node.js 中的 Django 密码
Django password in node.js
我正在尝试在 Node.js 中对我以前的 Django Web 应用程序的用户进行身份验证。PBKDF2-SHA256 我已经调通了,但无法让 BCryptSHA256PasswordHasher 在 Node.js 中工作。我尝试了以下方法:
// Third-party packages: `bcrypt` does the comparison, `sha256` produces the pre-hash.
const Bcrypt = require('bcrypt');
const sha256 = require('sha256');

// Django's bcrypt_sha256 hasher feeds bcrypt the hex text of the SHA-256 digest,
// so the candidate password gets the same pre-hash here.
// NOTE(review): assumes the `sha256` package returns a lowercase hex string — confirm.
const pass = sha256('test password');

// from django ("bcrypt_sha256$b$mUg9hoKn0tt2/VwWaNb6Euie4.jtQjfU6.CY1pT0EH8GPORqAsh66")
// NOTE(review): this literal looks truncated by page extraction. The 53 characters
// after "b$" are the bcrypt salt and digest; the leading `$2b$<cost>$` ident/cost
// prefix is missing and has to be present for bcrypt to parse the value.
const hash = 'b$mUg9hoKn0tt2/VwWaNb6Euie4.jtQjfU6.CY1pT0EH8GPORqAsh66';

Bcrypt.compare(pass, hash, (err, isMatch) => {
  if (err) {
    // A library error is reported and the match result is not printed.
    console.error(err);
    return;
  }
  console.log('do they match?', isMatch);
});
上面有什么我遗漏的吗?我先对密码计算 sha256,再用 bcrypt 进行比对。Django 中对应的代码如下:
def verify(self, password, encoded):
    """Check a candidate password against a stored ``<algorithm>$<bcrypt data>`` value.

    ``encoded`` is split once on ``$``; the first part must equal
    ``self.algorithm`` and the remainder is handed to bcrypt as the salt
    argument. Returns the result of ``constant_time_compare`` on the stored
    data and the freshly computed hash.
    """
    algorithm, data = encoded.split('$', 1)
    # NOTE(review): ``assert`` statements are skipped when Python runs with -O,
    # so this algorithm check is not enforced in optimized mode.
    assert algorithm == self.algorithm
    bcrypt = self._load_library()
    # Hash the password prior to using bcrypt to prevent password truncation
    # See: https://code.djangoproject.com/ticket/20138
    if self.digest is not None:
        # We use binascii.hexlify here because Python3 decided that a hex encoded
        # bytestring is somehow a unicode.
        # The value passed to bcrypt is therefore the hex text of the digest, not
        # the raw digest bytes; another implementation must pre-hash the same way.
        password = binascii.hexlify(self.digest(force_bytes(password)).digest())
    else:
        password = force_bytes(password)
    # Ensure that our data is a bytestring
    data = force_bytes(data)
    # force_bytes() necessary for py-bcrypt compatibility
    # The stored value is passed as the salt argument of hashpw().
    hashpw = force_bytes(bcrypt.hashpw(password, data))
    # constant_time_compare is defined outside this snippet; presumably it compares
    # without an early exit so timing does not reveal how many bytes matched.
    return constant_time_compare(data, hashpw)
更新
我不知道为什么,但是当我将盐稍微更改为以下内容时:
// Workaround from the update: same salt and digest, ident changed from 2b to 2a.
// NOTE(review): the literal appears truncated by extraction (`$2a$<cost>$` prefix missing).
// For a 64-character hex digest both revisions are expected to give the same bcrypt
// output, but using a bcrypt library version that accepts `$2b$` is preferable to
// rewriting stored hashes — confirm against the library's changelog.
const hash = 'a$mUg9hoKn0tt2/VwWaNb6Euie4.jtQjfU6.CY1pT0EH8GPORqAsh66';
一切正常!我把开头的 2b 改成了 2a。为什么这样可以,而原来的不行?我遗漏了什么吗?
- ident (str) – Specifies which version of the BCrypt algorithm will be used when creating a new hash. Typically this option is not needed,
as the default ("2a") is usually the correct choice. If specified, it
must be one of the following:
- "2" - the first revision of BCrypt, which suffers from a minor security flaw and is generally not used anymore.
- "2a" - some implementations suffered from a very rare security flaw. current default for compatibility purposes.
- "2y" - format specific to the crypt_blowfish BCrypt implementation, identical to "2a" in all but name.
- "2b" - latest revision of the official BCrypt algorithm (will be default in Passlib 1.7).
我正在尝试在 Node.js 中对我以前的 Django Web 应用程序的用户进行身份验证。PBKDF2-SHA256 我已经调通了,但无法让 BCryptSHA256PasswordHasher 在 Node.js 中工作。我尝试了以下方法:
// Third-party packages: `bcrypt` does the comparison, `sha256` produces the pre-hash.
const Bcrypt = require('bcrypt');
const sha256 = require('sha256');

// Django's bcrypt_sha256 hasher feeds bcrypt the hex text of the SHA-256 digest,
// so the candidate password gets the same pre-hash here.
// NOTE(review): assumes the `sha256` package returns a lowercase hex string — confirm.
const pass = sha256('test password');

// from django ("bcrypt_sha256$b$mUg9hoKn0tt2/VwWaNb6Euie4.jtQjfU6.CY1pT0EH8GPORqAsh66")
// NOTE(review): this literal looks truncated by page extraction. The 53 characters
// after "b$" are the bcrypt salt and digest; the leading `$2b$<cost>$` ident/cost
// prefix is missing and has to be present for bcrypt to parse the value.
const hash = 'b$mUg9hoKn0tt2/VwWaNb6Euie4.jtQjfU6.CY1pT0EH8GPORqAsh66';

Bcrypt.compare(pass, hash, (err, isMatch) => {
  if (err) {
    // A library error is reported and the match result is not printed.
    console.error(err);
    return;
  }
  console.log('do they match?', isMatch);
});
上面有什么我遗漏的吗?我先对密码计算 sha256,再用 bcrypt 进行比对。Django 中对应的代码如下:
def verify(self, password, encoded):
    """Check a candidate password against a stored ``<algorithm>$<bcrypt data>`` value.

    ``encoded`` is split once on ``$``; the first part must equal
    ``self.algorithm`` and the remainder is handed to bcrypt as the salt
    argument. Returns the result of ``constant_time_compare`` on the stored
    data and the freshly computed hash.
    """
    algorithm, data = encoded.split('$', 1)
    # NOTE(review): ``assert`` statements are skipped when Python runs with -O,
    # so this algorithm check is not enforced in optimized mode.
    assert algorithm == self.algorithm
    bcrypt = self._load_library()
    # Hash the password prior to using bcrypt to prevent password truncation
    # See: https://code.djangoproject.com/ticket/20138
    if self.digest is not None:
        # We use binascii.hexlify here because Python3 decided that a hex encoded
        # bytestring is somehow a unicode.
        # The value passed to bcrypt is therefore the hex text of the digest, not
        # the raw digest bytes; another implementation must pre-hash the same way.
        password = binascii.hexlify(self.digest(force_bytes(password)).digest())
    else:
        password = force_bytes(password)
    # Ensure that our data is a bytestring
    data = force_bytes(data)
    # force_bytes() necessary for py-bcrypt compatibility
    # The stored value is passed as the salt argument of hashpw().
    hashpw = force_bytes(bcrypt.hashpw(password, data))
    # constant_time_compare is defined outside this snippet; presumably it compares
    # without an early exit so timing does not reveal how many bytes matched.
    return constant_time_compare(data, hashpw)
更新
我不知道为什么,但是当我将盐稍微更改为以下内容时:
// Workaround from the update: same salt and digest, ident changed from 2b to 2a.
// NOTE(review): the literal appears truncated by extraction (`$2a$<cost>$` prefix missing).
// For a 64-character hex digest both revisions are expected to give the same bcrypt
// output, but using a bcrypt library version that accepts `$2b$` is preferable to
// rewriting stored hashes — confirm against the library's changelog.
const hash = 'a$mUg9hoKn0tt2/VwWaNb6Euie4.jtQjfU6.CY1pT0EH8GPORqAsh66';
一切正常!我把开头的 2b 改成了 2a。为什么这样可以,而原来的不行?我遗漏了什么吗?
- ident (str) – Specifies which version of the BCrypt algorithm will be used when creating a new hash. Typically this option is not needed, as the default ("2a") is usually the correct choice. If specified, it must be one of the following:
- "2" - the first revision of BCrypt, which suffers from a minor security flaw and is generally not used anymore.
- "2a" - some implementations suffered from a very rare security flaw. current default for compatibility purposes.
- "2y" - format specific to the crypt_blowfish BCrypt implementation, identical to "2a" in all but name.
- "2b" - latest revision of the official BCrypt algorithm (will be default in Passlib 1.7).