import { randomBytes, pbkdf2Sync, randomInt } from "node:crypto";

// Settings (tune as needed)
const ITERATIONS = 100_000; // Slow enough to deter brute force
const KEYLEN = 64; // 512-bit hash
const DIGEST = "sha512";

/**
 * Generate a hash from a plaintext password.
 * @param {String} password
 * @returns String
 */
export function hash(password) {
    const salt = randomBytes(16).toString("hex"); // 128-bit salt
    const hash = pbkdf2Sync(
        password,
        salt,
        ITERATIONS,
        KEYLEN,
        DIGEST,
    ).toString("hex");
    return `${ITERATIONS}:${salt}:${hash}`;
}

/**
 * Verify that a password is correct against a given hash.
 *
 * @param {String} password
 * @param {String} hashed_password
 * @returns Boolean
 */
export function verify(password, hashed_password) {
    const [iterations, salt, hash] = hashed_password.split(":");
    const derived = pbkdf2Sync(
        password,
        salt,
        Number(iterations),
        KEYLEN,
        DIGEST,
    ).toString("hex");
    return hash === derived;
}