I have been asked to hide the user's email in a database (MEAN stack).
I am a newbie and I had some difficulties managing some packages like maskdata, crypto.js... and at some point I was inspired by a function.
In my code, for the user controllers, I have 2 functions: one for the signup (called signup), and one for the login (called login).
For the signup:
I take the email from the body of the request, req.body.email, and pass it as an argument to a function called obfuscator, the idea being to have a series of numbers and letters instead of the email. Then I save what the function returns for this argument as the value of the user's email in the database.
For the login:
I take the email from the body of the request, check what the obfuscator function returns for this req.body.email, and then search the database for this result as a user's email value.
I see that it is working, so is there something obviously wrong with my code, or is it acceptable?
I guess that this is some really poor protection, but at least the email of the user does not appear in clear text in the database.
Here is my code:
const bcrypt = require('bcrypt');
const jwt = require('jsonwebtoken');
const User = require('../models/User'); // assumed path to the Mongoose User model

function obfuscator(sentence) {
  let mail = ''; // the encoded characters are accumulated in a string
  for (let i = 0; i < sentence.length; i++) {
    // process.env.BASE is a string; toString() coerces it to the numeric radix
    mail += sentence.charCodeAt(i).toString(process.env.BASE);
  }
  return mail;
}

// user signup
exports.signup = (req, res, next) => {
  bcrypt.hash(req.body.password, 10) // hash the password with 10 salt rounds
    .then(hash => {
      const user = new User({
        email: obfuscator(req.body.email), // save an encoded email
        password: hash // and assign the resulting hash as the value of the user object's password property
      });
      console.log(user); // debug output: prints the encoded email and the password hash
      user.save() // and save all of this in the database
        .then(() => res.status(201).json({ message: 'new user created' }))
        .catch(error => res.status(400).json({ error }));
    })
    .catch(error => res.status(500).json({ error }));
};

// user login
exports.login = (req, res, next) => {
  User.findOne({ email: obfuscator(req.body.email) }) // look up the encoded form of the email
    .then(user => { // we are looking for a User model object whose "email" property matches the encoded req.body.email
      if (!user) { // not found? = message: user not found
        return res.status(401).json({ message: 'user not found' });
      }
      // if found, use bcrypt to compare the password from the request with the password of the user found in the database
      bcrypt.compare(req.body.password, user.password)
        .then(valid => {
          if (!valid) { // if the password does not match: 401 with message "incorrect password"
            return res.status(401).json({ message: 'incorrect password' });
          } // and if it is valid...
          res.status(200).json({
            userId: user._id, // the response returns user._id (the id generated by MongoDB)
            token: jwt.sign( // and an authentication token
              { userId: user._id },
              process.env.TOKEN,
              { expiresIn: '24h' } // with an expiry time
            )
          });
        })
        .catch(error => res.status(500).json({ error }));
    })
    .catch(error => res.status(500).json({ error }));
};
I am answering my own question:
The function works. If you need to hide (obfuscate), for example, the emails in the database, it does the job.
Anyway, it would be better to use a proven, efficient package for this job instead of the one mentioned in the question.
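The trade-off raised in the question and answer, as an added example that is not part of the original posts: the obfuscator's output decodes without any secret, while a keyed HMAC from Node's built-in `crypto` module still supports the `findOne` lookup and AES-256-GCM covers the case where the address must be read back. Base 16 for `BASE`, the function names `decodeBase16`, `emailLookupToken`, `encryptEmail` and `decryptEmail`, and the sample values are assumptions made for this example.

```javascript
const crypto = require('crypto');

// The question's obfuscator, with the base as a parameter (the post reads process.env.BASE).
function obfuscator(sentence, base) {
  let mail = '';
  for (let i = 0; i < sentence.length; i++) mail += sentence.charCodeAt(i).toString(base);
  return mail;
}

// With base 16, each printable ASCII character becomes exactly two hex digits,
// so the stored value is plain hex and decodes without any secret.
function decodeBase16(stored) {
  return Buffer.from(stored, 'hex').toString('latin1');
}

// Keyed, deterministic lookup value: same email + same key -> same token, so
// User.findOne({ email: token }) still works, but the token cannot be recomputed
// or checked against guessed addresses without the key.
function emailLookupToken(email, key) {
  const normalized = email.trim().toLowerCase(); // assumption: addresses are matched case-insensitively
  return crypto.createHmac('sha256', key).update(normalized, 'utf8').digest('hex');
}

// Reversible storage for when the application must read the address back
// (for example to send mail): AES-256-GCM with a fresh 12-byte nonce per record.
function encryptEmail(email, key) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(email, 'utf8'), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map(b => b.toString('base64')).join('.');
}

function decryptEmail(stored, key) {
  const [iv, tag, ct] = stored.split('.').map(s => Buffer.from(s, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag); // final() throws if the record was modified
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed sample values; real keys come from a secret store, not from source code.
const sampleEmail = 'alice@example.com';
const indexKey = crypto.randomBytes(32);
const encKey = crypto.randomBytes(32);

console.log('obfuscated  :', obfuscator(sampleEmail, 16));
console.log('decoded back:', decodeBase16(obfuscator(sampleEmail, 16)));
console.log('lookup token:', emailLookupToken(sampleEmail, indexKey));
console.log('encrypted   :', encryptEmail(sampleEmail, encKey));
```

In the controllers from the question, the lookup token would take the place of `obfuscator(req.body.email)` in both `signup` and `login`.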