JavaScript: Storing passwords with Node.js and MongoDB

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/6951563/

Date: 2020-08-23 23:54:47  Source: igfitidea

Storing passwords with Node.js and MongoDB

Tags: javascript, mongodb, node.js, cryptography, aes

Asked by fancy

I'm looking for some examples of how to securely store passwords and other sensitive data using node.js and mongodb.

I want everything to use a unique salt that I will store along side the hash in the mongo document.

For authentication do I have to just salt and encrypt the input and match it to a stored hash?

Should I ever need to decrypt this data and if so how should I do it?

How are the private keys, or even salting methods securely stored on the server?

I've heard the AES and Blowfish are both good options, what should I use?

Any examples of how to design this would be wonderfully helpful!

Thanks!

Accepted answer by Peter Lyons

Use this: https://github.com/ncb000gt/node.bcrypt.js/

bcrypt is one of just a few algorithms focused on this use case. You should never be able to decrypt your passwords, only verify that a user-entered cleartext password matches the stored/encrypted hash.

bcrypt is very straightforward to use. Here is a snippet from my Mongoose User schema (in CoffeeScript). Be sure to use the async functions as bcrypt is slow (on purpose).

# Dependencies as the snippet uses them. node.bcrypt.js is published on npm
# as "bcrypt"; `_` is assumed to be underscore (only _.extend is used here).
# `SharedUser`, `errors` and `min4` are the author's own modules, trimmed.
bcrypt = require 'bcrypt'
_ = require 'underscore'

class User extends SharedUser
  defaults: _.extend {domainId: null}, SharedUser::defaults

  #Irrelevant bits trimmed...

  # Validate the two copies of the new password, then hash it with a freshly
  # generated bcrypt salt (cost factor 10) and store only the resulting hash.
  password: (cleartext, confirm, callback) ->
    errorInfo = new errors.InvalidData()
    if cleartext != confirm
      errorInfo.message = 'please type the same password twice'
      errorInfo.errors.confirmPassword = 'must match the password'
      return callback errorInfo
    message = min4 cleartext
    if message
      errorInfo.message = message
      errorInfo.errors.password = message
      return callback errorInfo
    self = this
    # gen_salt/encrypt are the names in the older node.bcrypt.js releases this
    # answer was written against; current releases call them genSalt and hash.
    bcrypt.gen_salt 10, (error, salt)->
      if error
        errorInfo = new errors.InternalError error.message
        return callback errorInfo
      bcrypt.encrypt cleartext, salt, (error, hash)->
        if error
          errorInfo = new errors.InternalError error.message
          return callback errorInfo
        self.attributes.bcryptedPassword = hash
        return callback()

  # Re-hash the candidate with the salt embedded in the stored bcrypt string
  # and report whether it matches; the stored value is never decrypted.
  verifyPassword: (cleartext, callback) ->
    bcrypt.compare cleartext, @attributes.bcryptedPassword, (error, result)->
      if error
        return callback(new errors.InternalError(error.message))
      callback null, result

Also, read this article, which should convince you that bcrypt is a good choice and help you avoid becoming "well and truly effed".


Answer by chovy

This is the best example I've come across to date, uses node.bcrypt.js http://devsmash.com/blog/password-authentication-with-mongoose-and-bcrypt
