Logging in users with a custom form

Oh, so you want to compare the stored password with the entered password and, if it’s correct, log in? I think for that you would need to store the password in another property and compare with that, and for security reasons maybe you can store the password in that property as the encoded version of it. (Because the password property doesn’t show when adding filters, conditions.) I’m not sure if this is the better way, and maybe @Victor, @Flawless or others can help here?

Edit: I’m guessing that the Login action doesn’t do this automatically? (Checking the email and password is in the users collection)

1 Like

Got it working in the other thread for temporary passwords :tada:

Hey @tbel @dilon_perera,

Rule #1: never, never, never store passwords in clear text anywhere.
Rule #2: if you need to store passwords in clear text, please see Rule #1.

Here is how this works (simplified version).
Passwords aren’t stored in database properties. Instead, the hash of the password is stored. The hash is created from the original password by using a mathematical function. This function works very fast one-way (password → hash), but it is almost impossible to make the reverse operation (hash back to password). Also, the generated hash is unique (so 2 different words can’t have the same hash).
So when a user enters the password to log in, it is not two passwords which are compared to check if the password is correct. The login function creates a hash from the input, and then compares the two hashes. The password hash is what is stored in Adalo’s Password field.
So there is no possibility to compare anything with the password directly.

Frankly speaking, the OTP password recovery flow which I described a couple of years ago is not all that secure (the OTP is stored in clear text). The risk is much lower though, because password recovery is a relatively rare procedure, so most of the OTPs will be useless if the users database is compromised.
I need to create a video about a more secure password recovery flow, when I have some time :slight_smile:

Best
Victor

2 Likes
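The hash-and-compare login described in the post above, plus a recovery code that is stored only as a hash, as an added example that is not part of the thread and is not Adalo's own code. The salted PBKDF2 parameters, the 10-minute lifetime and all function and field names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 600_000  # work factor assumed for this example
CODE_TTL_SECONDS = 600   # assumed 10-minute lifetime for a recovery code


def hash_password(password):
    """Build the record to store: salt and derived hash, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "rounds": PBKDF2_ROUNDS}


def verify_password(attempt, record):
    """Re-derive the hash from the login input and compare the two hashes."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["rounds"])
    return hmac.compare_digest(digest, record["hash"])  # constant-time compare


def issue_recovery_code(now=None):
    """Return (code to send to the user, record to store in the database)."""
    # High-entropy random code, so a plain SHA-256 of it cannot be guessed
    # offline the way a short numeric code could.
    code = secrets.token_urlsafe(16)
    now = time.time() if now is None else now
    record = {"hash": hashlib.sha256(code.encode()).digest(),
              "expires": now + CODE_TTL_SECONDS, "used": False}
    return code, record


def redeem_recovery_code(attempt, record, now=None):
    """Accept the code once, before it expires, by comparing hashes only."""
    now = time.time() if now is None else now
    if record["used"] or now > record["expires"]:
        return False
    attempt_hash = hashlib.sha256(attempt.encode()).digest()
    if not hmac.compare_digest(attempt_hash, record["hash"]):
        return False
    record["used"] = True  # single use: a replayed code is rejected
    return True
```

With this layout a leaked users table contains neither passwords nor usable recovery codes, only salts, hashes and expiry times.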

Great info as usual Victor! So even creating a temp password (with a password field) to send to the new user which they then use at the login which forces them to change their password isn’t a good idea?

This is my current flow: Using Temporary Passwords in Adalo - #7 by tbel