Hi. This is probably a stupid question, but we have been migrating our forum from XenForo over to Discourse. We have a backend server for authorization which involves connecting to the database and verifying credentials against the users table.
XenForo’s bcrypt algorithm worked as expected, and without any hassle. When we migrated over to Discourse, however, the PBKDF2 algorithm did not seem to match my expectations. Same exact password, same exact salt, same exact number of iterations and length, but the output hash is different.
I tried various different implementations of the PBKDF2 algorithm, but they all output the exact same hash (different from Discourse’s), including my own implementation.
I would rather avoid mechanisms like OAuth2 or SSO due to additional overhead and additional work that it imposes upon us.
Has anyone used Discourse for such use cases, and if you have, how did you solve this problem?
We primarily used Go’s crypto/bcrypt implementation for XenForo. The same hashes from various PBKDF2 implementations suggest to me that Go possibly stores strings or casts strings to bytes in a somewhat different way.
I’ll have to try that tomorrow (it’s late over here). If OpenSSL gives me the desired result, then I would have to seek OpenSSL bindings for Go, or I would have to switch to an entirely different language (that has OpenSSL bindings) for the backend.
Never mind. I had to use the hex representation of the salt as the argument, not the decoded salt like I was doing in the post above. Now the hashes are equal.
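The fix described in the last post, as an added Go example that is not part of the original thread or of Discourse’s own code: PBKDF2-HMAC-SHA256 is implemented by hand with the standard library so the byte handling is fully visible, and the salt is fed in as the ASCII bytes of the hex string stored in `users.salt`, not as the 16 bytes it decodes to. The Discourse parameters used here (64000 iterations, SHA-256, a 32-byte output encoded as hex, a 32-character hex salt) are my understanding of the defaults and should be checked against your own install; the password, salt and stored hash in `main` are constructed sample values, not rows from a real database.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash"
)

// pbkdf2HMAC implements PBKDF2 (RFC 8018 section 5.2) over HMAC-<h>.
// Written out in full so the salt bytes going into the PRF are explicit.
func pbkdf2HMAC(password, salt []byte, iterations, keyLen int, h func() hash.Hash) []byte {
	prf := hmac.New(h, password)
	hLen := prf.Size()
	numBlocks := (keyLen + hLen - 1) / hLen
	dk := make([]byte, 0, numBlocks*hLen)

	for block := 1; block <= numBlocks; block++ {
		// U_1 = PRF(password, salt || INT_32_BE(block))
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)

		// T_block = U_1 xor U_2 xor ... xor U_c, with U_j = PRF(password, U_{j-1})
		t := make([]byte, len(u))
		copy(t, u)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// DiscourseHash reproduces what Discourse stores in users.password_hash, as I
// understand it (assumption): hex(PBKDF2-HMAC-SHA256(password, salt, iterations, 32))
// where salt is the 32-character hex string from users.salt used as-is.
func DiscourseHash(password, salt string, iterations int) string {
	return hex.EncodeToString(pbkdf2HMAC([]byte(password), []byte(salt), iterations, 32, sha256.New))
}

// DecodedSaltHash is the mistake from earlier in the thread: hex-decoding the
// salt first hands the PRF 16 raw bytes, so the result never matches Discourse.
func DecodedSaltHash(password, salt string, iterations int) (string, error) {
	raw, err := hex.DecodeString(salt)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(pbkdf2HMAC([]byte(password), raw, iterations, 32, sha256.New)), nil
}

// VerifyDiscoursePassword recomputes the hash for a login attempt and compares
// it to the stored value in constant time, so the comparison leaks no timing.
func VerifyDiscoursePassword(password, storedHash, salt string, iterations int) bool {
	computed := DiscourseHash(password, salt, iterations)
	return subtle.ConstantTimeCompare([]byte(computed), []byte(storedHash)) == 1
}

func main() {
	// Constructed sample row: a salt in SecureRandom.hex(16) shape and a
	// password; the "stored" hash is computed here, not copied from a real DB.
	const (
		password   = "correct horse battery staple"
		salt       = "0123456789abcdef0123456789abcdef"
		iterations = 64000 // assumed Discourse default for pbkdf2_iterations
	)
	stored := DiscourseHash(password, salt, iterations)
	wrong, _ := DecodedSaltHash(password, salt, iterations)
	fmt.Println("salt as ASCII bytes:", stored)
	fmt.Println("salt hex-decoded:   ", wrong)
	fmt.Println("login verifies:     ", VerifyDiscoursePassword(password, stored, salt, iterations))
	fmt.Println("wrong password:     ", VerifyDiscoursePassword("hunter2", stored, salt, iterations))
}
```

To cross-check the hand-rolled PBKDF2 before trusting it against a production table, run it on the published PBKDF2-HMAC-SHA256 test vectors (for example password `password`, salt `salt`, 1 iteration, 32 bytes); once those match, any remaining mismatch with Discourse is in how the salt and output are encoded, which is exactly the bug in this thread.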