feathersjs-ecosystem / feathers-authentication-management

Adds sign up verification, forgotten password reset, and other capabilities to local feathers-authentication

Home Page:https://feathers-a-m.netlify.app/


f-a-m assumes bcrypt

jnardone opened this issue · comments

commented

Steps to reproduce

Feathers auth v4 allows substitutions and subclassing of things like localStrategy, which can include swapping out hashing algorithms.

// Modules the snippet relies on (not shown in the original comment):
const { LocalStrategy } = require('@feathersjs/authentication-local');
const { NotAuthenticated } = require('@feathersjs/errors');
const get = require('lodash/get');
const argon2 = require('argon2');

class Argon2LocalStrategy extends LocalStrategy {
  async comparePassword(entity, password) {
    const { entityPasswordField, errorMessage } = this.configuration;
    // find password in entity, this allows for dot notation
    const hash = get(entity, entityPasswordField, '');

    if (!hash) {
      throw new NotAuthenticated(errorMessage);
    }

    // argon2.verify reads variant and cost parameters from the PHC-format hash string itself
    const result = await argon2.verify(hash, password);
    if (result) {
      return entity;
    }

    throw new NotAuthenticated(errorMessage);
  }

  async hashPassword(password, params) {
    // Hashes with argon2 instead of bcrypt; the stored string starts with "$argon2..." rather than "$2b$"
    return argon2.hash(password, { timeCost: 8, memoryCost: 1 << 16, parallelism: 1 });
  }
}

However, compare-passwords.js hardcodes in bcrypt:

https://github.com/feathers-plus/feathers-authentication-management/blob/da3f72ea03b770a2fa4803d2c1aa13365675a2a5/src/helpers/compare-passwords.js#L8

Feathers auth management should really allow passing in the strategy so that it has access to the appropriate hash generation and comparison functions.

Expected behavior

It should use the appropriate hashing and comparison functions.

Actual behavior

Fails because it's not a bcrypt password.

System configuration

feathers-auth-management 2.0.1
feathers authentication 4.3.10
node.js 12.13.0

commented

Also... no commits to this or the rewrite since early 2019, I guess this is dead and I have to figure out an alternative?

commented

Closing this because we just decided to rip out FAM and roll our own. Too bad, this could be useful with a little love.