Bcryptjs vs bcrypt

[Antoine Aflalo]

Hello Nick, Dave,

I have a question about the user authentication using adminAuth with credential type (as describe in the documentation).

On my raspberry pi, I have some issue with bcryptjs. It is really slow and take a lot of CPU to generate a valid hash.

Is there a reason why you are using bcryptjs instead of bcrypt ? they works the same way, only bcrypt is a C++ module for node that works faster and take less resource.

Best Regards,

--

Antoine Aflalo

[Lawrence Griffiths]

Antoine just to say I've used bcrypt in node-red functions to create hashes no issue.

 

Lawrence

[chris mobberley]

Hi Antoine,

I dont think the Pi is able to cope as you say with this. There have been similar issues seen when running ghost blogging platform. Users often switched out the module required and reported that authentication worked perfect after that.

This may be a case of the similar change being made here.

Chris 

[Antoine Aflalo]

Just to give a comparison between the 2 libraries :

Bcrypt

pi@raspy ~/node-red $ time node -e "console.log(require('bcrypt').hashSync(process.argv[1], 8));" your-password-here

$2a$08$4WMv6S1YH65Scy4DxK1hgO4R0O6dfO0gDaylWN906iAqAbJyMKi3K

real    0m4.185s

user    0m1.660s

sys     0m0.570s

BcryptJS

pi@raspy ~/node-red $ time node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" your-password-here

$2a$08$CJnRR4ZbatLbK94R5KJXNeKuS.NnkeFP5ggyIf176u9eZq5/2qEr2

real    0m24.832s

user    0m11.040s

sys     0m3.860s

This is the reason of my question, what is the reason behind using BcryptJS instead of Bcrypt ?

--
http://nodered.org
---
You received this message because you are subscribed to the Google Groups "Node-RED" group.
To unsubscribe from this group and stop receiving emails from it, send an email to node-red+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Antoine Aflalo

[Antoine Aflalo]

And this the part of the documentation I was talking about : 

http://nodered.org/docs/security.html

--

Antoine Aflalo

[Nicholas O'Leary]

Thanks for raising this Antoine.

There was not much reasoning behind picking one over the other. I suspect I simply followed the lead taken by Ghost in using bcryptjs.

Will look at moving over to bcrypt - just want to make sure it doesn't cause issues on windows being a native module. We want to avoid forcing windows users to need the whole visual studio setup in order to compile modules at install time. Assuming bcrypt is packaged with pre built binaries, all will be well.

Nick

[Antoine Aflalo]

Unfortunately, the problem lies for Windows : 

• Windows users will need the options for c# and c++ installed with their visual studio instance.

But on my windows machine, I didn't notice any difference between the 2 libs.

Maybe provide a installation script to install bcrypt or bcryptjs depending on the OS : https://stackoverflow.com/questions/15176082/npm-package-json-os-specific-dependency

I replaced bcryptjs by bcrypt in red/api/auth/users.js  and everything work flawlessly since they have exactly the same method's signature.

[Dave C-J]

A quick test would seem to indicate that adding it as an optionalDependencies does the right thing (IE doesn't break) on windows...

makes the install on Pi even slower.... 

So the code would need to be modified to try to require and fail gracefully.

[Nicholas O'Leary]

Dave, bcrypt (whichever version) is not an optional dependency. it does break something as it leaves windows users unable to use adminAuth.

Needs some proper thought over how to do this. Post install script seems the most viable, albeit not ideal.

Nick

--

[Nicholas O'Leary]

Or do you mean to list both as optional deps, and then in the code load which ever is present, with bcrypt given preference to bcryptjs?

To unsubscribe from this group and stop receiving emails from it, send an email to node-red+unsubscribe@googlegroups.com.

[Dave C-J]

Nick

it would seem to offer up the same api... so in users.js just need

var bcrypt;

try { bcrypt = require('bcrypt'); }

catch(e) { bcrypt = require('bcryptjs'); }

and then have bcryptjs as a dependency and bcrypt as an optional

no script needed 

[Dave C-J]

Now raised as Issue #585 - https://github.com/node-red/node-red/issues/585