Learning JWT Part 5 - Mongoose Hook & hash password

Learning JWT Part 5 - Mongoose Hook & hash password === ![](https://i.imgur.com/qFSfCl5.png) --- ###### tags: `JWT` ## Middleware > Reference: [Mongoose-middleware](https://mongoosejs.com/docs/middleware.html#middleware) Middleware are functions which are passed control during execution of asynchronous functions. ### Pre Functions are executed one after another, when each middleware calls `next()`. In our case, we can use **pre** and **post** which stand for "User is about to be created and saved" and "User is created and saved in DB", then we can implement more actions when we fire **pre** middleware or **post** middleware, i.e. to hash our password. ```javascript= // User.js // Fire function "before" doc saved in db // this refers to the user instance userSchema.pre('save', function(next){ console.log('User is about to be created and saved', this); next(); }) // Fire function "after" doc saved in db userSchema.post('save', function(doc, next){ console.log('User is created and saved', doc); next(); }) ``` Then open postman and try to add a new user. ![](https://i.imgur.com/tDcjq4l.png) In terminal you will see info as below. ![](https://i.imgur.com/q6IZPKe.png) Notice that when **pre** middleware is fired, there's no **__v:0**, what is this stands for? This refers to **versionKey**, you can find more info in [mongoose-versionKey](https://mongoosejs.com/docs/guide.html#versionKey). The versionKey is **a property set on each document** when **first created** by Mongoose. This keys value contains the internal revision of the document. ## 4 Types of moongoose middleware 1. Document middleware 2. Model middleware 3. Aggregate middleware 4. Query middleware. We have seen **pre** and **post**, but what is **save**? **Save** is one of the document functions that supported by **document middleware**. You can check more info in [mongoose-types of middleware](https://mongoosejs.com/docs/middleware.html#types-of-middleware). --- ## Hashing password Why do we need to hash password in database? Is it already safe in a database? Not really, it's quite often and common to hear database has been hacked, therefore, everything in a database has to be encrypted, especially password. We already know that we can implement more actions when fires **pre** middleware, because when it fires, user info is not yet store in db. General speaking, it's not enough to just hash password, because hacker can reverse engineer simple hash password, therefore we can generate a salt attach to the password before it's hased. ![](https://i.imgur.com/nguQe1O.png) >[What-are-salted-passwords-and-password-hashing](https://www.okta.com/blog/2019/03/what-are-salted-passwords-and-password-hashing/) Let's open terminal and install the following library. - `npm i bcrypt` ```javascript= // User.js const bcrypt = require("bcrypt"); userSchema.pre('save', async function(next) { const salt = await bcrypt.getSalt(); console.log(salt) this.password = await bcrypt.hash(this.password, salt); console.log('User with hased password', this); next(); }) ``` Open postman and try to signup a new user, we can see the password has been hashed. ![](https://i.imgur.com/N2DwZYR.png) We can see that the **salt** has attached to hashed password. ![](https://i.imgur.com/aRfdhFn.png) Now, let's check db, passwords are being hashed. ![](https://i.imgur.com/lvBN8Kv.png)