71 lines
1.9 KiB
TypeScript
71 lines
1.9 KiB
TypeScript
// password.ts
|
|
//
|
|
// Password hashing using Node.js scrypt (no external dependencies).
|
|
// Format: $scrypt$N$r$p$salt$hash (all base64)
|
|
|
|
import {
|
|
randomBytes,
|
|
type ScryptOptions,
|
|
scrypt,
|
|
timingSafeEqual,
|
|
} from "node:crypto";
|
|
|
|
// Configuration
|
|
const SALT_LENGTH = 32;
|
|
const KEY_LENGTH = 64;
|
|
const SCRYPT_PARAMS: ScryptOptions = {
|
|
N: 16384, // CPU/memory cost parameter (2^14)
|
|
r: 8, // Block size
|
|
p: 1, // Parallelization
|
|
};
|
|
|
|
// Promisified scrypt with options support
|
|
function scryptAsync(
|
|
password: string,
|
|
salt: Buffer,
|
|
keylen: number,
|
|
options: ScryptOptions,
|
|
): Promise<Buffer> {
|
|
return new Promise((resolve, reject) => {
|
|
scrypt(password, salt, keylen, options, (err, derivedKey) => {
|
|
if (err) {
|
|
reject(err);
|
|
} else {
|
|
resolve(derivedKey);
|
|
}
|
|
});
|
|
});
|
|
}
|
|
|
|
async function hashPassword(password: string): Promise<string> {
|
|
const salt = randomBytes(SALT_LENGTH);
|
|
const hash = await scryptAsync(password, salt, KEY_LENGTH, SCRYPT_PARAMS);
|
|
|
|
const { N, r, p } = SCRYPT_PARAMS;
|
|
return `$scrypt$${N}$${r}$${p}$${salt.toString("base64")}$${hash.toString("base64")}`;
|
|
}
|
|
|
|
async function verifyPassword(
|
|
password: string,
|
|
stored: string,
|
|
): Promise<boolean> {
|
|
const parts = stored.split("$");
|
|
if (parts[1] !== "scrypt" || parts.length !== 7) {
|
|
throw new Error("Invalid password hash format");
|
|
}
|
|
|
|
const [, , nStr, rStr, pStr, saltB64, hashB64] = parts;
|
|
const salt = Buffer.from(saltB64, "base64");
|
|
const storedHash = Buffer.from(hashB64, "base64");
|
|
|
|
const computedHash = await scryptAsync(password, salt, storedHash.length, {
|
|
N: parseInt(nStr, 10),
|
|
r: parseInt(rStr, 10),
|
|
p: parseInt(pStr, 10),
|
|
});
|
|
|
|
return timingSafeEqual(storedHash, computedHash);
|
|
}
|
|
|
|
export { hashPassword, verifyPassword };
|