wordpress password encryption in NodeJS

Question

How to do user authentication from wordpress database in nodeJS.

I need to validate user if username/password is correct, using wordpress database. Wordpress is using PHPass PHP library to encrypt passwords. But I need to match password in NodeJS.

Answer 1

Edit: Today there is an implementation which supports Wordpress portable hashes: wordpress-hash-node.

Previous reply:

Sigh... I took an interest in this, and spent half an hour pouring through PHPass source code. Then I googled for node phpass.

Edit: On closer inspection, this seems to only implement bcrypt encryption, while the PHPass default (which I think Wordpress uses) is something they call "Portable Hashes". node-phpass throws 'Portable hashes are not implemented' when you ask for Portable Hashes. I suggest you implement that for node-phpass and send a pull request.

Answer 2

For Wordpress 4.9.5, in NodeJS after

npm i wordpress-hash-node

var hasher = require('wordpress-hash-node');
let wordpressHashPass = "$P$BzPE3JGpq4CUpvpMHhtPh3lZmIoG.s1";
let wordpressPlainTextPass = '(&@fZsImcKq7K3Lmd&qBe!Jx';
var checked = hasher.CheckPassword(wordpressPlainTextPass, wordpressHashPass); //This will return true
console.log(checked); // returns true

var hasher = require('wordpress-hash-node');
let wordpressHashPass = "$P$BzPE3JGpq4CUpvpMHhtPh3lZmIoG.s1";
let wordpressPlainTextPass = 'goodday';
var checked = hasher.CheckPassword(wordpressPlainTextPass, wordpressHashPass); //This will return false
console.log(checked); // returns false

wordpressHashPass is the MD5 hashed password that you can find in the wp_users table of Wordpress for a user.

wordpressPlainTextPass is the plain text password that the user types in the password field.

The method CheckPassword compares the plain text password and the hash password. It returns true if it coincides and false if it does not coincides.