
I'm moving an app from Python Flask to ExpressJS. I need some help with password hashing and verifying. In Flask, you can do this:

from werkzeug.security import generate_password_hash, check_password_hash
password = 'abcd'  # 'pass' is a Python keyword and cannot be used as a variable name
pass_hash = generate_password_hash(password)
check_password_hash(pass_hash, password)

And in 4 lines you have a boolean response checking if the password corresponds to the hash.

Now to NodeJS: I know how to create a sha256 hash, a HMAC hash or a cipher, but how would I check the password?

2 Answers

It is also easy to achieve it in node. Use https://github.com/ncb000gt/node.bcrypt.js/ Here is an example for koa.

let bcrypt = require('co-bcrypt');

// inside a koa (v1) generator middleware, since `yield` needs a generator function
let storedHash = yield bcrypt.hash("user_password", 10, null);   // to get hash (10 = cost rounds)

let isValid = yield bcrypt.compare("user_password", storedHash);  // to compare, resolves to true/false

In case you would like to use pbkdf2, here is another example.

const crypto = require('crypto');
// arguments: password, salt, iterations, key length in bytes, digest
crypto.pbkdf2('secret', 'salt', 100000, 512, 'sha512', (err, key) => {
  if (err) throw err;
  console.log(key.toString('hex'));  // 'c5e478d...1469e50'
});

Documentation: https://nodejs.org/api/crypto.html#crypto_crypto_pbkdf2_password_salt_iterations_keylen_digest_callback


1 Comment

co-bcrypt implements bcrypt, but the werkzeug functions from the question use PBKDF2 with HMAC-SHA1. These two methods are completely different (but have the same purpose).

This is how I verify the bcrypt passwords in NodeJS that were created in Python Flask with bcrypt. Hope that helps.

const { pbkdf2Sync } = require('node:crypto');

function validatePassword(password, passwordHash) {
  // example: pbkdf2:sha256:150000$weUYb4Vf$cf99f5c4b956b9af7fae3a2ff8d8ba921fd7967a1e001f2af2fdc39754f8fecd

  const code2 = passwordHash.split('$');
  // [0]pbkdf2:sha256:150000,
  // [1]weUYb4Vf
  // [2]cf99f5c4b956b9af7fae3a2ff8d8ba921fd7967a1e001f2af2fdc39754f8fecd
  const code1 = code2[0].split(':');
  // [0]pbkdf2
  // [1]sha256
  // [2]150000
  const salt = code2[1];
  const iterations = parseInt(code1[2], 10);
  const keyLen = 32;
  const digest = code1[1];
  const value = code2[2];

  const derivedKey = pbkdf2Sync(
    password,
    salt,
    iterations,
    keyLen,
    digest
  ).toString('hex');

  return value === derivedKey;
}

This is how I generate the Flask Login bcrypt hashes.

const { pbkdf2Sync } = require('node:crypto');
const randomstring = require('randomstring');  // npm package used to make the salt

const password = '<TYPE_YOUR_PASSWORD_HERE>';

const headerKey = 'pbkdf2:sha256:150000$';
const salt = randomstring.generate(8);   // 8 alphanumeric characters, like the salt in the example hash above
const iterations = 150000;
const keyLen = 32;                       // SHA-256 output size in bytes
const digest = 'sha256';

const derivedKey = pbkdf2Sync(
  password,
  salt,
  iterations,
  keyLen,
  digest
).toString('hex');

// werkzeug's layout is method$salt$hash, so the salt has to be stored as part of the string
const fullKey = headerKey + salt + '$' + derivedKey;
