How do you handle confirmation Email authentication?


I hope I am in the right forum.

Basically, I have learnt that people do not store passwords inside the database. However, I have learnt that when we send an activation link we will normally attach an encrypted password, and then compare with the email inside the database and then insert a “boolean value” to indicate the user has already been authenticated.

So, if we are not allowed to store the encrypted password, how do we send it together with the activation link?

I am really confused about this part and would appreciate it if someone who has done it before could guide me through the flow and the right way to handle things.

Thanks!

I don’t know what you mean, passwords are stored hashed and with a salt…
Also, the activation link doesn’t need a password in it, if I remember correctly…

You do store the user’s password, only that it’s hashed with a salt and as far as I know it’s completely safe to do it, even storing the salt seems to be something common (depending on your needs). Anyways, what you are looking for is “account verification”, check this post from Stack Overflow, there’s one user who explains the process very well.
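The account-verification flow discussed in this thread, as an added example that is not part of the original posts or the linked answer: the activation link carries a random one-time token rather than anything derived from the password. The in-memory `users` map, the 24-hour lifetime, the `app.example` host and all function names are assumptions made for illustration.

```javascript
// Added example (not from the thread): e-mail activation tokens, Node.js built-ins only.
const crypto = require("node:crypto");

const TOKEN_TTL_MS = 24 * 60 * 60 * 1000; // assumed link lifetime: 24 hours
const sha256 = (s) => crypto.createHash("sha256").update(s).digest();

// Hypothetical in-memory stand-in for the users table.
const users = new Map();

// Sign-up: store the user as unverified and return the token to put in the link.
function createPendingUser(email, passwordHash, now = Date.now()) {
  // 256 random bits, unrelated to the password.
  const token = crypto.randomBytes(32).toString("base64url");
  users.set(email, {
    passwordHash,             // bcrypt output, as in the sign-up code in this thread
    verified: false,          // the "boolean value" from the question
    tokenHash: sha256(token), // only a digest of the token is stored
    tokenExpires: now + TOKEN_TTL_MS,
  });
  return token;
}

// Build the link that goes into the confirmation e-mail (placeholder host).
function activationLink(email, token) {
  const query = new URLSearchParams({ email, token });
  return `https://app.example/verify?${query}`;
}

// Link handler: true only for a known user with a matching, unexpired, unused token.
function verifyEmail(email, token, now = Date.now()) {
  const user = users.get(email);
  if (!user || user.verified || !user.tokenHash) return false;
  if (now > user.tokenExpires) return false;
  // Both digests are 32 bytes, so the constant-time comparison cannot throw.
  if (!crypto.timingSafeEqual(sha256(String(token)), user.tokenHash)) return false;
  user.verified = true;
  user.tokenHash = null;      // single use: the same link cannot be replayed
  user.tokenExpires = null;
  return true;
}
```
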

Thank you for your help, Gilbert1391. That is a very useful link.

Hello Gilbert,

It’s me again. I just want to clarify if it is OK not to ask the user for a password before generating a salt or hashed password? So, that means I will always have a constant, and then I send the generated one to the user and compare it with the stored one later.

Hope to have your view on this.


I’m not sure what you are asking. You should hash the user password when creating a new user no matter what, otherwise when you save a user in the database the password is going to be plain text. If someone hacks into your database, they would be able to see all that information (your users’ passwords) and log in to their accounts. It’s not safe.

That is why you hash the user password. When you hash the password you should also generate a random salt to add to the hash. Because if you don’t, and again someone hacks into your database, they can take an encrypted hashed password and decrypt it using a site like this. By adding the salt (which is just a random string), it wouldn’t be possible to decrypt the hash.

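import bcrypt from "bcrypt";
import User from "./models/user";

async function signUp(userModel) {
  const { email, password } = userModel;

  const user = new User();
  // Generate a random per-user salt; bcrypt embeds it in the resulting hash string.
  const salt = await bcrypt.genSalt();
  user.email = email;
  // Store only the salted hash, never the plain-text password.
  user.password = await bcrypt.hash(password, salt);
  return user;
}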


The code above is a simple example of how you go about hashes and salts. It can be confusing, believe me, I know. If you are not very familiar with these concepts I would highly recommend that you watch some videos or read some articles about it, there are plenty of resources out there.

What is it that you are trying to do?