Is there bcrypt support?

Hi,

I saw an old thread saying bcrypt support was implemented on Wappler 2:

I’m building a web app that uses an existing database with users’ passwords hashed with bcrypt.

So, is there bcrypt support on Wappler? I can only find Argon2 - I’m using NodeJS.

Also, the security provider has a checkbox “Use Password Hash Verify”, but it doesn’t allow the selection of the hashing algorithm? So, how does one select the algorithm to check against?

Security provider:

Cryptography hash check component:

Bcrypt is only available for PHP (7.2+)

As for Password Hash Verify, that’s available for argon2 and you can find how to use it here:

Thanks, Teodor.

If I grab a bcrypt package from npm and install it, is there a way to call bcrypt functions from Server Actions? So I can hash $_POST['password'] and pass it to security provider or something.

Example package:

You will have to build a Server Connect custom extension. But it is possible indeed. If you have previous programming experience it should be no problem for you.

Is there a reason why you choose bcrypt over argon2? Argon2 is newer and better than bcrypt for password hashing.

I’m experimenting with adding bcrypt, scrypt and pbkdf2 as extra algorithms for the password hashing. scrypt and pbkdf2 are directly available in the core of nodejs, and bcrypt as a module (native and/or plain js). Not sure if there is a large demand for these algos since most of the time users here ask for argon2 support.

I think that adding more options will maybe make people go for less secure options out of familiarity.

What about just adding (by design) a verify function for those older algos, but not the hashing one? That way people could verify passwords before hashing them to a safer option.

For those that still want to hash they could resort to a custom extension.

Hi Patrick,

I need bcrypt to maintain backwards compatibility with an existing Laravel app database.

I’m re-creating this web app in Wappler, but I would probably keep using bcrypt for a while just in case I need to temporarily roll back to the Laravel app if a bug appears or a similar situation arises.

For now, I’ve just managed to create a custom module for Wappler. The bcrypt hash/verification is different from PHP’s implementation, so I had to apply a couple of workarounds to maintain PHP compatibility:

// Verify
hash = hash.replace(/^\$2y(.+)$/i, '$2a$1'); // PHP to NodeJS bcrypt
// Hash
hashed = hashed.replace('$2a$', '$2y$'); // NodeJS to PHP bcrypt
hashed = hashed.replace('$2b$', '$2y$'); // NodeJS to PHP bcrypt

The .hjson part of the custom module was hell (seriously, it’s too confusing for newcomers, even following the documentation), I had to steal @JonL’s Argon2 .hjson - and I probably forgot to use async, guess I need to change that :sweat_smile:

If there’s anyone interested in this, I suppose I could publish it on Wappler extensions after I finish it :slight_smile:

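Added example, not part of the thread and not the poster's module: the prefix swap from the last post, done through a strict parser so that truncated or malformed values are rejected before they reach a verify call, plus a check that routes legacy bcrypt rows to the verify-then-rehash path suggested earlier. All function names and the sample hash are constructed for illustration.

```javascript
// Added example, not code from the thread: strict parsing of bcrypt hash
// strings before swapping the version prefix between PHP and Node forms.
// All function names here are hypothetical.

// $<version>$<cost>$<22-char salt><31-char digest>, bcrypt's base64 alphabet.
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

function parseBcrypt(hash) {
  const m = BCRYPT_RE.exec(String(hash));
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // valid bcrypt cost range
  return { version: m[1], cost: m[2], salt: m[3], digest: m[4] };
}

// Rebuild the hash, replacing the version only if it is one of `from`.
function withVersion(hash, from, to) {
  const p = parseBcrypt(hash);
  if (!p) throw new TypeError('not a well-formed bcrypt hash');
  const version = from.includes(p.version) ? to : p.version;
  return ['', version, p.cost, p.salt + p.digest].join('$');
}

// Stored PHP hash -> form handed to the Node bcrypt module ($2y$ -> $2a$).
const phpToNode = (hash) => withVersion(hash, ['2y'], '2a');

// Hash produced in Node -> form stored for PHP ($2a$ / $2b$ -> $2y$).
const nodeToPhp = (hash) => withVersion(hash, ['2a', '2b'], '2y');

// Pick the verifier at login: legacy bcrypt rows can be verified and then
// re-hashed with Argon2, as proposed earlier in the thread.
function classifyStoredHash(stored) {
  if (parseBcrypt(stored)) return 'bcrypt';
  if (/^\$argon2(id|i|d)\$/.test(String(stored))) return 'argon2';
  return 'unknown';
}

// Constructed sample with the right shape; not a real password digest.
const SAMPLE_PHP = '$2y$10$' + 'A'.repeat(22) + 'B'.repeat(31);
```

Unlike the case-insensitive `/^\$2y(.+)$/i` rewrite, this refuses anything that is not a complete 60-character bcrypt string, so a corrupted column value fails loudly instead of being passed on.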