
bcrypt password compare function always returns false

I am using node, mysql as the server and DB and ionic on the front end. I've managed to register a user with a hash using bcrypt and am attempting to authenticate the user to log them in.

When comparing the password that the user enters, in bcryptJS it seems like we cannot decrypt their password. When I console.log the password and the result of the user lookup in my db, I am comparing the password that the user enters with the hash that's stored, so I am always returning a 400 status to the front end.

Authentication code:

app.post('/login', function(req, res) {
  connection.connect(function(err) {
    let email = req.body.email;
    let password = req.body.password;

    connection.query("SELECT * FROM sometable WHERE username = ? ", [email], function(error, results, fields) {


       bcrypt.compare(req.body.password, results[0].password, function(err, result) {
         console.log('>>>>>> ', password)
         console.log('>>>>>> ', results[0].password)
         if(result) {
           return res.send();
         }
         else {
           return res.status(400).send();
         }
       })
    });

  });
});

What's the proper way to compare the password the user enters with the hash that's stored in my db?

Thanks for your help.

Edit:

I've tried the below code (adding password strings) and I'm still getting the false result... What am I missing here?

 bcrypt.compare('somePassword', 'somePassword', function(err, res) {
          if(res) {
            console.log('true')
          } else {
           console.log('false')
          }
        });

Check to ensure you have the password before doing the comparison to know if the passwords match.

See my modification below:

app.post('/login', function(req, res) {
  connection.connect(function(err) {
    let email = req.body.email;
    let password = req.body.password;

    connection.query("SELECT * FROM sometable WHERE username = ? ", [email], function(error, results, fields) {
      if (results[0].password) {
        bcrypt.compare(req.body.password, results[0].password, function(err, result) {
          console.log('>>>>>> ', password)
          console.log('>>>>>> ', results[0].password)
          if(result) {
            return res.send();
          }
          else {
            return res.status(400).send();
          }
        })
      }
    });
  });
});

So, as discussed in the comments of the question, the issue turned out to be the format of the column used to store the hashed password.

If you set your column to char(50) for instance, some databases will just silently remove anything beyond 50 chars, or add spaces to get to 50 chars if you have less.

This then breaks the comparison with the hashed version.

Sorry guys! I had the same problem, but it was coming from MySQL. It was because I had a column called password which was CHAR(50), so if the hash is longer than 50 chars it was truncating it, while hashed passwords are very long, so I have changed the field from CHAR(50) to VARCHAR(255). Then everything started to work fine.

app.post('/login', function(req, res) {
  connection.connect(function(err) {
    let email = req.body.email;
    let password = req.body.password;

    connection.query("SELECT * FROM sometable WHERE username = ? ", [email], function(error, results, fields) {
      if(error) throw error;
      else {
        if(results.length > 0) {
          bcrypt.compare(req.body.password, results[0].password, function(err, result) {
            if(result) {
              return res.send({ message: "Login Successful" });
            }
            else {
              return res.status(400).send({ message: "Invalid Password" });
            }
          });
        } else {
          return res.status(400).send({ message: "Invalid Email" });
        }
      }
    });
  });
});
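
The column problem described in the answers above can be detected before `bcrypt.compare` is called, because a bcrypt hash string always has the same 60-character shape. The following is an added example, not code from the question or any answer; `diagnoseStoredHash`, `demo` and the sample value are hypothetical names and constructed data.

```javascript
// Added example (not from the thread): classify a value read from the
// password column before it is handed to bcrypt.compare().
// Modular crypt format: $2b$ + 2-digit cost + $ + 22-char salt + 31-char digest.
const BCRYPT_LEN = 60;
const PREFIX_RE = /^\$2[abxy]\$\d{2}\$/;
const FULL_RE = /^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$/;

function diagnoseStoredHash(stored) {
  if (typeof stored !== 'string' || stored.length === 0) {
    return { ok: false, reason: 'missing' };
  }
  if (!PREFIX_RE.test(stored)) {
    // e.g. a plaintext password passed as the second argument
    return { ok: false, reason: 'not-bcrypt' };
  }
  const trimmed = stored.replace(/\s+$/, '');
  if (trimmed.length < BCRYPT_LEN) {
    // e.g. a CHAR(50) column cut the tail of the digest off
    return { ok: false, reason: 'truncated', length: trimmed.length };
  }
  if (!FULL_RE.test(trimmed)) {
    return { ok: false, reason: 'malformed' };
  }
  if (trimmed.length !== stored.length) {
    // a fixed-width column padded the value with spaces
    return { ok: false, reason: 'padded', usable: trimmed };
  }
  const cost = Number(FULL_RE.exec(trimmed)[1]);
  return { ok: true, cost };
}

// Constructed sample: syntactically valid, not the hash of any real password.
const SAMPLE = '$2b$10$' + 'N'.repeat(22) + 'h'.repeat(31);

function demo() {
  return {
    intact: diagnoseStoredHash(SAMPLE),
    char50: diagnoseStoredHash(SAMPLE.slice(0, 50)),
    char72: diagnoseStoredHash(SAMPLE.padEnd(72, ' ')),
    plaintext: diagnoseStoredHash('somePassword'),
    empty: diagnoseStoredHash(undefined),
  };
}

console.log(demo());
```

A `truncated` result means the column has to be widened and the affected hashes regenerated from a new password, because the characters that were cut off cannot be recovered.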
