
How to fix password replay (playback) in Node.js

I'm hashing the user password with bcrypt and storing it in the DB. During login I encrypt the password on the front end, decrypt it with crypto-js before comparing, and compare it with bcrypt.compare(); when that returns true the user is allowed to log in. The above works fine, but I'm stuck on the scenario where a user logs in with the same encrypted password many times: the encrypted password can be replayed. How do I fix that?

Hashing the password and storing it in the DB:

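/**
 * Hashes the new password with bcrypt and stores only the hash in the DB.
 *
 * @param {{ new_pass: string, user_id: * }} data - new plaintext password and the user to update
 * @param {Function} callback - node-style (err, result) callback; receives the
 *   db.query result, or the bcrypt error when salting/hashing fails
 */
exports.changePassword = function (data, callback) {
   bcrypt.genSalt(saltRounds, (err, salt) => {
      if (err) {
         // A bare `return err` inside the callback was silently dropped and
         // left the caller waiting forever; hand the error to the callback.
         return callback(err);
      }
      bcrypt.hash(data.new_pass, salt, (hashErr, hash) => {
         if (hashErr) {
            return callback(hashErr);
         }
         // Only the bcrypt hash reaches the DB; the plaintext is never stored.
         return db.query(
            'update user set password=?,password_flag=1 where user_code=?',
            [hash, data.user_id],
            callback
         );
      });
   }); // the original closed this with `)}`, which is a syntax error
};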

Login code:

var log = require('../logger')
var error = require('../models/error');
const encryptDecryptService = require('../services/encryptDecryptService');

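/**
 * Verifies a user's password and, on success, records the login and issues a JWT.
 *
 * @param {{ user_id: *, password: string, client_ip: string, usertype: * }} data -
 *   request data; `password` is the JSON envelope produced by encrypt()
 * @param {Function} callback - called with (err, {status:false}) on a DB/bcrypt
 *   error, ({status:false}) for an unknown user, ({status:false, failed}) for a
 *   wrong password, or (null, [{success, token}]) on success
 */
exports.loing = function (data, callback) {
   // decrypt() already returns a UTF-8 string (see encryptDecryptService), so
   // the extra CryptoJS conversion is unnecessary — and CryptoJS is not
   // required in this module anyway.
   // NOTE(review): the original read `req.body.password`, but `req` is not in
   // scope here; `data.password` matches the request body shown for this API.
   const password = encryptDecryptService.decrypt(
      envConfig.ConfigParams.CYPHER_KEY.DECRYPT_KEY,
      data.password
   );
   // `const` instead of an implicit global; the stray comma before `from` in
   // the original made the statement invalid SQL.
   // NOTE(review): `officer_cude` looks like a typo for `officer_code` — confirm
   // against the schema before changing it.
   const query = 'Select r.officer_code, r.password, r.name, r.district_code, r.subdistrict_code from user r where r.officer_cude=?';
   db.query(query, [data.user_id], function (err, rows) {
      if (err) {
         // The original dereferenced rows[0] before checking err, which throws
         // on a failed query.
         error.saveError(JSON.stringify(err), '/login/login');
         log.error(err);
         return callback(err, { status: false });
      }
      if (!rows || rows.length === 0) {
         // NOTE(review): this response differs from the wrong-password one below,
         // which lets a caller distinguish valid user_ids from invalid ones.
         return callback({ status: false });
      }
      const user = rows[0];
      bcrypt.compare(password, user.password, function (cmpErr, matches) {
         if (cmpErr) {
            error.saveError(JSON.stringify(cmpErr), '/login/login');
            log.error(cmpErr);
            return callback(cmpErr, { status: false });
         }
         if (!matches) {
            return callback({ status: false, failed: 'Unauthorized Access' });
         }
         // Parameterised insert: client_ip and usertype come straight from the
         // request and must never be spliced into the SQL string.
         db.query(
            'Insert into login_history(ip_address, user_id, user_type) values (?, ?, ?)',
            [data.client_ip, user.officer_code, data.usertype],
            function (histErr) {
               if (histErr) {
                  // The audit row is best effort: log the failure but still
                  // complete the login, as the original did by ignoring it.
                  log.error(histErr);
               }
               // NOTE(review): the signing secret is hard-coded; it should come
               // from configuration (e.g. envConfig) so it can be rotated and
               // kept out of source control.
               const JWTToken = jwt.sign({
                  username: user.name,
                  _id: user.officer_code,
                  // NOTE(review): `usertype` is not selected by the query above,
                  // so this claim is undefined unless the column is added.
                  usertype: user.usertype,
                  district_code: user.district_code,
                  subdistrict_code: user.subdistrict_code,
                  project: 'HORTI'
               }, 'secret', {
                  expiresIn: '2h'
               });
               return callback(null, [{
                  success: 'Welcome',
                  token: JWTToken
               }]);
            }
         );
      });
   });
};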

My encrypt/decrypt code:

const CryptoJS = require("crypto-js");
/**
 * Reverses encrypt(): parses the JSON envelope and returns the plaintext.
 *
 * @param {string} passphrase - PBKDF2 passphrase shared with the encrypting side
 * @param {string} encrypted_json_string - JSON with `cipherText`, `salt` (hex) and `iv` (hex)
 * @returns {string} the decrypted UTF-8 text
 * @throws {SyntaxError} when the envelope is not valid JSON
 */
exports.decrypt = function (passphrase, encrypted_json_string) {
    // Salt and IV are read from the envelope itself, i.e. from whoever sent it;
    // only the passphrase is not carried in the message.
    const { cipherText, salt, iv } = JSON.parse(encrypted_json_string);
    const saltWords = CryptoJS.enc.Hex.parse(salt);
    const ivWords = CryptoJS.enc.Hex.parse(iv);
    // Must mirror encrypt(): PBKDF2-SHA512, 10000 rounds, keySize in 32-bit words.
    const derivedKey = CryptoJS.PBKDF2(passphrase, saltWords, {
        hasher: CryptoJS.algo.SHA512,
        keySize: 64 / 8,
        iterations: 10000,
    });
    const plain = CryptoJS.AES.decrypt(cipherText, derivedKey, { iv: ivWords });
    return plain.toString(CryptoJS.enc.Utf8);
};
/**
 * Encrypts a string with AES-CBC under a PBKDF2-derived key and returns a JSON
 * envelope that decrypt() can consume.
 *
 * @param {string} passphrase - PBKDF2 passphrase shared with the decrypting side
 * @param {string} json_string - plaintext to encrypt
 * @returns {string} JSON with `cipherText`, `salt` and `iv`
 */
exports.encrypt = function (passphrase, json_string) {
    // Fresh random salt and IV on every call, so repeating the same plaintext
    // and passphrase yields a different envelope each time.
    const saltWords = CryptoJS.lib.WordArray.random(256);
    const ivWords = CryptoJS.lib.WordArray.random(16);
    const derivedKey = CryptoJS.PBKDF2(passphrase, saltWords, {
        hasher: CryptoJS.algo.SHA512,
        keySize: 64 / 8,
        iterations: 10000,
    });
    const cipher = CryptoJS.AES.encrypt(json_string, derivedKey, {
        mode: CryptoJS.mode.CBC,
        keySize: 256,
        padding: CryptoJS.pad.Pkcs7,
        iv: ivWords,
    });
    // salt and iv are serialised as hex, which is what decrypt() parses them as.
    const envelope = {
        cipherText: cipher.toString(),
        salt: saltWords.toString(),
        iv: ivWords.toString(),
    };
    return JSON.stringify(envelope);
};

Here is the data I'm sending to the API:

{   
    "password": "{"cipherText":"XXXXXXXXXX","salt":"XXXX","iv":"XX"}",
    "user_id": "1234",
    "usertype": "1"
}

I want to fix the password replay. Please help.

Please provide a way to fix the password replay, with an example.
