nestjs-blog

nestjs-blog copied to clipboard

Thanks for putting this example together. This line is comparing the password in the database against itself, so it will always assume credentials are valid.

https://github.com/bashleigh/nestjs-blog/blob/fbacc0337ef3ecbd367b36369440929ccf517d31/src/auth/auth.service.ts#L25

  if (!await this.userService.compareHash(auth.password, user.password)) {
      throw new BadRequestException('Invalid credentials');
    }

That would pass in the plain text password as first param, and the hash pulled from the DB as 2nd param.

async compareHash(password: string, hash: string):

Also, you needed an await on that line as well. Without the await the code will overrun your check and return a signed JWT.

I tested in with swagger and the method seems to work fine with those changes.

Actually, the compareHash still should have failed since it would be comparing a hash against a hash (and compareHash expects plain text pass as first param, and hash as second). The reason it was succeeds was due to the missing await.

Honestly I was building this repo for a talk, I done the talk and since I haven't worked on it. I did get to the point where I was integrating authentication and was using another repo https://github.com/bashleigh/areyouinfordinner-api as a base for it but it's a bit out of date.

No idea why I did user.password, user.password was likely just by passing it but yea it could be the fact I forgot the await that this didn't work!

You're free to make a PR if you'd like? Or I'll give it a go but I can't promise when I'll get around to it!