How to make Laravel Password hash using Javascript

Time: 2015-11-12 11:24:35

Tags: javascript php laravel bcrypt

I have a Laravel website which transfers all its data to a hybrid mobile app using HTML, CSS and JS. The mobile app works in offline mode. I have to perform authentication in the mobile app based on the data transferred from the website. But Laravel uses bcrypt hashes. How can I make a similar hasher to match the password in JavaScript? Is it possible to make a similar hasher in JavaScript, or has somebody done this already?

3 answers:

Answer 0 (score: 4)

Trying to answer your vague question (assuming you are looking for a bcrypt library for javascript):

1) there is one bcrypt library for JavaScript here: https://github.com/nevins-b/javascript-bcrypt found here: bCrypt implementation in Javascript

I would assume (but am not sure) that Laravel uses the PHP built-ins password_hash() and password_verify(), thus outputting a special format which contains the used salt, like this example from the PHP docs:

$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

You can look at the PHP documentation for both: https://secure.php.net/manual/en/function.password-verify.php https://secure.php.net/manual/en/function.password-hash.php

You would need to adapt the hash string so that you can use it inside the JavaScript bcrypt function to verify a user-provided password in your mobile app.

Update

The salt is stored inside the hash, so you can extract it for your JavaScript verification: just take the first 22 characters after the prefix "$2y$10$" (the salt is "saltsaltsaltsaltsaltse" in this example):

// PASSWORD_DEFAULT is bcrypt, so the output starts with "$2y$" + two-digit cost.
// Passing your own 22-character salt only serves to make the output reproducible here;
// the 'salt' option is deprecated since PHP 7.0 and password_hash() generates a random salt by default.
echo password_hash('JohnDoe', PASSWORD_DEFAULT, ['salt' => 'saltsaltsaltsaltsaltse']);
# will output $2y$10$saltsaltsaltsaltsaltseQMyqgPkFxQ1hfP2yBcGxgbJZGe1uGXq

UPDATE

Thanks to hassan's research, the JavaScript library is found to be compatible with hashes from PHP's password_hash() without splitting the hash and/or providing the salt separately. To avoid the "Invalid salt revision" error for PHP-generated hashes within the JS lib, one has to replace $2y with $2a in the hash prefix. Hashes from the JS lib can be used by PHP without replacing.
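As an added example that is not part of this answer (my own code, not taken from the javascript-bcrypt library or from Laravel): a small JavaScript parser for the `$2y$<cost>$<22-char salt><31-char digest>` layout described above. It validates the string, rewrites the `$2y$` revision marker to `$2a$` as the last update says the JS library requires, and extracts the 29-character "salt setting" from the first update. The function names are my own; the two hash values are the ones quoted in this answer.

```javascript
// Added example (not from the original answer or the javascript-bcrypt
// library): parse a PHP password_hash() bcrypt string into its fields and
// rewrite the "$2y$" revision marker to "$2a$" so a JavaScript bcrypt library
// that only accepts "$2a$" will verify it. Function names are my own; the two
// hashes below are the ones quoted in the answer above.

// Modular-crypt layout: $<2a|2b|2y>$<2-digit cost>$<22 salt chars><31 digest chars>
// Salt and digest both use bcrypt's own base64 alphabet ./A-Za-z0-9 (60 chars total).
const BCRYPT_RE = /^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Split a bcrypt string into { version, cost, salt, digest }. Anything that is
// not exactly 60 well-formed characters throws, so a truncated or non-bcrypt
// value pulled from a synced database fails loudly rather than "verifying".
function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(String(hash));
  if (!m) {
    throw new Error('not a bcrypt hash: expected $2a$/$2b$/$2y$, 2-digit cost, 22-char salt, 31-char digest');
  }
  const cost = parseInt(m[2], 10);
  if (cost < 4 || cost > 31) {
    throw new Error('bcrypt cost ' + cost + ' outside the valid range 4..31');
  }
  return { version: m[1], cost: cost, salt: m[3], digest: m[4] };
}

// PHP's password_hash() emits "$2y$". The answer notes that the JS library
// rejects that revision with "Invalid salt revision" but accepts "$2a$"; the
// algorithm is the same for both, so only the marker is changed. Hashes that
// are already "$2a$" (e.g. produced by the JS library) are returned unchanged,
// matching the note that PHP accepts those as-is.
function toJsBcryptHash(hash) {
  const p = parseBcryptHash(hash);
  return p.version === '2y' ? '$2a$' + String(hash).slice(4) : String(hash);
}

// The 29-character "salt setting" (revision + cost + 22 salt chars, no digest)
// that hashpw()-style bcrypt APIs take as their salt argument. This is the
// "extract the salt" step from the first update, with the "$2a$" rewrite applied.
function saltSettingFor(hash) {
  const p = parseBcryptHash(toJsBcryptHash(hash));
  const cost2 = p.cost < 10 ? '0' + p.cost : String(p.cost);
  return '$' + p.version + '$' + cost2 + '$' + p.salt;
}

// Stand-alone demo with the two hashes quoted in the answer.
const PHP_HASH = '$2y$10$saltsaltsaltsaltsaltseQMyqgPkFxQ1hfP2yBcGxgbJZGe1uGXq';
const DOC_HASH = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';
console.log(parseBcryptHash(PHP_HASH));
console.log(toJsBcryptHash(PHP_HASH));  // $2a$10$saltsaltsaltsaltsaltseQMyqgPkFxQ1hfP2yBcGxgbJZGe1uGXq
console.log(saltSettingFor(DOC_HASH));  // $2a$07$BCryptRequires22Chrcte
```

The output of toJsBcryptHash() is what you would hand to the JS library's verify call; the parser deliberately rejects anything that does not match the 60-character layout or has a cost outside 4..31, so a corrupted row in the offline copy of the user table cannot slip through as a "valid" hash.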

Answer 1 (score: 1)

I think all authentication should be done on the backend server (in this case, Laravel). You should not transfer your users' information to the client mobile app for offline authentication. There are several problems that may arise: confidential data can be exposed, the most recently registered users' information may not be present on the offline mobile app, etc.

For now I would suggest that you authenticate/register the user while online and then do the other operations in offline mode. Check the authentication periodically, after 6 or 7 days.

But if you still need it: every bcrypt implementation should produce the same hash, so here is a discussion that should help.

NOTE: Authentication should not be done on client side.

Answer 2 (score: 1)

I think what you need to do is make an API call to bcrypt.

First, make an ajax call from your app with the request data.

For example (using jQuery):

var stringToHash = 'mypassword';
$.ajax({
   type: "POST",                 // POST, not GET: a GET would put the password in the URL, query logs and browser history
   url: "/api/hash-password",    // route to the controller action below (path is an assumption, not from the original)
   data: { password: stringToHash },
   success: function(response){
      console.log('here you get response');
      /* now the hash code */
      console.log(response.data);
   }
});

In the Laravel API controller (Laravel 5):

use Illuminate\Http\Request;

// Reads the POSTed password via the injected Request (Laravel 5 style) instead of the Input facade.
// bcrypt() is Laravel's helper around password_hash() with PASSWORD_BCRYPT, so the result starts with "$2y$".
public function hashPassword(Request $request)
 {
      $hashPassword = bcrypt($request->input('password'));

      return response()->json([
                        'status' => 'success',
                        'data' => $hashPassword
                        ]);
 }