Verify password hash in nodejs which was generated in php
Replace $2y$ in the hashed password with $2a$, then bcrypt.compare should give you the correct result.
    var hash = '$2y$08$9TTThrthZhTOcoHELRjuN.3mJd2iKYIeNlV/CYJUWWRnDfRRw6fD2';
    var bcrypt = require('bcrypt');
    // Swap PHP's $2y$ prefix for $2a$; "$1" re-inserts the rest of the hash.
    hash = hash.replace(/^\$2y(.+)$/i, '$2a$1');
    bcrypt.compare("secret", hash, function(err, res) {
        console.log(res);
    });

On ES6:

    import bcrypt from 'bcrypt';

    let hash = '$2y$08$9TTThrthZhTOcoHELRjuN.3mJd2iKYIeNlV/CYJUWWRnDfRRw6fD2';
    // Swap PHP's $2y$ prefix for $2a$; "$1" re-inserts the rest of the hash.
    hash = hash.replace(/^\$2y(.+)$/i, '$2a$1');
    bcrypt.compare('secret', hash, function(err, res) {
        console.log(res);
    });
I know this has been answered, but it seems from the comments that a little more detail is required.
Bcrypt hashes produced by the PHP password_hash() function are split as follows:

    $2y$08$9TTThrthZhTOcoHELRjuN.3mJd2iKYIeNlV/CYJUWWRnDfRRw6fD2
    |   |  |                     |
    |   |  Salt                  Hashed Password
    |   |
    |   Algorithm options (cost, in this case)
    |
    Algorithm type
It seems from other answers here on SO that while the PHP and Node versions of Bcrypt use different algorithms, the only difference in the hash output is the prefix. So all that is required is, as mentioned by @Sudesh, to swap the $2y$ for a $2a$ and Bob's your uncle.
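The hash layout described in the answers above, turned into a check that runs before the prefix swap. This is an added example, not code from either answer; the function names parseBcryptHash and toNodeCompatible are hypothetical, and it assumes the standard 60-character bcrypt string (2-digit cost, 22-character salt, 31-character digest).

```javascript
// Added example: validate a stored bcrypt string before rewriting its prefix,
// so malformed or non-bcrypt values from the PHP side are rejected instead of
// being passed to bcrypt.compare().

// bcrypt uses its own base64 alphabet: "./", A-Z, a-z, 0-9.
const BCRYPT_RE =
  /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Split a hash into the fields shown in the diagram, or return null.
function parseBcryptHash(hash) {
  if (typeof hash !== 'string') return null;
  const m = BCRYPT_RE.exec(hash);
  if (m === null) return null;
  const cost = parseInt(m[2], 10);
  if (cost < 4 || cost > 31) return null; // valid bcrypt cost range
  return { version: m[1], cost: cost, salt: m[3], digest: m[4] };
}

// Rewrite only the version tag, only for $2y$, only on a well-formed hash.
// Plain concatenation avoids "$n" patterns in a replace() replacement string.
function toNodeCompatible(hash) {
  const parsed = parseBcryptHash(hash);
  if (parsed === null) {
    throw new Error('not a well-formed bcrypt hash');
  }
  if (parsed.version !== '2y') return hash; // $2a$ / $2b$ pass through
  return '$2a$' + hash.slice(4);
}

// Hash taken from the answers above.
const PHP_HASH = '$2y$08$9TTThrthZhTOcoHELRjuN.3mJd2iKYIeNlV/CYJUWWRnDfRRw6fD2';

console.log(parseBcryptHash(PHP_HASH));
console.log(toNodeCompatible(PHP_HASH));
```

The returned string is what you would hand to bcrypt.compare(); the parsed cost can also be used to flag old hashes for rehashing at next login.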