othman.suseno/calypso
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
calypso/backend/internal/auth/password.go
Warp Agent c962a223c6 start working on the frontend side
2025-12-24 19:53:45 +00:00

108 lines
2.5 KiB
Go
Raw Permalink Blame History

package auth
import (
"crypto/rand"
"crypto/subtle"
"encoding/base64"
"errors"
"fmt"
"strings"
"github.com/atlasos/calypso/internal/common/config"
"golang.org/x/crypto/argon2"
)
// HashPassword hashes a password using Argon2id
func HashPassword(password string, params config.Argon2Params) (string, error) {
// Generate a random salt
salt := make([]byte, params.SaltLength)
if _, err := rand.Read(salt); err != nil {
return "", fmt.Errorf("failed to generate salt: %w", err)
}
// Hash the password
hash := argon2.IDKey(
[]byte(password),
salt,
params.Iterations,
params.Memory,
params.Parallelism,
params.KeyLength,
)
// Encode the hash and salt in the standard format
// Format: $argon2id$v=<version>$m=<memory>,t=<iterations>,p=<parallelism>$<salt>$<hash>
b64Salt := base64.RawStdEncoding.EncodeToString(salt)
b64Hash := base64.RawStdEncoding.EncodeToString(hash)
encodedHash := fmt.Sprintf(
"$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s",
argon2.Version,
params.Memory,
params.Iterations,
params.Parallelism,
b64Salt,
b64Hash,
)
return encodedHash, nil
}
// VerifyPassword verifies a password against an Argon2id hash
func VerifyPassword(password, encodedHash string) (bool, error) {
// Parse the encoded hash
parts := strings.Split(encodedHash, "$")
if len(parts) != 6 {
return false, errors.New("invalid hash format")
}
if parts[1] != "argon2id" {
return false, errors.New("unsupported hash algorithm")
}
// Parse version
var version int
if _, err := fmt.Sscanf(parts[2], "v=%d", &version); err != nil {
return false, fmt.Errorf("failed to parse version: %w", err)
}
if version != argon2.Version {
return false, errors.New("incompatible version")
}
// Parse parameters
var memory, iterations uint32
var parallelism uint8
if _, err := fmt.Sscanf(parts[3], "m=%d,t=%d,p=%d", &memory, &iterations, &parallelism); err != nil {
return false, fmt.Errorf("failed to parse parameters: %w", err)
}
// Decode salt and hash
salt, err := base64.RawStdEncoding.DecodeString(parts[4])
if err != nil {
return false, fmt.Errorf("failed to decode salt: %w", err)
}
hash, err := base64.RawStdEncoding.DecodeString(parts[5])
if err != nil {
return false, fmt.Errorf("failed to decode hash: %w", err)
}
// Compute the hash of the provided password
otherHash := argon2.IDKey(
[]byte(password),
salt,
iterations,
memory,
parallelism,
uint32(len(hash)),
)
// Compare hashes using constant-time comparison
if subtle.ConstantTimeCompare(hash, otherHash) == 1 {
return true, nil
}
return false, nil
}
Reference in New Issue View Git Blame Copy Permalink