I am developing a small REST API with Lumen and an Electron/JS client. I have a LoginController that should authenticate the user and return a JWT token on successful login.
The server saves a bcrypt password in the database. How should the client transfer the password to the server? I tried to bcrypt the password on the client side and send it to the server, but I cannot compare two hashes, as they are different when salted.
To compare the hashed password in the database with the password the user has entered in the client application, I have to transfer the password in plain text. Is that really the way to go? Will I always need the plain password on the server for comparison?
One improvement would be to send an (unsalted) SHA256 hash to the server. But this also means that the server treats the SHA256 hash as the plain password and therefore has to store the bcrypt of the SHA256 hash in the database.
Could someone please describe in more detail how the client should send the password to the server?
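The two flows the question compares, written as plain PHP functions that could back a Lumen controller (added example, not code from the question or from Lumen). It assumes the request travels over TLS, which is what actually protects the secret in transit in both variants; client-side hashing only changes what the server stores, not what an eavesdropper could replay.

```php
<?php
// Variant A: the client sends the plain password; the server stores and
// verifies a bcrypt hash. password_hash() picks a random salt and embeds it
// in the returned string, so two hashes of one password never match
// byte-for-byte. That is why a bcrypt hash computed on the client cannot be
// compared on the server.
function storePasswordPlain(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verifyPasswordPlain(string $password, string $storedHash): bool
{
    // password_verify() reads the salt and cost out of $storedHash, re-derives
    // the hash from the submitted password and compares in constant time.
    return password_verify($password, $storedHash);
}

// Variant B: the client sends hex(SHA-256(password)) and the server treats
// that digest as the secret. The digest is password-equivalent: anyone who
// captures it can log in, so TLS is still required. A hex SHA-256 digest is
// 64 bytes, safely under bcrypt's 72-byte input limit, so long passwords are
// no longer silently truncated.
function clientPrehash(string $password): string
{
    // The same computation the Electron client performs (e.g. with Web Crypto)
    // before sending the digest instead of the password.
    return hash('sha256', $password);
}

function storePasswordPrehashed(string $clientDigest): string
{
    // Reject anything that is not a lowercase hex SHA-256 digest so a client
    // cannot submit an arbitrary string into the bcrypt step.
    if (!preg_match('/^[0-9a-f]{64}$/', $clientDigest)) {
        throw new InvalidArgumentException('expected a hex SHA-256 digest');
    }
    return password_hash($clientDigest, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verifyPasswordPrehashed(string $clientDigest, string $storedHash): bool
{
    return password_verify($clientDigest, $storedHash);
}

// Demo with a constructed password (not a real credential).
$storedA = storePasswordPlain('correct horse battery staple');
var_dump(verifyPasswordPlain('correct horse battery staple', $storedA));
var_dump(verifyPasswordPlain('wrong password', $storedA));

$storedB = storePasswordPrehashed(clientPrehash('correct horse battery staple'));
var_dump(verifyPasswordPrehashed(clientPrehash('correct horse battery staple'), $storedB));
var_dump(verifyPasswordPrehashed(clientPrehash('wrong password'), $storedB));
```

In both variants the server needs the submitted secret (password or digest) at login time, because only the server holds the salted bcrypt hash that can be checked against it.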