I absolutely agree. An even better structure wouldn’t have a raw password field on the user object at all.
- 0 Posts
- 3 Comments
Joined 1 year ago
Cake day: October 13th, 2023
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
In addition to the excellent points made by steventhedev and koper:
user.password = await hashPassword(user.password);
Just this one line of code alone is wrong.
- It’s unclear, but quite likely that the type has changed here. Even in a duck typed language this is hard to manage and often leads to bugs.
- Even without a type change, you shouldn’t reuse an object member like this. Dramatically better to have password and hashed_password so that they never get mixed up. If you don’t want the raw password available after this point, zero it out or delete it.
- All of these style considerations apply 4x as strongly when it’s a piece of code that’s important to the security of your service, which obviously hashing passwords is.
Mostly, they don’t