I just created a handler that stores a username and password in mysql. The handler function performs the standard bcrypt password hash:

我刚刚创建了一个在mysql中存储用户名和密码的处理程序。处理函数执行标准的bcrypt密码哈希:

bcrypt.hash(myPlaintextPassword, saltRounds, function(err, hash) {
  // Store hash in your password DB. 
});

Bcrypt also offers the standard code to compare the plaintext with the hash like so:

Bcrypt还提供标准代码来比较明文和散列,如下所示:

bcrypt.compare(myPlaintextPassword, hash, function(err, res) {
    // res == true 
});

On an abstract level if I were to do the above compare function I would need to do the following:

在抽象层面,如果我要做上面的比较功能,我需要做以下事情:

• Get user input username and plain text password

获取用户输入的用户名和纯文本密码

• Send query to database SELECT * FROM users WHERE username = 'SomeName'

将查询发送到数据库SELECT * FROM users WHERE username ='SomeName'

• Get back some username and hashed password

获取一些用户名和哈希密码

• Compare hashed password and authenticate user

比较哈希密码和验证用户

The problem with that is that any user specific data cannot be retrieved before authentication so I will need to chain an additional query in order to retrieve any extra user sensitive data and this process would seem janky. And it seems unsafe because the client then has the hashed password at this point when there should be no need to bring back the password.

问题是在身份验证之前无法检索任何特定于用户的数据,因此我需要链接一个额外的查询以检索任何额外的用户敏感数据,这个过程看起来很简陋。并且它似乎不安全,因为客户端此时具有散列密码,此时不需要带回密码。

I would like to:

我想要:

• Get user input username and plain text password

获取用户输入的用户名和纯文本密码

• Send query to database

  将查询发送到数据库

  SELECT * FROM users 
  WHERE username = 'SomeName' 
  AND password = COMPARISON_FUNCTION_THAT_WORKS_WITH_BCRYPT('plaintext')
  

• Get back some username and any user specific data

获取一些用户名和任何用户特定数据

• and I am done

我完成了

Am I completely missing the boat here, because if I am then what exactly are the 360k downloaders of this software doing for password encryption / user login process?

我在这里完全错过了这条船,因为如果我那么这个软件的360k下载器究竟在做什么用于密码加密/用户登录过程?

1 个解决方案

#1

---