edge/pkg/module/auth/http/passwd/argon2id/hasher.go

package argon2id

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"

	"forge.cadoles.com/arcad/edge/pkg/module/auth/http/passwd"
	"github.com/pkg/errors"
	"golang.org/x/crypto/argon2"
)

const (
	Algo passwd.Algo = "argon2id"
)

func init() {
	passwd.Register(Algo, &Hasher{})
}

var (
	ErrInvalidHash         = errors.New("invalid hash")
	ErrIncompatibleVersion = errors.New("incompatible version")
)

type params struct {
	memory      uint32
	iterations  uint32
	parallelism uint8
	saltLength  uint32
	keyLength   uint32
}

var defaultParams = params{
	memory:      64 * 1024,
	iterations:  3,
	parallelism: 2,
	saltLength:  16,
	keyLength:   32,
}

type Hasher struct{}

// Hash implements passwd.Hasher
func (*Hasher) Hash(plaintext string) (string, error) {
	salt, err := generateRandomBytes(defaultParams.saltLength)
	if err != nil {
		return "", errors.WithStack(err)
	}

	hash := argon2.IDKey([]byte(plaintext), salt, defaultParams.iterations, defaultParams.memory, defaultParams.parallelism, defaultParams.keyLength)

	// Base64 encode the salt and hashed password.
	b64Salt := base64.RawStdEncoding.EncodeToString(salt)
	b64Hash := base64.RawStdEncoding.EncodeToString(hash)

	// Return a string using the standard encoded hash representation.
	encodedHash := fmt.Sprintf("$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s", argon2.Version, defaultParams.memory, defaultParams.iterations, defaultParams.parallelism, b64Salt, b64Hash)

	return encodedHash, nil
}

// Match implements passwd.Hasher.
func (*Hasher) Match(plaintext string, hash string) (bool, error) {
	matches, err := comparePasswordAndHash(plaintext, hash)
	if err != nil {
		return false, errors.WithStack(err)
	}

	return matches, nil
}

var _ passwd.Hasher = &Hasher{}

func generateRandomBytes(n uint32) ([]byte, error) {
	buf := make([]byte, n)

	if _, err := rand.Read(buf); err != nil {
		return nil, errors.WithStack(err)
	}

	return buf, nil
}

func comparePasswordAndHash(password, encodedHash string) (match bool, err error) {
	p, salt, hash, err := decodeHash(encodedHash)
	if err != nil {
		return false, errors.WithStack(err)
	}

	otherHash := argon2.IDKey([]byte(password), salt, p.iterations, p.memory, p.parallelism, p.keyLength)

	if subtle.ConstantTimeCompare(hash, otherHash) == 1 {
		return true, nil
	}

	return false, nil
}

func decodeHash(encodedHash string) (p *params, salt, hash []byte, err error) {
	vals := strings.Split(encodedHash, "$")
	if len(vals) != 6 {
		return nil, nil, nil, ErrInvalidHash
	}

	var version int
	_, err = fmt.Sscanf(vals[2], "v=%d", &version)
	if err != nil {
		return nil, nil, nil, err
	}
	if version != argon2.Version {
		return nil, nil, nil, ErrIncompatibleVersion
	}

	p = &params{}
	_, err = fmt.Sscanf(vals[3], "m=%d,t=%d,p=%d", &p.memory, &p.iterations, &p.parallelism)
	if err != nil {
		return nil, nil, nil, err
	}

	salt, err = base64.RawStdEncoding.Strict().DecodeString(vals[4])
	if err != nil {
		return nil, nil, nil, err
	}
	p.saltLength = uint32(len(salt))

	hash, err = base64.RawStdEncoding.Strict().DecodeString(vals[5])
	if err != nil {
		return nil, nil, nil, err
	}
	p.keyLength = uint32(len(hash))

	return p, salt, hash, nil
}
feat: add basic local login handler in dev cli 2023-03-20 16:40:08 +01:00			`package argon2id`

			`import (`
			`"crypto/rand"`
			`"crypto/subtle"`
			`"encoding/base64"`
			`"fmt"`
			`"strings"`

			`"forge.cadoles.com/arcad/edge/pkg/module/auth/http/passwd"`
			`"github.com/pkg/errors"`
			`"golang.org/x/crypto/argon2"`
			`)`

			`const (`
			`Algo passwd.Algo = "argon2id"`
			`)`

			`func init() {`
			`passwd.Register(Algo, &Hasher{})`
			`}`

			`var (`
			`ErrInvalidHash = errors.New("invalid hash")`
			`ErrIncompatibleVersion = errors.New("incompatible version")`
			`)`

			`type params struct {`
			`memory uint32`
			`iterations uint32`
			`parallelism uint8`
			`saltLength uint32`
			`keyLength uint32`
			`}`

			`var defaultParams = params{`
			`memory: 64 * 1024,`
			`iterations: 3,`
			`parallelism: 2,`
			`saltLength: 16,`
			`keyLength: 32,`
			`}`

			`type Hasher struct{}`

			`// Hash implements passwd.Hasher`
			`func (*Hasher) Hash(plaintext string) (string, error) {`
			`salt, err := generateRandomBytes(defaultParams.saltLength)`
			`if err != nil {`
			`return "", errors.WithStack(err)`
			`}`

			`hash := argon2.IDKey([]byte(plaintext), salt, defaultParams.iterations, defaultParams.memory, defaultParams.parallelism, defaultParams.keyLength)`

			`// Base64 encode the salt and hashed password.`
			`b64Salt := base64.RawStdEncoding.EncodeToString(salt)`
			`b64Hash := base64.RawStdEncoding.EncodeToString(hash)`

			`// Return a string using the standard encoded hash representation.`
			`encodedHash := fmt.Sprintf("$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s", argon2.Version, defaultParams.memory, defaultParams.iterations, defaultParams.parallelism, b64Salt, b64Hash)`

			`return encodedHash, nil`
			`}`

			`// Match implements passwd.Hasher.`
			`func (*Hasher) Match(plaintext string, hash string) (bool, error) {`
			`matches, err := comparePasswordAndHash(plaintext, hash)`
			`if err != nil {`
			`return false, errors.WithStack(err)`
			`}`

			`return matches, nil`
			`}`

			`var _ passwd.Hasher = &Hasher{}`

			`func generateRandomBytes(n uint32) ([]byte, error) {`
			`buf := make([]byte, n)`

			`if _, err := rand.Read(buf); err != nil {`
			`return nil, errors.WithStack(err)`
			`}`

			`return buf, nil`
			`}`

			`func comparePasswordAndHash(password, encodedHash string) (match bool, err error) {`
			`p, salt, hash, err := decodeHash(encodedHash)`
			`if err != nil {`
			`return false, errors.WithStack(err)`
			`}`

			`otherHash := argon2.IDKey([]byte(password), salt, p.iterations, p.memory, p.parallelism, p.keyLength)`

			`if subtle.ConstantTimeCompare(hash, otherHash) == 1 {`
			`return true, nil`
			`}`

			`return false, nil`
			`}`

			`func decodeHash(encodedHash string) (p *params, salt, hash []byte, err error) {`
			`vals := strings.Split(encodedHash, "$")`
			`if len(vals) != 6 {`
			`return nil, nil, nil, ErrInvalidHash`
			`}`

			`var version int`
			`_, err = fmt.Sscanf(vals[2], "v=%d", &version)`
			`if err != nil {`
			`return nil, nil, nil, err`
			`}`
			`if version != argon2.Version {`
			`return nil, nil, nil, ErrIncompatibleVersion`
			`}`

			`p = &params{}`
			`_, err = fmt.Sscanf(vals[3], "m=%d,t=%d,p=%d", &p.memory, &p.iterations, &p.parallelism)`
			`if err != nil {`
			`return nil, nil, nil, err`
			`}`

			`salt, err = base64.RawStdEncoding.Strict().DecodeString(vals[4])`
			`if err != nil {`
			`return nil, nil, nil, err`
			`}`
			`p.saltLength = uint32(len(salt))`

			`hash, err = base64.RawStdEncoding.Strict().DecodeString(vals[5])`
			`if err != nil {`
			`return nil, nil, nil, err`
			`}`
			`p.keyLength = uint32(len(hash))`

			`return p, salt, hash, nil`
			`}`