我试图弄清楚如何使用加密模块在NodeJ中加密和散列密码.我可以通过以下方式创建哈希密码:
UserSchema.pre('save', function(next) {
var user = this;
var salt = crypto.randomBytes(128).toString('base64');
crypto.pbkdf2(user.password, salt, 10000, 512, function(err, derivedKey) {
user.password = derivedKey;
next();
});
});
然而,我对以后如何验证密码感到困惑.
UserSchema.methods.validPassword = function(password) {
// need to salt and hash this password I think to compare
// how to I get the salt?
}
在您使用的任何持久化机制(数据库)中,您都会将生成的哈希值与salt和迭代次数一起存储,这两项都是明文.如果每个密码使用不同的salt(您应该这样做),您还必须保存该信息.
然后比较新的纯文本密码,使用相同的salt(和迭代)对其进行哈希,然后将字节序列与存储的字节序列进行比较.
To generate the password (pseudo)
function hashPassword(password) {
var salt = crypto.randomBytes(128).toString('base64');
var iterations = 10000;
var hash = pbkdf2(password, salt, iterations);
return {
salt: salt,
hash: hash,
iterations: iterations
};
}
To validate password (pseudo)
function isPasswordCorrect(savedHash, savedSalt, savedIterations, passwordAttempt) {
return savedHash == pbkdf2(passwordAttempt, savedSalt, savedIterations);
}