將bcrypt改成pbkdf2，去除對native module的相依性

Author: pH200

controllers/sign.js

@@ -10,7 +10,7 @@ var crypto = require('crypto');
 var config = require('../config').config;
 var message_ctrl = require('./message');
 var mail_ctrl = require('./mail');
-var bcrypt = require('bcrypt');
+var pbkdf2 = require('../libs/pbkdf2');
 
 // private
 
@@ -116,12 +116,12 @@ exports.signup = function (req, res, next) {
         return;
       }
 
-      // bcrypt the pass
-      bcrypt.genSalt(config.genSalt, function (err, salt) {
+      // PBKDF2 encryption
+      pbkdf2.genSalt(config.genSalt, function (err, salt) {
         if (err) {
           return next(err);
         }
-        bcrypt.hash(pass, salt, function (err, hash) {
+        pbkdf2.hash(pass, salt, function (err, hash) {
           if (err) {
             return next(err);
           }
@@ -132,6 +132,7 @@ exports.signup = function (req, res, next) {
           user.name = name;
           user.loginname = loginname;
           user.pass = hash;
+          user.salt = salt;
           user.email = email;
           user.avatar = avatar_url;
           user.active = false;
@@ -195,7 +196,7 @@ exports.login = function (req, res, next) {
     if (!user || user.pass === undefined) {
       return res.render('sign/signin', { error: '這個用戶不存在。' });
     }
-    bcrypt.compare(pass, user.pass, function (err, equal) {
+    pbkdf2.compare(pass, user.pass, user.salt, function (err, equal) {
       if (err) {
         return next(err);
       }
@@ -339,16 +340,17 @@ exports.reset_pass = function (req, res, next) {
         return res.render('notify/notify', {error : '錯誤的激活鏈接'});
       }
 
-      bcrypt.genSalt(config.genSalt, function (err, salt) {
+      pbkdf2.genSalt(config.genSalt, function (err, salt) {
         if (err) {
           return next(err);
         }
-        bcrypt.hash(psw, salt, function (err, hash) {
+        pbkdf2.hash(psw, salt, function (err, hash) {
           if (err) {
             return next(err);
           }
 
           user.pass = hash;
+          user.salt = salt;
           user.retrieve_key = null;
           user.retrieve_time = null;
           user.active = true; // 用戶激活

controllers/user.js

@@ -18,7 +18,7 @@ var EventProxy = require('eventproxy').EventProxy;
 var check = require('validator').check;
 var sanitize = require('validator').sanitize;
 var crypto = require('crypto');
-var bcrypt = require('bcrypt');
+var pbkdf2 = require('../libs/pbkdf2');
 
 function get_user_by_id(id, cb) {
   User.findOne({_id: id}, cb);
@@ -259,7 +259,7 @@ exports.setting = function (req, res, next) {
         return next(err);
       }
 
-      bcrypt.compare(old_pass, user.pass, function (err, equal) {
+      pbkdf2.compare(old_pass, user.pass, user.salt, function (err, equal) {
         if (err) {
           return next(err);
         }
@@ -280,12 +280,13 @@ exports.setting = function (req, res, next) {
           return;
         }
 
-        bcrypt.genSalt(config.genSalt, function (err, salt) {
+        pbkdf2.genSalt(config.genSalt, function (err, salt) {
           if (err) {
             return next(err);
           }
-          bcrypt.hash(new_pass, salt, function (err, hash) {
+          pbkdf2.hash(new_pass, salt, function (err, hash) {
             user.pass = hash;
+            user.salt = salt;
             user.save(function (err) {
               if (err) {
                 return next(err);

libs/pbkdf2.js

@@ -0,0 +1,42 @@
+/*jslint node: true, regexp: true, nomen: true, indent: 2, vars: true */
+
+'use strict';
+
+var crypto = require('crypto');
+// Bcrypt Adoptions:
+// bcrypt.genSalt(rounds, seed_length, callback(err, salt))
+// bcrypt.hash(data, salt, callback(err, encrypted))
+// bcrypt.compare(data, encrypted, function(err, same))
+
+module.exports = {
+  keylen: 256,
+  iterations: 4096,
+  genSalt: function (size, callback) {
+    crypto.randomBytes(size, function (err, buf) {
+      if (err) {
+        return callback(err);
+      }
+      return callback(null, buf.toString('base64'));
+    });
+  },
+  hash: function (data, salt, callback) {
+    // For iteration count settings, see:
+    // http://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pkbdf2-sha256
+    crypto.pbkdf2(data, salt, this.iterations, this.keylen, function (err, derivedKey) {
+      if (err) {
+        return callback(err);
+      }
+      // derivedKey is string, but stores binary data
+      var buffer = new Buffer(derivedKey);
+      return callback(null, buffer.toString('hex'), salt);
+    });
+  },
+  compare: function (data, encrypted, salt, callback) {
+    this.hash(data, salt, function (err, hash) {
+      if (err) {
+        return callback(err);
+      }
+      return callback(null, (encrypted === hash));
+    });
+  }
+};

models/user.js

@@ -10,6 +10,7 @@ var UserSchema = new Schema({
   name: { type: String, index: true },
   loginname: { type: String, unique: true },
   pass: { type: String },
+  salt: { type: String },
   email: { type: String, unique: true },
   url: { type: String },
   profile_image_url: {type: String},

package.json

@@ -14,7 +14,6 @@
     "nodemailer": "0.3.5",
     "data2xml": "0.4.0",
     "xss": ">=0.0.2",
-    "bcrypt ": "*",
     "facebook-group-sync": "*"
   },
   "devDependencies": {