PBKDF2 hash generation using base64, not raw bytes for salt

[coldfire84]

I've been struggling with the use of passport-local-mongoose generated hashes in both EMQX4 and the mosquitto-go-auth plugin to enable MQTT login. You're thinking, what does this have to do with Passport Local Mongoose... right? :)

Having reviewed the code, and tracked the pbkdf2 hash generation, I can see that the 'setPassword' method converts generated salt bytes to base64/ hex (as per options.ecoding), saves this to MongoDB (desirable) but then uses the base64/ hex encoded salt against the pbkdf2 library (not desirable).

The issue here, from what I can tell, is that the pbkdf2 library expects salt in raw bytes format. If salt is not raw bytes the library will generate raw bytes, but using the default encoding which is defined within the module itself as either utf-8 or binary. Irrespective of utf-8 or binary formats, this creates a hash that is only usable within the confines of the application itself, where the hash generation and comparison uses the same process.

I'm unsure whether this is intentional behavior. If not, and accepting remedying this would be a breaking change, I wonder if a potential solution would be to create an option that is along the lines of 'useRawSalt : true/ false (with false the default, to ensure no impact for existing users)' that would then send/ use raw bytes instead of base64/ hex salt for pbkdf2 hash generation.

An example here of the difference in resulting hash: https://repl.it/repls/MeagerStandardDrivers

[coldfire84]

I'll put together a pull request with proposed changes.