php-passwd
v1.0.0
Published
A node compatibility layer to verify and hash php compatible password hashes
Downloads
1
Maintainers
Readme
php-passwd
Verify password hashed generated in PHP, and hash passwords in the same format.
Designed to be future proof for new hashing algorithms.
php-passwd
is a solution for every kind of webapp which has a user database with passwords hashed with PHP's password_hash. Instead of starting from scratch, just use this package to get compatibility with PHP.
Installation
yarn add php-passwd
Usage
import php_password from 'php-passwd';
const hash = php_password.hash('password123');
// php_password.hash(password, [algorithm], [options]);
Output:
"$2y$10$8mNOnsos8qo4qHLcd32zrOg7gmyvfZ6/o9.2nsP/u6TRbrANdLREy"
If algorithm isn't defined, "PASSWORD_DEFAULT" will be used
If no options is supplied, a cryptographically secure salt will be generated with the minimum recommended cost value.
To verify a password against an existing hash in a database o.l:
import php_password from 'php-passwd';
const hash = "$2y$10$8mNOnsos8qo4qHLcd32zrOg7gmyvfZ6/o9.2nsP/u6TRbrANdLREy";
if (php_password.verify('password123', hash)){
// Authentication OK
} else {
// Authentication FAILED
}
Options
import php_password from 'php-passwd';
/*
* Valid algorithms are "PASSWORD_DEFAULT", and "PASSWORD_BCRYPT"
* "PASSWORD_DEFAULT" is just an alias to "PASSWORD_BCRYPT", to be more
* compatible with PHP
*/
const hash = php_password.hash('password123', 'PASSWORD_DEFAULT', {
cost: 10,
salt: 'qwertyuiopasdfghjklzxc'
});
Output:
"$2y$10$qwertyuiopasdfghjklzxO3U1f6PD/l04UrnxUgya51pjyLtkGNQi"
WARNING It is not recommended to generate a salt manually. The default salt that is generated is a tested, and proven cryptographically secure value. Use this option with care. The cost value should be set to a value that makes the hashing take at least 50ms.
Check if password needs rehash
If you have a mix of passwords hashed with different algorithms (md5, sha256, etc...), or with a different cost value, you can check if they comply with your password policy by checking if they need a rehash. If they do, you can prompt your user to update their password.
import php_password from 'php-passwd';
const user_password = 'password123';
const hash = php_password.hash(user_password, 'PASSWORD_DEFAULT', { cost: 10 });
if (php_password.verify(user_password, hash){
if (php_password.needsRehash(hash, 'PASSWORD_DEFAULT', { cost: 11 }) {
// Password needs to be rehashed
hash = php_password.hash(user_password, 'PASSWORD_DEFAULT', { cost: 11 });
}
}