Cannot specify LongPasswordStrategy on Verifier

[Indigo744]

Hello,

First of all, thanks for this library.

In my code, I need to be able to specify the LongPasswordStrategy to TruncateStrategy so the lib behave like others (in others softwares in different languages).

It all works well when saving the hash, I can do BCrypt.with(LongPasswordStrategies.truncate()).hash(...) just fine.

But when I want to verify a hash, I can't specify the strategy!
One would expect BCrypt.with(LongPasswordStrategies.truncate()).verifyer().verify(pw, hashData); to works, but alas no.

Looking quickly in the code, I can see that you simply use the withDefaults() without offering any choice to the user: https://github.com/patrickfav/bcrypt/blob/master/modules/bcrypt/src/main/java/at/favre/lib/crypto/bcrypt/BCrypt.java#L551

Is there something I'm missing? I would think the library should be able to verify its own generated hash depending on the strategy used...

Thanks.

[patrickfav]

Hi Guillaume,

No, you are absolutely right, you found a conceptional error and I don't see an easy workaround for you apart from checking by hand. I will think about a solution and update this ticket as soon as I have one.

[Indigo744]

Thanks for your feedback.

As a workaround, we directly apply the strategy before giving the password to the lib:

byte[] passwordShort = LongPasswordStrategies.truncate().derive(password.getBytes(StandardCharsets.UTF_8));
boolean isOk = BCrypt.verifyer().verify(passwordShort, hash.getBytes()).verified;

But of course, we are still limited by the issue #22 (for which we don't have an easy workaround, excepted modifying the lib...).

[patrickfav]

PR is ready (#23), @Indigo744 I invite you to do a review if you like. Otherwise I will merge it beginning of next week.

[Indigo744]

Thank you. I reviewed it, looks good!

[patrickfav]

Will be released with v0.9.0

[Indigo744]

Thank you!