My php code generates a hash using password_hash which I store in a database. Below is the PHP code:
$hash = password_hash($value, PASSWORD_BCRYPT, array('cost' => $cost));
I would like to verify / check the password against this hash in nodejs.
I saw lot of node modules (bcrypt, phpass, node-bcrypt), but all of them give me false. Below is sample hash generated in php and which I m trying to verify in nodejs.
var hash = '$2y$08$9TTThrthZhTOcoHELRjuN.3mJd2iKYIeNlV/CYJUWWRnDfRRw6fD2';
var bcrypt = require('bcrypt');
bcrypt.compare("secret", hash, function(err, res) {
console.log(res);
});
(Here secret is real password)
My current workaround is to call a php script via node to verify (for anybody who needs a workaround)
var exec = require('child_process').exec;
var cmd = 'php verify.php password encryped_pasword';
exec(cmd, function (error, stdout, stderr) {
// output is in stdout
console.log(stdout);
//If stdout has 1 it satisfies else false
});
This is a hack and not a good answer to this problem. Is there a way to verify the password in nodejs without using a workaround like this?
Replace $2y$ in the hashed password with $2a$,then bcrypt.compare should give you correct result.
var hash = '$2y$08$9TTThrthZhTOcoHELRjuN.3mJd2iKYIeNlV/CYJUWWRnDfRRw6fD2';
var bcrypt = require('bcrypt');
hash = hash.replace(/^\$2y(.+)$/i, '$2a$1');
bcrypt.compare("secret", hash, function(err, res) {
console.log(res);
});
on ES6:
import bcrypt from 'bcrypt';
let hash = '$2y$08$9TTThrthZhTOcoHELRjuN.3mJd2iKYIeNlV/CYJUWWRnDfRRw6fD2';
hash = hash.replace(/^\$2y(.+)$/i, '$2a$1');
bcrypt.compare('secret', hash, function(err, res) {
console.log(res);
});
I know this has been answered, but it seems from the comments that a little more detail is required.
Bcrypt hashes produced by the php password_hash() function are split as follows:
$2y$ 08$ 9TTThrthZhTOcoHELRjuN. 3mJd2iKYIeNlV/CYJUWWRnDfRRw6fD2
| | | |
| | Salt Hashed Password
| |
| Algorithm options (cost, in this case)
|
Algorithm type
It seems from other answers here on SO that while the PHP and Node versions of Bcrypt use different algorithms, the only difference in the hash output is the prefix. So all that is required is, as mentioned by @Sudesh, to swap the $2y$ for a $2a$ and Bob's your uncle.
Sources
http://php.net/manual/en/faq.passwords.php
$2y bcrypt hashes in Node.js
Comparing BCrypt hash between PHP and NodeJS
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 爷、活的狠高调 的文章《Verify password hash in nodejs which was generated》','https://www.manongdao.com/article-298866.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}