2

I have a database that is used in a .NET Core web site, and now I need to check logins with Node.js. How do I check the password hash in Node.js? I found a function for doing that, but it doesn't work for .NET Core AspNetUsers; it only works for the last ASP.NET.

2 Answers 2

2

As in this post: JavaScript: How to generate Rfc2898DeriveBytes like C#?

But for .NET Core it needs to change, because .NET Core ^1 uses v3 for hashing, so the code should change to:

    const crypto = require('crypto');

    // The value stored in [dbo].[AspNetUsers].[PasswordHash]
    const hashedPwd = "AQAAAAEAACcQAAAAENX1Hdhgta05DYzYzVOI5kfv1mM0oc2OCIF8tKvNZeSTMWoczGZk+6yy9DMWtLeVQQ==";
    // Buffer.from replaces the deprecated new Buffer(...) constructor
    const hashedPasswordBytes = Buffer.from(hashedPwd, 'base64');
    const hexChar = ["0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "A", "B", "C", "D", "E", "F"];

    let salt_string = "";
    let storedSubKeyString = "";

    // Build strings of hex octets for the salt and the stored key.
    // v3 layout: byte 0 is the format marker, bytes 1-12 are the header
    // (PRF, iteration count, salt length), bytes 13-28 are the 16-byte salt,
    // and everything after byte 28 is the stored subkey.
    for (let i = 1; i < hashedPasswordBytes.length; i++) {
        if (i > 12 && i <= 28) {
            salt_string += hexChar[(hashedPasswordBytes[i] >> 4) & 0x0f] + hexChar[hashedPasswordBytes[i] & 0x0f];
        }
        if (i > 28) {
            storedSubKeyString += hexChar[(hashedPasswordBytes[i] >> 4) & 0x0f] + hexChar[hashedPasswordBytes[i] & 0x0f];
        }
    }

    // password provided by the user
    const password = 'password';

    // PBKDF2 with HMAC-SHA256 and 10000 iterations; 256 bytes are derived and
    // the stored subkey is matched below as a prefix of the result
    var nodeCrypto = crypto.pbkdf2Sync(
            Buffer.from(password),
            Buffer.from(salt_string, 'hex'), 10000, 256, 'SHA256');

    var derivedKeyOctets = nodeCrypto.toString('hex').toUpperCase();

    if (derivedKeyOctets.indexOf(storedSubKeyString) === 0) {
        return "passwords match!";
    } else {
        return "passwords DO NOT match!";
    }
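
A variant of the check above, added here as an example and not part of the original answer: it reads the PRF, iteration count and salt length from the v3 header instead of hard-coding them, derives exactly as many bytes as the stored subkey, and compares in constant time. The function names `parseV3Hash` and `verifyV3Password` are hypothetical; the PRF numbering (0 = HMAC-SHA1, 1 = HMAC-SHA256, 2 = HMAC-SHA512) and the big-endian header layout are assumed from ASP.NET Core Identity's v3 format.

```javascript
const crypto = require('crypto');

// Assumed v3 layout: 0x01 | prf (u32 BE) | iterations (u32 BE) |
// saltLen (u32 BE) | salt | subkey
const PRF_DIGESTS = { 0: 'sha1', 1: 'sha256', 2: 'sha512' };

// Returns { digest, iterations, salt, subkey } or null if the blob is not a
// well-formed v3 hash.
function parseV3Hash(storedHash) {
  const buf = Buffer.from(storedHash, 'base64');
  if (buf.length < 13 || buf[0] !== 0x01) return null; // wrong format marker
  const digest = PRF_DIGESTS[buf.readUInt32BE(1)];
  const iterations = buf.readUInt32BE(5);
  const saltLen = buf.readUInt32BE(9);
  // Reject unknown PRFs and salts shorter than 128 bits.
  if (!digest || iterations < 1 || saltLen < 16) return null;
  const salt = buf.subarray(13, 13 + saltLen);
  const subkey = buf.subarray(13 + saltLen);
  // Reject truncated blobs and subkeys shorter than 128 bits.
  if (salt.length !== saltLen || subkey.length < 16) return null;
  return { digest, iterations, salt, subkey };
}

// True only if `password` re-derives the stored subkey.
function verifyV3Password(password, storedHash) {
  const parsed = parseV3Hash(storedHash);
  if (!parsed) return false;
  const { digest, iterations, salt, subkey } = parsed;
  const derived = crypto.pbkdf2Sync(
    Buffer.from(password, 'utf8'), salt, iterations, subkey.length, digest);
  // Lengths are equal by construction, so timingSafeEqual cannot throw here.
  return crypto.timingSafeEqual(derived, subkey);
}

// Header of the hash quoted in the answer above.
const answerHash =
  'AQAAAAEAACcQAAAAENX1Hdhgta05DYzYzVOI5kfv1mM0oc2OCIF8tKvNZeSTMWoczGZk+6yy9DMWtLeVQQ==';
const { digest, iterations } = parseV3Hash(answerHash);
console.log(digest, iterations);
```

Because the parameters come from the stored value, the same function keeps working if the site later raises the iteration count or switches the PRF.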

1

The node-password-hash (although it is deprecated) is one simple/great module which will get the password hashing done in easy steps for you.

It also provides functions for generating hashed passwords and verifying a plain-text password against a hashed password. In addition to that, as an additional security measure, a random salt is generated when the password is hashed. The hashed password is a combination of both the cryptographic algorithm that was used as well as the salt, so all you have to do is to just verify a plain-text password is the hashed password itself.

Hope this helps!

1 Comment

Thank you, but I need a lib that checks .NET Core hashed passwords.
