Mongoose passport local: retrieve password


I'm using passport-local-mongoose to store my user data in MongoDB. I need to retrieve the password to send it by email if the user forgot it. It is stored in a salt field. How can I get it out of the salt?

P.S. Can't use bcrypt, because it doesn't work on node > 0.10.x

Best answer:

Any form of converting back the password to its original text is not only unsafe but the whole point of storing the salted hash of it is to make that difficult/impossible in the first place.

Instead what you want to do is to send/email the user a password reset link so that they can re-create the new password themselves.

It basically entails creating a unique token which you email to the user. You also store that token to the user object in order to verify later. Something like this (pseudo-code):

var crypto = require('crypto');
app.post('/reset-password', function(req, res){
    var email = req.body.email; // you had the user enter their email
    User.findOne({ email: email }, function(err, user){
        if (err || !user) return res.sendStatus(200); // same reply either way, so emails can't be enumerated
        user.resetToken = crypto.randomBytes(32).toString('hex'); // unguessable token from the CSPRNG
        user.resetTokenExpires = Date.now() + 3600000; // valid for one hour
        user.save(function(err){ // persist the token so it can be verified later
            if (err) return res.sendStatus(500);
            mail(user.email, 'Please visit http://example.com/reset-password/' + user.resetToken); // mail() is your own mailer
            res.sendStatus(200);
        });
    });
});

So when the user gets the email and visits http://example.com/reset-password/xxxxxxxx you can verify the user with that token and have them create a new password.

app.post('/reset-password/:token', function(req, res){
    var token = req.params.token;
    var password = req.body.password; // you had the user enter a new password
    User.findOne({ resetToken: token, resetTokenExpires: { $gt: Date.now() } }, function(err, user){
        if (err || !user) return res.status(400).send('Invalid or expired token');
        user.setPassword(password, function(err){ // passport-local-mongoose salts and hashes it
            if (err) return res.sendStatus(500);
            user.resetToken = undefined; // single use: clear the token
            user.resetTokenExpires = undefined;
            user.save(function(err){ res.sendStatus(err ? 500 : 200); });
        });
    });
});

And so you now have the user successfully reset their own password.

For more implementation details check out this article: How To Implement Password Reset In Node.js