BCRYPTJS:对不同的密码返回相同的哈希值

huangapple go评论89阅读模式
英文:

BCRYPTJS: returning same hash for different passwords

问题

I didn't find anyone with similar problem on google, what happens is no matter the password user inputs it returns hash as if that is correct password, but you can input anything and it will still return same hashed password of that mail when it's found in database.

For example:

Password input: asd

bcrypt: $2a$12$EkucFAxlupmAzec1CDnBmuYugwAO4cXj.5bt/thg8l/dG0JDhMScm

Password input: astastas

bcrypt: $2a$12$EkucFAxlupmAzec1CDnBmuYugwAO4cXj.5bt/thg8l/dG0JDhMScm

code:

exports.login = (req, res, next) => {
    const email = req.body.email;
    const password = req.body.password;

    Users.findOne({ email: email }).then(result => {
        if (!result) {
            throw new Error('No user with that email');
        }
        else if (crypt.compare(password, result.password)) {
            const token = jwebtoken.sign({ email: result.email },
                'thisisatokenyoucantfake', { expiresIn: '1h' });
                
            res.status(200).json({ token: token });
            console.log(password);
            console.log(result.password);
        } else {
            throw an Error('No user');
        }
    }).catch(err => console.log(err));
};

mongodb atlas is used for storing hashed passwords, encrypt length is 12.

if anyone needs a solution:

exports.login = (req, res, next) => {
    const email = req.body.email;
    const password = req.body.password;

    Users.findOne({ email: email }).then(result => {
        if (!result) {
            throw new Error('No user with that email');
        } else {
            return crypt.compare(password, result.password);
        }
    }).then(result => {
        if (result) {
            const token = jwebtoken.sign({ email: result.email },
                'thisisatokenyoucantfake', { expiresIn: '1h' });
                
            res.status(200).json({ token: token });
        } else {
            throw new Error('Wrong password');
        }
    }).catch(err => console.log(err));
};
英文:

I didn't find anyone with similar problem on google, what happens is no matter the password user inputs it returns hash as if that is correct password, but you can input anything and it will still return same hashed password of that mail when it's found in database.

For example:

Password input: asd

bcrypt: $2a$12$EkucFAxlupmAzec1CDnBmuYugwAO4cXj.5bt/thg8l/dG0JDhMScm

Password input: astastas

bcrypt: $2a$12$EkucFAxlupmAzec1CDnBmuYugwAO4cXj.5bt/thg8l/dG0JDhMScm

code:

    exports.login = (req, res, next) => {
        const email = req.body.email;
        const password = req.body.password;
    
        Users.findOne({ email: email }).then(result => {
            if (!result) {
                throw new Error('No user with that email');
            }
            else if (crypt.compare(password, result.password)) {
                const token = jwebtoken.sign({ email: result.email },
                    'thisisatokenyoucantfake', { expiresIn: '1h' });
                    
                res.status(200).json({ token: token });
                console.log(password);
                console.log(result.password);
            } else {
                throw new Error('No user');
            }
        }).catch(err => console.log(err));
    };

mongodb atlas is used for storing hashed passwords, encrypt length is 12.

if anyone needs solution:

exports.login = (req, res, next) => {
    const email = req.body.email;
    const password = req.body.password;

    Users.findOne({ email: email }).then(result => {
        if (!result) {
            throw new Error('No user with that email');
        } else {
            return crypt.compare(password, result.password);
        }
    }).then(result => {
        if (result) {
            const token = jwebtoken.sign({ email: result.email },
                'thisisatokenyoucantfake', { expiresIn: '1h' });
                
            res.status(200).json({ token: token });
        } else {
            throw new Error('Wrong password');
        }
    }).catch(err => console.log(err));
};

答案1

得分: 4

bcrypt.compare异步的 - 它返回一个 promise。你的 if 语句会始终返回 true,因为 promise 是一个真值。你需要使用 await.then() 来解析这个 promise 以获取布尔值结果。

此外,你正在记录输入的明文密码和存储的哈希值 - 存储的哈希值 应该 总是相同的,因为这就是它的目的。

英文:

bcrypt.compare is asynchronous - it returns a promise. Your if statement will always return true because a promise is a truthy value. You need to resolve the promise using either await or .then() to get the resulting boolean.

Also you're logging the input plaintext password and the stored hash - the stored hash should always be the same as that's the point.

huangapple
  • 本文由 发表于 2020年1月4日 00:11:24
  • 转载请务必保留本文链接:https://go.coder-hub.com/59581764.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定