DEV Community

Cover image for Hide password in MongoDb
Abayomi Ogunnusi
Abayomi Ogunnusi

Posted on

Hide password in MongoDb

As developers, there are times or reasons why we don't want our passwords to be accessible by default when creating our APIs. Here are some ways we can hide our passwords.

hide


🎯 Prerequisite

NodeJs + Express Knowledge
MongoDb + Mongoose [Basic CRUD functionality knowledge]


In this post, I am using mongoose. Mongoose provides a straight-forward, schema-based solution to model your application data. It includes built-in type casting, validation, query building, business logic hooks and more, out of the box Read more here. Basically, mongoose is an ODM [Object Data Modelling] library that helps to write simple queries other than the native/raw MongoDb queries.

Method 1

Image description
Here we are using the mongoose to find all users and removing all passwords using the select. The - sign basically negates the function. It means ignore the password from the objects being fetched.


Method 2

Image description
Here we de-structured response object coming from our database using javascript spread operator and ignored the password.


Method 3

Image description
This method 3 is an alternative way of writing Method 1 using the select query method.


Conclusion

I hope this post was helpful. Thanks for reading.

Resources

Mongoose Documentation

Javascript Spread syntax - MDN

Mongoose-npmjs

Discussion (3)

Collapse
moopet profile image
Ben Sinclair

Could you explain what's happening in any of these screenshots? I've only limited exposure to MongoDB so I don't know if you're doing something it supports out-the-box or something else.

How is the password stored? Is it hashed or encrypted in some way? The usual way of checking a user's password is to apply the same hashing algorithm to the entered string and compare the result rather than to compare the literal password, because that requires you to store it in some what that's reversible.

If you're talking about APIs, then access tokens would be more practical, wouldn't they?

As an aside, if you include your code as Markdown code snippets (with the three backticks) then they'll be accessible to users who use screen readers or who want to zoom or change the contrast of their text.

Collapse
nstvnsn profile image
Nathan Stevenson • Edited on

How is the password stored? Is it hashed or encrypted in some way? The usual way of checking a user's password is to apply the same hashing algorithm to the entered string and compare the result rather than to compare the literal password, because that requires you to store it in some what that's reversible.

While true, you would still need to access the hashed password to compare against, right? So, while you may need that field for authentication, you wouldn't want that field to be returned when returning a list of Users (i.e. searching for other Users to follow/add/etc.)

I'm making an assumption, but I think thats what the author meant.

If you're talking about APIs, then access tokens would be more practical, wouldn't they?

I'm still learning, so correct me if I'm wrong. Outside of using your Google or other account to sign in to an app with the token you get from that service, a user would need to use a password to create an account and authenticate with when signing in. Either way, there would need to be a list of hashed passwords to authenticate against.

Mind you, I'd probably keep them in a table separate from Users with just 3 columns: id (PK), user_id (FK), and password_hash. Then there's no need to strip anything from a query for Users because the passwords are stored separately.

Collapse
drsimplegraffiti profile image
Abayomi Ogunnusi Author

@moopet Thanks for your contribution. I will revamp this post. By the way I made a snapshot from my code base. I would leave resources to get you started with mongodb in the resource section. Thanks