Question

I'm porting over a Django site to Node.js and I am trying to reimplement the Django set password method in Node. This is the Django code:

from django.utils.crypto import (
    pbkdf2, get_random_string)

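import base64
import hashlib

password = 'text1'
algorithm = "pbkdf2_sha256"
iterations = 10000
salt = 'p9Tkr6uqxKtf'
digest = hashlib.sha256
# Derive the key with PBKDF2-HMAC-SHA256, then base64-encode it
hash = pbkdf2(password, salt, iterations, digest=digest)
hash = base64.b64encode(hash).decode('ascii').strip()
# Django's stored format: <algorithm>$<iterations>$<salt>$<hash>
print("%s$%d$%s$%s" % (algorithm, iterations, salt, hash))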

and here's the Node.js code I have so far:

var crypto = require('crypto');
var password = 'text1';
var hashed = crypto.createHash('sha256').update(password, 'utf8').digest();
var salt = 'p9Tkr6uqxKtf';
var algorithm = "pbkdf2_sha256";
var iterations = 10000;
crypto.pbkdf2(hashed, salt, iterations, 32, function(err, encodedPassword) {
    var newPass = new Buffer(encodedPassword).toString('base64');
    console.log(encodedPassword);

    // console.log(Buffer(encodedPassword, 'binary').toString('hex'));
    var finalPass = algorithm +'$'+ iterations +'$'+  salt +'$'+  newPass;
    console.log(finalPass);
});

My solution in Node doesn't output the same results as the Python / Django code. At this point I'm pretty much over my head and any help would be very much appreciated. Thanks in advance.


Solution

Here is a better solution using pbkdf2-sha256:

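var pbkdf2 = require('pbkdf2-sha256');
var password = 'text1';
var salt = 'p9Tkr6uqxKtf';
var algorithm = "pbkdf2_sha256";
var iterations = 10000;
// Derive a 32-byte key from the plain password (no pre-hashing) and base64-encode it
var hashed = pbkdf2(password, Buffer.from(salt), iterations, 32).toString('base64');
// Django's stored format: <algorithm>$<iterations>$<salt>$<hash>
var finalPass = algorithm +'$'+ iterations +'$'+  salt +'$'+  hashed;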

The above code should be sufficient to validate passwords stored in Django using Node.

OTHER TIPS

So my solution to this was to create a Python script that takes the salt and the user's password and returns the hashed password. I call this script from Node and parse the results. I check if the hashed password starts with pbkdf2_sha256, then I validate it against what my Python script returned; if it validates, I use my new system's hashing function to reset the password.

Use pbkdf2-sha256 instead. Had the exact same problem you were dealing with (Django -> NodeJS) and that did the trick for me! :)

Following bababa's answer, my approach was to create a Python script as well using

"from django.contrib.auth import hashers"

The functions hashers.check_password() and hashers.make_password() provide the functionality needed to validate or create passwords against a Django installation.

More documentation on these functions can be found at https://docs.djangoproject.com/en/1.5/topics/auth/passwords/

Thank you @paldepind for your answer that helped me! However, the pbkdf2-sha256 module is deprecated. And while it is replaced with pbkdf2, that isn't necessary either; Node provides the built-in crypto module with a pbkdf2 function which works if you give it the correct parameters. Here's the code with the OP's password. I've also verified this code with my own passwords:

const crypto = require("crypto");

// Given the following password, using algorithm pbkdf2_sha256:
// pbkdf2_sha256$10000$p9Tkr6uqxKtf$9OTqv/1X3jvhdyWRm1vwQzMYO9cOzth7hYpoFe0qboA=

var password = "text1";
var salt = "p9Tkr6uqxKtf";
var iterations = 10000;

crypto.pbkdf2(password, salt, iterations, 32, "sha256", (err, derivedKey) => {
  if (err) throw err;
  console.log(derivedKey.toString("base64"));
});

You can also use pbkdf2Sync.
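
The answers above only produce the hash string. As an added example (not code from any of the posters), here is a verifier for the stored `pbkdf2_sha256$<iterations>$<salt>$<hash>` format that parses the record, recomputes the key with Node's built-in crypto module and compares in constant time. The function names and the iteration upper bound are assumptions made for this sketch.

```javascript
const crypto = require("crypto");

// Build a Django-format string: pbkdf2_sha256$<iterations>$<salt>$<base64 hash>
function makeDjangoHash(password, salt, iterations) {
  const key = crypto.pbkdf2Sync(password, salt, iterations, 32, "sha256");
  return ["pbkdf2_sha256", iterations, salt, key.toString("base64")].join("$");
}

// Returns true only if `password` reproduces the hash stored in `encoded`.
// Malformed or unsupported records are rejected instead of throwing.
function verifyDjangoPassword(password, encoded) {
  if (typeof password !== "string" || typeof encoded !== "string") return false;
  const parts = encoded.split("$");
  if (parts.length !== 4) return false;
  const [algorithm, iterText, salt, storedB64] = parts;
  if (algorithm !== "pbkdf2_sha256") return false; // other hashers not handled here
  if (!/^[1-9][0-9]*$/.test(iterText) || salt.length === 0) return false;
  const iterations = Number(iterText);
  // Assumed upper bound so a tampered record cannot force unbounded work
  if (!Number.isSafeInteger(iterations) || iterations > 10000000) return false;

  const stored = Buffer.from(storedB64, "base64");
  if (stored.length !== 32) return false; // SHA-256 output size
  const derived = crypto.pbkdf2Sync(password, salt, iterations, stored.length, "sha256");
  // Constant-time comparison; both buffers are 32 bytes at this point
  return crypto.timingSafeEqual(derived, stored);
}

// Constructed sample using the question's password, salt and iteration count
const sample = makeDjangoHash("text1", "p9Tkr6uqxKtf", 10000);
console.log(sample, verifyDjangoPassword("text1", sample));
```

The length check before `crypto.timingSafeEqual` matters because that call throws when the two buffers differ in size.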

Licensed under: CC-BY-SA with attribution