Como comparar um hash js com hasj php

The hash.digest( ) method is an inbuilt function of the crypto module’s Hash class. This is used to create the digest of the data which is passed when creating the hash. For example, when we create a hash we first create an instance of Hash using crypto.createHash() and then we update the hash content using the update( ) function but till now we did not get the resulting hash value, So to get the hash value we use the digest function which is offered by the Hash class.

This function takes a string as an input which defines the type of the returning value for example hex or base64. If you leave this field you will get Buffer as a result.

Syntax:

hash.digest([encoding])

Parameter: This function takes the following one parameter:

• encoding: This method takes an optional parameter that defines the type of returning output. You can use ‘hex’ or ‘base64’ as a parameter.

Module Installation: Install the required module using the following command:

npm install crypto

Return Value: This function returns a String when the parameter is passed and returns a Buffer object when no parameter is passed. Suppose we passed parameter base64 then the return value will be a string of base64 encoding.

Example 1: Generating hash values of the string GeeksForGeeks in the form of a hex and base64.

index.js// Importing the crypto library const crypto = require("crypto") // Defining the algorithm let algorithm = "sha256" // Defining the key let key = "GeeksForGeeks" // Creating the digest in hex encoding let digest1 = crypto.createHash(algorithm).update(key).digest("hex") // Creating the digest in base64 encoding let digest2 = crypto.createHash(algorithm).update(key).digest("base64") // Printing the digests console.log("In hex Encoding : \n " + digest1 + "\n") console.log("In base64 encoding: \n " + digest2)

Run the index.js file using the following command:

node index.js

Output:

In hex Encoding : 0112e476505aab51b05aeb2246c02a11df03e1187e886f7c55d4e9935c290ade In base64 encoding: ARLkdlBaq1GwWusiRsAqEd8D4Rh+iG98VdTpk1wpCt4=

Example 2: Creating a digest by not passing the encoding key.

index.js// Importing the crypto library const crypto = require("crypto") // Defining the algorithm let algorithm = "sha256" // Defining the key let key = "GeeksForGeeks" // Creating the digest in hex encoding let digest = crypto.createHash(algorithm).update(key).digest() // Printing the digests console.log(digest)

Run the index.js file using the following command:

node index.js

Output:

<Buffer 01 12 e4 76 50 5a ab 51 b0 5a eb 22 46 c0 2a 11 df 03 e1 18 7e 88 6f 7c 55 d4 e9 93 5c 29 0a de>

Reference: //nodejs.org/api/crypto.html#crypto_hash_digest_encoding

Article Tags :

(PHP 5 >= 5.5.0, PHP 7, PHP 8)

password_verify — Verifies that a password matches a hash

password_verify(string $password, string $hash): bool

Note that password_hash() returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that's needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.

This function is safe against timing attacks.

password

The user's password.

hash

A hash created by password_hash().

Returns true if the password and hash match, or false otherwise.

Example #1 password_verify() example

<?php
// See the password_hash() example to see where this came from.
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq'password_verify('rasmuslerdorf', $hash)) {
    echo 'Password is valid!''Invalid password.'?>

The above example will output:

I’m in a situation where a Node app and a PHP app are sharing a database. The PHP app handles the user registration and hashes the password using password_hash().

The password_hash() function uses the bcrypt algorithm if you specify PASSWORD_DEFAULT or PASSWORD_BCRYPT.

With Node, the bcrypt NPM module can be used to compare the hash and the plain password, with a little gotcha.

There are multiple versions of bcrypt: //en.wikipedia.org/wiki/Bcrypt#Versioning_history

PHP uses $2y$ while this NPM module uses $2a$. They are still compatible though, so we can just replace this part of the hash.

Example

password.php:

<?php $password = "qwertyuiop"; $hash = password_hash($password, PASSWORD_BCRYPT); // PASSWORD_DEFAULT is equivalent as of now // //www.php.net/manual/en/function.password-hash.php echo $hash;

password.js:

const bcrypt = require("bcrypt"); const exec = require("child_process").exec; const password = "qwertyuiop"; const cmd = "/usr/local/bin/php ./password.php"; exec(cmd, (err, stdout, stderr) => { // See //en.wikipedia.org/wiki/Bcrypt#Versioning_history const hash = stdout.replace("$2y$", "$2a$"); bcrypt.compare(password, hash).then(function (res) { // Should output true console.log(res); }); });

It’s working 👍

[email protected] ~/l/password-hash> node password.js true

The reverse operation can of course be done using the same technique.

Source: Stack Overflow

I think your problem is in the salt. Usually you have to store the salt you used to hash the first time and reuse it the second time around. The reason for the salt is to make sure that the hash doesn't map to the original pass if some hacker would retrieve it from a compromised system (using a rainbow table attack). See Why do we use the "salt" to secure our passwords?

If you would try

var salt = crypto.randomBytes(128).toString('base64'); var hashPwd = function hashPwd(salt, pwd) { var hmac = crypto.createHmac('sha256', salt); return hmac.update(pwd).digest('hex'); }; //use password , create salt, hash and compare with the existing var passHash = hashPwd(salt,data.Password); console.log('the password is', user.PassHash === passHash);

It would work as long as you don't restart the server (assuming you store the salt var outside scope of the function invoked to respond to the http request).

A better solution (imo) is what bcrypt is doing. There you generate a salt per password, but to verify that a password is correct you use compare, which uses the salt stored in the hash. This way you can use different salts with each password, meaning you don't have to worry as much about a salt being compromised.

npm install bcrypt

…

var bcrypt = require('bcrypt'); var hash = bcrypt.hashSync("my password"); bcrypt.compareSync("my password", hash); // true bcrypt.compareSync("not my password", hash); // false

There is also compareAsync and other async variants. See also: //www.npmjs.com/package/bcrypt-nodejs