0

When i renew password I cant login back. giving response password is not match error but if I dont renew my password I can login.

Step 1 (Register)

  Customer.findOne({$or:[{email:user.email},{username:user.username}]},function(err,data){
    if(!data){
      var tokencreator = generateUUID();
      var customer = new Customer({
        userid:uuidv4(),
        username:req.body.username,
        email:req.body.email,
        password:hashpass(req.body.password),
        token:tokencreator,
        registerdate:new Date(),
        lastlogin:new Date()
      })
   customer.save()

Database You can see work register.

enter image description here

Step 2 (Renew Password)

app.post('/passnewer', function(req,res){
  console.log(req.body)
  Customer.findOne({passtoken:req.body.token},function(err,data){
    if(data){
      if(req.body.password != data.username){
        if(req.body.password = comparepass(req.body.password,data.password)){
          res.send({"Success":"Your New Password Cannot Be The Same As Your Old Password!","redirect":"false"});
        }
        else{
          Customer.findOne({passtoken:req.body.token},function(err,data){
          data.password = hashpass(req.body.password);
          data.save();
          });
          res.send({"Success":"Password Renewal Successful You Are Redirected!","redirect":"true"});
        }
      }
      else{
        res.send({"Success":"Your password cannot be the as your username!","redirect":"false"});
      }
    }
    else{
      res.send({"Denied":"İnvalid token!"});
    }
  })
})

Response You can see database password changed.

enter image description here

Database

enter image description here

Step 3 (Login Account) when I try to log in, it gives error.

app.post('/userlogin', function(req,res){
  Customer.findOne({email:req.body.email},function(err,data){
        if(data){
      if(data.password = comparepass(req.body.password,data.password)){
        if(data.status != "Active"){
          res.send({"Success":"Email verification need!"})
        }
        else{
          req.session.isLoggedIn = true;
          req.session.userID = data.userid;
          Customer.findOne({userid:req.session.userID},function(err,data){
          data.lastlogin = new Date();
          data.save()
          });
          res.send({"Success":"Login Success","redirect":"true"});
        }
            }else{
        res.send({"Success":"Password error!"});
            }
      }else{
        res.send({"Success":"E-Mail error!"});
        }
    });
})

Response

enter image description here

Schema My schema

var mongoose = require("mongoose")
var Schema = mongoose.Schema;

var customerSchema = new Schema({
    userid:String,
    username:String,
    email:String,
    password:String,
    address:String,
    registerdate:String,
    tickets:Array,
    token:String,
    passtoken:String,
    status: {
        type: String, 
        enum: ['Pending', 'Active'],
        default: 'Pending'
      },
      lastlogin:{
        type: String, 
        default: 'TBD'
      },
})

var Customer = mongoose.model('Customer',customerSchema)

module.exports = Customer

hash and compare functions Bcrypt functions

function hashpass(passnohash){
  return bcrypt.hashSync(`${hashprefix}${passnohash}`, saltRounds)
}

function comparepass(passnohash, passhash){
  return bcrypt.compareSync(`${hashprefix}${passnohash}`, passhash)
}
Improve this question

2 Answers 2

Reset to default
1

I would console.log the new password hash getting saved to the database and then console.log the hash when you try to log back in (in step 3). See whether they're the same or not.

Then have a look at these lines in particular:

  1. In POST /userlogin request handler:

    if(data.password = comparepass(req.body.password,data.password)){

  2. In POST /passnewer request handler:

    if(req.body.password = comparepass(req.body.password,data.password)){

Both of the above lines make assignments (not comparisons). So it seems like you overwrite the password with the return value of comparepass (comparepass seems to return a boolean).

This may be a potential bug (if I'm reading things correctly), since req.body.password seems to get overwritten with true/false, meaning you save the hash of true/false (and not the hash of the user's new password) when you call data.save().

(If comparepassword returns a boolean, you can use its return value directly within the if statement. No need to compare it to data.password or req.body.password.)

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

In route POST /passnewer' you overwrite req.body.passwordbyif(req.body.password = comparepass(req.body.password,data.password))`

Now your new password will become true (or false), then you hash and save this password to your record in the database.

if(comparepass(req.body.password,data.password))

That enough, why you always assign a variable in if condition?

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.