Question

我正在尝试使用节点js创建身份验证，我注意到如果我控制日志req.body它会在提交后显示密码。有什么方法可以防止这种情况？或者我可能做错了什么？这里是一个我的代码示例：

router.post('/register', function(req, res) {
var salt = bcrypt.genSaltSync(10);
var hash = bcrypt.hashSync(req.body.password, salt);
console.log(req.body)
var user = new models.User({
username:  req.body.username,
email:      req.body.email,
password:   hash,
password2: req.body.password2
});
req.checkBody('email', 'Email is required').notEmpty();
req.checkBody('email', 'Email is not valid').isEmail();
req.checkBody('username', 'Username is required').notEmpty();
req.checkBody('password', 'Password is required').notEmpty();
req.checkBody('password2','not match').equals(req.body.password);
user.save(function(err,user) {
...

Answer 1

解决方案不是在您的模型或数据库中存储纯文本密码。的自从

Answer 2

您不需要创建新的哈希变量。

如果需要使用bcrypt.hashSync，则可以对密码进行哈希处理，因此可以尝试以下一种方法：

router.post('/register', function(req, res) {
  var salt = bcrypt.genSaltSync(10);
  // --------
  req.body.password = bcrypt.hashSync(req.body.password, salt);
  // --------
  console.log(req.body);
  var user = new models.User({
    username:  req.body.username,
    email:      req.body.email,
    password:   req.body.password,
    password2: req.body.password2
  }); 
  req.checkBody('email', 'Email is required').notEmpty();
  req.checkBody('email', 'Email is not valid').isEmail();
  req.checkBody('username', 'Username is required').notEmpty();
  req.checkBody('password', 'Password is required').notEmpty();
  req.checkBody('password2','not match').equals(req.body.password);
  user.save(function(err,user) {
    ...

node js安全问题

2 个答案: