Creating Accounts - april1703/SpotiReels GitHub Wiki
To track their music, a user needs an account. This covers a username and password, proper password-protection methods for access control (i.e. salt, pepper, and hashing), and registration and login functionality. The user database was created in MySQL and has been containerized with Docker Compose. The login and registration functionality lives in the backend "server.js" file as POST handlers for "/login" and "/register".
SQL Database
This is a SQL database that has been containerized with Docker; the app will not run unless this container is healthy. Instructions on how to start the database can be found in the "Docker" tab of this wiki. The "User" SQL table has 3 columns:
username = VARCHAR(256): the user's username in plaintext
password = CHAR(32): the BCrypt hash of the user's password
salt = CHAR(12): a unique 12-character string prepended to the password before hashing
Registration
This function takes a JSON body with two fields, "usernameInput" and "passwordInput", in that order. It first runs a regex check on the input to guard against SQL injection. It then queries the SQL user database for the specified username to check whether the user already exists; if so, the function returns a status of <>. If not, it generates a random 12-character salt and hashes the password with BCrypt: the generated salt, the submitted password, and the server's secret pepper are concatenated, and the result is passed to BCrypt.hash. A second SQL request then stores the username, hash, and salt. If the database reports success, the function returns a status of 200; on error or failure, the appropriate HTTP status is returned.
Login
This function takes a JSON body with two fields, "usernameInput" and "passwordInput", in that order. It first runs a regex check on the input to guard against SQL injection. It then queries the SQL user database for the specified username, which returns the stored salt and BCrypt hash. To verify the password, the submitted password is combined with the salt from the database and the server's secret pepper, and the result is passed to the BCrypt compare function together with the stored hash. On success a 200 status is returned; on error or failure, the appropriate HTTP status is returned.