iceddev / bcrypt-as-promised Goto Github PK

When attempting to install bcrypt-as-promised on nodesource/trusty Docker container I get the following error:

npm WARN cannot run in wd [email protected] node-gyp rebuild (wd=/usr/src/app/node_modules/bcrypt-as-promised/node_modules/bcrypt)

Using bcrypt as normal works fine. I wonder if bcrypt just needs to be upgraded.

During install, npm logs the notice:

warning bcrypt-as-promised > [email protected]: bcrypt < v2.0.0 is susceptible to bcrypt wrap-around bug. Upgrade to bcrypt >= v2.0.0 for improved support for newer bcrypt hashes

There's another security issue with a nested dependency, growl -> https://nodesecurity.io/advisories/146

The bcrypt package now supports promises:

with promises

bcrypt uses whatever Promise implementation is available in global.Promise. NodeJS >= 0.12 has a native Promise implementation built in. However, this should work in any Promises/A+ compliant implementation.
Async methods that accept a callback, return a Promise when callback is not specified if Promise support is available.

bcrypt.hash(myPlaintextPassword, saltRounds).then(function(hash) {
   // Store hash in your password DB.
});

There also hasn't been an update to this package in 2 years. It's still getting a lot of downloads, which means a lot of vulnerabilities --- this package should either be upgraded or deprecated.

I like having a promise version of bcrypt, but I want to suggest an API change. The .compare() method should contain a boolean in the resolved promise indicating match/no match, and a rejected promise should be reserved for errors only.

• This more closely maps to the API exposed by bcrypt
• This is a better use of promises.

In my app, I will take different actions if there is an error than if there is a mismatched password.

I would recommend changing the interface and bumping the version to 2, since this would be a breaking change.

I have the following:

Node: 6.1.0
NPM: 3.8.1
Node-webkit: 0.12.3
Windows 7 x64
Visual Studio 2013

Here is my authenticate method:

    authenticate: function(login, password) {
            var bcrypt = require('bcrypt-as-promised');
            return User.findOne({where: {
               login: login,
            }}).then(function(user) {
               if(user === null) return false;
               return bcrypt.compare(password, user.password)
               .then(function() {
                  return true; // password matches
               })
               .catch(function() {
                  return false; // invalid password
               });
            });
         },

Console tests are working fine but whenever I run node-webkit I get this error:

message: "Module version mismatch. Expected 43, got 48."
stack: "Error: Module version mismatch. Expected 43, got 48.
at Error (native)
at Module.load (module.js:346:32)
at Function.Module._load (module.js:301:12)
at Module.require (module.js:356:17)
at require (module.js:375:17)
at bindings (D:\Node\Project S\node_modules\bindings\bindings.js:76:44)
at Object.<anonymous> (D:\Node\Project S\node_modules\bcrypt\bcrypt.js:3:35)
at Module._compile (module.js:451:26
at Object.Module._extensions..js (module.js:469:10)
at Module.load (module.js:346:32)
at Function.Module._load (module.js:301:12)
at Module.require (module.js:356:17)
at require (module.js:375:17)
at Object.<anonymous> (D:\Node\Project S\node_modules\bcrypt-as-promised\index.js:5:14)
at Module._compile (module.js:451:26)
at Object.Module._extensions..js (module.js:469:10)"

I tried to rebuild and recompile bcrypt module separately but no luck.