Argon2id password hashing + verification.
Kept tiny on purpose — no in-memory store, no plugin glue. Password
hashes live on the application’s own entity (conventionally a
passwordHash column on User), so persistence is the same story
as every other row. Router endpoints under /api/auth/password/*
call these helpers to mint the hash + verify at login.
Functions
- dummy_hash - A PHC-format hash of a throwaway string — used to equalize response timing when a login is attempted with an email that isn’t registered. Without this, known-email + wrong-password takes ~50ms (Argon2) and unknown-email takes <1ms, letting an attacker enumerate the user set by response time alone.
- hash_password - Hash a password using Argon2id with a random salt. Returns a PHC-format string carrying the algorithm, params, salt, and hash.
- verify_password - Verify a password against an Argon2 PHC-format hash. Constant-time comparison is handled internally by Argon2’s verify_password.
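The following is an added example, not the module's own code, showing how a login handler wires the three helpers together so that a request for an unregistered email does the same KDF work as one for a registered email, and why the result must still be rejected even if someone guesses the dummy password. To run with only the standard library it uses a constructed stand-in KDF (iterated FNV-1a) behind the same `hash_password` / `verify_password` / `dummy_hash` names and a PHC-shaped string; that stand-in is not a password hash, and in the real module these functions wrap Argon2id from the `argon2` crate with a salt drawn from the OS RNG. The `Users` table, the `Login` enum, the per-user salts and the `verify_calls` counter are all assumptions made for this illustration.

```rust
// Added example (not the module's own code): enumeration-resistant login flow.
// The KDF below is a constructed stand-in (iterated FNV-1a) so the block runs
// with only the standard library. It is NOT a password hash; the real module
// uses Argon2id via the argon2 crate, with a random salt from the OS RNG.
use std::cell::Cell;
use std::collections::HashMap;

/// Iteration count of the stand-in KDF (constructed value, not an Argon2 param).
const STAND_IN_ITERS: u32 = 20_000;

/// Stand-in key stretching over salt || password, mixing in the round counter.
fn stretch(password: &str, salt: &str, iters: u32) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for round in 0..iters {
        for b in salt.bytes().chain(password.bytes()) {
            h ^= b as u64;
            h = h.wrapping_mul(0x0100_0000_01b3);
        }
        h ^= round as u64;
        h = h.wrapping_mul(0x0100_0000_01b3);
    }
    h
}

/// PHC-shaped string "$toy$i=<iters>$<salt>$<hex>", mirroring Argon2's
/// "$argon2id$v=19$m=..,t=..,p=..$<salt>$<hash>": algorithm, params, salt and
/// digest travel together, so verification needs nothing but the string.
fn hash_password(password: &str, salt: &str) -> String {
    format!("$toy$i={}${}${:016x}", STAND_IN_ITERS, salt, stretch(password, salt, STAND_IN_ITERS))
}

/// Parse the string, recompute with the embedded params and salt, and compare
/// digests without an early exit (Argon2's verify_password does this for us).
fn verify_password(password: &str, phc: &str) -> bool {
    let parts: Vec<&str> = phc.split('$').collect(); // ["", alg, params, salt, hash]
    if parts.len() != 5 || parts[1] != "toy" {
        return false; // unknown algorithm or malformed string: reject, never panic
    }
    let iters = match parts[2].strip_prefix("i=").and_then(|s| s.parse::<u32>().ok()) {
        Some(n) => n,
        None => return false,
    };
    let expected = match u64::from_str_radix(parts[4], 16) {
        Ok(v) => v,
        Err(_) => return false,
    };
    let actual = stretch(password, parts[3], iters);
    let mut diff = 0u8;
    for (a, b) in actual.to_be_bytes().iter().zip(expected.to_be_bytes().iter()) {
        diff |= a ^ b;
    }
    diff == 0
}

/// Hash of a throwaway string; verified against whenever the email is unknown.
fn dummy_hash() -> String {
    hash_password("dummy-password-never-accepted", "dummysalt")
}

#[derive(Debug, PartialEq)]
enum Login {
    Ok,
    Rejected, // one opaque outcome for wrong password AND unknown email
}

/// Stand-in for the application's User table (email -> passwordHash column).
struct Users {
    hashes: HashMap<String, String>,
    dummy: String,           // computed once at startup, not per request
    verify_calls: Cell<u32>, // instrumentation: shows both paths run the KDF
}

impl Users {
    fn new(accounts: &[(&str, &str)]) -> Self {
        let hashes = accounts.iter().enumerate()
            .map(|(i, &(email, pw))| (email.to_string(), hash_password(pw, &format!("salt{}", i))))
            .collect(); // per-user salt is constructed here; real code draws it from OsRng
        Users { hashes, dummy: dummy_hash(), verify_calls: Cell::new(0) }
    }

    fn login(&self, email: &str, password: &str) -> Login {
        // Unknown email: verify against the dummy hash so the KDF still runs.
        let (stored, exists) = match self.hashes.get(email) {
            Some(h) => (h.as_str(), true),
            None => (self.dummy.as_str(), false),
        };
        self.verify_calls.set(self.verify_calls.get() + 1);
        let ok = verify_password(password, stored);
        // `exists` keeps the dummy account unreachable even if its password is guessed.
        if exists && ok { Login::Ok } else { Login::Rejected }
    }
}

fn main() {
    let users = Users::new(&[("alice@example.com", "correct horse")]);
    println!("{:?}", users.login("alice@example.com", "correct horse"));
    println!("{:?}", users.login("nobody@example.com", "anything"));
}
```

The two details worth carrying over to the real handler are that the dummy hash is computed once and reused (so the unknown-email path costs one verification, the same as the known-email path, rather than a hash plus a verification), and that the `exists` flag is checked alongside the verification result so a guessed dummy password can never log anyone in.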