2

I have a database that is used in a .NET Core web site, and now I need to check the login with Node.js. How do I check the password hash in Node.js? I found a function for doing that, but it doesn't work for .NET Core AspNetUsers, only for the previous ASP.NET.

Chirag Patel

2 Answers

2

As in this post: JavaScript: How to generate Rfc2898DeriveBytes like C#?

But for .NET Core it needs to change, because .NET Core (1.x and later) uses the V3 format for hashing, so the code should change to:

    const crypto = require('crypto');

    // The value stored in [dbo].[AspNetUsers].[PasswordHash]
    const hashedPwd = "AQAAAAEAACcQAAAAENX1Hdhgta05DYzYzVOI5kfv1mM0oc2OCIF8tKvNZeSTMWoczGZk+6yy9DMWtLeVQQ==";
    const hashedPasswordBytes = Buffer.from(hashedPwd, 'base64');

    // V3 layout: byte 0 is the format marker (0x01), bytes 1-12 hold the PRF id,
    // iteration count and salt length as big-endian uint32s, bytes 13-28 are the
    // 16-byte salt and bytes 29-60 are the 32-byte stored subkey.
    const salt = hashedPasswordBytes.subarray(13, 29);
    const storedSubKey = hashedPasswordBytes.subarray(29);

    // password provided by the user
    const password = 'password';

    // Iteration count (10000), subkey length (32 bytes) and PRF (HMAC-SHA256,
    // id 1) are hardcoded here to the values encoded in the header above.
    const derivedKey = crypto.pbkdf2Sync(
            Buffer.from(password, 'utf8'),
            salt, 10000, storedSubKey.length, 'sha256');

    // Constant-time comparison of the derived subkey with the stored one
    if (derivedKey.length === storedSubKey.length &&
            crypto.timingSafeEqual(derivedKey, storedSubKey)) {
        console.log("passwords match!");
    } else {
        console.log("passwords DO NOT match!");
    }
1

node-password-hash (although it is deprecated) is a simple, great module that gets password hashing done in a few easy steps for you.

It also provides functions for generating hashed passwords and verifying a plain-text password against a hashed password. In addition, as an extra security measure, a random salt is generated when the password is hashed. The hashed password is a combination of the cryptographic algorithm that was used and the salt, so all you need in order to verify a plain-text password is the hashed password itself.

Hope this helps!

David R