
No salt value stored in mongodb collection!. #96

Closed
akuznetsov-gridgain opened this issue Aug 26, 2015 · 8 comments

Comments

@akuznetsov-gridgain

After upgrading to 1.0.2 I got:

Connection closed: 401 - Authentication failed: Authentication not possible. No salt value stored in mongodb collection!

Workaround: use 1.0.1

Seems that something was broken between 1.0.1 & 1.0.2.

@GastonFerrari

Similar issue here, salt and hash are actually stored in mongodb but mongoose doesn't fetch the values because they're not in the schema.

@ChrisHubinger
Contributor

I'm working on a fix for that (at the moment writing a test to cover this issue) without selecting those fields by default (= fetch them from MongoDB during authenticate when not available yet).

The cause is that the salt & hash fields are defined with "select: false" and therefore the model fetched by mongoose no longer contains the fields for comparison.

Tricky thing is that the tests do not cover this issue because in the tests the user instance gets created and the authentication is run against the in-memory object (which contains the fields from the setPassword call in setup) and not a clean fetched user instance from MongoDB.

ChrisHubinger added a commit to ChrisHubinger/passport-local-mongoose that referenced this issue Aug 28, 2015
@saintedlama
Owner

Manually reverted the pull request in question. Released 1.2.0

@ChrisHubinger
Contributor

+1
Should I finish my solution with loading the required fields in the authentication method when not available? Could send you the PR in the next few hours if you like...
IMHO not loading the salt & hash is a really important issue, as it is just too easy (and actually lots of n00bs just do it) for people to simply return the loaded model as-is back to the client, e.g. leaking their secrets...

The need to hit the database in "authenticate" is, in relation to the security implications, more than acceptable.

@saintedlama
Owner

👍

saintedlama added a commit that referenced this issue Sep 14, 2015
@BrandonCopley

3.0.0 seems to solve this.

@akuznetsov-gridgain
Author

I think this issue could be closed. Should I close this issue? or @saintedlama should do this?

@saintedlama
Owner

Thanks for reminding me to close the issue 💃
