> You don't need to compare, just feed the resulting hash to AES and see if the output is any good.
You need to arrange to store the salt somewhere to take this (correct) approach to using a PBKDF. The nodeJS bcrypt implementation provides an all-in-one API which was used here, in which you let it handle salting and it "just works" by storing passwords in the style of Unix crypt - but without you understanding why. This probably results in fewer nodeJS apps where the passwords are stored as plaintext or something dumb, but it doesn't afford the understanding you'd need to get encryption keys the same each time a user runs the program.
My guess is that the author realised they didn't understand what was happening here, and so they ripped it out perhaps intending to reintroduce it later once they had other parts working to their satisfaction, and then they never did.
You are correct though that in the absence of a good PBKDF bad guys who get your encrypted password database can "just" brute force the master password relatively inexpensively and this makes the program unsafe for essentially all ordinary users.
You need to arrange to store the salt somewhere to take this (correct) approach to using a PBKDF. The nodeJS bcrypt implementation provides an all-in-one API which was used here, in which you let it handle salting and it "just works" by storing passwords in the style of Unix crypt - but without you understanding why. This probably results in fewer nodeJS apps where the passwords are stored as plaintext or something dumb, but it doesn't afford the understanding you'd need to get encryption keys the same each time a user runs the program.
My guess is that the author realised they didn't understand what was happening here, and so they ripped it out perhaps intending to reintroduce it later once they had other parts working to their satisfaction, and then they never did.
You are correct though that in the absence of a good PBKDF bad guys who get your encrypted password database can "just" brute force the master password relatively inexpensively and this makes the program unsafe for essentially all ordinary users.