dstroot / express-bootstrap-passport

express 3.0.x, bootstrap 2.2.x and passport authentication (local strategy) to couchDB - fully working!

windows vs ubuntu weirdness #1

Open merrittholmes opened 11 years ago

merrittholmes commented 11 years ago

Hi, your example is great and it works perfectly when run from a Windows server. However, I ported it over to Ubuntu and now when I register, my password hash goes from:

Þ!ÿ-͍'†¿JÊs5,ÅÕ®ÀR°cÊó^›jÿB’ÑóäMùÂ;ãk'›q…+Œv˜ rרóµ=¬Yfú†ÅœÖ0}+·¬±$º/4×é¤j¡Gþ7ÿ`þBÿžÀí>• 94ÈYâ ÜLÝ"’…ÙpõÖ¨éY-ìÏó{

to

[47, 88, 49, 74, 176, 198, 114, 151, 96, 206, 239, 158, 35, 212, 198, 97, 231, 255, 161, 209, 68, 38, 9, 133, 19, 45, 98, 206, 124, 94, 114, 43, 122, 234, 164, 83, 83, 97, 147, 16, 250, 231, 6, 69, 80, 41, 89, 133, 107, 247, 211, 141, 32, 154, 197, 56, 89, 113, 58, 3, 190, 230, 183, 22, 74, 189, 246, 225, 252]

when using Ubuntu instead of Windows, and when I log in it always says my password is wrong.

Any ideas what's going on here?

dstroot commented 11 years ago

Yep - I ran into this as well I think. Updated versions of the components (node, express, etc.) cause a problem with the crypto library if I recall. Not sure I recall how I fixed it. If I remember I'll update you. Check the comments on the crypto libraries.

merrittholmes commented 11 years ago

Yep it is a bug in node 10.

It can be worked around by altering the hash function in the pwd library. I believe the actual bug has been fixed, just not merged yet.


On 25 Jun 2013, at 01:41, dstroot notifications@github.com wrote:

Yep - I ran into this as well I think. Updated versions of the components (node, express, etc.) cause a problem with the crypto library if I recall. Not sure I recall how I fixed it. If I remember I'll update you. Check the comments on the crypto libraries.


alexhornbake commented 10 years ago

I just ran into a similar issue (OS X), where CouchDB (user.hash) was returning an array like: "[150, 50, 10, ... ]" and the crypto library (pass.hash) was returning a SlowBuffer like: "<SlowBuffer 96 a3 7c 2b ad 62I". The "==" comparison was always returning false. I managed to resolve it by changing the Passport LocalStrategy to do a deeper check on each octet.

I'm no expert... but if you guys think this is more stable, I'll do a pull request. Any ideas on a better way to do this?

(Edit: In index.js), here is the function I added to check if the user's submitted hashed password equals the hash stored in the DB.

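// Compare two hashes octet by octet (works for Buffers and plain arrays).
function isHashEqual(hash1, hash2)
{
    var len = hash1.length;
    // Hashes of different lengths can never match.
    if(hash2.length !== len){
      return false;
    }
    // Compare each octet; valid indices run from 0 to len - 1.
    for(var i=0; i<len; i++){
      if(hash1[i] !== hash2[i])
          return false;
    }
    return true;
}

dstroot commented 10 years ago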

Alex - I'd be happy to support a pull request. I think I used a different approach in a recent project - check out the auth example in the ExpressJS repository: https://github.com/visionmedia/express/tree/master/examples

That might give a good hint where to go with this - but in any case I'd be happy to get this fixed so it's a good working example.

Cheers.
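
The mismatch described in this thread (a raw binary hash changing shape on its way through CouchDB, then failing an "==" check) can be reproduced and avoided as in the following added example, which is not code from this repository. It goes slightly beyond the thread by storing the hash as hex and comparing in constant time. The PBKDF2 parameters, the function names, and the JSON round trip standing in for CouchDB are assumptions.

```javascript
const crypto = require('crypto');

// Constructed parameters for this example (not taken from the repository).
const ITERATIONS = 100000, KEYLEN = 64, DIGEST = 'sha512';

// Derive the password hash as a Buffer from a hex-encoded salt.
function derive(password, saltHex) {
  return crypto.pbkdf2Sync(password, Buffer.from(saltHex, 'hex'),
                           ITERATIONS, KEYLEN, DIGEST);
}

// Build the document to store: salt and hash as hex strings, which survive
// JSON serialization unchanged on every platform and Node version.
function makeUserDoc(name, password) {
  const salt = crypto.randomBytes(16).toString('hex');
  return { name, salt, hash: derive(password, salt).toString('hex') };
}

// Stand-in for the trip through a JSON document store such as CouchDB.
function roundTrip(doc) {
  return JSON.parse(JSON.stringify(doc));
}

// Accepts the stored hash as a hex string or as an array of octets (the form
// reported in the thread), normalizes it to a Buffer, and compares the bytes
// in constant time instead of with "==".
function verifyPassword(stored, password) {
  const expected = Array.isArray(stored.hash)
    ? Buffer.from(stored.hash)
    : Buffer.from(stored.hash, 'hex');
  const actual = derive(password, stored.salt);
  // timingSafeEqual throws on unequal lengths, so check length first.
  return expected.length === actual.length &&
         crypto.timingSafeEqual(expected, actual);
}

// Shows why the original check failed: a raw Buffer does not come back from
// JSON as a Buffer, and "==" on objects compares identity, not bytes.
function naiveCompareAfterRoundTrip(password, saltHex) {
  const raw = derive(password, saltHex);
  const restored = roundTrip({ hash: raw }).hash; // { type: 'Buffer', data: [...] }
  return restored == raw;
}
```
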