Laravel &流星密码哈希 [英] Laravel & Meteor password hashing

问题描述

我有两个应用程序，一个在 Laravel 5.2 中，一个在 Meteor 中.我想收集与两个平台兼容的密码的哈希值.

I have two applications, one in Laravel 5.2 and one in Meteor. I want to collect hashes for passwords which are compatible with both platforms.

数据库分别存储哈希值

• 密码 适用于 Laravel.
• meteor_password 用于 Meteor.

• password for Laravel.
• meteor_password for Meteor.

默认情况下，两个平台都使用 10 轮的 bcrypt，但 Meteor 似乎在 bcrypt 之前 sha256 普通密码.

Both platforms use bcrypt with 10 rounds by default, but Meteor appears to sha256 the plain password before bcrypt.

如果 Meteor 创建密码哈希 abc，我可以 sha256 普通密码，并使用 Laravel 的内部结构将其与 abc 进行比较，即 Auth::attempt()

If Meteor creates password hash abc, I can sha256 the plain password, and compare it with abc using Laravel's internals, i.e. Auth::attempt()

$sha256 = hash('sha256', $request->get('password'), false);

这有效.Laravel 成功验证用户身份.

This works. Laravel successfully authenticates the user.

但是，如果我在 Laravel 中注册一个新用户并存储散列 meteor_password，当在 Meteor 中对该散列进行身份验证时，它会失败并显示错误消息禁止登录".此错误似乎意味着凭据不正确.

However, if I register a new user in Laravel, and store the hash meteor_password, when authenticating against that hash in Meteor, it fails with the error message "Login Forbidden". This error appears to be mean incorrect credentials.

我创建哈希的方式与我在 Laravel 中验证它时所做的相同.

I'm creating the hash in the same way as I did when I verified it in Laravel.

$meteor_password = bcrypt(hash('sha256', $plain, false));

它以一种方式工作而不是另一种方式似乎很奇怪，所以我认为我遗漏了一些东西.

It seems strange that it'd work one way and not the other so I assume I'm missing something.

推荐答案

2011 年，在 PHP 的 BCrypt 实现中发现了一个 bug，所以他们 改变 原来的2a 版本指示符为2x 和2y，今天使用，表示密码是由固定版本散列.

In 2011, a bug was discovered in PHP's BCrypt implementation, so they changed the original 2a version indicator to 2x and 2y, which is used today, to indicate that the password was hashed by the fixed version.

因此，PHP的2y生成的hash应该和node的2a生成的hash一致.

Therefore, the hash generated by PHP's 2y should be identical to the one generated by node's 2a.

为了被 NPM 模块(由 Meteor 使用)正确处理，应该更改前缀，因为它 不承认2y.

The prefix should be changed in order to be correctly processed by the NPM module (used by Meteor), as it does not acknowledge 2y.

$meteor_password = bcrypt(hash('sha256', $plain, false));
// replace it useing something like:
$meteor_password = str_replace('$2y', '$2a', $meteor_password);
// or
$meteor_password[2] = 'a';

这篇关于Laravel &流星密码哈希的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！