
Django passwords in node.js

Source: Internet; collected by: 自由互联; published: 2021-06-16
I'm trying to do some authentication in Node against a django web application I had earlier. I got PBKDF2-sha256 working, but I can't get the BCryptSHA256PasswordHasher to work in Node. I tried the following:

var Bcrypt = require('bcrypt');
var sha256 = require('sha256');

var pass = sha256("test password")

// from django ("bcrypt_sha256$$2b$12$mUg9hoKn0tt2/VwWaNb6Euie4.jtQjfU6.CY1pT0EH8GPORqAsh66")
var hash = "$2b$12$mUg9hoKn0tt2/VwWaNb6Euie4.jtQjfU6.CY1pT0EH8GPORqAsh66" 
Bcrypt.compare(pass, hash, function (err, isMatch) {
    if (err) {
        return console.error(err);
    }
    console.log('do they match?', isMatch);
});

Is there something I'm missing above? I'm taking the sha256 of the password and testing it with bcrypt. The corresponding code in Django is as follows:

def verify(self, password, encoded):
    algorithm, data = encoded.split('$', 1)
    assert algorithm == self.algorithm
    bcrypt = self._load_library()

    # Hash the password prior to using bcrypt to prevent password truncation
    #   See: https://code.djangoproject.com/ticket/20138
    if self.digest is not None:
        # We use binascii.hexlify here because Python3 decided that a hex encoded
        #   bytestring is somehow a unicode.
        password = binascii.hexlify(self.digest(force_bytes(password)).digest())
    else:
        password = force_bytes(password)

    # Ensure that our data is a bytestring
    data = force_bytes(data)
    # force_bytes() necessary for py-bcrypt compatibility
    hashpw = force_bytes(bcrypt.hashpw(password, data))

    return constant_time_compare(data, hashpw)

UPDATE

I don't understand why, but when I change the salt slightly to the following:

var hash = "$2a$12$mUg9hoKn0tt2/VwWaNb6Euie4.jtQjfU6.CY1pT0EH8GPORqAsh66"

everything works! I changed 2b to 2a at the start. Why does this one work and the other not? Is there something I'm missing?

From the excellent Passlib library:

  ident (str) – Specifies which version of the BCrypt algorithm will be used when creating a new hash. Typically this option is not needed, as the default (“2a”) is usually the correct choice. If specified, it must be one of the following:

    • “2” – the first revision of BCrypt, which suffers from a minor security flaw and is generally not used anymore.
    • “2a” – some implementations suffered from a very rare security flaw. current default for compatibility purposes.
    • “2y” – format specific to the crypt_blowfish BCrypt implementation, identical to “2a” in all but name.
    • “2b” – latest revision of the official BCrypt algorithm (will be default in Passlib 1.7).