There are two things that pop out at me:
1. Never ever ever use a synchronous method (`genSaltSync`) in real code. Cryptographic methods are computationally expensive; doing them on the JS thread is a recipe for disaster. A very small number of concurrent login attempts will grind your server to a halt.

2. You are treating the user's IP address as a constant, but this is not a valid assertion. Between DHCP, mobile devices that change networks frequently, VPNs, and proxy servers, you have no way of knowing whether a user's next request will come from the same IP. The support nightmare you'll have from users who get randomly denied access is (IMO) not worth the speculative security gain. As long as you've properly configured SSL and set your cookies `Secure` and `HttpOnly`, the risk of a stolen token is small.