问题
I have a database from django and I want to work with it from Node.js. I have a task: authenticate users. Known from database: algorithm pbkdf2_sha256, salt, 10000 iterations and base64-encoded hash. What steps I must to do in JS to encode some password to given base64-hash?
UPD: found the solution in here: python (django) hashlib vs Nodejs crypto but Django-generated hash and JS-generated hash not match...
Django generate next:
pbkdf2_sha256$10000$NmzpPCQiTe2R$U8ipSsOy3Xz7FwWDHdH/dTei8Xh4Q7NGtdzrCacSfvo=
JS:
pbkdf2_sha256$10000$NmzpPCQiTe2R$w4jCgWjDilrDmcOBd8K+I8OdwpkKwoVQZMKWH3FvYcKoAMKcwqlewobDocOEGMKZfQ==
Password: Simple123
回答1:
By using pbkdf2-sha256 (from your own link) I'm able to generate a hash that is identical to the one you have from Django.
var pbkdf2 = require('pbkdf2-sha256');
var validatePassword = function (key, string) {
var parts = string.split('$');
var iterations = parts[1];
var salt = parts[2];
return pbkdf2(key, new Buffer(salt), iterations, 32).toString('base64') === parts[3];
};
var djangoPass = 'pbkdf2_sha256$10000$NmzpPCQiTe2R$U8ipSsOy3Xz7FwWDHdH/dTei8Xh4Q7NGtdzrCacSfvo=';
console.log(validatePassword('Simple123', djangoPass)); // Logs: true
The above code should be sufficient to validate passwords stored in Django using Node.
回答2:
I recently created a project to make this easier. My project is available for node and is called node-django-hashers. The code is below:
https://github.com/kalvish21/hashers
A sample usage:
var hashers = require('node-django-hashers');
var h = new hashers.PBKDF2PasswordHasher();
var hash1 = h.encode("password", h.salt());
console.log(h.verify("password", hash1)); // returns true
console.log(h.verify("wrong_password", hash1)); // returns false
This is compatible with django password hashing.
回答3:
I faced a similar task where I have to authenticate users against Django passwords in Java. After trying unsuccessfully to achieve this goal using the default pbkdf2_sha256 hasher in Django, I ended up changing the method used to hash the Django password to be able to easily replicate the same algorithm in Java.
As described in Django documentation you can modify the order in which PASSWORD_HASHERS are defined in settings.py, I put this hasher in first position:
'django.contrib.auth.hashers.SHA1PasswordHasher'
In this way the password hash stored in the Django database is something like this:
sha1$upSZarr0w7CZ$304b22b1a9e7e5387e79f50e691043d3faf83c48
If you already have some passwords in the database they will be automatically converted by Django at first user login.
You can easily tokenize the hash using $ as separator; the first token is always sha1 (the algorithm used), the second token is the salt and the last token is the actual hash.
To match a password you can verify that
304b22b1a9e7e5387e79f50e691043d3faf83c48
is the SHA1 sum of the salt concatenated with the expected password:
SHA1(upSZarr0w7CZ + password) = 304b22b1a9e7e5387e79f50e691043d3faf83c48
In our case the security implications of using a weaker algorithm for password hashing was acceptable.
来源:https://stackoverflow.com/questions/17544537/django-pbkdf2-sha256-js-implementation