Password Handling

I have a simple site with an input for a password and then on submit, it goes to this:
    import { NextResponse } from "next/server";

    export async function POST(request: Request) {
      const { password } = await request.json();

      // Replace with your secure password check.
      if (password === process.env.PASSWORD) {
        const response = NextResponse.json({ success: true });

        // Set a cookie called "authenticated". In production, you may
        // want to sign or encrypt cookies.
        response.cookies.set("authenticated", "true", {
          httpOnly: true,
          path: "/",
          maxAge: 5 * 60 * 24, // 24 hours
        });

        return response;
      }

      return NextResponse.json({ success: false }, { status: 401 });
    }
o3 wrote some comments here and suggested a "secure password check" as well as signing or encrypting cookies. What I want to understand is, why would I need to do a "secure password check" if my password is stored in a .env that is only on my server? Also, do I really need to sign or encrypt my cookies? What are some things that could go wrong if I don't?

I just opened dev tools and manually set it, and that bypasses the password lol. I'll have to look into how to do this after all lol.

For the secure password check, I'm assuming it's just hashing the password and then checking the input password's hash against it, is that good enough? I've never done something like this before, so I'm unsure what "best practices" would be for this.
Juke (OP), 6d ago
I just realized 5 * 60 * 25 isn't 24 hours, it's 5 hours. I'll fix that typo soon, oops.

After reading a few articles and watching a video, I ended up using bcrypt to hash the password and jose to use JWT to encrypt my cookie.
