Laravel & Meteor Password Hashing

I have two applications: one in Laravel 5.2 and one in Meteor. I want to store password hashes that are compatible with both platforms.

The database stores the hashes separately:

  • password for Laravel.
  • meteor_password for Meteor.

Both platforms use bcrypt with 10 rounds by default, but Meteor seems to hash the plain password before bcrypt.

If Meteor creates a password hash abc, I can SHA-256 the plain password and compare it with abc using Laravel's built-in functions, i.e. Auth::attempt():

 $sha256 = hash('sha256', $request->get('password'), false); 

It works. Laravel successfully authenticates the user.

However, if I register a new user in Laravel and save the meteor_password hash, authenticating against this hash in Meteor fails with the "Login Forbidden" error message. This error means incorrect credentials.

I create the hash the same way I did when I tested it in Laravel:

 $meteor_password = bcrypt(hash('sha256', $plain, false)); 

It seems strange that it works in one direction and not in the other, so I assume I am missing something.

1 answer

In 2011, a bug was discovered in the PHP implementation of bcrypt, so the original version identifier 2a was changed to 2x and 2y; 2y is used today to indicate that the password was hashed with the fixed version.

Therefore, the hash generated by PHP 2y should be identical to that generated by node 2a .

The prefix must be changed for proper processing by the NPM module (used by Meteor), since it does not recognize 2y.

 $meteor_password = bcrypt(hash('sha256', $plain, false));
 // replace the version tag using something like:
 $meteor_password = str_replace('$2y', '$2a', $meteor_password);
 // or:
 $meteor_password[2] = 'a';
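Putting the answer together, as an added example that is not part of the original question or answer (function names are ours; the Meteor side is assumed to bcrypt the lowercase hex SHA-256 of the plaintext, as the question describes): build one hash that both Laravel and Meteor's bcrypt module accept, and verify it the way the PHP side does.

```php
<?php
// Added example: produce a bcrypt hash for the meteor_password column that
// both Laravel ("$2y$") and Meteor's bcrypt npm module ("$2a$") accept.
declare(strict_types=1);

// Meteor bcrypts the lowercase hex SHA-256 of the plaintext, not the plaintext
// itself, so the Laravel side must feed bcrypt the same digest.
function meteorDigest(string $plain): string
{
    return hash('sha256', $plain, false); // hex output, as in the question
}

// bcrypt (cost 10) over the SHA-256 digest, then rewrite the PHP-specific
// "$2y$" version tag to "$2a$" for the npm module. Only the tag changes;
// the salt and checksum are computed identically for both variants.
function meteorCompatibleHash(string $plain, int $cost = 10): string
{
    $hash = password_hash(meteorDigest($plain), PASSWORD_BCRYPT, ['cost' => $cost]);
    if (strncmp($hash, '$2y$', 4) !== 0) {
        throw new RuntimeException('unexpected bcrypt variant: ' . substr($hash, 0, 4));
    }
    return '$2a$' . substr($hash, 4);
}

// What Laravel's Hash::check() / Auth::attempt() does on the PHP side.
// PHP's crypt() accepts both "$2a$" and "$2y$", so the rewritten hash still verifies.
function verifyLikeLaravel(string $plain, string $stored): bool
{
    return password_verify(meteorDigest($plain), $stored);
}

$plain  = 'correct horse battery staple'; // constructed sample password
$stored = meteorCompatibleHash($plain);

// Structural check: "$2a$10$" + 22-char salt + 31-char checksum = 60 chars.
assert(preg_match('/^\$2a\$10\$[.\/A-Za-z0-9]{53}$/', $stored) === 1);
assert(verifyLikeLaravel($plain, $stored) === true);
assert(verifyLikeLaravel('wrong password', $stored) === false);
// The same hash with the tag restored to "$2y$" is what Laravel itself would store.
assert(verifyLikeLaravel($plain, '$2y$' . substr($stored, 4)) === true);
echo "ok\n";
```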

Source: https://habr.com/ru/post/1242383/
