2

I have a Laravel website which transfers all its data to a hybrid mobile app using HTML, CSS and JS. The mobile app works in offline mode. I have to perform authentication in the mobile app, based on the data transferred from the website. But Laravel uses a bcrypt hash. How can I make a similar hasher to match the password in JavaScript? Is it possible to make a similar hasher in JavaScript, or has somebody done this already?

2
  • I think we need more information. Laravel is PHP (the php tag is missing in your post), so what is your "mobile app"? For which platform? And then you mention a website. What website? The website where you use Laravel/PHP to output data to be received by your mobile app? Commented Nov 12, 2015 at 11:29
  • May I see the code that you have so far? Commented Nov 12, 2015 at 11:31

3 Answers

5

Trying to answer your vague question (assuming you are looking for a bcrypt library for javascript):

1) There is a bcrypt library for JavaScript here: https://github.com/nevins-b/javascript-bcrypt, found here: bCrypt implementation in Javascript

I would assume (but am not sure) that Laravel uses the PHP built-ins password_hash() and password_verify(), thus outputting a special format which contains the used salt, like this example from the PHP docs:

$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

You can look at the PHP documentation for both: https://secure.php.net/manual/en/function.password-verify.php https://secure.php.net/manual/en/function.password-hash.php

You would need to adapt the hash-string so that you can use it inside the javascript bcrypt function to verify a user-provided password in your mobile app.

Update

The salt is stored inside the hash, so you can extract it for your JavaScript verification: just take the first 22 characters after the prefix "$2y$10$" (the salt is "saltsaltsaltsaltsaltse" in this example):

echo password_hash('JohnDoe', PASSWORD_DEFAULT, ['salt' => 'saltsaltsaltsaltsaltse']);
# will output $2y$10$saltsaltsaltsaltsaltseQMyqgPkFxQ1hfP2yBcGxgbJZGe1uGXq

UPDATE

Thanks to hassan's research, the JavaScript library is found to be compatible with hashes from PHP's password_hash() without splitting the hash and/or providing the salt separately. To avoid the "Invalid salt revision" error for PHP-generated hashes within the JS lib, one has to replace $2y with $2a in the hash prefix. Hashes from the JS lib can be used by PHP without replacing.


9 Comments

Thanks for your response. I tried this JavaScript library. In this library there are some example scripts. One is to verify a password against a hash. So if I try to verify a password against the hash from my database it gives me an "invalid salt revision" alert. I don't think I have set any salt in my Laravel application. Do you have any idea?
You can show your appreciation by upvoting my answer at first. And then, I cannot answer your comment, because I don't know how Laravel saves its hashes or if it uses the afore-mentioned PHP functions. You have to give more input; for example, show us one of your hashes in full.
I don't think that you have read the PHP functions I mentioned. If you did, you can see that salts are generated automatically by those functions!
OK, if you have downloaded and used this JS library, the method that matches the hash against the password does not take a salt to match. Anyway, I searched for the exception "invalid salt revision" and found this answer: github.com/ircmaxell/password_compat/issues/49 . Now hashes generated by PHP are able to match using this JS library by replacing $2y with $2a, and hashes generated from this JS library are able to be recognized by PHP by replacing $2a with $2y. So I am marking your answer as correct. You can modify your answer to include this so that anyone can solve it without reading the comments.
I am unable to edit my comment, so I am adding another one. Hashes generated by the JS library can be verified without replacing $2a with $2y. PHP recognizes them both ways. Thanks for your help, dear.
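A worked example of the hash-format handling discussed in this answer and its comments, added here and not taken from the original post or from the linked library. It splits the `password_hash()` output into variant, cost, the 22-character salt and the 31-character digest, and rewrites the `$2y$` prefix to `$2a$` so a JS bcrypt library that raises "Invalid salt revision" on `$2y$` will accept it; the library's `compareSync` name in the usage comment is an assumption.

```javascript
// Added example, not from the original post: split a PHP/Laravel bcrypt string
// into its fields and rewrite the "$2y$" prefix to "$2a$" for a JS bcrypt
// library that rejects "$2y$" with "Invalid salt revision".
//
// Layout of a bcrypt string:  $<variant>$<cost>$<22-char salt><31-char digest>
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{53})$/;

function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) throw new Error('not a bcrypt hash string');
  const cost = parseInt(m[2], 10);
  if (cost < 4 || cost > 31) throw new Error('bcrypt cost out of range: ' + cost);
  return {
    variant: m[1],            // "2y" for PHP password_hash(), "2a"/"2b" for most JS libs
    cost,                     // work factor: 2^cost key-setup rounds
    salt: m[3].slice(0, 22),  // the 22 characters the answer says to take after the prefix
    digest: m[3].slice(22),   // the remaining 31 characters
  };
}

// PHP's "$2y$" marks a hash computed exactly like a correct "$2a$" hash, so only
// the prefix has to change. "$2x$" marks output of PHP's old buggy bcrypt and is
// refused here: such a hash should be regenerated, not reinterpreted.
function toJsLibraryPrefix(hash) {
  const p = parseBcryptHash(hash);
  if (p.variant === '2x') throw new Error('$2x$ hash comes from a buggy PHP build; rehash it');
  return '$2a$' + String(p.cost).padStart(2, '0') + '$' + p.salt + p.digest;
}

// Usage with a bcrypt library exposing compareSync(password, hash) (name assumed):
//   const ok = bcrypt.compareSync(enteredPassword, toJsLibraryPrefix(hashFromLaravel));

// Sample input: the "saltsaltsaltsaltsaltse" hash printed in the answer above.
const SAMPLE_PHP_HASH = '$2y$10$saltsaltsaltsaltsaltseQMyqgPkFxQ1hfP2yBcGxgbJZGe1uGXq';
console.log(parseBcryptHash(SAMPLE_PHP_HASH));
console.log(toJsLibraryPrefix(SAMPLE_PHP_HASH));
```

Hashes the JS library produces already carry `$2a$`, so they pass through unchanged and, as the comments note, PHP's `password_verify()` accepts them as they are.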
1

I think all authentication should be done on the backend server (in this case using Laravel). You should not transfer your users' information to the client mobile app for offline authentication. There are several problems that may arise: confidential data can be exposed, the most recently registered user information may not be present on the offline mobile app, etc.

Now I would suggest you authenticate/register the user while online and then do the other operations in offline mode. Check the authentication periodically, after 6 or 7 days.

But if you still need every bcrypt implementation to produce the same hash, here is a discussion that should help.

NOTE: Authentication should not be done on client side.

3 Comments

Actually, the application will sync data periodically to get updated data. Moreover, the application is not a public application, but will be used by specific people only. And it must work offline because where this application will be used, there is no assurance that internet access is available every time. So it is a requirement to authenticate the current user in offline mode.
I think in this case the mobile app is not a 2-tier client-server architecture, but should be an offline-usable independent app. So it should offer encryption or protection for the data, thus one needs to authenticate to open the data. This seems totally OK to me.
OK, instead of authentication, encryption should be used in that case.
1

I think what you need to do is to make an API call to bcrypt.

First, make an AJAX call from your app with the request data.

E.g. (using jQuery):

var stringToHash = 'mypassword';
$.ajax({
   // POST rather than GET, so the password is not written into server or proxy
   // access logs as part of the query string
   type: "POST",
   url: "/api/hash-password",          // route mapped to hashPassword() below (name assumed)
   data: { password: stringToHash },
   success: function (response) {
      console.log('here you get response');
      /* now the hash code */
      console.log(response.data);
   },
   error: function (xhr) {
      console.log('request failed: ' + xhr.status);
   }
});

In the Laravel API controller (Laravel 5):

// at the top of the controller file, so the Input facade resolves:
use Illuminate\Support\Facades\Input;

public function hashPassword()
{
    // bcrypt() uses Laravel's configured Hash driver and returns a "$2y$..." string
    $hashPassword = bcrypt(Input::get('password'));

    return response()->json([
        'status' => 'success',
        'data'   => $hashPassword
    ]);
}

1 Comment

You didn't get the question completely. Read the question again and the above answers as well.
