How to make password validation in NodeJS with Mongoose

Question

I have registration form with username, mail, password and password2. I want to verify passwords that they actually match. I verify practically everything in Mongoose Scheme but I cannot find any useful information in documentation how to grab password2 without actually saving it to database. (I have function to crypt password which runs only before saving)

    const userSchema = new mongoose.Schema({
    username: {
        type: String,
        unique: true,
        required: true,
        trim: true,
        validate(value) {
            if (!validator.isAlphanumeric(value , 'pl-PL')) {
                throw new Error('Name cannot contain special characters.')
            }
        }
    },
    email: {
        type: String,
        unique: true,
        required: true,
        trim: true,
        lowercase: true,
        validate(value) {
            if (!validator.isEmail(value)) {
                throw new Error('Email is invalid')
            }
        }
    },
    password: {
        type: String,
        required: true, 
        validate(value) {
            console.log(value)
            if(value !== this.password2) {
                throw new Error("Passwords don't match. Try again.")
            }

            if(value.length < 8) {
                throw new Error("Passwords is too short. At least 8 characters.")
            }
        }
    },
    tokens: [{
        token: {
            type: String,
            required: true
        }
    }]
    })

Answer 1

You can check password and password2 in your register route, and if they are same you can continue to register.

A sample register route would be like this:

router.post("/register", async (req, res) => {

  try {
    const { username, email, password, password2 } = req.body;

    if (password !== password2) return res.status(400).send("Passwords dont match");

    let user = await User.findOne({ email });
    //or
    //let user = await User.findOne({ username });

    if (user) return res.status(400).send("User already registered.");

    user = new User({ username, email, password });

    user = await user.save();

    //todo: at this point you may generate a token, and send to the client in response header or body

    res.send(user);
  } catch (err) {
    console.log(err);
    res.status(500).send("Server error");
  }

});

Answer 2

You don't need to make password2 a part of userSchema. The better way is to make a compare password function like this:

UserSchema.methods.comparePassword = function(plaintext, callback) {
    return callback(null, Bcrypt.compareSync(plaintext, this.password));
};

also you can make a use of Schema.pre:

UserSchema.pre("save", function(next) {
    if(!this.isModified("password")) {
        return next();
    }
    this.password = Bcrypt.hashSync(this.password, 10);
    next();
});

After this, you need to call the compare function from user controller. Something like this (depending on your logic):

        var user = await UserModel.findOne({ username: request.body.username }).exec();
        if(!user) {
            return response.status(400).send({ message: "The username does not exist" });
        }
        user.comparePassword(request.body.password, (error, match) => {
            if(!match) {
                return response.status(400).send({ message: "The password is invalid" });
            }
        });

For details you can read this excellent article.