bcrypt-ts
Optimized bcrypt written in typescript. Working in both Node.js and browser.
Heavily inspired by bcrypt.js.
Security considerations
Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the
iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with
increasing computation power. (see)
While bcrypt-ts is compatible to the C++ bcrypt binding, it is providing pure JavaScript and thus slower about 30%, effectively reducing the number of iterations that can be processed in an equal time span.
The maximum input length is 72 bytes (note that UTF8 encoded characters use up to 4 bytes) and the length of generated
hashes is 60 characters.
Highlights
- 0 dependencies, with ONLY 8KB Gzip size
- Written in typescript
- Provide tree-shakable ES module
Usage
Node.js
On Node.js, the inbuilt crypto module's randomBytes interface is used to obtain secure random numbers.
Browser
In the browser, bcrypt.js relies on Web Crypto API's getRandomValues interface to obtain secure random numbers. If no cryptographically secure source of randomness is available, the package will throw an error.
How to choose between them
-
If you are using this package in pure Node.js environment, then you will probably use the node bundle.
-
If you are using bundler like webpack and vite, then you will probably use the browser bundle.
-
If you meet any issues that a incorrect bundle is used, you can use bcrypt-ts/node
and bcrypt-ts/browser
to force the correct bundle.
Usage - Sync
To hash a password:
import { genSaltSync, hashSync } from "bcrypt-ts";
const salt = genSaltSync(10);
const hash = hashSync("B4c0//", salt);
To check a password:
import { compareSync } from "bcrypt-ts";
compareSync("B4c0//", hash);
compareSync("not_bacon", hash);
Auto-gen a salt and hash at the same time:
import { hashSync } from "bcrypt-ts";
const hash = hashSync("bacon", 8);
Usage - Async
To hash a password:
import { genSalt, hash } from "bcrypt-ts";
genSalt(10)
.then((salt) => hash("B4c0//", salt))
.then((hash) => {
});
To check a password:
import { compare } from "bcrypt-ts";
const hash = "xxxxxx";
compare("B4c0//", hash).then((result) => {
});
compare("not_bacon", hash).then((result) => {
});
Auto-gen a salt and hash:
import { hash } from "bcrypt-ts";
hash("bacon").then((hash) => {
});
Note: Under the hood, asynchronisation splits a crypto operation into small chunks. After the completion of a chunk, the execution of the next chunk is placed on the back of JS event loop queue, thus efficiently sharing the computational resources with the other operations in the queue.
API
export const compareSync: (content: string, hash: string) => boolean;
export const compare: (
content: string,
hash: string,
progressCallback?: ((percent: number) => void) | undefined,
) => Promise<boolean>;
export const hashSync: (
contentString: string,
salt?: string | number,
) => string;
export const hash: (
contentString: string,
salt: number | string,
progressCallback?: ((progress: number) => void) | undefined,
) => Promise<string>;
export const getRounds: (hash: string) => number;
export const getSalt: (hash: string) => string;
export const genSaltSync: (rounds?: number) => string;
export const genSalt: (rounds?: number) => Promise<string>;
License
New-BSD / MIT (see)