srcagency / credentials

Secure password hashing and verification in Node.js.

3.x.x is not backwards compatible with 2.x.x #5

Closed dagingaa closed 5 years ago

dagingaa commented 5 years ago

If you try to verify hashes generated by credentials@2.0.0, the verify function will return false.

This can be easily replicated by running the following code on Runkit:

https://runkit.com/embed/zgp4an2ckb58

In case Runkit doesn't work, you can try to verify the following hash with 3.0.2:

{"salt":"8Nqw3LkHwILdMvZaibpFUGyVeMqYi5KsZwUqF9Esxnlkxt/tjEmO0Hjmdjqm6/FezgSfHrIoUQTyinsKJxvR6GJt","hash":"lXXvFBZecCsmyX+A/24TWVvvNTaixBLdYQD0sGSKNaAj58u4TXQBwI8vCFTwy0xsDHvsczoHKZufNoai1uxr1+3t","keyLength":66,"hashMethod":"pbkdf2","iterations":919715}

The password is "foo".

tjconcept commented 5 years ago

That's one of the reasons the major version was bumped. However, you can easily migrate your old data:

// 'old' is the credentials@2.x API and 'verify' is the 3.x verify function
// (assumed bindings; the comment does not show how they were loaded)
old.hash('foo')
    .then(json => verify(migrate(json), 'foo'))
    .then(console.log)

// 2.x fed the utf8 bytes of the stored salt string to pbkdf2, while 3.x
// base64-decodes the salt first. Re-encoding those utf8 bytes as base64 makes
// the 3.x decode step reproduce exactly the salt bytes 2.x used.
function migrate(json) {
    const data = JSON.parse(json)
    return JSON.stringify({
        ...data,
        salt: Buffer.from(data.salt, 'utf8').toString('base64'),
    })
}