0

I am new to ExpressJS. I have made an API which inserts a user's email and encrypted password into MongoDB. Now I want to decrypt the password which is stored in MongoDB and compare it with the password the user has entered. I have no idea how to do that, so any help would be appreciated. Here is my code:

const express = require("express");
const router = express.Router();
var CryptoJS = require("crypto-js");

// Importing Model
const User = require('../models/model.js');


// Find User
router.post('/find', (req, res) => {    // This is the method which checks the DB for user's email and password
    // req.body.password is plaintext, but the stored field holds ciphertext,
    // so this query compares two different representations of the password
    User.find({ email: req.body.email, password: req.body.password })
        .then((users) => {
            if (users.length != 0) {
                res.json({ result: true });
            }
            else {
                res.json({ result: false });
            }
        })
        .catch((err) => res.status(500).json({ error: err.message }));
});


//  Add User
router.post('/', (req, res) => {
    var ciphertext = CryptoJS.AES.encrypt(req.body.password, 'secret key 123').toString();   // Encryption
    const newUser = new User({
        email: req.body.email,
        password: ciphertext,
    });

    newUser.save()
        .then((user) => res.json(user))
        .catch((err) => res.status(500).json({ error: err.message }));
});


//  Exporting Router
module.exports = router;

This is the method provided by crypto-js for decryption:

var bytes  = CryptoJS.AES.decrypt(ciphertext, 'secret key 123');
var originalText = bytes.toString(CryptoJS.enc.Utf8);

I need to decrypt using this code in my POST (Find User) Route.

Niko Bellic
  • 59
  • 2
  • 9

2 Answers

0

First things first, your find-user route should be GET and not POST; POST is used to send data to a server to create/update a resource.

A quick overview of HTTP methods is here.

To decrypt your data, crypto-js provides a decrypt method. So check this code out:

const CryptoJS = require("crypto-js");

// Encrypt
const password = "This is my password"

var ciphertext = CryptoJS.AES.encrypt(password, 'secret key 123').toString();

// Decrypt
var bytes = CryptoJS.AES.decrypt(ciphertext, 'secret key 123');
var originalText = bytes.toString(CryptoJS.enc.Utf8);

console.log(password === originalText) // returns true
Terminat
  • 1,199
  • 5
  • 21
0

Hi, usually we don't want to be able to decrypt a user's password, but compare a hashed version with the given password that we hashed as well. This is because encryption is less secure than hashing in the event of a data breach.

I use bcrypt to hash my passwords and check it against another password.

const bcrypt = require('bcrypt')

// inside an async route handler, after looking the user up by email
const validPassword = await bcrypt.compare(
  req.body.password, // the plain text password that we get from the client
  user.password,     // the hashed password from our database
)

if (!validPassword)  // return to the user that the password is invalid
  return res
    .status(400)     // Bad Request
    .send('Invalid email or password')

To create the users hashed password:

// generate a salt that will be added to the password
const salt = await bcrypt.genSalt()
const hash = await bcrypt.hash(
  req.body.password, // the plain text password we got from the user
  salt
)

// now we can save 'hash' (the hashed password) to our database with the user's information

Read more on the difference between hashing and encryption.

TessavWalstijn
  • 1,698
  • 1
  • 19
  • 36