It would be better to use bcrypt, beause its more secure as it's slower (uses more computing cycles).
Your code could also be better:

You wouldn't need salt field in User model, because it's saved into the same field as password does.

For authentication, something like:

var mongoose = require('mongoose'),
  bcrypt = require('bcryptjs');

var userSchema = mongoose.Schema({
  email: String,

I'm not sure if this will be included when the book is finished, but getting the config values for the .env file requires getting values from a lot of different sources and different configurations. It would be helpful if there was better documentation around that process.

I would love to submit a PR for it, but I haven't been able to figure all of it out myself yet.

The facebook page says:

App not set up: This app is still in development mode, and you don't have access to it. Switch to a registered test user or ask an app admin for permissions.

The Readme says:

maxInterval: specifies the maximum amount of time an account can be locked. Default 30000 (5 minutes)

But if it's the amount of milliseconds, then 30 000 ms is only 30 seconds but not 300 (which would be 5 minutes).

This isn't a bug, but it took me quite a long time to figure out, so thought others have struggled with the same issue.

When using the authenticate method, one must remember to both return the result, and call the function with the context. I thought it may be useful to include this explicitly in the documentation.

I created a [Stack Overflow question](https://stackoverflow.com/questions

I retrieved the ICAO's master list version icaopkd-002-ml-000137.ldif which was referred to as "The latest collection of CSCA Master Lists." I attempted to parse from LDIF into the PEM format using scripts/extract.py and it caught some encoding errors see below.

# b'unable to load certificate
# \r\n14136:error:0D078094:asn1 encoding routines:asn1_item_embed_d2i:sequence length mismat

I find the project really useful, the stack is very good for making scalable projects easily. It took some time however to get the hang of it since I'm not very experienced with nest. I think it will help other users start their projects right away with some sort of documentation similar to https://github.com/sahat/hackathon-starter

When running 'npm run dev' you will receive a 'DeprecationWarning: open() is deprecated in mongoose...' Update lines 9-15 in server/db/index.js to below per mongoose docs (http://mongoosejs.com/docs/4.x/docs/connections.html#use-mongo-client).

`if (process.env.MONGODB_URI) {
mongoose.connect(process.env.MONGODB_URI, { useMongoClient: true })
MONGO_URL = process.env.MONGODB_URI
} else {
m