Giters

jdconley / node-argon2

Node.js bindings for Argon2 hashing algorithm

Home Page:https://www.npmjs.com/package/argon2

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

node-argon2

NPM package Coverage status Code Quality Dependencies Codewake

  • Linux: Linux build status
  • Windows: Windows build status

Bindings to the reference Argon2 implementation.

Want to use it on command line? Instead check node-argon2-cli.

Usage

It's possible to hash a password using both Argon2i (default) and Argon2d, sync and async, and to verify if a password matches a hash, and also generate random cryptographically-safe salts. Salts must be at least 8-byte long buffers.

To hash a password:

const argon2 = require('argon2');
const salt = new Buffer('somesalt');

argon2.hash('password', salt).then(hash => {
  // ...
}).catch(err => {
  // ...
});

// ES7

try {
  const hash = await argon2.hash('password', salt);
} catch (err) {
  //...
}

You can choose between Argon2i and Argon2d by passing an object as the third argument with the argon2d key set to whether or not you want Argon2d:

argon2.hash('password', salt, {
  argon2d: true
}.then(hash => {
  // ...
}).catch(err => {
  // internal failure
});

// ES7

try {
  const hash = await argon2.hash('password', salt, {
    argon2d: true
  });
} catch (err) {
  // internal failure
}

The argon2d option is flexible and accepts any truthy or falsy values.

You can provide your own salt as the second parameter. It is highly recommended to use the salt generating methods instead of a hardcoded, constant salt:

argon2.generateSalt().then(salt => {
  // ...
});

// ES7

const salt = await argon2.generateSalt();

You can also pass a desired salt length as parameter. Although the default of 16 is enough and very safe, Argon2 will use all salt bytes.

argon2.generateSalt(32).then(salt => {
  // ...
});

// ES7

const salt = await argon2.generateSalt(32);

You can change the Promise with any-promise. Try using Bluebird or Q for enhanced functionality.

You can also modify time, memory and parallelism constraints passing the object as the third parameter, with keys timeCost, memoryCost and parallelism, respectively defaulted to 3, 12 (meaning 2^12 KB) and 1 (threads):

const options = {
  timeCost: 4, memoryCost: 13, parallelism: 2, argon2d: true
};

argon2.generateSalt().then(salt => {
  argon2.hash('password', salt, options).then(hash => {
    // ...
  });
});

// ES7

const hash = await argon2.hash('password', await argon2.generateSalt(), options);

The default parameters for Argon2 can be accessed with defaults:

console.log(argon2.defaults);
// => { timeCost: 3, memoryCost: 12, parallelism: 1, argon2d: false }

To verify a password:

argon2.verify('<big long hash>', 'password').then(match => {
  if (match) {
    // password match
  } else {
    // password did not match
  }
}).catch(err => {
  // internal failure
});

// ES7

try {
  if (await argon2.verify('<big long hash>', 'password')) {
    // password match
  } else {
    // password did not match
  }
} catch (err) {
  // internal failure
}

First parameter must have been generated by an Argon2 encoded hashing method, not raw.

When you hit an internal failure, the message is properly set. If it is not or you do not understand it, feel free to open an issue.

Differences from node-argon2-ffi

This library is implemented natively, meaning it is an extension to the node engine. Thus, half of the code are C++ bindings, the other half are Javascript functions. node-argon2-ffi uses ffi, a mechanism to call functions from one language in another, and handles the type bindings (e.g. JS Number -> C++ int).

The interface of both are very similar, notably node-argon2-ffi splits the argon2i and argon2d function set, but the differences stop there. Also, while node-argon2-ffi suggests you promisify crypto.randomBytes, this library has generateSalt which is exactly the same.

Performance-wise, the libraries are equal. You can run the same benchmark suite if you are curious, but both can perform around 130 hashes/second on an Intel Core i5-4460 @ 3.2GHz with default options.

Before installing

You MUST have a node-gyp global install before proceeding with install, along with GCC >= 4.8 / Clang >= 3.3. On Windows, you must compile under Visual Studio 2015 or newer.

node-argon2 works only and is tested against Node >=4.0.0.

OSX

To install GCC >= 4.8 on OSX, use homebrew:

$ brew install gcc

Once you've got GCC installed and ready to run, you then need to install node-gyp, you must do this globally:

$ npm install -g node-gyp

Finally, once node-gyp is installed and ready to go, you can install this library, specifying the GCC or Clang binary to use:

$ CXX=g++-6 npm install argon2

NOTE: If your GCC or Clang binary is named something different than g++-6, you'll need to specify that in the command.

License

Work licensed under the MIT License. Please check [P-H-C/phc-winner-argon2] (https://github.com/P-H-C/phc-winner-argon2) for license over Argon2 and the reference implementation.

About

Node.js bindings for Argon2 hashing algorithm

https://www.npmjs.com/package/argon2

License:MIT License

Languages

Language:JavaScript 52.7%Language:C++ 47.3%