NodeJS LDAP authentication using Passport and password encryption
I'm looking at PassportJS for authentication and have a login form with username and password. But if I look at the documentation, I see that the password is passed in clear text. Which means if anyone does a console.log(password), the password will be visible. How do I ensure the password submitted by the login form is encrypted?
var passport = require('passport')
  , LocalStrategy = require('passport-local').Strategy;

passport.use(new LocalStrategy(
  function(username, password, done) {
    User.findOne({ username: username }, function (err, user) {
      if (err) { return done(err); }
      if (!user) {
        return done(null, false, { message: 'Incorrect username.' });
      }
      if (!user.validPassword(password)) {
        return done(null, false, { message: 'Incorrect password.' });
      }
      return done(null, user);
    });
  }
));
1) From the client to server

Use SSL.

2) From the server to disk / database

When creating the password, hash it first and save the hash to disk.

Later, when validating a user, compare the hash of the submitted password against the hash on disk.

From the passport-local examples it would look something like this if using bcrypt:
var bcrypt = require('bcrypt');
// Work factor for bcrypt.genSalt (10 is the value used in the passport-local example)
var SALT_WORK_FACTOR = 10;

// Bcrypt middleware: mongoose pre-save hook, so only the hash ever reaches the database
userSchema.pre('save', function(next) {
  var user = this;
  // Only re-hash when the password field actually changed
  if(!user.isModified('password')) return next();
  bcrypt.genSalt(SALT_WORK_FACTOR, function(err, salt) {
    if(err) return next(err);
    bcrypt.hash(user.password, salt, function(err, hash) {
      if(err) return next(err);
      user.password = hash;
      next();
    });
  });
});

// Password verification: bcrypt.compare re-hashes the candidate with the stored salt
userSchema.methods.comparePassword = function(candidatePassword, cb) {
  bcrypt.compare(candidatePassword, this.password, function(err, isMatch) {
    if(err) return cb(err);
    cb(null, isMatch);
  });
};
Note: you'll need to use bcrypt or some other encryption module in addition to passport-local... but that's not super complicated and the example from the passport-local repo provides pretty much all you'll need to get started.