为什么即使两个密码字符串完全匹配,我也会从 bcrypt 比较中得到 isMatch null?
[英]Why am I getting isMatch null from bcrypt compare even though two password string matches perfectly?
问题描述
I'm trying to authenticate the user based on a password.
我正在尝试根据密码对用户进行身份验证。 I'm using bcrypt compare to compare user requested password and one in mongodb but even though two password matches perfectly I get null value, here is the code which I"m trying我正在使用 bcrypt compare 来比较用户请求的密码和 mongodb 中的一个密码,但即使两个密码完全匹配,我也得到 null 值,这是我正在尝试的代码
userSchema.methods.comparePassword = function (passw, cb) {
var user = this;
console.log((passw === user.password) ? 'passwords match' : 'passwords dont match' );
bcrypt.compare(passw, user.password, function (err, isMatch) {
console.log(passw +" "+ user.password +" " +isMatch )
if(err) {
return cb(err)
}
cb(null, isMatch)
})
}
I get the console output as below我得到控制台 output 如下
sh37xb sh37xb null
which are user-entered password, password in database for that user, and isMatch value which is null instead it has to be the opposite since both passwords match perfectly.它们是用户输入的密码,该用户在数据库中的密码,以及 isMatch 值,即 null 而它必须相反,因为两个密码完全匹配。 when I checked this password with the ternary condition it says 'passwords match' but not with bcrypt.compare.当我使用三元条件检查此密码时,它显示“密码匹配”,但不使用 bcrypt.compare。 What am I doing wrong?我究竟做错了什么? can anyone help me to point out my mistake??谁能帮我指出我的错误??
2 个解决方案
解决方案1
2 已采纳 2021-03-08 15:35:29
When the user signup you save the hashed version of it not the actual text.当用户注册时,您保存它的散列版本而不是实际文本。
const password = req.body.password
// This hasedPassword will be saved to database
const salt = await bcrypt.genSalt(10)
const hashedPassword = await bcrypt.hash(password, salt)
When the user tries to log in, bcrypt compare the user-entered password to the hashedPassword当用户尝试登录时,bcrypt 将用户输入的密码与 hashedPassword 进行比较
const saveHashedPassword = user.password
const enteredPassword = passw
bcrypt.compare(enteredPassword, saveHashedPassword, function(err, result) {
// Do your logic
if(err) {
return cb(err)
}
cb(null, isMatch)
})
解决方案2
1 2021-03-08 15:14:55
The 2nd parameter to bcrypt.compare should be hashed and not a plain text string. bcrypt.compare的第二个参数应该是散列的,而不是纯文本字符串。
Bcrypt compare does not compare a plain text password with another plain text password. Bcrypt compare 不会将纯文本密码与另一个纯文本密码进行比较。 It calculates the hash of a plain text password and compares that with an earlier hash that you supply as the 2nd parameter to see if the hashes match.它计算纯文本密码的 hash 并将其与您作为第二个参数提供的较早的 hash 进行比较,以查看哈希是否匹配。
The typical reason for using bcrypt compare is that it is more secure than string comparison.使用 bcrypt compare 的典型原因是它比字符串比较更安全。 For that to be true, the password database needs to contain hashed passwords, not plain text passwords.为此,密码数据库需要包含散列密码,而不是纯文本密码。 A database of plain text passwords is a tempting thing to steal.纯文本密码数据库很容易被窃取。 A database of hashed strings is less useful.散列字符串的数据库不太有用。
The npm page for bcrypt gives this example: bcrypt 的 npm 页面给出了这个例子:
To check a password:
// Load hash from your password DB.
bcrypt.compare(myPlaintextPassword, hash, function(err, result) {
// result == true
});
bcrypt.compare(someOtherPlaintextPassword, hash, function(err, result) {
// result == false
});
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.