英文:
BCRYPTJS: returning same hash for different passwords
问题
I didn't find anyone with similar problem on google, what happens is no matter the password user inputs it returns hash as if that is correct password, but you can input anything and it will still return same hashed password of that mail when it's found in database.
For example:
Password input: asd
bcrypt: $2a$12$EkucFAxlupmAzec1CDnBmuYugwAO4cXj.5bt/thg8l/dG0JDhMScm
Password input: astastas
bcrypt: $2a$12$EkucFAxlupmAzec1CDnBmuYugwAO4cXj.5bt/thg8l/dG0JDhMScm
code:
exports.login = (req, res, next) => {
const email = req.body.email;
const password = req.body.password;
Users.findOne({ email: email }).then(result => {
if (!result) {
throw new Error('No user with that email');
}
else if (crypt.compare(password, result.password)) {
const token = jwebtoken.sign({ email: result.email },
'thisisatokenyoucantfake', { expiresIn: '1h' });
res.status(200).json({ token: token });
console.log(password);
console.log(result.password);
} else {
throw an Error('No user');
}
}).catch(err => console.log(err));
};
mongodb atlas is used for storing hashed passwords, encrypt length is 12.
if anyone needs a solution:
exports.login = (req, res, next) => {
const email = req.body.email;
const password = req.body.password;
Users.findOne({ email: email }).then(result => {
if (!result) {
throw new Error('No user with that email');
} else {
return crypt.compare(password, result.password);
}
}).then(result => {
if (result) {
const token = jwebtoken.sign({ email: result.email },
'thisisatokenyoucantfake', { expiresIn: '1h' });
res.status(200).json({ token: token });
} else {
throw new Error('Wrong password');
}
}).catch(err => console.log(err));
};
英文:
I didn't find anyone with similar problem on google, what happens is no matter the password user inputs it returns hash as if that is correct password, but you can input anything and it will still return same hashed password of that mail when it's found in database.
For example:
Password input: asd
bcrypt: $2a$12$EkucFAxlupmAzec1CDnBmuYugwAO4cXj.5bt/thg8l/dG0JDhMScm
Password input: astastas
bcrypt: $2a$12$EkucFAxlupmAzec1CDnBmuYugwAO4cXj.5bt/thg8l/dG0JDhMScm
code:
exports.login = (req, res, next) => {
const email = req.body.email;
const password = req.body.password;
Users.findOne({ email: email }).then(result => {
if (!result) {
throw new Error('No user with that email');
}
else if (crypt.compare(password, result.password)) {
const token = jwebtoken.sign({ email: result.email },
'thisisatokenyoucantfake', { expiresIn: '1h' });
res.status(200).json({ token: token });
console.log(password);
console.log(result.password);
} else {
throw new Error('No user');
}
}).catch(err => console.log(err));
};
mongodb atlas is used for storing hashed passwords, encrypt length is 12.
if anyone needs solution:
exports.login = (req, res, next) => {
const email = req.body.email;
const password = req.body.password;
Users.findOne({ email: email }).then(result => {
if (!result) {
throw new Error('No user with that email');
} else {
return crypt.compare(password, result.password);
}
}).then(result => {
if (result) {
const token = jwebtoken.sign({ email: result.email },
'thisisatokenyoucantfake', { expiresIn: '1h' });
res.status(200).json({ token: token });
} else {
throw new Error('Wrong password');
}
}).catch(err => console.log(err));
};
答案1
得分: 4
bcrypt.compare 是异步的 - 它返回一个 promise。你的 if 语句会始终返回 true,因为 promise 是一个真值。你需要使用 await 或 .then() 来解析这个 promise 以获取布尔值结果。
此外,你正在记录输入的明文密码和存储的哈希值 - 存储的哈希值 应该 总是相同的,因为这就是它的目的。
英文:
bcrypt.compare is asynchronous - it returns a promise. Your if statement will always return true because a promise is a truthy value. You need to resolve the promise using either await or .then() to get the resulting boolean.
Also you're logging the input plaintext password and the stored hash - the stored hash should always be the same as that's the point.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论