stuff

server/utils/password.js

@@ -0,0 +1,30 @@
+import { randomBytes, pbkdf2Sync, randomInt } from 'node:crypto';
+
+// Settings (tune as needed)
+const ITERATIONS = 100_000; // Slow enough to deter brute force
+const KEYLEN = 64; // 512-bit hash
+const DIGEST = 'sha512';
+
+/**
+ * Generate a hash from a plaintext password.
+ * @param {String} password 
+ * @returns String
+ */
+export function hash(password) {
+  const salt = randomBytes(16).toString('hex'); // 128-bit salt
+  const hash = pbkdf2Sync(password, salt, ITERATIONS, KEYLEN, DIGEST).toString('hex');
+  return `${ITERATIONS}:${salt}:${hash}`;
+}
+
+/**
+ * Verify that a password is correct against a given hash.
+ * 
+ * @param {String} password 
+ * @param {String} hashed_password 
+ * @returns Boolean
+ */
+export function verify(password, hashed_password) {
+  const [iterations, salt, hash] = hashed_password.split(':');
+  const derived = pbkdf2Sync(password, salt, Number(iterations), KEYLEN, DIGEST).toString('hex');
+  return hash === derived;
+}