I'm using bcrypt to hash and compare user passwords. However, after I register a new user and then attempt to log in, the bcrypt compare function returns false even though the password is correct.
1) Creating a new user
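/**
 * Registration handler: hashes the submitted password with bcrypt and creates the user.
 *
 * Replies "User already exists" when dbCheckUserExists reports a match and
 * "Error creating new user" when the input cannot be decoded or hashing fails.
 * Otherwise the e-mail and hash are handed to dbCreateUser, which sends the final reply.
 *
 * @param {object} request - reads request.params.q_email and request.params.q_password
 * @param {function} reply - response callback, called with a plain string
 */
function NewUser(request, reply) {
  // bcrypt cost factor. The original passed 3, and the sample hash in the accompanying
  // question starts with "$2a$04$", i.e. it was stored at cost 4. That makes offline guessing
  // against a leaked Users table cheap. 12 is a common baseline; pick the slowest value the
  // registration and login paths can tolerate.
  const BCRYPT_COST = 12;

  // NOTE(review): the password is read from request.params, i.e. from the URL, where it tends
  // to end up in access logs, proxy logs and browser history. dbLogin reads it from
  // request.payload instead; confirm the route and move the password into the body.
  let email;
  let password;
  try {
    // NOTE(review): if the framework already URL-decodes params, this is a second decode
    // pass and a password containing "%" is altered or rejected. Confirm against the client.
    email = decodeURIComponent(request.params.q_email);
    password = decodeURIComponent(request.params.q_password);
  } catch (decodeError) {
    // decodeURIComponent throws URIError on malformed escapes; answer instead of throwing.
    return reply("Error creating new user");
  }

  dbCheckUserExists(
    email,
    () => reply("User already exists"),
    () => {
      bcrypt.hash(password, BCRYPT_COST, (err, hash) => {
        if (err) {
          return reply("Error creating new user");
        }
        dbCreateUser(request, reply, email, hash);
      });
    }
  );
}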
/**
 * Inserts a row into Users for a newly registered account and replies with the outcome.
 *
 * The values are bound through mysql.format placeholders, not concatenated into the statement.
 *
 * @param {object} request - not read here; passed through by the caller
 * @param {function} reply - called with "Successfully created new user" or "Error creating new user"
 * @param {string} email - value for the Email column
 * @param {string} pwdHash - bcrypt hash for the Password column
 */
function dbCreateUser(request, reply, email, pwdHash) {
  const insertTemplate = "INSERT INTO Users(Version, Email, Password, Balance) VALUES (?,?,?,?)";
  // Version is fixed at 1 and the starting Balance at 0.
  // NOTE(review): the Password column must be wide enough for the whole bcrypt hash
  // (60 characters). Depending on the server's SQL mode, an undersized column may store a
  // truncated hash without err being set here; verify the schema.
  const statement = mysql.format(insertTemplate, [1, email, pwdHash, 0]);

  const onInserted = (err, rows, fields) =>
    reply(err ? "Error creating new user" : "Successfully created new user");

  executeSql(statement, onInserted);
}
2) Logging in
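/**
 * Login check: looks up the stored bcrypt hash for the submitted e-mail and compares it
 * with the submitted password.
 *
 * Replies "correct password", "incorrect password", "email not found" or "Error logging in".
 *
 * @param {object} request - reads request.payload.q_email and request.payload.q_password
 * @param {function} reply - response callback, called with a plain string
 * @param {function} yes - currently unused (the session hand-off is not wired up yet)
 * @param {function} no - currently unused
 */
function dbLogin(request, reply, yes, no) {
  let email;
  let password;
  try {
    // NOTE(review): if the framework already decodes the payload, this is a second decode
    // pass; it must at least match what NewUser does or the hashes will never agree.
    email = decodeURIComponent(request.payload.q_email);
    password = decodeURIComponent(request.payload.q_password);
  } catch (decodeError) {
    // decodeURIComponent throws URIError on malformed escapes; answer instead of throwing.
    return reply("Error logging in");
  }

  // The e-mail is bound through the placeholder, not concatenated into the statement.
  const sql = mysql.format("SELECT Password FROM Users WHERE Email = ? LIMIT 1", email);

  executeSql(sql, (err, rows, fields) => {
    if (err) {
      // The original threw here. A throw inside an asynchronous callback cannot be caught by
      // the request handler, so a database error could take the whole process down.
      return reply("Error logging in");
    }
    if (rows.length === 0) {
      // NOTE(review): a distinct "email not found" answer tells an unauthenticated caller
      // which addresses are registered; production code should use one generic failure reply.
      return reply("email not found");
    }
    bcrypt.compare(password, rows[0].Password, (compareErr, matches) => {
      if (compareErr) {
        return reply("Error logging in");
      }
      if (matches === true) {
        // TODO: hand off to session creation (dbCreateSession) once it exists.
        return reply("correct password");
      }
      // Fail closed on anything other than an explicit match. The original echoed the
      // submitted password and the stored hash in this reply; neither belongs in a response
      // or a log. To debug a mismatch, check the stored hash length in the database instead.
      return reply("incorrect password");
    });
  });
}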
I created a user with email "hello" and password "world". Running the following query
-- Read back the stored e-mail and bcrypt hash for the test account.
-- A complete bcrypt hash is 60 characters long; a shorter Password value means the column truncated it.
SELECT
  Email,
  Password
FROM `Users`
WHERE Email = 'hello'
returns the following
hello $2a$04$JwaMtM577eqLRNd0m5tbTewP1IxBMSAwyW9kczPjOPjDgu9I
However, when I attempt to log in I get the following (custom response):
incorrect password: world $2a$04$JwaMtM577eqLRNd0m5tbTewP1IxBMSAwyW9kczPjOPjDgu9I
Can anyone see where I am going wrong?
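Increase the size of the password field in the database. A bcrypt hash is 60 characters long, and a narrower column stores a truncated hash that can never match. For example: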
varchar(125)
Maybe you ended up with an invalid hash. Try generating the hash with bcrypt as well:
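// Hash the plaintext password; saltRounds is the bcrypt cost factor.
bcrypt.hash(myPlaintextPassword, saltRounds, (err, hash) => {
  if (err) {
    // No hash was produced, so nothing must be written to the password column.
    console.error("bcrypt.hash failed:", err);
    return;
  }
  // Store hash in your password DB. The column has to hold the whole value
  // (60 characters for bcrypt); a truncated hash never matches in bcrypt.compare.
});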
You can then check in a simple manner whether the hash you have in the db matches a hardcoded version of the input you will be using (the password variable p, as the string 'world'):
// Sanity check: compare the known plaintext with the hash read back from the database.
bcrypt.compare('world', hash, (err, isMatch) => {
  if (err) {
    throw err;
  }
  // Prints true when the hash matches 'world', false otherwise.
  console.log(isMatch);
});
If it works (it probably will), then try to do the same with the input from the request.
You should get more insight in what is going wrong.
I've been staring at the screen for too long!
The problem was that the Password field in the database was truncating the hash (55 chars instead of 60), so bcrypt.compare was being given an incomplete hash.