Nith88 · jeevaniteeshs128-spec · May 12, 2026
diff --git a/Milestone 06/Passwords in Plain Sight/.gitignore b/Milestone 06/Passwords in Plain Sight/.gitignore
@@ -0,0 +1,3 @@
+node_modules/
+.env
+.DS_Store
diff --git a/Milestone 06/Passwords in Plain Sight/backend/controllers/authController.js b/Milestone 06/Passwords in Plain Sight/backend/controllers/authController.js
@@ -34,13 +34,13 @@ export const login = async (req, res) => {
   try {
     const { email, password } = req.body
 
-    const user = await User.findOne({ email })
+    const user = await User.findOne({ email }).select('+password')
     if (!user) {
       return res.status(401).json({ message: 'Invalid credentials' })
     }
 
-    // Direct string comparison — unsafe
-    if (user.password !== password) {
+    const isMatch = await user.matchPassword(password)
+    if (!isMatch) {
       return res.status(401).json({ message: 'Invalid credentials' })
     }
 

diff --git a/Milestone 06/Passwords in Plain Sight/backend/models/User.js b/Milestone 06/Passwords in Plain Sight/backend/models/User.js
@@ -1,4 +1,5 @@
 import mongoose from 'mongoose'
+import bcrypt from 'bcryptjs'
 
 const userSchema = new mongoose.Schema(
   {
@@ -11,10 +12,24 @@ const userSchema = new mongoose.Schema(
     password: {
       type: String,
       required: true,
-      // No minlength, no select: false, no pre-save hook
+      minlength: 8,
+      select: false,
     },
   },
   { timestamps: true }
 )
 
+userSchema.pre('save', async function (next) {
+  if (!this.isModified('password')) {
+    return next()
+  }
+
+  this.password = await bcrypt.hash(this.password, 12)
+  next()
+})
+
+userSchema.methods.matchPassword = async function (enteredPassword) {
+  return bcrypt.compare(enteredPassword, this.password)
+}
+
 export default mongoose.model('User', userSchema)