Comparing version
'use strict' | ||
const { randomBytes } = require('crypto') | ||
const { randomBytes, timingSafeEqual } = require('crypto') | ||
const { promisify } = require('util') | ||
@@ -69,5 +69,5 @@ const bindings = require('bindings')('argon2') | ||
}) | ||
return expected.equals(hash) | ||
return timingSafeEqual(expected, hash) | ||
} | ||
module.exports = { defaults, limits, hash, needsRehash, verify, ...types } |
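Review bot: `return timingSafeEqual(expected, hash)` changes the failure mode of `verify` as well as its timing: `crypto.timingSafeEqual` throws when the two buffers differ in byte length, whereas `expected.equals(hash)` returned `false`. The code that produces `hash` is outside this hunk, so please confirm it is always computed with the same length as `expected`; otherwise add a length check first so a mismatched digest resolves to `false` instead of rejecting. A test that verifies against an encoded hash with a non-default hash length would cover this.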
{ | ||
"name": "argon2", | ||
"version": "0.20.0", | ||
"version": "0.20.1", | ||
"description": "An Argon2 library for Node", | ||
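Review bot: The bump to `"version": "0.20.1"` is patch-level, but the same change set raises the documented Node floor from >=4.0.0 to >=8.0.0 in README.md and starts depending on `crypto.timingSafeEqual` in argon2.js. No `engines` change is visible in this hunk; if the field is not already at >=8.0.0, update it here so npm warns on unsupported runtimes, and consider whether dropping runtimes warrants more than a patch release.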
@@ -5,0 +5,0 @@ "main": "argon2.js", |
README.md
@@ -15,4 +15,4 @@ # node-argon2 | ||
### Usage | ||
It's possible to hash a password using both Argon2i (default) Argon2d and Argon2id, sync | ||
and async, and to verify if a password matches a hash. | ||
It's possible to hash using either Argon2i (default), Argon2d and Argon2id, and | ||
verify if a password matches a hash. | ||
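Review bot: The new sentence reads "either Argon2i (default), Argon2d and Argon2id", which pairs "either" with three items joined by "and"; suggest "any of Argon2i (default), Argon2d or Argon2id". It also drops "a password" after "hash" and the earlier "sync and async" wording; if a synchronous API was removed, say so explicitly rather than only deleting the mention.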
@@ -23,10 +23,2 @@ To hash a password: | ||
argon2.hash('password').then(hash => { | ||
// ... | ||
}).catch(err => { | ||
// ... | ||
}); | ||
// ES7 or TypeScript | ||
try { | ||
@@ -38,88 +30,9 @@ const hash = await argon2.hash("password"); | ||
``` | ||
You can choose between Argon2i, Argon2d and Argon2id by passing an object as the third | ||
argument with the `type` key set to which type you want to use: | ||
```js | ||
argon2.hash('password', { | ||
type: argon2.argon2d | ||
}).then(hash => { | ||
// ... | ||
}).catch(err => { | ||
// internal failure | ||
}); | ||
// ES7 or TypeScript | ||
To see how you can modify the output (hash length, encoding) and parameters | ||
(time cost, memory cost and parallelism), | ||
[read the wiki](https://github.com/ranisalt/node-argon2/wiki/Options) | ||
try { | ||
const hash = await argon2.hash('password', { | ||
type: argon2.argon2d | ||
}); | ||
} catch (err) { | ||
// internal failure | ||
} | ||
``` | ||
The `type` option is flexible and accepts 0, 1 or 2 for Argon2d, Argon2i and Argon2id respectively. | ||
You can also get the hash as a raw Node Buffer by passing 'true' to the 'raw' option: | ||
```js | ||
argon2.hash('password', { | ||
raw: true | ||
}).then(hash => { | ||
// ... hash is a Buffer | ||
}).catch(err => { | ||
// internal failure | ||
}); | ||
// ES7 or TypeScript | ||
try { | ||
const hash = await argon2.hash('password', { | ||
raw: true | ||
}); | ||
} catch (err) { | ||
// internal failure | ||
} | ||
``` | ||
You can change the Promise with | ||
[any-promise](https://www.npmjs.com/package/any-promise). Try using Bluebird or | ||
Q for enhanced functionality. | ||
You can also modify time, memory and parallelism constraints passing the object | ||
as the third parameter, with keys `timeCost`, `memoryCost` and `parallelism`, | ||
respectively defaulted to 3, 4096 (KiB) and 1 (threads): | ||
```js | ||
const options = { | ||
timeCost: 4, memoryCost: 2 ** 13, parallelism: 2, type: argon2.argon2d | ||
}; | ||
argon2.hash('password', options).then(hash => { | ||
// ... | ||
}); | ||
// ES7 or TypeScript | ||
const hash = await argon2.hash("password", options); | ||
``` | ||
The default parameters for Argon2 can be accessed with `defaults`: | ||
```js | ||
console.log(argon2.defaults); | ||
// => { timeCost: 3, memoryCost: 4096, parallelism: 1, type: argon2.argon2i } | ||
``` | ||
To verify a password: | ||
```js | ||
argon2.verify('<big long hash>', 'password').then(match => { | ||
if (match) { | ||
// password match | ||
} else { | ||
// password did not match | ||
} | ||
}).catch(err => { | ||
// internal failure | ||
}); | ||
// ES7 or TypeScript | ||
try { | ||
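Review bot: The cost parameters and their defaults (`timeCost` 3, `memoryCost` 4096 KiB, `parallelism` 1) are security-relevant and should stay documented in the README, which is versioned with the package; the replacement link to the wiki is not tied to a release, so a reader cannot tell which defaults apply to the version they installed. Suggest keeping at least the `argon2.defaults` snippet and the units here and linking to the wiki for the remaining options.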
@@ -135,8 +48,3 @@ if (await argon2.verify("<big long hash>", "password")) { | ||
``` | ||
First parameter must have been generated by an Argon2 encoded hashing method, | ||
not raw. | ||
When you hit an internal failure, the message is properly set. If it is not or | ||
you do not understand it, feel free to open an issue. | ||
### TypeScript Usage | ||
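Review bot: The removed sentence "First parameter must have been generated by an Argon2 encoded hashing method, not raw." was the only statement in the README that `verify` needs the encoded hash string. If the `raw` option is still supported, keep this caveat next to the verify example, since passing raw output to `verify` is an easy mistake that the page no longer warns about.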
@@ -181,4 +89,5 @@ A TypeScript type declaration file is published with this module. If you are | ||
The interface of both are very similar, notably node-argon2-ffi splits the | ||
argon2i and argon2d function set, but this module also has the argon2id option. Also, while | ||
node-argon2-ffi suggests you promisify `crypto.randomBytes, this library does that internally. | ||
argon2i and argon2d function set, but this module also has the argon2id option. | ||
Also, while node-argon2-ffi suggests you promisify `crypto.randomBytes`, this | ||
library does that internally. | ||
@@ -194,6 +103,5 @@ Performance-wise, the libraries are equal. You can run the same benchmark suite | ||
**node-argon2** works only and is tested against Node >=4.0.0. | ||
**node-argon2** works only and is tested against Node >=8.0.0. | ||
#### OSX | ||
To install GCC >= 4.8 on OSX, use [homebrew](http://brew.sh/): | ||
@@ -200,0 +108,0 @@ ```console |
Sorry, the diff of this file is not supported yet
Major refactor
Supply chain risk
Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package