Closed andreimilto closed 4 years ago
I also have the same issue. It is not an issue with the hash that is generated, because I was able to verify it using an online Argon2 hash generator & verifier
I agree with @MiltoA that is is a bug. The overload for Verify
should automatically determine the hash length based on the encoded hash.
Good catch. One line oversight fixed (plus 3 line unit test
If parameter
hashLength
has a value different from the default one (32
) when a password hash is computed, then subsequent verification of the password using this hash fails, e.g.:Here
isPasswordValid
contains the valuefalse
.The only workaround is to use an overload of
Verify
withconfig
parameter that allows specifying the length of the hash manually:Here
isPasswordValid
is set totrue
. This workaround is not always easy to use. For instance, it may be problematic to specify the hash length manually, if the hash is fetched from a DB column in which hashes of different lengths are stored.All in all, the described behavior looks like a bug to me. I think a user expects any overload of
Verify
method (even the one that allows specifying the hash length manually through theconfig
parameter) to determine the hash length automatically from the supplied modular hash-string, e.g.:$argon2id$v=19$m=65536,t=3,p=1$i7b+qK1wdFdRO4+d6d+EIQ$lftJwq/kAzpF2mUYlZ7/6Q
.lftJwq/kAzpF2mUYlZ7/6Q
.16
.