@Pitaj @baris Just to be completely clear, bcrypt.compare is this the only possible way for checking password?
I was thinking it is possible to generate hash from given password that is exactly the same as the hash written to database. Then I could just search the database for that hash , and if it exist that whatever user that has that password is logged in - I wouldn't have to find user first and load saved hash in database to supply to compare function.
Huh, I'm hope I'm being clear. 
@PitaJ
I just did that and here's what I got:
./nodebb setup
2022-02-19T08:23:39.774Z [435729] - info: NodeBB Setup Triggered via Command Line
Welcome to NodeBB v1.19.3!
This looks like a new installation, so you'll have to answer a few questions about your environment before we can proceed.
Press enter to accept the default setting (shown in brackets).
2022-02-19T08:23:39.786Z [435729] - info: [install/checkSetupFlagEnv] checking env vars for setup info...
2022-02-19T08:23:39.786Z [435729] - error: [install/checkSetupFlagEnv] required values are missing for automated setup:
2022-02-19T08:23:39.790Z [435729] - error: admin:username
2022-02-19T08:23:39.793Z [435729] - error: admin:password
2022-02-19T08:23:39.794Z [435729] - error: admin:password:confirm
2022-02-19T08:23:39.795Z [435729] - error: admin:email
It worked out with this code:
const shaPassword = crypto.createHash('sha512').update(password).digest('hex');
console.log("true or false: ");
console.log(await bcrypt.compare(shaPassword, "$2a$12$56c7LRlpF9Mt47eeXDBgBuIBsuf3NPU4hAFzQRyxM7pZWMwhz3EOG"));
Compare's second argument is fetched from database and that's it... Honestly I don't really know how it complicated this much for me, there's something that I did wrong, now it's ok. Thanks a lot!
@PitaJ No, just got hash, not a salt. How can I get the salt if salt is always random?... Probably I do missing something here...
passwordSHA512 = "b33bcf64f2744712deb66354b1d6a6d0";
passwordSHA512 = crypto.createHash('sha512').update(passwordSHA512).digest('hex');
console.log(passwordSHA512); // 455800380a39d8c49b976eb4bc31b98710ceb5beecd88c823c50ca2bdfd7cf1a581d92d9f64df5cfb2f9e50dfc3b2240e119b5ceffc99e584b310838f999aebc
const match = bcrypt.compareSync(passwordSHA512, "$2a$12$56c7LRlpF9Mt47eeXDBgBuIBsuf3NPU4hAFzQRyxM7pZWMwhz3EOG");
console.log(match); // false
match should be true, not false.
I'm definitely stuck, anybody care to provide professional help? I'm willing to pay to overcome this hurdle.
I just tried what I described and it's not working 
OK, just let me be clear on the step really I'm not fully sure it's ok?
user-entered password is put through
crypto.createHash('sha512').update(password).digest('hex');
then I use that as the first argument for bcrypt.compare() function, and the second argument is password fetched from NodeBB database, and if true is returned entered password is matched against stored password.
Still I don't understand how is it possible to compare if I don't have original salt, but if it could work like how I described it, it's good enough for me.
@PitaJ I'm playing with NodeBB from version 1.19.1, so I guess it was always that SHA512 was enabled? ... I imported users through Write API, and within every user stored object I have password:shaWrapped property set to 1.
Thanks for your replies, it was useful and I'm making some progress here. Please stay with me a bit more so I can finish this, help's appreciated here very much
Right now I'm struggling with SHA512 hashing, here's the code that I took from password.js to do hashing:
passwordSHA512 = crypto.createHash('sha512').update(passwordSHA512).digest('hex');
console.log(passwordSHA512); // 4ffcc3cce9a56025aa0126c2fe7ec247e8a6e5ee6fdd5e854bb3761b66e5c5c4909189ad054e44a473cc29fd461fccf1965aebe5b17dfbaac9b994112c5a33a3
const salt = bcrypt.genSaltSync(12);
const hash = bcrypt.hashSync(passwordSHA512, salt);
console.log(salt); // $2a$12$ZDFzbDOVrZSZ.L.RFWQiqe
console.log(hash); // $2a$12$ZDFzbDOVrZSZ.L.RFWQiqej/ed5M6b/C06Hz/mRCuOd1fMVpzVF/.
So it's used in completely the same way as in password.js, but what I finally get is some other hash string, which is not the same as hash string generated by NodeBB which is saved in its database.
As I've previously said, the length of hash I get after SHA512 is applied looks suspicious to me, and it's 128 chars long hex value which I don't know how it's supposed to be supplied to bcrypt because of 72 chars limit. Probably that HEX value is somehow converted to shorter string? But if it's somehow automatic, it's supposed to work, but what I get is completely some other value than I need to get.
Just a little bit of help needed here:
src/user/password.js: return await Password.hash(nconf.get('bcrypt_rounds') || 12, password);
Means that if bcrypt_rounds is not found in nconf, 12 rounds is used?
Any help on where nconf configuration is stored?
@gotwf Well I don't exactly need to know the depths of such algorithms, what I need is just a little bit of information on how to successfully use functions that are involved here... think password.js have some crucial information, I see what libraries are used and what is most important, think that would be sufficient but I guess I'll have few more questions here most probably.
So I guess if I get something like this from online SHA512 generator: 4ffcc3cce9a56025aa0126c2fe7ec247e8a6e5ee6fdd5e854bb3761b66e5c5c4909189ad054e44a473cc29fd461fccf1965aebe5b17dfbaac9b994112c5a33a3
It looks like it can be converted to 64 (ascii?) characters...
But if I hash password using SHA512 (https://passwordsgenerator.net/sha512-hash-generator/), I get 128 characters, how then bcrypt hashes 128 chars when 73 is the limit?
Sorry this must sound like some crappy question But definitely I just can't wrap my head around it now, seems it's so simple but yet complicated.
Anyways, is salt somehow important when making checks if passwords match against database or not? In other words, how would I know what (random?) salt is generated when hash is made for the first time and written to database?
I see the number of rounds for bcrypt is custom, but where and how it is set?
Tried this also:
https://www.devglan.com/online-tools/bcrypt-hash-generator
Online Bcrypt Hashed Matcher can't match passwords no way.
Seems like I'm not getting how it all works here. First of all, bcrypt generates hashes according to salt, but where that salt is set? And how then someone is actually checked against database on login, client must know what is salt also, right?
I need to manually replicate login system of NodeBB on another site. I just want to use user database of NodeBB on some other site.
Are you sure it's that simple?
I'm importing users from .csv file over Write API and the passwords that are listed in .csv are getting encrypted and written into password property of User object, but when I encrypt the same password manually and compare with what is saved in database, it's not the same.
I think something more is happening there besides bcrypt. I used this site to check: https://bcrypt-generator.com/. Tried up to 17 rounds.
Since I want to use NodeBB database for authenticating users on the other site, I need to know what is the algorhythm. Thanks!
Looking for solutions for this problem I tried nodebb-plugin-session-sharing plugin, which is supposed to generate JWT token if I understand correctly, I didn't manage yet to generate it although I think I correctly configured it.
Anyways, what I see in the cookie storage is cookie named express.sid which itself seems that it's not JWT cookie, but of some other kind, what I would want to know is it possible to decode that cookie on different subdoman of the same site, what I have is forum.domain.com (where NodeBB is installed) and app.domain.com which is running Node.js application.
I need a simplest solution I can get, I don't want to mess with SSO systems like FusionAuth of Keycloak, I want to use NodeBB's user registration system.