[bug] Fix bug in verifyPassword

2026-02-10 18:05:07 +08:00 · 2025-10-02 11:56:36 +03:00
parent 5b18f02da1
commit f01af975ba
1 changed files with 5 additions and 6 deletions
--- a/AdminPanel/server/sources/passwordManager.js
+++ b/AdminPanel/server/sources/passwordManager.js
@ -96,7 +96,7 @@ async function verifyPassword(password, hash) {
      return false;
    }
-    const [, iterationsStr, saltBase64, expectedHashBase64] = parts;
+    const [, , iterationsStr, saltBase64, expectedHashBase64] = parts;
    const iterations = parseInt(iterationsStr, 10);
    if (!iterations || !saltBase64 || !expectedHashBase64) {
@ -108,13 +108,12 @@ async function verifyPassword(password, hash) {
    // Derive key from password with same parameters
    const derivedKey = await pbkdf2(password, saltBuffer, iterations, PBKDF2_KEYLEN, PBKDF2_DIGEST);
    const computedHashBase64 = derivedKey.toString('base64').replace(/\+/g, '.').replace(/=/g, '');
-    // Compare using timing-safe comparison
+    // Decode expected hash from base64 (restore + from .)
-    const expectedBuffer = Buffer.from(expectedHashBase64);
+    const expectedHashBuffer = Buffer.from(expectedHashBase64.replace(/\./g, '+'), 'base64');
    const computedBuffer = Buffer.from(computedHashBase64);
-    return crypto.timingSafeEqual(expectedBuffer, computedBuffer);
+    // Compare using timing-safe comparison (compare raw buffers, not base64 strings)
    return crypto.timingSafeEqual(derivedKey, expectedHashBuffer);
  } catch {
    return false;
  }