User passwords in the browser

[bajtos]

At the moment, the User model includes internal methods hasPassword and hashPassword in the browserified bundle too. The implementation uses bcryptjs, which adds about 50kb to the bundle (un-minified) and another 650kb through crypto-browserify (see #1247).

I'd like us to consider whether these two methods make sense to be called in the browser, how should we replicate changes made to a user model, and ideally come up with an implementation that does not require bcryptjs when running in the browser.

[ritch]

I'd be fine if we just threw when calling those methods in the browser.

[ritch]

Then replace bcrypt with a noop or a throw-only function.

[BerkeleyTrue]

Whats the word on this?

[bajtos]

@BerkeleyTrue I think this has to wait for LB 3.0, unless we can come up with a way how to preserve the current behaviour and provide a feature flag to enable the new mode without hasPassword/hashPassword.