hashedpassword | A small Go package for hashed passwords | Identity Management library

I am using a postgres database and writing backend code using spring data jpa.

Community table:

I'm using node.js to code a simple login/ sign up program that stores the account details (username, email, and password) on a MongoDB database. I've made sure I've downloaded MongoDB correctly, but I can't figure out what's wrong with my code... there are no errors thrown but the name, email, and hashedPassword aren't being inserted into the users database.

Here's my code from my server.js file:

I am getting an error while i try to create an user. userValidation is not a function at exports.createUser this is a function in the validation.js file which it takes a parameter data body-VALUES and then to validate each input of the body. but i don't know why i am getting this error.

here is the callback function for the post request /create-user

The requiring modules

I'm trying to update a nested array in a document only if the array does not already include the item like so:

I'm using nodejs built-in crypto, zlib and fs package to encrypt a large file using these codes.

I have used bcrypt package with GO gin, the weird thing is when I Bcrypt any password it takes like 500ms to 900ms in response

the code:

Been trying to use Mongoose findByIdAndUpdate to update the document by ID, the operation runs without error but change is not reflected on database.

on server log i can only see users.findOne logged when I run the API, shouldn't mongoose run update along with it aswell. I can get/create/delete user without any issue.

interface

I am currently creating a class that handles password related functions (hashing and verification). My knowledge is very basic in this field.

After some research it was obvious to me that I should use an already good hashing library. I chose bycrypt. It was also recommended that I should use a unique salt for each password, and also a global pepper that is not stored inside the database. My code runs fine and does what it is supposed to.

My question is, am I peppering and salting my password correctly? Right now I first pepper the password with sha256 and then I run bycrypt on that with a unique salt. I've read that sha256 is not made for password hashing so it is not secure in our case, but what should I use instead of it? As somebody who has no knowledge in password hashing is this secure, or should I change something?

EDIT: If my code is too long this is the condensed part I am questioning:

I was trying to move away from firebase authentication. So I exported all firebase users with their email, hashedPassword, saltKey, all the other necessary information.

After all, I migrated them to database and tried to implement auth flow using JWT and Express.js.

What I did is I used firebase-scrypt npm to validate hashedPassword with saltkey and firebase auth configuration I get from the original firebase app.

What whatever I input as password, it is validated all true and I can't make auth flow working.

If someone faced this issue and help me figure out this one, I really appreciate it.

Thanks for taking a careful look.

p.s. code attached below