,
        email: Sequelize.STRING,
        password: Sequelize.VIRTUAL,
        password_hash: Sequelize.STRING,
        provider: Sequelize.BOOLEAN,
      },
      {
        sequelize,
      }
    );

    this.addHook('beforeSave', async (user) => {
      if (user.password) {
        user.password_hash = await bcrypt.hash(user.password, 8);
      }
      return this;
    });
  }
}

export default User;

Based on your comment,

I think you didn't understand how bcrypt works.

To register a user you do

await bcrypt.hash(user.password, 8)

This will generate you the hashed version of the user's password.

Now save that in the database (call it whatever you want, password/hashed_password).

You only need the hashed version in the database. bcrypt knows how to verify whether or not a raw string is equal to a hashed string.

Therefore when you do your login code you'll need to call

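// Callback form of compare: no await needed when a callback is passed.
bcrypt.compare(req.body.password, db.password, (err, same) => {
  // Return here so a second response is not sent after the 500.
  if (err) return res.sendStatus(500)

  if (same) {
    res.send("LOGIN SUCCESSFUL!")
  } else {
    res.send("WRONG USERNAME/PASSWORD!")
  }
})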

I just wrote this from the top of my head but it should work.
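
The register-then-login flow described in the answer above, as an added example that is not part of the original post. The helpers `loadHasher`, `register`, `login` and `demo`, the in-memory `Map` store and the 200/401 status values are hypothetical; when the `bcrypt` package is not installed, a scrypt stand-in with the same `hash`/`compare` interface is used so the flow still runs.

```javascript
// Added example, not the poster's code; all helper names are hypothetical.
// Uses the real bcrypt if installed, else a labelled stand-in (same interface).
async function loadHasher() {
  try {
    const m = await import('bcrypt');
    return m.default ?? m;
  } catch {
    const { scryptSync, randomBytes, timingSafeEqual } = await import('node:crypto');
    return {
      // STAND-IN ONLY: scrypt, not bcrypt; the rounds argument is ignored.
      hash: async (pw, _rounds) => {
        const salt = randomBytes(16);
        return salt.toString('hex') + ':' + scryptSync(pw, salt, 32).toString('hex');
      },
      compare: async (pw, stored) => {
        const [salt, key] = stored.split(':').map((h) => Buffer.from(h, 'hex'));
        return timingSafeEqual(scryptSync(pw, salt, 32), key);
      },
    };
  }
}

// Mirrors the model: `password` is virtual, only `password_hash` is persisted.
async function register(db, hasher, { name, email, password }) {
  const row = { name, email, password_hash: await hasher.hash(password, 8) };
  db.set(email, row); // the plaintext never reaches the store
  return row;
}

// Promise form of compare; unknown user and wrong password get the same reply.
async function login(db, hasher, email, password) {
  const user = db.get(email);
  const same = user ? await hasher.compare(password, user.password_hash) : false;
  return same ? { status: 200, body: 'LOGIN SUCCESSFUL!' }
              : { status: 401, body: 'WRONG USERNAME/PASSWORD!' };
}

// Constructed sample data, run end to end.
async function demo() {
  const db = new Map();
  const hasher = await loadHasher();
  const ann = { name: 'Ann', email: 'ann@example.test', password: 'correct horse' };
  const row = await register(db, hasher, ann);
  return {
    storedKeys: Object.keys(row).join(','),
    leaksPlaintext: JSON.stringify(row).includes(ann.password),
    good: (await login(db, hasher, ann.email, ann.password)).status,
    bad: (await login(db, hasher, ann.email, 'wrong guess')).status,
    unknown: (await login(db, hasher, 'nobody@example.test', 'x')).status,
  };
}
```

Calling `demo()` resolves to an object showing which columns were stored and the status returned for a correct password, a wrong password and an unknown user.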
