Storing passwords with Node.js and MongoDB

Question

I'm looking for some examples of how to securely store passwords and other sensitive data using node.js and mongodb.

I want everything to use a unique salt that I will store alongside the hash in the mongo document.

For authentication do I have to just salt and encrypt the input and match it to a stored hash?

Should I ever need to decrypt this data and if so how should I do it?

How are the private keys, or even salting methods securely stored on the server?

I've heard that AES and Blowfish are both good options, what should I use?

Any examples of how to design this would be very helpful!

Thanks!

Recommended answer

Use this: https://github.com/ncb000gt/node.bcrypt.js/

bcrypt is one of just a few algorithms focused on this use case. You should never be able to decrypt your passwords, only verify that a user-entered cleartext password matches the stored/encrypted hash.

bcrypt is very straightforward to use. Here is a snippet from my Mongoose User schema (in CoffeeScript). Be sure to use the async functions as bcrypt is slow (on purpose).

# Assumes the module setup around this snippet: bcrypt = require 'bcrypt', the
# app's own SharedUser base class, errors module, `_` (underscore) and the
# min4 length validator, none of which are shown in the answer.
# The original snippet called bcrypt.gen_salt and bcrypt.encrypt; current
# node.bcrypt.js names these genSalt and hash (compare is unchanged).
class User extends SharedUser
  defaults: _.extend {domainId: null}, SharedUser::defaults

  #Irrelevant bits trimmed...

  # Validates the new password, then stores only the bcrypt hash. The salt is
  # generated per user and embedded in the hash string itself.
  password: (cleartext, confirm, callback) ->
    errorInfo = new errors.InvalidData()
    if cleartext != confirm
      errorInfo.message = 'please type the same password twice'
      errorInfo.errors.confirmPassword = 'must match the password'
      return callback errorInfo
    message = min4 cleartext
    if message
      errorInfo.message = message
      errorInfo.errors.password = message
      return callback errorInfo
    self = this
    # Cost factor 10 (2^10 rounds); the async form keeps the event loop free
    bcrypt.genSalt 10, (error, salt)->
      if error
        errorInfo = new errors.InternalError error.message
        return callback errorInfo
      bcrypt.hash cleartext, salt, (error, hash)->
        if error
          errorInfo = new errors.InternalError error.message
          return callback errorInfo
        self.attributes.bcryptedPassword = hash
        return callback()

  # Verification re-hashes the cleartext with the salt carried in the stored
  # hash and compares; the password is never decrypted.
  verifyPassword: (cleartext, callback) ->
    bcrypt.compare cleartext, @attributes.bcryptedPassword, (error, result)->
      if error
        return callback(new errors.InternalError(error.message))
      callback null, result


Also, read this article, which should convince you that bcrypt is a good choice and help you avoid becoming "well and truly effed".
