// This is free and unencumbered software released into the public domain.
//
// Anyone is free to copy, modify, publish, use, compile, sell, or
// distribute this software, either in source code form or as a compiled
// binary, for any purpose, commercial or non-commercial, and by any
// means.
//
// In jurisdictions that recognize copyright laws, the author or authors
// of this software dedicate any and all copyright interest in the
// software to the public domain. We make this dedication for the benefit
// of the public at large and to the detriment of our heirs and
// successors. We intend this dedication to be an overt act of
// relinquishment in perpetuity of all present and future rights to this
// software under copyright law.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
// IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
// OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
// ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
// OTHER DEALINGS IN THE SOFTWARE.
//
// For more information, please refer to <https://unlicense.org>
import { base64 } from "rfc4648";
import loadArgon2idWasm, { Argon2idParams } from "argon2id";
const argon2id = await loadArgon2idWasm();
export const hash = (params: Argon2idParams) => {
const digest = argon2id(params);
return "$".concat(
[
"argon2id",
`v=${0x13}`,
[
`m=${params.memorySize}`,
`t=${params.passes}`,
`p=${params.parallelism}`,
].join(","),
base64.stringify(params.salt, { pad: false }),
base64.stringify(digest, { pad: false }),
].join("$"),
);
};
// NOT CONSTANT-TIME !
export const verify = (
password: Uint8Array,
phcString: string,
secret?: Uint8Array,
) => {
const [id, version, paramsString, saltB64, digestB64] = phcString
.substring(1)
.split("$", 5);
if (id !== "argon2id") throw `unknown hashing function: ${id}`;
if (version !== `v=${0x13}`) throw `unknown argon2id version: ${version}`;
const params = Object.fromEntries(
paramsString.split(",").map((param) => param.split("=", 2)),
);
if (!("m" in params)) throw "missing `m` parameter";
if (!("t" in params)) throw "missing `t` parameter";
if (!("p" in params)) throw "missing `p` parameter";
const memorySize = Number.parseInt(params.m);
const passes = Number.parseInt(params.t);
const parallelism = Number.parseInt(params.p);
const ad =
"data" in params ? base64.parse(params.data, { loose: true }) : undefined;
const salt = base64.parse(saltB64, { loose: true });
const digest = base64.parse(digestB64, { loose: true });
const expectedDigest = argon2id({
password,
salt,
secret,
ad,
memorySize,
passes,
parallelism,
tagLength: digest.length,
});
for (let i = 0; i < digest.length; i++) {
if (digest[i] !== expectedDigest[i]) return false;
}
return true;
};
export default {
hash,
verify,
};
A nice DX improvement would be to provide
verifyandhashfunctions that handles PHC strings.Here's a wrapper I currently use which only depends on the
rfc4648package for base64 (by far the best implementation I could find) :PHC string handlers
By the way, thank you for this high quality package :)