Implementing Bcrypt Password Hashing and Verification in Login Page

Hey everyone,

I've been working with Retool for the past few months and have created a login page that includes a user ID and password field. Currently, the password is stored in the database in plain text, but I want to securely store it using bcrypt. I also need help with setting up queries for encrypting the password with bcrypt when saving it to the database and decrypting it during login to verify the user's credentials.

Could someone guide me on how to implement bcrypt for password hashing and verification in Retool?

Thanks in advance!

Hello @ZeroCodez,

Could you give me more details on the use case you have for this login page?

Are you trying to implement your own version of custom auth to validate users for Resource/Queries?

I would definitely recommend using either our built-in OAuth or Custom Auth flows for giving users permissions and logging them in.

If you want to use a custom library, I would imagine you would need to import the JS library for bcrypt and run JS Query blocks on insertion and retrieval from a database.

Hello @Jack_T,
Thanks for your response!

I’m currently using a MongoDB database to handle login user retrieval and updates. For password encryption, I use the bcrypt library to hash and compare passwords, as shown below:

const bcrypt = require("bcrypt");
// Salted hash; the second argument is the cost factor (2^8 rounds of the key setup)
const hashedPassword = bcrypt.hashSync(password, 8);

For now, the login flow checks the entered password by comparing it against the hashed password stored in the database. This is done when users attempt to log in.

However, as you mentioned, I understand that Retool provides built-in OAuth and custom authentication flows, which are generally more secure and easier to manage for permissions and user login. If I were to switch to those options, it could simplify authentication and security management, especially if I'm working with external resources or queries.

Would you recommend transitioning to Retool’s built-in OAuth or Custom Auth? Also, is there any specific method to use MongoDB authentication with these built-in features, or would it still require a custom flow for my setup?

Looking forward to your thoughts!

Hi @ZeroCodez,

No problem!

There are a ton of variables that go into which option for auth works best for your use case. I can try to cover some to help you make the right choice.

It depends on what permissions you want to give users: are they going to be editing apps, or interacting with components using queries/running resources? How many different types/levels of authority could users be grouped into?

Custom Auth gives you a ton of control over the steps users must go through and over the auth token, how long it lasts and how it can be refreshed.

Google's OAuth 2.0 has a time limit of 2 hours before users need to re-authenticate to use any resources that require this validation check. It is faster to set up for a simple redirect to log in/sign in with a Gmail account to get a token passed in to Retool.

I am not familiar with MongoDB auth; it would likely be an option you can build in to a 'Custom Auth' flow.

Definitely read over the docs for the two options as there are tons of small details to keep in mind, hope this helps!

Thank you for your response, @Jack_T . I’ll follow the approach you described and hope it works as expected.