UNPKG

hashy

Version:

Hash passwords the right way (Argon2 & bcrypt support)

github.com/JsCommunity/hashy

JsCommunity/hashy

185 lines (133 loc) 5.35 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
# Hashy [![Node compatibility](https://badgen.net/npm/node/hashy)](https://npmjs.org/package/hashy) [![License](https://badgen.net/npm/license/hashy)](https://npmjs.org/package/hashy) [![PackagePhobia](https://badgen.net/packagephobia/install/hashy)](https://packagephobia.now.sh/result?p=hashy) [![Package Version](https://badgen.net/npm/v/hashy)](https://npmjs.org/package/hashy) [![Build Status](https://travis-ci.org/JsCommunity/hashy.png?branch=master)](https://travis-ci.org/JsCommunity/hashy) [![Latest Commit](https://badgen.net/github/last-commit/JsCommunity/hashy)](https://github.com/JsCommunity/hashy/commits/master) > Hash passwords the right way (Argon2 & bcrypt support) Hashy is small [Node.js](http://nodejs.org/) library which aims to do passwords hashing _[the correct way](https://wiki.php.net/rfc/password_hash)_. It has been heavily inspired by the new [PHP password hashing API](http://www.php.net/manual/en/book.password.php) but, following the Node.js philosophy, hashing is done asynchronously. Furthermore, to make the interfaces as easy to use as possible, async functions can either be used with callbacks or they return [promises](https://en.wikipedia.org/wiki/Promise_%28programming%29) which will make them super easy to work with [async functions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/async_function)! Supported algorithms: - [Argon2](https://en.wikipedia.org/wiki/Argon2) - [bcrypt](https://en.wikipedia.org/wiki/Bcrypt) ## Why a new library? The other ones I found were too complicated and/or were missing important features. The main missing feature is the `needRehash()` function: cryptography is a fast-moving science and algorithms can quickly become obsolete or their parameters needs to be adjusted to compensate the performance increase of recent computers (e.g. [bcrypt cost factor](http://phpmaster.com/why-you-should-use-bcrypt-to-hash-stored-passwords/)). This is exactly what this function is for: checking whether a hash uses the correct algorithm (and options) to see if we need to compute a new hash for this password. ## Install Installation of the npm package: ``` > npm install --save hashy ``` Hashy requires promises support, for Node versions prior to 0.12 [see this page](https://github.com/JsCommunity/promise-toolbox#usage) to enable them. ## How to use it? First, you may take a look at examples: using [callbacks](https://github.com/JsCommunity/hashy/blob/master/examples/callbacks.js), [promises](https://github.com/JsCommunity/hashy/blob/master/examples/promises.js) or [async functions](https://github.com/JsCommunity/hashy/blob/master/examples/async.js) (requires Node >= 7.6). ### Creating a hash ```js hashy.hash(password, function (error, hash) { if (error) { return console.log(error); } console.log("generated hash: ", hash); }); ``` `hash()` handles additionaly two parameters which may be passed before the callback: 1. `algo`: which algorithm to use, it defaults to `'bcrypt'`; 2. `options`: additional options for the current algorithm, for bcrypt it defaults to `{cost: 10}.`. ### Checking a password against a hash ```js hashy.verify(password, hash, function (error, success) { if (error) { return console.error(err); } if (success) { console.log("you are now authenticated!"); } else { console.warn("invalid password!"); } }); ``` ### Getting information about a hash ```js const info = hashy.getInfo(hash); ``` ### Checking whether a hash is up to date As I said [earlier](#why-a-new-library), we must be able to check whether the hash is up to date, i.e. if it has been generated by the last algorithm available with the last set of options. ```js if (hashy.needsRehash(hash)) { // Rehash. } ``` It handles the optional `algo` and `options` parameters like [`hash()`](#creating-a-hash). ### Changing default options. The default options for a given algorithm is available at `hashy.options[>algo<]`. ```js // Sets the default cost for bcrypt to 12. hashy.options.bcrypt.cost = 12; ``` ## Using promises Same interface as above but without the callbacks! ```javascript // Hashing. hashy.hash(password).then(function (hash) { console.log('generated hash:' hash) }) // Checking. hashy.verify(password, hash).then(function (success) { if (success) { console.log('you are now authenticated!') } else { console.warn('invalid password!') } }) ``` As you can see, you don't even have to handle errors if you don't want to! ## Using async functions **Note:** only available since Node.js 7.6. Same interface as promises but much more similar to a synchronous code! ```javascript // Hashing. (async function () { const hash = await hashy.hash(password); console.log("generated hash:", hash); })()( // Checking. async function () { if (await hashy.verify(password, hash)) { console.log("you are now authenticated!"); } else { console.warn("invalid password!"); } }, )(); ``` ## Contributing Contributions are _very_ welcome, either on the documentation or on the code. You may: - report any [issue](https://github.com/JsCommunity/hashy/issues) you've encountered; - fork and create a pull request. ## License Hashy is released under the [MIT license](https://en.wikipedia.org/wiki/MIT_License).