feathersjs-ecosystem/feathers-authentication-management

Specify custom hash function to HashPassword when resetting password

Closed this issue · 2 comments

Steps to reproduce

Call resetPwdLong with a valid token and password;
the /users PATCH is called with a hashed password.

The feathers-authentication-local hashPassword hook allows passing a custom hash: function;
we should be able to pass the same function through management.

Expected behavior

Give a hash function to be passed to hashPassword when resetting the password.

Actual behavior

It uses bcrypt by default and there is no way to specify a specific function.

System configuration

Module versions (especially the part that's not working):
"feathers-authentication": "^1.1.1"
"feathers-authentication-jwt": "^0.3.1"
"feathers-authentication-local": "^0.3.2"
"feathers-authentication-management": "^0.1.6"

Hi there,

I would like to give more details. I am now using the latest version,
and I am indeed able to pass a custom hash function through:

  this.configure(authentication({
    ...login,
    local: {
      hash: password => myCustomHash(password),
    },
  }));

The problem is, this method will be used to encrypt both the resetToken and the new password once reset.

But, when comparing the reset token, once it's sent back, comparePasswords is called, and it uses bcrypt.compare by default, and there is no way to change that function.

So either my password encryption is wrong or the token cannot be compared.

    "feathers": "^2.2.3",
    "feathers-authentication": "^1.3.1",
    "feathers-authentication-hooks": "^0.1.5",
    "feathers-authentication-jwt": "^0.3.2",
    "feathers-authentication-local": "^0.4.4",
    "feathers-authentication-management": "^1.0.0",

Thanks for your help.
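
The mismatch described in the comment above (a custom hash on the write path, a bcrypt-only compare on the read path) can be caught with a round-trip self-test before any reset token is issued. This is an added example, not code from the issue or from feathers-authentication-management: hashSecret, compareSecret, isBcryptHash and roundTrips are hypothetical names, scrypt stands in for the custom hash, and synchronous functions are assumed.

```javascript
// Added example: hashSecret, compareSecret, isBcryptHash and roundTrips are
// hypothetical names, not part of any feathers package.
const crypto = require('crypto');

const PARAMS = { N: 16384, r: 8, p: 1 }; // scrypt cost parameters (assumed values)
const KEYLEN = 32;

// Custom hash: scrypt with a random salt, stored as a self-describing string.
function hashSecret(secret) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(secret, salt, KEYLEN, PARAMS);
  return ['scrypt', PARAMS.N, PARAMS.r, PARAMS.p,
    salt.toString('base64'), key.toString('base64')].join('$');
}

// Matching verifier: only accepts the format and parameters hashSecret writes.
function compareSecret(secret, stored) {
  const parts = String(stored).split('$');
  if (parts.length !== 6 || parts[0] !== 'scrypt') return false; // fail closed
  const [N, r, p] = parts.slice(1, 4).map(Number);
  if (N !== PARAMS.N || r !== PARAMS.r || p !== PARAMS.p) return false;
  const salt = Buffer.from(parts[4], 'base64');
  const expected = Buffer.from(parts[5], 'base64');
  if (expected.length !== KEYLEN) return false;
  const actual = crypto.scryptSync(secret, salt, KEYLEN, PARAMS);
  return crypto.timingSafeEqual(actual, expected); // constant-time comparison
}

// Shape of a bcrypt hash string; a bcrypt comparer has nothing to match otherwise.
function isBcryptHash(stored) {
  return /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/.test(String(stored));
}

// Self-test for startup or CI: the pair must accept the right secret and
// reject a wrong one, for a freshly generated probe value.
function roundTrips(hash, compare) {
  const probe = crypto.randomBytes(16).toString('hex');
  const stored = hash(probe);
  return compare(probe, stored) === true && compare(probe + 'x', stored) === false;
}

console.log('matched pair round-trips:', roundTrips(hashSecret, compareSecret));
console.log('custom hash is bcrypt-shaped:', isBcryptHash(hashSecret('constructed-token')));
```

Running roundTrips against the hash and compare functions actually configured for password and reset-token handling turns a silent "token never matches" failure into a startup error.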

This issue has been handled in the a-l-m rewrite. Full details at https://github.com/feathers-plus/authentication-local-management/blob/master/misc/upgrading.md.

Please make any comments at a-l-m.