Built-in password hashing function [auth project]

[thangngoc89]

I believe that a good first step in an authentication system would be having secure password hashing function according to latest security recommendation. I've spent several hours making one for my Dream server so I want to share it here for feedbacks:

The interface looks like this:

type error;

type params = {
  time_cost: int,
  memory_cost_kiB: int,
  parallelism: int,
  hash_len: int,
  salt_len: int,
};

let recommend_params: params;
let minimum_params: params;

let hash: (~params: params=?, string) => result(string, error);
let verify: (~hash: string, ~password: string) => result(bool, error);

let error_to_string: error => string;

Here is this gist for full implementation

By default calling hash with a string would use recommend_params .

[aantron]

Thanks! I will give this a thorough look as we address the auth gap. We need this or something like it for simple password authentication (as opposed to social login or TOTP).

[aantron]

This issue or work related to it is also a good opportunity to make sure argon2 can be linked properly in all environments and on all systems. The comment is based on the difficulties linking with it observed on Discord. libargon2 should probably be vendored as done with libuv in Luv, if at all possible.

[thangngoc89]

I have made an esy-argon2 package here https://github.com/thangngoc89/esy-argon2 . You can install it in any esy project to get libargon2 without messing up with your OS package manager. Though I didn’t test this on Windows so I might now work

[thangngoc89]

Update: libsodium provides pwhash* functions that uses argon2 under the hood.

ocaml-sodium exposes it but iirc, it’s only argon2i , works need to be done to expose argon2d and argon2id