
I am using the LoopBack hasher as

import { PasswordHasher } from './hash.password.bcryptjs';

This has a function to generate a hash:

credentials.password = await this.passwordHasher.hashPassword(credentials.password);

I am giving pass@1010 as the password input to generate the hash, but it generates a different hash every time. But the hash for the same string should be the same.

Code for the class:

import { genSalt, hash, compare } from 'bcryptjs';
import { inject } from '@loopback/core';
import { PasswordHasherBindings } from '../keys';

/**
 * Service HashPassword using module 'bcryptjs'.
 * It takes in a plain password, generates a salt with the given
 * number of rounds and returns the hashed password as a string.
 */
export type HashPassword = (
  password: string,
  rounds: number,
) => Promise<string>;

// bind function to `services.bcryptjs.HashPassword`
export async function hashPassword(
  password: string,
  rounds: number,
): Promise<string> {
  // genSalt() draws a fresh random salt on every call, so the
  // returned string differs between calls for the same password.
  const salt = await genSalt(rounds);
  return hash(password, salt);
}

export interface PasswordHasher<T = string> {
  hashPassword(password: T): Promise<T>;
  comparePassword(providedPass: T, storedPass: T): Promise<boolean>;
}

export class BcryptHasher implements PasswordHasher<string> {
  constructor(
    @inject(PasswordHasherBindings.ROUNDS)
    private readonly rounds: number,
  ) {}

  async hashPassword(password: string): Promise<string> {
    // Use the injected cost factor instead of a hard-coded 10.
    const salt = await genSalt(this.rounds);
    return hash(password, salt);
  }

  async comparePassword(
    providedPass: string,
    storedPass: string,
  ): Promise<boolean> {
    // compare() reads the salt and cost out of storedPass, re-hashes
    // providedPass with them and checks the result against storedPass.
    return compare(providedPass, storedPass);
  }
}
  • So how can I keep it the same? – TechChain Nov 14 '19 at 06:27
    Why do you care, and why would you want that? The whole point of a random salt is precisely to make sure that two identical passwords do not lead to the same hash. It's a security feature. – JB Nizet Nov 14 '19 at 06:30
  • I want to avoid a SQL query. As of now we fetch the password hash from the DB and compare it with the string password. I am not able to understand how it is comparing. – TechChain Nov 14 '19 at 06:31
  • bcrypt is one-way hashing, so you have to store the hashed password in the database; then the comparison takes the salt from the hashed password and uses it to hash the given string. Then both hashes are compared. – MjZac Nov 14 '19 at 06:34
  • It's comparing by getting the random salt stored into the hashed password, then salting and hashing the given password with that stored salt, and testing if the new hashed result is equal to the stored one. https://en.wikipedia.org/wiki/Bcrypt – JB Nizet Nov 14 '19 at 06:34
  • Can I get the definition for doing the same so that I can compare manually? Can I write my own function to get the salt from the hash and decode it to a string? – TechChain Nov 14 '19 at 06:45
  • BCrypt is open-source. You can reimplement it yourself if you want to. But why would you do that? – JB Nizet Nov 14 '19 at 06:57

1 Answer

The problem is that you use a new salt with each hash. If you want a stable hash, you need to generate the salt once and then re-use it in the next round.
