I have a legacy Python script to one-way encrypt passwords for DB storage:

import base64, hashlib

def encrypt(passw):

    secret = "SECRET_KEY_HERE"
    passw = secret + passw
    passw = passw.encode('utf-8')
    m = hashlib.sha256()
    m.update(passw)
    encoded = base64.b64encode(m.digest()).decode('utf-8')
    return (encoded)

I managed to put together a C# version for an existing 3rd party package we are using:

private static string Encrypt(string clearText)
{
    SHA256 sHA256 = SHA256.Create();

    byte[] sourceArray = sHA256.ComputeHash(Encoding.UTF8.GetBytes(EncryptionKey + clearText));

    return Convert.ToBase64String(sourceArray);
}

These both return the same results. I am trying to put together a web front end using Next and have added an encrypt function to the register / login page:

const crypto = require('crypto');

export const encrypt = (password: string) :string => {
    const key = process.env.PASS_KEY;
    return crypto.createHash('sha256').update(key + password).digest('base64')  
}

This returns a different result to the other two functions.

I have checked all the usual sources and all that I have found is that what I have put together should work fine.

Can anyone please shed any light on why this is not working?

UPDATE:

Just to add to my confusion, I added the js function to a react form in codesandbox and it returns the correct result.

The function is currently only called via the nextauth authorize function to verify the login of a user, like this:

const confirmPasswordHash = (plainPassword: string , hashedPassword: string) => {
    
        const res = plainPassword && hashedPassword.localeCompare(encrypt(plainPassword))
        return res === 0 ? true:false
    
}
Comments

  • I could be wrong, but assigning "SECRET_KEY_HERE" instead of the environment variable to key in the JS function got me the same results as in the Python one, so I'd check what's in process.env.PASS_KEY. Commented Dec 29, 2022 at 13:03
  • It looks like that is what is going on. If I enter the key directly in the function it is correct. If I add it via the env.local file it fails. The confusing point in this is that if I console out the key before hashing, it does show the same value as if it was hard coded, so what could be causing the value to change from the env import? Commented Dec 29, 2022 at 13:20
  • @JonathanCiapetti do you want to post that as an answer? I've been checking and it seems that bringing it in from env is truncating part of the key because of a dollar sign. I'd like you to get the points for pointing me in the right direction. Commented Dec 29, 2022 at 13:33
  • I was about to say "yes", but then I thought that yes, it's me who pointed you in the right direction, but it's you who discovered what the actual bug was (the $ issue) and tested its solution, so I think you answering your own question, explaining what the bug was (citing the comments, sure), and accepting the answer, would be even better. Commented Dec 29, 2022 at 13:44

1 Answer

Jonathan Ciapetti pointed me in the right direction to solve this. The problem did indeed lie within the process.env call.

The key being used includes a dollar sign which was, in turn, truncating part of the string being passed in. I solved this by escaping the dollar sign in the key and now it all works as expected.
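
The failure this answer describes, as an added example that is not part of the original post: Next.js expands `$NAME` references when it loads `.env*` files, so an unescaped `$` in `PASS_KEY` changes the key and therefore every hash computed with it. The helpers `expandValue`, `parseEnv` and `unescapedDollarEntries` are hypothetical, the expansion is a simplified model of the loader's behaviour, and the key and password are constructed.

```javascript
// Added example: a simplified model of "$NAME" expansion in an env file.
const { createHash } = require('node:crypto');

// Same scheme as the question's encrypt(): base64(SHA-256(key + password)).
const hashPassword = (key, password) =>
  createHash('sha256').update(key + password, 'utf8').digest('base64');

// Hypothetical stand-in for an env loader's expansion pass (not library code):
// "\$" becomes a literal "$"; "$NAME" or "${NAME}" becomes vars[NAME], or ''
// when NAME is not defined.
function expandValue(raw, vars = {}) {
  return raw.replace(/\\\$|\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?/g, (match, name) =>
    match === '\\$' ? '$' : (vars[name] ?? ''));
}

// Parse KEY=value lines, expanding each value against earlier entries.
function parseEnv(text) {
  const out = {};
  for (const line of text.split('\n')) {
    const m = line.match(/^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (m) out[m[1]] = expandValue(m[2].trim(), out);
  }
  return out;
}

// Pre-deploy check: names of entries whose raw value has an unescaped "$".
function unescapedDollarEntries(text) {
  return text.split('\n')
    .map((line) => line.match(/^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/))
    .filter((m) => m && /(^|[^\\])\$/.test(m[2]))
    .map((m) => m[1]);
}

// Constructed sample values, not taken from the page.
const INTENDED_KEY = 'S3cr3t$Key!';
const UNESCAPED_ENV = 'PASS_KEY=S3cr3t$Key!';
const ESCAPED_ENV = 'PASS_KEY=S3cr3t\\$Key!';

const stored = hashPassword(INTENDED_KEY, 'hunter2'); // what Python/C# wrote
const broken = hashPassword(parseEnv(UNESCAPED_ENV).PASS_KEY, 'hunter2');
const fixed = hashPassword(parseEnv(ESCAPED_ENV).PASS_KEY, 'hunter2');

console.log('loaded key (unescaped):', parseEnv(UNESCAPED_ENV).PASS_KEY);
console.log('unescaped matches stored hash:', broken === stored);
console.log('escaped matches stored hash:  ', fixed === stored);
console.log('entries to fix:', unescapedDollarEntries(UNESCAPED_ENV));
```

Running `unescapedDollarEntries` over the env file before deployment catches the problem without printing the secret itself.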
