AdonisJS 5: Solution for use (adonis 4 and laravel) compatible bcrypt

[reg2005]

When I migrated my old website to Adonis 5. I found what I can't sign in my site, because Adonis 5 use another bcrypt library than Adonis 4

I got error:

error: Incompatible 2y identifier found in the hash

Compare one password in between versions

AdonisJS 4

 $2y$08$pzoCZf0i/jRg2mXRlE8a**********J8GAxKFC7ESSOfhq/CkALyC

AdonisJS 5:

$bcrypt$v=98$r=10$xXFWLkjNPH**********$4nSfCJnwPV3yfRvV+O/aWAhXEWSX3pc

It's not compatible.

My solution:

npm i bcryptjs

Add file to libs/Bcrypt.ts:

/*
 *   Copyright (c) 2020 Evgeniy Ryumin <cmp08[at]ya.ru>
 *   All rights reserved.

 *   Permission is hereby granted, free of charge, to any person obtaining a copy
 *   of this software and associated documentation files (the "Software"), to deal
 *   in the Software without restriction, including without limitation the rights
 *   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 *   copies of the Software, and to permit persons to whom the Software is
 *   furnished to do so, subject to the following conditions:
 
 *   The above copyright notice and this permission notice shall be included in all
 *   copies or substantial portions of the Software.
 
 *   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 *   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 *   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 *   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 *   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 *   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 *   SOFTWARE.
 */
import { HashDriverContract, BcryptConfig } from '@ioc:Adonis/Core/Hash'
import bcrypt from 'bcryptjs'

/**
 * Hash plain values using [bcryptjs](https://www.npmjs.com/package/bcryptjs).
 */
export class Bcrypt2HashDriver implements HashDriverContract {
	public config: BcryptConfig
	public ids = ['bcrypt']
	public params = { rounds: 'r' }
	public version = 98
	constructor(config: BcryptConfig) {
		this.config = config
	}

	public async hash(value: string) {
		process.emitWarning('DeprecationWarning', 'Hash.hash() is deprecated. Use Hash.make() instead')
		return this.make(value)
	}

	/**
	 * Hash plain value using bcrypt.
	 */
	public async make(value: string, config: BcryptConfig | null = null): Promise<string> {
		let rounds = 0

		/**
		 * In order to be back compatible, we have to accept strings and numbers
		 * as config rounds.
		 */
		if (typeof config === 'string' || typeof config === 'number') {
			rounds = Number(config)
		} else {
			rounds = config?.rounds || this.config.rounds || 10
		}

		return new Promise(function (resolve, reject) {
			bcrypt.hash(value, rounds, function (error, hash) {
				if (error) {
					return reject(error)
				}
				resolve(hash)
			})
		})
	}

	public needsReHash(hashedValue: string): boolean {
		if (hashedValue.startsWith('$2y')) {
			return true
		}
		return false
	}

	/**
	 * Verify an existing hash with the plain value. Though this
	 * method returns a promise, it never rejects the promise
	 * and this is just for the sake of simplicity, since
	 * bcrypt errors are not something that you can act
	 * upon.
	 */
	public verify(hash: string, value: string): Promise<boolean> {
		return new Promise(function (resolve) {
			bcrypt.compare(value, hash, function (error, response) {
				if (error) {
					return resolve(false)
				}
				resolve(response)
			})
		})
	}
}

And make provider like this:

import { IocContract } from '@adonisjs/fold'
import { Bcrypt2HashDriver } from './../libs/Bcrypt2HashDriver/Bcrypt'
import Hash from '@ioc:Adonis/Core/Hash'
export default class AppProvider {
	constructor(protected $container: IocContract) {}

	public register() {
		// Register your own bindings
	}

	public boot() {
		// IoC container is ready
		const hashInstance: typeof Hash = this.$container.use('Adonis/Core/Hash')
		hashInstance.extend('bcrypt', (_manager, _mappingName, config) => {
			return new Bcrypt2HashDriver(config)
		})
		hashInstance.use('bcrypt')
	}

	public shutdown() {
		// Cleanup, since app is going down
	}

	public ready() {
		// App is ready
	}
}

That's all 👋

[thetutlage]

@reg2005 That's great. Can you create a PR for the same in the hash module?

We can basically enable this using the legacy mode. For example: The config will accept an additional param legacy: true and then on the basis of that we will change the implementation of hash

[reg2005]

@reg2005 That's great. Can you create a PR for the same in the hash module?

We can basically enable this using the legacy mode. For example: The config will accept an additional param legacy: true and then on the basis of that we will change the implementation of hash

Yes I made this as new Hash driver (seems to me it's easier for use)! Please see PR

[reg2005]

I believe it would be better to create another module that hold all of this legacy stuff instead of having it inside the official one.
The legacy module would also rehash user password with the new library to properly migrate them.

Is re-hash possible? We can make hash from clear password (not hashed). Or not? 🤔

[thetutlage]

So rehash will only work, if we add at the time of logging in the user. This is how the flow may look like

• User attempts to login with their plain password
• We verify the password
• Then we use the plain password to rehash it using the new driver
• We update the user record.

This is a standard process many products follow to upgrade user passwords. However, I am not sure, this is something people would want to do when upgrading framework version.

I suggest we should support legacy passwords with a flag and mention about it in the docs. Give people some window to upgrade the passwords and then remove the legacy support. What you think @RomainLanz ?

[RomainLanz]

Yes, migrating data is also something we need to have in mind.
We can add a Legacy driver in the Hash module that use old drivers (bcrypt and argon2).
I'll work on a PR to add those soon.

[jairochaves2]

Hello, @RomainLanz, has a solution been developed for this?

[kmorpex]

[lucaswx2]

have you finded a solution for it?

[henriquetroiano]

@lucaswx2 maybe i'm late, but if you have the problem with this.$container, the correct syntax is this.app.container.

[AbidKhairyAK]

modified version of @amitappaspect and @reg2005 code for adonis js v6.

1. create new file on /driver/LaravelHashDriver.ts

import {
  HashDriverContract,
  ManagerDriverFactory
} from '@adonisjs/core/types/hash'

/**
 * need to polyfill the require function
 */
import { createRequire } from "module";
const require = createRequire(import.meta.url);
const bcrypt = require('bcrypt');


const previousAlgorithm = '$2y$12$' // bcrypt algorithm from the few characters on the start of the previously encrypted password
const currentAlgorithm  = '$2b$12$' // this is for the current encrypted password
const saltRounds        = 12        // match the salt rounds of the previous algorithm, it's on the second $ sign


export class LaravelHashDriver implements HashDriverContract {


  /**
   * Convert raw value to Hash, 
   * used when creating new password for user
   */
  async make(value: string): Promise<string> {
    const _hashedValue = bcrypt.hashSync(value, saltRounds);
    return _hashedValue;
  }

  /**
   * Verify if the plain value matches the provided hash, 
   * used on login
   */
  async verify( hashedValue: string, plainValue: string ): Promise<boolean> {
    let currentHash = hashedValue;

    if (hashedValue.includes(previousAlgorithm)) {
        currentHash = hashedValue.replace(previousAlgorithm, currentAlgorithm);
    }

    return await bcrypt.compareSync(plainValue, currentHash);
  }

  /**
   * idk the logic for this, so i just put it to default value
   */
  needsReHash(): boolean {
    return false;
  }
  isValidHash(): boolean {
    return true
  }
}

/**
 * Factory function so you dont need to intiate it before using it
 */
export function LaravelHashFunction (): ManagerDriverFactory {
  return () => {
    return new LaravelHashDriver()
  }
}

2. modify your /config/hash.ts

import { LaravelHashFunction } from '../driver/LaravelHashDriver.js'

// ... other code ...

const hashConfig = defineConfig({
  default: 'laravel_hash',

  list: {
    laravel_hash: LaravelHashFunction()
  },
})

// ... other code ...

3. IF you are authenticating using auth finder, then update your /app/models/user.ts too

const AuthFinder = withAuthFinder(() => hash.use('laravel_hash'), {
  uids: ['email'],
  passwordColumnName: 'password',
})

credit : adonisjs/auth#144 (comment)