
Verify password hash in nodejs which was generated in php

My PHP code generates a hash using password_hash which I store in a database. Below is the PHP code:

    $hash = password_hash($value, PASSWORD_BCRYPT, array('cost' => $cost));

I would like to verify / check the password against this hash in nodejs.

I saw a lot of node modules (bcrypt, phpass, node-bcrypt), but all of them give me false. Below is a sample hash generated in PHP which I'm trying to verify in nodejs.

    var hash = '$2y$08$9TTThrthZhTOcoHELRjuN.3mJd2iKYIeNlV/CYJUWWRnDfRRw6fD2';
    var bcrypt = require('bcrypt');
    bcrypt.compare("secret", hash, function(err, res) {
        console.log(res);
    });

(Here secret is the real password)

My current workaround is to call a php script via node to verify (for anybody who needs a workaround)

    var exec = require('child_process').exec;
    var cmd = 'php verify.php password encryped_pasword';
    exec(cmd, function (error, stdout, stderr) {
      // output is in stdout
      console.log(stdout);
      // If stdout has 1 it satisfies, else false
    });

This is a hack and not a good answer to this problem. Is there a way to verify the password in nodejs without using a workaround like this?

Sudesh asked Apr 11 '14 14:04




1 Answer

Replace $2y$ in the hashed password with $2a$, then bcrypt.compare should give you the correct result.

    var hash = '$2y$08$9TTThrthZhTOcoHELRjuN.3mJd2iKYIeNlV/CYJUWWRnDfRRw6fD2';
    var bcrypt = require('bcrypt');
    hash = hash.replace(/^\$2y(.+)$/i, '$2a$1');
    bcrypt.compare("secret", hash, function(err, res) {
        console.log(res);
    });

On ES6:

    import bcrypt from 'bcrypt';
    let hash = '$2y$08$9TTThrthZhTOcoHELRjuN.3mJd2iKYIeNlV/CYJUWWRnDfRRw6fD2';
    hash = hash.replace(/^\$2y(.+)$/i, '$2a$1');
    bcrypt.compare('secret', hash, function(err, res) {
        console.log(res);
    });

Calvin Liu answered Sep 23 '22 07:09

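The prefix rewrite from the answer above, as an added example that is not part of the original answer: it checks that the stored value has the full bcrypt layout before touching the prefix, so a truncated or corrupted database value fails closed instead of reaching the comparison. The names `parseBcryptHash`, `toNodeBcryptHash` and `verifyPhpPassword` are hypothetical, and `compare` is assumed to be a promise-returning function such as the bcrypt module's `compare` called without a callback.

```javascript
// Added example (not from the original answer); all function names are hypothetical.
// bcrypt string layout: $<version>$<2-digit cost>$<22-char salt><31-char digest>
const BCRYPT_RE = /^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// The sample hash from the question, used to exercise the helpers.
const SAMPLE = '$2y$08$9TTThrthZhTOcoHELRjuN.3mJd2iKYIeNlV/CYJUWWRnDfRRw6fD2';

// Split a stored hash into its fields; return null for anything malformed.
function parseBcryptHash(hash) {
  const m = typeof hash === 'string' ? BCRYPT_RE.exec(hash) : null;
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // bcrypt only allows cost 4..31
  return { version: m[1], cost, salt: m[3], digest: m[4] };
}

// Rewrite PHP's $2y$ prefix to $2a$, leaving cost, salt and digest untouched.
// Hashes that already carry $2a$ or $2b$ are returned unchanged.
function toNodeBcryptHash(phpHash) {
  const p = parseBcryptHash(phpHash);
  if (!p) throw new Error('not a well-formed bcrypt hash');
  const version = p.version === '2y' ? '2a' : p.version;
  const cost = String(p.cost).padStart(2, '0');
  return `$${version}$${cost}$${p.salt}${p.digest}`;
}

// Verify a password against a PHP-generated hash. `compare` is injected
// (assumption: it resolves to a boolean, like bcrypt.compare(password, hash)).
async function verifyPhpPassword(password, phpHash, compare) {
  let hash;
  try {
    hash = toNodeBcryptHash(phpHash);
  } catch {
    return false; // malformed stored value: reject instead of comparing
  }
  return (await compare(password, hash)) === true;
}
```

With the bcrypt package installed, the call would be `verifyPhpPassword(password, storedHash, bcrypt.compare)`.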