npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

argon2-ffi

v2.0.0

Published

Node.js bindings for argon2 password hashing and proof-of-work algorithm

Downloads

644

Readme

argon2-ffi Build Status

Node.js bindings for argon2, the winner of the Password Hashing Competition (PHC), and the current recommendation for password storage by the Open Web Application Security Project (OWASP).

argon2-ffi supports NodeJS LTS releases and the current NodeJS release. Calling CPU-intensive tasks like password hashing and validation are performed asynchronously by dispatching the work to a separate thread pool using node-ffi, which in turn uses libuv, so your main application can continue to do other work while these tasks are executed. All asynchronous operations return Promises, with a type defined by any-promise.

Installation

npm install --save argon2-ffi

Usage

This module exports argon2i and argon2d. These are two variants of argon2 with different use-cases and tradeoffs. To find which one you should use, refer to the argon2 repo.

Hashing a password

const { argon2i } = require("argon2-ffi");
// const argon2d = require('argon2-ffi').argon2d; if you'd like to use argon2d
const crypto = require("crypto");
const util = require("util");

const getRandomBytes = util.promisify(crypto.randomBytes);

async function main() {
  const password = "password1"; // Can also be a Buffer
  const salt = await getRandomBytes(32);
  const hashedPassword = await argon2i.hash(password, salt);
  console.log(hashedPassword);
}

main();

In this example, crypto.randomBytes is used to generate a salt. This is the best practice as the salt is guaranteed to be cryptographically secure. However, you can of course use your own buffer.

.hash takes a few options, too! You can specify timeCost (default 3), memoryCost (default 4096), parallelism (default 1), and hashLength (default 32). Changing any of these parameters will have an effect on the output hash.

const { argon2i } = require("argon2-ffi");
const crypto = require("crypto");
const util = require("util");

const getRandomBytes = util.promisify(crypto.randomBytes);

async function main() {
  const password = Buffer.from("password1");
  const options = {
    timeCost: 4,
    memoryCost: 16384,
    parallelism: 2,
    hashLength: 64,
  };
  const salt = await getRandomBytes(32);
  const hashedPassword = await argon2i.hash(password, salt, options);
  console.log(hashedPassword);
}

main();

The result of running .hash is a string that encodes all of the options used to produce the hash, so to verify passwords later, this string is all you need, as we'll see in the next section.

Verifying a password

const { argon2i } = require("argon2-ffi");

async function main() {
  const encodedHash =
    "$argon2i$v=19$m=4096,t=3,p=1$c2FsdHlzYWx0$oG0js25z7kM30xSg9+nAKtU0hrPa0UnvRnqQRZXHCV8";
  const password = Buffer.from("password1");
  const isCorrect = await argon2i.verify(encodedHash, password);
  console.log(isCorrect ? "Correct password!" : "Incorrect password");
}

main();

Differences from node-argon2

argon2-ffi was originally written to address an issue with running node-argon2 in a web server. This was a non-starter for my own projects. By using node-ffi, argon2-ffi was able to circumvent the problems node-argon2 had with Promises. node-argon2 has since resolved this issue. argon2-ffi also returned Promises with any-promise, but this has since been implemented in node-argon2 as well. Today, the practical differences between the two libraries are only in the public APIs.

Contributing

To build:

git submodule init
git submodule update
node-gyp rebuild