Node.JS / Passport / Sequelize – Login with wrong password

Your link is broken (preferably – do not use link shorteners and paste the whole link in, or even better – inline the relative information in the question).

But I see your problem anyway:

  1. not the cause, but still relevant – you're creating the User variable twice (not sure why you'd need it anyway, since the user is available already – are you trying to alias it or something?)

  2. the actual problem – your isValidPassword function is async, but you're not calling it with await. This results in a Promise<boolean> being returned instead of a plain boolean, and a Promise is always truthy, so this

if (!isValidPassword(user.password, password)) {

will always evaluate to false, meaning the user passes the login.


suggestion: If you're using bCrypt.compareSync, the name itself suggests it is synchronous, meaning you do not need your function to be async. Here's what you need:

-var isValidPassword = async function(userpass, password) {
+var isValidPassword = function(userpass, password) {
    return bCrypt.compareSync(password, userpass);
}

this would fix the problem. But we’re not done yet.

Having used bcrypt myself, I should warn that the synchronous comparison (and hashing) should not be used in the context of a Node.js server, because it can slow your server down and/or block it for other users while some are trying to sign up / log in etc. The synchronous methods occupy the main thread, and until that task is completed your server cannot do anything else. For this reason, the asynchronous methods should be used (and not only with bcrypt, but with most utilities when we're in the environment of a Node.js server).


In general, authentication/authorization is really easy to slip up with (just like in your case), and before you get more familiar with the general concepts of the programming language you're using, apart from other factors as well, I'd recommend avoiding implementing this critical layer yourself (assuming you're shipping your application to production! For learning purposes it's fine :) ).

I'd also recommend finding a more up-to-date tutorial as well.

Best of luck!
