董海洋
108 lines
2.8 KiB
JavaScript
108 lines
2.8 KiB
JavaScript
/**
|
||
* 密码加密和验证工具函数
|
||
* @module services/utils/password
|
||
*/
|
||
|
||
const crypto = require('crypto')
|
||
|
||
const N = 16384
|
||
const r = 8
|
||
const p = 1
|
||
const KEYLEN = 64
|
||
const SALT_LEN = 16
|
||
const MD5_LEN = 32
|
||
|
||
/**
|
||
* 计算 MD5 哈希
|
||
* @param {string} str - 输入字符串
|
||
* @returns {string} MD5 哈希值(十六进制)
|
||
*/
|
||
function md5(str) {
|
||
return crypto.createHash('md5').update(str).digest('hex')
|
||
}
|
||
|
||
/**
|
||
* 使用 scrypt 计算哈希
|
||
* @param {string} password - 密码
|
||
* @param {Buffer} [saltBuf] - 可选的 salt
|
||
* @returns {Object} { salt, hash }
|
||
*/
|
||
function scryptHash(password, saltBuf) {
|
||
const salt = saltBuf || crypto.randomBytes(SALT_LEN)
|
||
const derived = crypto.scryptSync(String(password), salt, KEYLEN, { N, r, p, maxmem: 64 * 1024 * 1024 })
|
||
return { salt, hash: derived }
|
||
}
|
||
|
||
/**
|
||
* 哈希密码(使用 scrypt)
|
||
* @param {string} password - 密码
|
||
* @returns {string} 编码后的密码哈希
|
||
*/
|
||
function hashPassword(password) {
|
||
const { salt, hash } = scryptHash(password)
|
||
const saltB64 = salt.toString('base64').replace(/=+$/, '')
|
||
const hashB64 = hash.toString('base64').replace(/=+$/, '')
|
||
return `scrypt$${N}$${r}$${p}$${saltB64}$${hashB64}`
|
||
}
|
||
|
||
/**
|
||
* 验证 scrypt 密码
|
||
* @param {string} password - 密码
|
||
* @param {string} encoded - 编码后的密码哈希
|
||
* @returns {boolean} 是否验证通过
|
||
*/
|
||
function verifyScrypt(password, encoded) {
|
||
try {
|
||
const parts = encoded.split('$')
|
||
if (parts.length !== 6 || parts[0] !== 'scrypt') return false
|
||
const saltB64 = parts[4]
|
||
const expectedB64 = parts[5]
|
||
const salt = Buffer.from(saltB64, 'base64')
|
||
const expected = Buffer.from(expectedB64, 'base64')
|
||
const { hash } = scryptHash(password, salt)
|
||
if (hash.length !== expected.length) return false
|
||
return crypto.timingSafeEqual(hash, expected)
|
||
} catch {
|
||
return false
|
||
}
|
||
}
|
||
|
||
/**
|
||
* 验证密码(支持 scrypt 和旧版 MD5)
|
||
* @param {string} password - 密码
|
||
* @param {string} stored - 存储的密码哈希
|
||
* @returns {boolean} 是否验证通过
|
||
*/
|
||
function verifyPassword(password, stored) {
|
||
if (!stored) return false
|
||
if (stored.startsWith('scrypt$')) return verifyScrypt(password, stored)
|
||
if (/^[a-f0-9]{32}$/i.test(stored)) return md5(password).toLowerCase() === stored.toLowerCase()
|
||
return false
|
||
}
|
||
|
||
/**
|
||
* 检查是否是旧版 MD5 哈希
|
||
* @param {string} stored - 存储的密码哈希
|
||
* @returns {boolean} 是否是旧版哈希
|
||
*/
|
||
function isLegacyHash(stored) {
|
||
return stored && /^[a-f0-9]{32}$/i.test(stored)
|
||
}
|
||
|
||
/**
|
||
* 检查是否需要重新哈希密码
|
||
* @param {string} stored - 存储的密码哈希
|
||
* @returns {boolean} 是否需要重新哈希
|
||
*/
|
||
function needsRehash(stored) {
|
||
return !stored || !stored.startsWith('scrypt$')
|
||
}
|
||
|
||
module.exports = {
|
||
hashPassword,
|
||
verifyPassword,
|
||
isLegacyHash,
|
||
needsRehash,
|
||
md5
|
||
}
|