Open savoygrizzly opened 2 years ago
The following works as expected and does not return true
:
var hash = bcryptjs.hashSync("something");
var result = bcryptjs.compareSync("something_", hash);
console.log(result); // logs false
Note, though, that the maximum input length is 72 bytes as explained in the README, so if the input is longer than that, remaining bytes are truncated, which might explain the behavior.
When using
bcrypt.compare(password, user.password)
with the original hashed user.password beingsomething
and the supplied password beingsomething__
orsomething_
,bcrypt.compare
will return true.Just wondering if this is intended behavior, if it is I'd consider this VERY bad practice.