Django password in node.js

I'm trying to do some authentication from my previous Django web app in Node. I got PBKDF2-sha256 working but I'm not able to get the BCryptSHA256PasswordHasher working in Node. I tried the following:

var Bcrypt = require('bcrypt');
var sha256 = require('sha256');

var pass = sha256("test password")

// from django ("bcrypt_sha256$$2b$12$mUg9hoKn0tt2/VwWaNb6Euie4.jtQjfU6.CY1pT0EH8GPORqAsh66")
var hash = "$2b$12$mUg9hoKn0tt2/VwWaNb6Euie4.jtQjfU6.CY1pT0EH8GPORqAsh66" 
Bcrypt.compare(pass, hash, function (err, isMatch) {
    if (err) {
        return console.error(err);
    }
    console.log('do they match?', isMatch);
});

Is there something I'm missing with the above? I'm taking the sha256 of the password and testing with bcrypt. The corresponding code in Django is below:

def verify(self, password, encoded):
    algorithm, data = encoded.split('$', 1)
    assert algorithm == self.algorithm
    bcrypt = self._load_library()

    # Hash the password prior to using bcrypt to prevent password truncation
    #   See: https://code.djangoproject.com/ticket/20138
    if self.digest is not None:
        # We use binascii.hexlify here because Python3 decided that a hex encoded
        #   bytestring is somehow a unicode.
        password = binascii.hexlify(self.digest(force_bytes(password)).digest())
    else:
        password = force_bytes(password)

    # Ensure that our data is a bytestring
    data = force_bytes(data)
    # force_bytes() necessary for py-bcrypt compatibility
    hashpw = force_bytes(bcrypt.hashpw(password, data))

    return constant_time_compare(data, hashpw)

UPDATE

I have no idea why, but when I change the salt slightly to the following:

var hash = "$2a$12$mUg9hoKn0tt2/VwWaNb6Euie4.jtQjfU6.CY1pT0EH8GPORqAsh66" 

everything works! I changed the 2b to 2a at the beginning. Why is this working and the other isn't? Is there something i'm missing?

KVISH asked Feb 18 '16 16:02



1 Answer

From the excellent Passlib library:

  ident (str) – Specifies which version of the BCrypt algorithm will be used when creating a new hash. Typically this option is not needed, as the default ("2a") is usually the correct choice. If specified, it must be one of the following:
    • "2" - the first revision of BCrypt, which suffers from a minor security flaw and is generally not used anymore.
    • "2a" - some implementations suffered from a very rare security flaw. Current default for compatibility purposes.
    • "2y" - format specific to the crypt_blowfish BCrypt implementation, identical to "2a" in all but name.
    • "2b" - latest revision of the official BCrypt algorithm (will be default in Passlib 1.7).
Abdelouahab answered Oct 13 '22 21:10
