Closed rmuchall closed 2 years ago
That could be good, my only concern would be accidentally invalidating existing user passwords. Is there a guide explicitly for converting from bcryptjs to node crypto?
By design the cryptographic hash is a one-way operation. There is no way to convert the hashed password back to plain text in order to re-hash it using a different algorithm. Perhaps you could implement a method to invalidate all existing passwords and/or bump the major version (semver) to indicate a breaking change if you decide to switch.
What I was thinking was getting the exact same algorithm from crypto that bcryptjs uses, but I guess that's a bit much.
Something I didn't mention on reddit was that this engine is already being used by a game, and I don't want to invalidate hundreds of passwords.
For the time being, bcryptjs is fine. It doesn't have dependencies, and it's worked so far. So for now, I won't change this unless there's a massive upgrade at some point.
Before NodeJS had its own crypto library it was popular to use third-party libraries for cryptographic functionality. However, NodeJS now has a good crypto library built in. Consider switching from bcryptjs to crypto. This will remove a dependency from your library in favor of functionality from the standard library.
See: https://nodejs.org/api/crypto.html#crypto_crypto_scrypt_password_salt_keylen_options_callback