Chapter 22 - Possible security flaw

I’m new to back-end development, so this might be a non-issue, but I noticed that when a new user registers with Google or GitHub the password is set as a UUID, but it isn’t hashed.

Isn’t this a problem if an attacker gets access to the database?
Am I missing something? Maybe some middleware hashes the password automatically?

So if an attacker gets access to the database, you’re correct in thinking that they would have access to the user’s dummy password. However, the field is technically the hashed password, not the password. So any calls to log in with that password would fail, because it would always fail in the verify function and there would be no hash and salt for Bcrypt to compare to, so it’s pretty useless.

You could hash the password if you wanted to before storing it, but it doesn’t make a difference security-wise.
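As an added illustration of the reply above (example code, not the course's or the poster's own), here is a Python sketch of the login path: a UUID sitting in the hashed-password column is not a bcrypt hash, so verification rejects it before bcrypt even tries to compare. The `bcrypt` package, the hash-format regex and the "!" unusable-password marker are assumptions of this example.

```python
import re
import secrets
import uuid

try:
    import bcrypt  # assumed: the app hashes with the `bcrypt` package; optional so the demo loads without it
except ImportError:
    bcrypt = None

# A stored bcrypt hash is modular-crypt formatted: "$2b$12$" + 22 salt chars + 31 digest chars.
BCRYPT_HASH_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")

# Marker for "this account has no password"; a "!" prefix can never be a valid bcrypt hash (assumption).
UNUSABLE_PREFIX = "!"


def bcrypt_available() -> bool:
    return bcrypt is not None


def is_bcrypt_hash(stored: str) -> bool:
    return BCRYPT_HASH_RE.match(stored) is not None


def course_style_placeholder() -> str:
    """What the thread describes: a random UUID written into the hashed-password column."""
    return str(uuid.uuid4())


def explicit_unusable_password() -> str:
    """Clearer alternative: an obviously unusable marker plus random bytes (not course code)."""
    return UNUSABLE_PREFIX + secrets.token_urlsafe(32)


def verify_password(stored: str, candidate: str) -> bool:
    """Login check: only a well-formed bcrypt hash can ever verify a candidate password."""
    if stored.startswith(UNUSABLE_PREFIX) or not is_bcrypt_hash(stored):
        return False  # UUID/placeholder: no salt, no digest, nothing to compare; login always fails
    if bcrypt is None:
        raise RuntimeError("bcrypt not installed; cannot verify a real hash")
    return bcrypt.checkpw(candidate.encode(), stored.encode())


def hash_password(plain: str) -> str:
    if bcrypt is None:
        raise RuntimeError("bcrypt not installed")
    return bcrypt.hashpw(plain.encode(), bcrypt.gensalt(rounds=12)).decode()


if __name__ == "__main__":
    leaked = course_style_placeholder()  # the value an attacker would read from a dumped users table
    print("looks like a bcrypt hash?", is_bcrypt_hash(leaked))            # False
    print("logs in with the leaked value?", verify_password(leaked, leaked))  # False
```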

I hadn’t thought about that; I guess it’s common practice, but I find it very fascinating!
Thank you for the explanation!