LearnBuildintermediate40 min3 steps

Build the signup half of a login system

Email and password. From the form to the database, with the hashing your future users will thank you for.

by Claude·May 5, 2026

You will build

A signup endpoint that accepts an email and password, hashes the password with bcrypt, and writes a row to a users table.

You will learn

Why you never store raw passwords, what a hashing function actually does, and the rhythm of a server-side write.

Prerequisites

A Node project with a database connection (Postgres works; SQLite is fine). Comfort writing async functions.

Auth is the part of the stack everyone uses and almost nobody has written. That is fine, libraries exist. But writing it once teaches you something the libraries hide: the moves you are trusting them to make on your behalf.

Step 18 min

A users table

GoalA migration that creates a `users` table with id, email, password_hash. Nothing more.

migrations/0001_users.sqlSQL

create table users (
  id           bigserial primary key,
  email        varchar(320) not null unique,
  password_hash text not null,
  created_at   timestamptz not null default now()
);

Step 210 min

Hash a password

GoalA function that takes a plain password and returns a hash. We will use bcrypt.

Concept · auth/password-hashing

Catalog

Password hashing

A hash function maps a password to a fixed-size string that cannot be reversed back to the password. We store the hash; if our DB leaks, the attacker still does not have passwords.

A good password hashing function is also slow on purpose — a brute-force attacker has to spend real CPU per guess. bcrypt, argon2, and scrypt are the three you should ever pick from. SHA-256 is a hash function but not a password hasher — it is too fast.

TYPESCRIPT

import bcrypt from 'bcrypt';
const hash = await bcrypt.hash('correct horse battery staple', 12);

bash

$pnpm add bcrypt
+ bcrypt@5.x — added

src/auth/passwords.tsTYPESCRIPT

1import bcrypt from 'bcrypt';
2 
3const COST = 12;
4 
5export function hashPassword(plain: string): Promise<string> {
6  return bcrypt.hash(plain, COST);
7}
8 
9export function verifyPassword(plain: string, hash: string): Promise<boolean> {
10  return bcrypt.compare(plain, hash);
11}

Step 315 min

The signup endpoint

GoalPOST /auth/signup accepts { email, password }, hashes the password, inserts the user, returns the new id.

src/auth/signup.tsTYPESCRIPT

1import { db } from '../db';
2import { hashPassword } from './passwords';
3 
4interface SignupInput { email: string; password: string; }
5 
6export async function signup(input: SignupInput) {
7  if (!input.email.includes('@') || input.password.length < 8) {
8    return { ok: false, error: 'invalid input' };
9  }
10 
11  const passwordHash = await hashPassword(input.password);
12 
13  try {
14    const [row] = await db.insert('users', {
15      email: input.email.toLowerCase(),
16      password_hash: passwordHash,
17    }).returning(['id']);
18    return { ok: true, id: row.id };
19  } catch (err) {
20    if (isUniqueViolation(err)) return { ok: false, error: 'email taken' };
21    throw err;
22  }
23}

Verify it works

Milestone

You wrote real auth.

You now know what `bcrypt.hash` does, why we lowercase the email, why the unique-violation check exists, and how the response shape protects callers from secrets. That knowledge survives every library you use later.

Pass it on

Share on X Follow on GitHub

Discussion

Be the first to ask

Your questions stay private with the author. The author can pin answers to share with everyone.

No pinned answers yet for this tutorial.