Reputation: 5943
In this example the password is abcd1234, and this is what Devise stored in the database:

    email: [email protected]
    encrypted_password: 9fead460b4eafc9fb4f188e4d6f24536f5849ed7
    password_salt: k_c7dqyNKiQbSC_r8grH

I'm trying to build a Node.js application that checks the plain password against the encrypted data, so a JavaScript example would be appreciated.
Upvotes: 1
Views: 425
Reputation: 5943
The application was using the sha1 encryptor and I made this JavaScript version of it:

    const crypto = require('crypto')

    // Chain SHA-1 STRETCHES times, feeding each digest back into the next
    // round together with the salt, the password and the pepper.
    function createHash (password, salt) {
      const pepper = ''
      let digest = ''
      const STRETCHES = 10
      for (let i = 0; i < STRETCHES; i++) {
        digest = crypto
          .createHash('sha1')
          .update(`--${salt}--${digest}--${password}--${pepper}--`)
          .digest('hex')
      }
      return digest
    }

Upvotes: 1
Reputation: 1429
It uses the OpenBSD bcrypt() password hashing algorithm.
Here is encryptor.rb:

    # frozen_string_literal: true

    require 'bcrypt'

    module Devise
      module Encryptor
        def self.digest(klass, password)
          if klass.pepper.present?
            password = "#{password}#{klass.pepper}"
          end
          ::BCrypt::Password.create(password, cost: klass.stretches).to_s
        end

        def self.compare(klass, hashed_password, password)
          return false if hashed_password.blank?
          bcrypt = ::BCrypt::Password.new(hashed_password)
          if klass.pepper.present?
            password = "#{password}#{klass.pepper}"
          end
          password = ::BCrypt::Engine.hash_secret(password, bcrypt.salt)
          Devise.secure_compare(password, hashed_password)
        end
      end
    end

You could find more there
And here is more about bcrypt.js
Example from their readme:
To check a password:

    const bcrypt = require('bcryptjs');

    // Load hash from your password DB.
    bcrypt.compareSync("B4c0/\/", hash); // true
    bcrypt.compareSync("not_bacon", hash); // false

Upvotes: 0
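
The stored value in the question is 40 hex characters with a separate password_salt column, which is the shape the sha1 encryptor produces and not a bcrypt string. The following Node.js code is an added example, not code from either answer or from Devise: it classifies a stored hash by its shape, verifies the legacy SHA-1 form with a constant-time comparison, and flags the row for re-hashing. The names `legacySha1Digest`, `detectScheme`, `verifyLegacy` and `sampleRow`, the empty pepper and the stretch count of 10 (taken from the answer above) are assumptions.

```javascript
const crypto = require('crypto')

const STRETCHES = 10 // assumption: must match the stretches configured in the Rails app

// Same construction as the createHash() port in the answer above (empty pepper assumed).
function legacySha1Digest (password, salt, pepper = '') {
  let digest = ''
  for (let i = 0; i < STRETCHES; i++) {
    digest = crypto.createHash('sha1')
      .update(`--${salt}--${digest}--${password}--${pepper}--`)
      .digest('hex')
  }
  return digest
}

// Classify a stored value by shape: 40 hex chars is a SHA-1 digest,
// "$2a$/$2b$/$2y$" + cost + 53 chars is a bcrypt string.
function detectScheme (stored) {
  if (/^[0-9a-f]{40}$/i.test(stored)) return 'sha1'
  if (/^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/.test(stored)) return 'bcrypt'
  return 'unknown'
}

// Verify a legacy row. Returns { ok, scheme, needsRehash }.
// bcrypt rows are not checked here; hand them to bcrypt.compareSync() instead.
function verifyLegacy (record, password) {
  const scheme = detectScheme(record.encrypted_password)
  if (scheme !== 'sha1') return { ok: false, scheme, needsRehash: false }
  const expected = Buffer.from(record.encrypted_password.toLowerCase(), 'hex')
  const actual = Buffer.from(legacySha1Digest(password, record.password_salt), 'hex')
  // Both buffers are exactly 20 bytes, so timingSafeEqual cannot throw on length.
  const ok = crypto.timingSafeEqual(expected, actual)
  // A successful legacy login is the point where the plaintext is available
  // to re-hash with bcrypt and replace the SHA-1 value.
  return { ok, scheme, needsRehash: ok }
}

// Constructed sample row (not the row from the question).
const sampleRow = {
  encrypted_password: legacySha1Digest('correct horse', 'constructed-salt'),
  password_salt: 'constructed-salt'
}

console.log(verifyLegacy(sampleRow, 'correct horse'))
console.log(verifyLegacy(sampleRow, 'wrong guess'))
```
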