27

我的 php 代码生成一个哈希password_hash,我使用它存储在数据库中。下面是PHP代码:

$hash = password_hash($value, PASSWORD_BCRYPT, array('cost' => $cost));

我想根据 nodejs 中的这个哈希验证/检查密码。

我看到了很多节点模块(bcrypt、phpass、node-bcrypt),但它们都给了我错误。下面是在 php 中生成的示例哈希,我正在尝试在 nodejs 中进行验证。

var hash = '$2y$08$9TTThrthZhTOcoHELRjuN.3mJd2iKYIeNlV/CYJUWWRnDfRRw6fD2';

var bcrypt = require('bcrypt');

bcrypt.compare("secret", hash, function(err, res) {
    console.log(res);
});

(这里的秘密是真正的密码)

我目前的解决方法是通过节点调用 php 脚本来验证(对于任何需要解决方法的人)

var exec = require('child_process').exec;
var cmd = 'php verify.php password encryped_pasword';
exec(cmd, function (error, stdout, stderr) {
  // output is in stdout
  console.log(stdout);
 //If stdout has 1 it satisfies else false
});

这是一个hack,而不是这个问题的好答案。有没有办法在不使用这样的解决方法的情况下验证 nodejs 中的密码?

4

2 回答 2

57

将散列密码中的 $2y$ 替换为 $2a$,然后 bcrypt.compare 应该会给出正确的结果。

var hash = '$2y$08$9TTThrthZhTOcoHELRjuN.3mJd2iKYIeNlV/CYJUWWRnDfRRw6fD2';
var bcrypt = require('bcrypt');
hash = hash.replace(/^\$2y(.+)$/i, '$2a$1');
bcrypt.compare("secret", hash, function(err, res) {
    console.log(res);
});

在 ES6 上:

import bcrypt from 'bcrypt';
let hash = '$2y$08$9TTThrthZhTOcoHELRjuN.3mJd2iKYIeNlV/CYJUWWRnDfRRw6fD2';
hash = hash.replace(/^\$2y(.+)$/i, '$2a$1');
bcrypt.compare('secret', hash, function(err, res) {
    console.log(res);
});
于 2014-12-07T10:42:40.987 回答
27

I know this has been answered, but it seems from the comments that a little more detail is required.

Bcrypt hashes produced by the php password_hash() function are split as follows:

$2y$ 08$ 9TTThrthZhTOcoHELRjuN. 3mJd2iKYIeNlV/CYJUWWRnDfRRw6fD2

|     |     |                     |
|     |     Salt                  Hashed Password
|     |
|     Algorithm options (cost, in this case)
|
Algorithm type

It seems from other answers here on SO that while the PHP and Node versions of Bcrypt use different algorithms, the only difference in the hash output is the prefix. So all that is required is, as mentioned by @Sudesh, to swap the $2y$ for a $2a$ and Bob's your uncle.

Sources

http://php.net/manual/en/faq.passwords.php

$2y bcrypt hashes in Node.js

Comparing BCrypt hash between PHP and NodeJS

于 2016-09-26T09:59:10.370 回答