[英]How to check if a string is already hashed in Node.js using crypto
I am developing an application in which users are allowed o change their passwords.我正在开发一个允许用户更改密码的应用程序。
I am using Node.js with mongoose
and crypto
.我正在使用 Node.js 和mongoose
和crypto
。
In order to generate hashes for the passwords, I've hooked into model's pre('save') event.为了生成密码的哈希值,我已经连接到模型的 pre('save') 事件。 So basically when you use this:所以基本上当你使用它时:
var user = new User({password: '123'});
user.save(); // the password will be encrypted automatically
Having the ability to change the password, I need to find a way if the user has actually changed the password or modified any other fields.具有更改密码的能力,我需要找到一种方法,如果用户实际上已经更改了密码或修改了任何其他字段。 Example:例子:
var user = User.findById('1234567', function(error, user){
user.name = 'Hello';
user.save(); // this will hash the password again, although it is not necessary
})
I am using Node.js's module called crypto
to generate hash for passwords:我正在使用名为crypto
的 Node.js 模块生成密码 hash:
crypto.pbkdf2(password, salt, 5000, 512, 'sha512', function(error, buffer){
this.mixins.callback.call(callback, [error, buffer.toString('base64')]);
}.bind(this));
Is there a way to check if the password
is already a hashed?有没有办法检查password
是否已经过哈希处理?
If not, I will generate the hash again.如果没有,我将再次生成 hash。
Thanks谢谢
This is inherently bad approach. 这本质上是不好的方法。 Just call the field password_hash
and always pass hash explicitly. 只需调用字段password_hash
并始终显式传递哈希即可。 Otherwise you might accidentally begin to store unhashed password after some minor configuration change. 否则,在进行一些小的配置更改后,您可能会意外地开始存储未加密的密码。
Also it's generally not possible to distinguish hash from unhashed string if you allow arbitrary strings as passwords. 如果允许使用任意字符串作为密码,通常也无法将哈希与未哈希的字符串区分开。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.