fix: implement password hashing and verification for user registration

Author: leggetter

examples/demos/dashboard-integration/init-databases.sql

@@ -64,12 +64,16 @@ CREATE TABLE users
   email VARCHAR(255) NOT NULL UNIQUE,
   "emailVerified" TIMESTAMPTZ,
   image TEXT,
+  hashed_password TEXT,
   "createdAt" TIMESTAMPTZ DEFAULT NOW(),
   "updatedAt" TIMESTAMPTZ DEFAULT NOW(),
 
   PRIMARY KEY (id)
 );
 
+-- Create index on email for faster lookups
+CREATE INDEX idx_users_email ON users (email);
+
 -- Connect to outpost database to set up schema permissions
 \c outpost;
 GRANT ALL ON SCHEMA public TO outpost;

examples/demos/dashboard-integration/src/app/api/auth/register/route.ts

@@ -1,4 +1,5 @@
 import { NextRequest, NextResponse } from "next/server";
+import bcrypt from "bcryptjs";
 import { createUser, getUserByEmail } from "../../../../lib/db";
 import { createTenant } from "../../../../lib/outpost";
 import { generateTenantId } from "../../../../lib/utils";
@@ -15,14 +16,18 @@ export async function POST(request: NextRequest) {
     if (existingUser) {
       return NextResponse.json(
         { message: "User already exists" },
-        { status: 400 },
+        { status: 400 }
       );
     }
 
-    // Create user in database
+    // Hash the password before storing
+    const hashedPassword = await bcrypt.hash(validatedData.password, 12);
+
+    // Create user in database with hashed password
     const user = await createUser({
       email: validatedData.email,
       name: validatedData.name,
+      hashedPassword,
     });
 
     // Create tenant in Outpost using the user ID
@@ -41,7 +46,7 @@ export async function POST(request: NextRequest) {
           userId: user.id,
           tenantId,
           email: validatedData.email,
-        },
+        }
       );
     } catch (outpostError) {
       logger.error("Failed to create Outpost tenant during registration", {
@@ -56,7 +61,7 @@ export async function POST(request: NextRequest) {
 
     return NextResponse.json(
       { message: "User created successfully" },
-      { status: 201 },
+      { status: 201 }
     );
   } catch (error: any) {
     logger.error("Registration error", { error, errorMessage: error?.message });
@@ -65,13 +70,13 @@ export async function POST(request: NextRequest) {
       // Validation error
       return NextResponse.json(
         { message: "Validation failed", errors: error.errors },
-        { status: 400 },
+        { status: 400 }
       );
     }
 
     return NextResponse.json(
       { message: "Internal server error" },
-      { status: 500 },
+      { status: 500 }
     );
   }
 }

examples/demos/dashboard-integration/src/lib/auth.ts

@@ -25,12 +25,18 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
           return null;
         }
 
-        // For demo purposes, we'll skip password verification
-        // In a real app, you'd verify the hashed password here
-        // const isPasswordValid = await bcrypt.compare(credentials.password as string, user.hashedPassword)
-        // if (!isPasswordValid) {
-        //   return null
-        // }
+        // Verify the password against the hashed password
+        if (!user.hashedPassword) {
+          return null;
+        }
+
+        const isPasswordValid = await bcrypt.compare(
+          credentials.password as string,
+          user.hashedPassword
+        );
+        if (!isPasswordValid) {
+          return null;
+        }
 
         return {
           id: user.id.toString(),

examples/demos/dashboard-integration/src/lib/db.ts

@@ -14,15 +14,16 @@ export interface User {
   email: string;
   emailVerified?: Date | null;
   image?: string | null;
+  hashedPassword?: string | null;
   createdAt: Date;
   updatedAt: Date;
 }
 
 export async function getUserTenant(userId: string): Promise<User | null> {
   try {
     const result = await pool.query(
-      'SELECT id, name, email, "emailVerified", image, "createdAt", "updatedAt" FROM users WHERE id = $1',
-      [userId],
+      'SELECT id, name, email, "emailVerified", image, hashed_password as "hashedPassword", "createdAt", "updatedAt" FROM users WHERE id = $1',
+      [userId]
     );
     return result.rows[0] || null;
   } catch (error) {
@@ -38,10 +39,10 @@ export async function createUser(userData: {
 }): Promise<User> {
   try {
     const result = await pool.query(
-      `INSERT INTO users (email, name, "createdAt", "updatedAt") 
-       VALUES ($1, $2, NOW(), NOW()) 
-       RETURNING id, name, email, "emailVerified", image, "createdAt", "updatedAt"`,
-      [userData.email, userData.name || null],
+      `INSERT INTO users (email, name, hashed_password, "createdAt", "updatedAt")
+       VALUES ($1, $2, $3, NOW(), NOW())
+       RETURNING id, name, email, "emailVerified", image, hashed_password as "hashedPassword", "createdAt", "updatedAt"`,
+      [userData.email, userData.name || null, userData.hashedPassword || null]
     );
     const newUser = result.rows[0];
     logger.info("User created successfully", {
@@ -58,8 +59,8 @@ export async function createUser(userData: {
 export async function getUserByEmail(email: string): Promise<User | null> {
   try {
     const result = await pool.query(
-      'SELECT id, name, email, "emailVerified", image, "createdAt", "updatedAt" FROM users WHERE email = $1',
-      [email],
+      'SELECT id, name, email, "emailVerified", image, hashed_password as "hashedPassword", "createdAt", "updatedAt" FROM users WHERE email = $1',
+      [email]
     );
     return result.rows[0] || null;
   } catch (error) {