UNPKG

pbkdf2-password-hash

Version:

hash password with pbkdf2

github.com/commenthol/pbkdf2-password-hash

commenthol/pbkdf2-password-hash

74 lines (65 loc) 2.32 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
import crypto from 'crypto' import { promisify } from 'util' import timingSafeEqual from 'compare-timing-safe' const pbkdf2 = promisify(crypto.pbkdf2) const randomBytes = promisify(crypto.randomBytes) const SEP = '$' const OPTIONS = { iterations: 120000, // ~ 10hashes/sec @ 2GHz keylen: 64, // 512 bits digest: 'sha512', saltlen: 64 } /** * Generate a new password hash for `password` using PBKDF2 * Safety is obtained by large number of iterations and large key length for PBKDF2 * @param {String} password * @param {String} [salt] - optional salt * @param {Object} [opts] * @param {Number} [opts.iterations=120000] - PBKDF2 number of iterations (~10 hashes/sec @ 2GHz) * @param {String} [opts.digest=sha512] - PBKDF2 digest * @param {Number} [opts.keylen=64] - PBKDF2 key length * @param {Number} [opts.saltlen=64] - salt length in case `salt` is not defined * @return {Promise} hashed password in `<digest>$<iterations>$<keylen>$<salt>$<hash>` notation */ function hash (password, salt, opts) { if (typeof salt === 'object') { opts = salt salt = undefined } const _opts = Object.assign({}, OPTIONS, opts) const { digest, iterations, keylen } = _opts let promise if (!salt) { promise = randomBytes(_opts.saltlen) } else { promise = new Promise((resolve) => resolve(Buffer.from(salt || '', 'base64'))) } return promise .then((saltBuf) => { salt = saltBuf.toString('base64') return pbkdf2(String(password), saltBuf, iterations, keylen, digest) }) .then((buf) => { const hash = buf.toString('base64') const str = [digest, iterations, keylen, salt, hash].join(SEP) return str }) } /** * validate `password` against `passwordHash` * @param {String} password - plain-text password * @param {String} passwordHash - hashed password * @return {Promise} true if hash matches password */ function compare (password, passwordHash) { const [digest, _iterations, _keylen, salt] = passwordHash.split(SEP) // eslint-disable-line no-unused-vars const iterations = parseInt(_iterations, 10) const keylen = parseInt(_keylen, 10) return hash(password, salt, { digest, iterations, keylen }) .then((hash) => timingSafeEqual(hash, passwordHash) ) } export const passwordHash = { hash, compare } export default passwordHash