如何在 NodeJS 应用程序中验证 PHP 散列密码

Question

My application ran on PHP for years, and I used the recommended password hashing API as of PHP 5.5 to store my users' passwords. For instance:

$password = password_hash("my password", PASSWORD_DEFAULT);

As a result, my database is full of passwords such as this:

$2y$10$sjzYz7g/kVxpJUynC/...........pjKPh0z1QuU.Mlt7TVAiPW

Now I am moving my application to run on NodeJS 12.3.0 instead of PHP and I now use the bcrypt library like this:

const saltRounds = 10;
const password = await bcrypt.hash("my password", saltRounds);

The same password hashes to something like:

$2b$10$SYZH5Mj4Dy8dkKyRv1O/.........XNGPVBe8nPJjpnEjPZxx.

I thought that the algo, salt and rounds used were within the string so that the transition would be seamless. However, when I try to verify a password that had been stored by PHP, the correct password fails verification:

// result === false
const result = await bcrypt.compare("my password", phpStoredHash);

I really hope I don't have to force all users to reset their passwords. How can I verify the passwords PHP stored in my NodeJS application?

Answer 1

Use bcryptjs package instead. It can compare php generated hashes correctly.

const bcrypt = require('bcryptjs')

const hashPHP = "$2y$10$Lsn001yN38WssfQmJ5hM5.Ywa3AKB76YD/zUC9QNS5BPRr9QMWOTa"
console.log(bcrypt.compareSync("my password", hashPHP));  // outputs: true

Answer 2

This does not have any salt rounds,PASSWORD_DEFAULT uses BCRYPT

$password = password_hash("my password", PASSWORD_DEFAULT);

Try to make following change:

$password = password_hash("my password", PASSWORD_BCRYPT);