Improvement: PHC string handling & verify fn

[malobre]

A nice DX improvement would be to provide verify and hash functions that handles PHC strings.

Here's a wrapper I currently use which only depends on the rfc4648 package for base64 (by far the best implementation I could find) :

PHC string handlers

```ts // This is free and unencumbered software released into the public domain. // // Anyone is free to copy, modify, publish, use, compile, sell, or // distribute this software, either in source code form or as a compiled // binary, for any purpose, commercial or non-commercial, and by any // means. // // In jurisdictions that recognize copyright laws, the author or authors // of this software dedicate any and all copyright interest in the // software to the public domain. We make this dedication for the benefit // of the public at large and to the detriment of our heirs and // successors. We intend this dedication to be an overt act of // relinquishment in perpetuity of all present and future rights to this // software under copyright law. // // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. // IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR // OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, // ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR // OTHER DEALINGS IN THE SOFTWARE. // // For more information, please refer to import { base64 } from "rfc4648"; import loadArgon2idWasm, { Argon2idParams } from "argon2id"; const argon2id = await loadArgon2idWasm(); export const hash = (params: Argon2idParams) => { const digest = argon2id(params); return "$".concat( [ "argon2id", `v=${0x13}`, [ `m=${params.memorySize}`, `t=${params.passes}`, `p=${params.parallelism}`, ].join(","), base64.stringify(params.salt, { pad: false }), base64.stringify(digest, { pad: false }), ].join("$"), ); }; // NOT CONSTANT-TIME ! export const verify = ( password: Uint8Array, phcString: string, secret?: Uint8Array, ) => { const [id, version, paramsString, saltB64, digestB64] = phcString .substring(1) .split("$", 5); if (id !== "argon2id") throw `unknown hashing function: ${id}`; if (version !== `v=${0x13}`) throw `unknown argon2id version: ${version}`; const params = Object.fromEntries( paramsString.split(",").map((param) => param.split("=", 2)), ); if (!("m" in params)) throw "missing `m` parameter"; if (!("t" in params)) throw "missing `t` parameter"; if (!("p" in params)) throw "missing `p` parameter"; const memorySize = Number.parseInt(params.m); const passes = Number.parseInt(params.t); const parallelism = Number.parseInt(params.p); const ad = "data" in params ? base64.parse(params.data, { loose: true }) : undefined; const salt = base64.parse(saltB64, { loose: true }); const digest = base64.parse(digestB64, { loose: true }); const expectedDigest = argon2id({ password, salt, secret, ad, memorySize, passes, parallelism, tagLength: digest.length, }); for (let i = 0; i < digest.length; i++) { if (digest[i] !== expectedDigest[i]) return false; } return true; }; export default { hash, verify, }; ```

By the way, thank you for this high quality package :)

[mitar]

Yes, PHC would be great to have to have interoperability with server-side code.