javascript - 在 Javascript 中重建/验证 Ruby on Rails Bcrypt 密码哈希

Question

我必须重建一个从 Ruby on Rails 到 Node.js 的项目。Bcrypt 用于在 Ruby 项目中散列密码，我正在尝试重建相同的散列，以便我可以复制散列密码，并且用户可以在节点版本上使用相同的凭据登录。

此哈希 $2a$11$j2IA8cPRFFC4YOXTl5kb9eF02fwNdLyFAPOvflQ3h/QdX8mE1SNK2 用于密码 Test1234。我检查了 Ruby on Rails 代码，我看到了以下用于散列密码的函数

一般信息

COST = 11
SALT = 1234567890

创建散列

def password_hash(password)
  pwd = "#{password}#{SALT}"
  ::BCrypt::Password.create(pwd, cost: COST)
end

密码是否匹配？

def password_match?(password = nil)
  password ||= @params[:password]
  encrypted_password = get_encrypted_password
  return false if !encrypted_password || encrypted_password.size < 8

  pwd = "#{password}#{SALT}"
  BCrypt::Password.new(encrypted_password) == pwd
end

def get_encrypted_password
  return unless @account

  @account.encrypted_password
end

据我对 Ruby 的了解，这意味着在 password_match 函数中，pwd 将是 Test12341234567890 和 BCrypt::Password.new($2a $11$j2IA8cPRFFC4YOXTl5kb9eF02fwNdLyFAPOvflQ3h/QdX8mE1SNK2) 检查 Test12341234567890 (pwd) 是否与哈希匹配。

当我使用像 https://bcrypt.online/ 这样的在线 Bcrypt 验证器并输入散列值和 pwd 值时，我没有得到匹配项。

我还尝试使用 Javascript 包中的 bcrypt.compare 方法，但这也不起作用。

我错过了什么？

Answer 1

所以我们做了一个 oopsie 并在评论中解决了这个问题。这是对这一切的回顾作为答案。

我:

I tried your password_hash function with "Test1234" and the salt youprovided. Got$2a$11$bhdYASCaEPv/0HXv3OFtIupv8CgHFoEWkMonShKnNN1fkmRIg.07S as aresult, ran it through the online verifier you linked and got "Thesupplied hash matches with supplied plain text".

BCrypt::Password.new(password_hash("Test1234")) =="Test12341234567890" Also works out fine and returns true.

Also tried Node.js with bcryptjs and didbcrypt.compareSync('Test12341234567890',"$2a$11$bhdYASCaEPv/0HXv3OFtIupv8CgHFoEWkMonShKnNN1fkmRIg.07S"). Alsoworks out fine and returns true.

托雷:

Yes that's a new hash you created with the same methods. But for somereason the already created hash$2a$11$j2IA8cPRFFC4YOXTl5kb9eF02fwNdLyFAPOvflQ3h/QdX8mE1SNK2 forpassword Test1234 that is currently stored in the database doesn'tpass the online verification test and the compareSync test in node.js

我:

That should give you the idea that the problem is not with the Ruby'shash creation function, nor is it with the Node's hash testingfunction, but somewhere else (which is technically outside the scopeof this question). Maybe your database doesn't store the full hash forsome reason, or stores it in a wrong way. Maybe something somewherestrips or escapes some characters in the hash, leaving you withincomplete one. Maybe some of the aforementioned happens to the salt.Maybe the hash in the database was generated by a different or olderhash function. Maybe the salt has changed.

托雷:

Thanks for the comment! With your comment I found out that they used adifferent salt than the one inside the .env file. It was stored in theconfig variables of Heroku. Everything is working now!