@se-oss/htpasswd 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Shahrad Elahi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,105 @@
+<h1 align="center">
+  <sup>@se-oss/htpasswd</sup>
+  <br>
+  <a href="https://github.com/shahradelahi/ts-htpasswd/actions/workflows/ci.yml"><img src="https://github.com/shahradelahi/ts-htpasswd/actions/workflows/ci.yml/badge.svg?branch=main&event=push" alt="CI"></a>
+  <a href="https://www.npmjs.com/package/@se-oss/htpasswd"><img src="https://img.shields.io/npm/v/@se-oss/htpasswd.svg" alt="NPM Version"></a>
+  <a href="/LICENSE"><img src="https://img.shields.io/badge/License-MIT-blue.svg?style=flat" alt="MIT License"></a>
+  <a href="https://bundlephobia.com/package/@se-oss/htpasswd"><img src="https://img.shields.io/bundlephobia/minzip/@se-oss/htpasswd" alt="npm bundle size"></a>
+  <a href="https://packagephobia.com/result?p=@se-oss/htpasswd"><img src="https://packagephobia.com/badge?p=@se-oss/htpasswd" alt="Install Size"></a>
+</h1>
+
+_@se-oss/htpasswd_ is a high-performance, modern TypeScript library for managing HTTP Basic Authentication password files with zero runtime dependencies on system binaries.
+
+---
+
+- [Installation](#-installation)
+- [Usage](#-usage)
+- [Documentation](#-documentation)
+- [Contributing](#-contributing)
+- [License](#license)
+
+## 📦 Installation
+
+```bash
+pnpm add @se-oss/htpasswd
+```
+
+<details>
+<summary>Install using your favorite package manager</summary>
+
+**npm**
+
+```bash
+npm install @se-oss/htpasswd
+```
+
+**yarn**
+
+```bash
+yarn add @se-oss/htpasswd
+```
+
+</details>
+
+## 📖 Usage
+
+### Core API
+
+The core API is environment agnostic and works in Edge runtimes, Browsers, and Node.js.
+
+```ts
+import { parse, verify } from '@se-oss/htpasswd';
+
+// Verify a password against a hash
+const isValid = verify('password', '$apr1$salt$H6otmod9v9.WAn1o6Jtyf.');
+
+// Parse htpasswd content
+const entries = parse('user1:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=');
+```
+
+### File System API
+
+Node.js specific utilities for direct file manipulation with atomic writes.
+
+```ts
+import { addUser, authenticate } from '@se-oss/htpasswd/fs';
+
+// Authenticate a user from a file
+const isValid = await authenticate('.htpasswd', 'username', 'password');
+
+// Add or update a user
+await addUser('.htpasswd', 'username', 'password', 'bcrypt');
+```
+
+### CLI Usage
+
+The package includes a CLI tool for managing `.htpasswd` files from the terminal.
+
+```bash
+# Create a new file with a bcrypt user
+pnpm dlx @se-oss/htpasswd -c .htpasswd username password
+
+# Add a user with MD5 (APR1) encryption
+pnpm dlx @se-oss/htpasswd -m .htpasswd user2 pass2
+```
+
+### Supported Algorithms
+
+- **Bcrypt:** Modern and secure (default).
+- **APR1:** Apache's MD5-based algorithm.
+- **SHA1:** Standard SHA1 hashing.
+- **Plaintext:** Supported for legacy purposes (requires `unsafe` option in `parse`).
+
+## 📚 Documentation
+
+For all configuration options and detailed API references, please see [the API docs](https://www.jsdocs.io/package/@se-oss/htpasswd).
+
+## 🤝 Contributing
+
+Want to contribute? Awesome! To show your support is to star the project, or to raise issues on [GitHub](https://github.com/shahradelahi/ts-htpasswd).
+
+Thanks again for your support, it is much appreciated! 🙏
+
+## License
+
+[MIT](/LICENSE) © [Shahrad Elahi](https://github.com/shahradelahi) and [contributors](https://github.com/shahradelahi/ts-htpasswd/graphs/contributors).

package/dist/chunk-7BDWK2L2.js

@@ -0,0 +1,100 @@
+// src/index.ts
+import { verifyApr1 } from "@se-oss/apr1";
+import bcrypt from "bcryptjs";
+
+// src/sha1.ts
+import { sha1 } from "@se-oss/sha1";
+
+// src/utils.ts
+import { safeCompare } from "@se-oss/timing-safe-compare";
+function detectAlgorithm(hash) {
+  if (hash.startsWith("$2y$") || hash.startsWith("$2a$") || hash.startsWith("$2b$")) {
+    return "bcrypt";
+  }
+  if (hash.startsWith("$apr1$")) {
+    return "md5";
+  }
+  if (hash.startsWith("{SHA}")) {
+    return "sha1";
+  }
+  if (hash.length === 13) {
+    return "crypt";
+  }
+  return "plain";
+}
+function bytesToBase64(bytes) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  return btoa(String.fromCharCode(...bytes));
+}
+
+// src/sha1.ts
+function verifySha1(password, hash) {
+  return safeCompare(generateSha1(password), hash);
+}
+function generateSha1(password) {
+  const digest = sha1(password);
+  const b64 = bytesToBase64(digest);
+  return `{SHA}${b64}`;
+}
+
+// src/index.ts
+function verify(password, hash) {
+  const algo = detectAlgorithm(hash);
+  switch (algo) {
+    case "bcrypt":
+      return bcrypt.compareSync(password, hash);
+    case "md5":
+      return verifyApr1(password, hash);
+    case "sha1":
+      return verifySha1(password, hash);
+    case "plain":
+      return safeCompare(password, hash);
+    case "crypt":
+      throw new Error('Algorithm "crypt" is insecure and not supported.');
+    default:
+      throw new Error(`Unsupported algorithm: ${algo}`);
+  }
+}
+async function verifyAsync(password, hash) {
+  const algo = detectAlgorithm(hash);
+  switch (algo) {
+    case "bcrypt":
+      return bcrypt.compare(password, hash);
+    case "md5":
+      return verifyApr1(password, hash);
+    case "sha1":
+      return verifySha1(password, hash);
+    case "plain":
+      return safeCompare(password, hash);
+    case "crypt":
+      throw new Error('Algorithm "crypt" is insecure and not supported.');
+    default:
+      throw new Error(`Unsupported algorithm: ${algo}`);
+  }
+}
+function parse(content, options = {}) {
+  return content.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0 && !line.startsWith("#")).map((line) => {
+    const [username, ...rest] = line.split(":");
+    const hash = rest.join(":");
+    const algorithm = detectAlgorithm(hash);
+    if (algorithm === "plain" && !options.unsafe) {
+      throw new Error(
+        `Plaintext password detected for user "${username}". Use options.unsafe to allow this.`
+      );
+    }
+    return { username, hash, algorithm };
+  });
+}
+function stringify(entries) {
+  return entries.map((entry) => `${entry.username}:${entry.hash}`).join("\n");
+}
+
+export {
+  generateSha1,
+  verify,
+  verifyAsync,
+  parse,
+  stringify
+};

package/dist/chunk-TY6MHXM4.js

@@ -0,0 +1,108 @@
+import {
+  generateSha1,
+  parse,
+  stringify,
+  verify,
+  verifyAsync
+} from "./chunk-7BDWK2L2.js";
+
+// src/fs.ts
+import { readFile, rename, writeFile } from "fs/promises";
+import { generateApr1 } from "@se-oss/apr1";
+import bcrypt from "bcryptjs";
+async function readEntries(filepath, handleEnoent = false) {
+  try {
+    const content = await readFile(filepath, "utf-8");
+    return parse(content, { unsafe: true });
+  } catch (error) {
+    if (handleEnoent && error.code === "ENOENT") {
+      return [];
+    }
+    throw error;
+  }
+}
+async function writeAtomic(filepath, content) {
+  const tempPath = `${filepath}.${Math.random().toString(36).slice(2)}.tmp`;
+  await writeFile(tempPath, content);
+  await rename(tempPath, filepath);
+}
+async function updateAndSave(filepath, username, hash, algorithm) {
+  const entries = await readEntries(filepath, true);
+  const existingIndex = entries.findIndex((e) => e.username === username);
+  if (existingIndex !== -1) {
+    entries[existingIndex].hash = hash;
+    entries[existingIndex].algorithm = algorithm;
+  } else {
+    entries.push({ username, hash, algorithm });
+  }
+  await writeAtomic(filepath, stringify(entries) + "\n");
+}
+async function authenticate(filepath, username, password) {
+  const entries = await readEntries(filepath);
+  const entry = entries.find((e) => e.username === username);
+  if (!entry) {
+    return false;
+  }
+  return verify(password, entry.hash);
+}
+async function authenticateAsync(filepath, username, password) {
+  const entries = await readEntries(filepath);
+  const entry = entries.find((e) => e.username === username);
+  if (!entry) {
+    return false;
+  }
+  return verifyAsync(password, entry.hash);
+}
+async function addUser(filepath, username, password, algorithm = "bcrypt") {
+  let hash;
+  switch (algorithm) {
+    case "bcrypt":
+      hash = bcrypt.hashSync(password, 10);
+      break;
+    case "md5":
+      hash = generateApr1(password);
+      break;
+    case "sha1":
+      hash = generateSha1(password);
+      break;
+    case "plain":
+      hash = password;
+      break;
+    default:
+      throw new Error(`Unsupported algorithm for generation: ${algorithm}`);
+  }
+  await updateAndSave(filepath, username, hash, algorithm);
+}
+async function addUserAsync(filepath, username, password, algorithm = "bcrypt") {
+  let hash;
+  switch (algorithm) {
+    case "bcrypt":
+      hash = await bcrypt.hash(password, 10);
+      break;
+    case "md5":
+      hash = generateApr1(password);
+      break;
+    case "sha1":
+      hash = generateSha1(password);
+      break;
+    case "plain":
+      hash = password;
+      break;
+    default:
+      throw new Error(`Unsupported algorithm for generation: ${algorithm}`);
+  }
+  await updateAndSave(filepath, username, hash, algorithm);
+}
+async function removeUser(filepath, username) {
+  const entries = await readEntries(filepath);
+  const newEntries = entries.filter((e) => e.username !== username);
+  await writeAtomic(filepath, stringify(newEntries) + "\n");
+}
+
+export {
+  authenticate,
+  authenticateAsync,
+  addUser,
+  addUserAsync,
+  removeUser
+};

package/dist/cli.cjs

@@ -0,0 +1,230 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// src/cli.ts
+var readline = __toESM(require("readline"), 1);
+var import_node_stream = require("stream");
+var tty = __toESM(require("tty"), 1);
+var import_node_util = require("util");
+
+// src/fs.ts
+var import_promises = require("fs/promises");
+var import_apr12 = require("@se-oss/apr1");
+var import_bcryptjs2 = __toESM(require("bcryptjs"), 1);
+
+// src/index.ts
+var import_apr1 = require("@se-oss/apr1");
+var import_bcryptjs = __toESM(require("bcryptjs"), 1);
+
+// src/sha1.ts
+var import_sha1 = require("@se-oss/sha1");
+
+// src/utils.ts
+var import_timing_safe_compare = require("@se-oss/timing-safe-compare");
+function detectAlgorithm(hash) {
+  if (hash.startsWith("$2y$") || hash.startsWith("$2a$") || hash.startsWith("$2b$")) {
+    return "bcrypt";
+  }
+  if (hash.startsWith("$apr1$")) {
+    return "md5";
+  }
+  if (hash.startsWith("{SHA}")) {
+    return "sha1";
+  }
+  if (hash.length === 13) {
+    return "crypt";
+  }
+  return "plain";
+}
+function bytesToBase64(bytes) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  return btoa(String.fromCharCode(...bytes));
+}
+
+// src/sha1.ts
+function generateSha1(password) {
+  const digest = (0, import_sha1.sha1)(password);
+  const b64 = bytesToBase64(digest);
+  return `{SHA}${b64}`;
+}
+
+// src/index.ts
+function parse(content, options = {}) {
+  return content.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0 && !line.startsWith("#")).map((line) => {
+    const [username, ...rest] = line.split(":");
+    const hash = rest.join(":");
+    const algorithm = detectAlgorithm(hash);
+    if (algorithm === "plain" && !options.unsafe) {
+      throw new Error(
+        `Plaintext password detected for user "${username}". Use options.unsafe to allow this.`
+      );
+    }
+    return { username, hash, algorithm };
+  });
+}
+function stringify(entries) {
+  return entries.map((entry) => `${entry.username}:${entry.hash}`).join("\n");
+}
+
+// src/fs.ts
+async function readEntries(filepath, handleEnoent = false) {
+  try {
+    const content = await (0, import_promises.readFile)(filepath, "utf-8");
+    return parse(content, { unsafe: true });
+  } catch (error) {
+    if (handleEnoent && error.code === "ENOENT") {
+      return [];
+    }
+    throw error;
+  }
+}
+async function writeAtomic(filepath, content) {
+  const tempPath = `${filepath}.${Math.random().toString(36).slice(2)}.tmp`;
+  await (0, import_promises.writeFile)(tempPath, content);
+  await (0, import_promises.rename)(tempPath, filepath);
+}
+async function updateAndSave(filepath, username, hash, algorithm) {
+  const entries = await readEntries(filepath, true);
+  const existingIndex = entries.findIndex((e) => e.username === username);
+  if (existingIndex !== -1) {
+    entries[existingIndex].hash = hash;
+    entries[existingIndex].algorithm = algorithm;
+  } else {
+    entries.push({ username, hash, algorithm });
+  }
+  await writeAtomic(filepath, stringify(entries) + "\n");
+}
+async function addUserAsync(filepath, username, password, algorithm = "bcrypt") {
+  let hash;
+  switch (algorithm) {
+    case "bcrypt":
+      hash = await import_bcryptjs2.default.hash(password, 10);
+      break;
+    case "md5":
+      hash = (0, import_apr12.generateApr1)(password);
+      break;
+    case "sha1":
+      hash = generateSha1(password);
+      break;
+    case "plain":
+      hash = password;
+      break;
+    default:
+      throw new Error(`Unsupported algorithm for generation: ${algorithm}`);
+  }
+  await updateAndSave(filepath, username, hash, algorithm);
+}
+
+// src/cli.ts
+async function main() {
+  const { values, positionals } = (0, import_node_util.parseArgs)({
+    options: {
+      create: { type: "boolean", short: "c" },
+      batch: { type: "boolean", short: "b" },
+      bcrypt: { type: "boolean", short: "B" },
+      md5: { type: "boolean", short: "m" },
+      sha: { type: "boolean", short: "s" },
+      plain: { type: "boolean", short: "p" },
+      help: { type: "boolean", short: "h" }
+    },
+    allowPositionals: true
+  });
+  if (values.help || positionals.length < 2) {
+    console.log(`
+Usage: htpasswd [options] [file] [username]
+       htpasswd -b [options] [file] [username] [password]
+
+Options:
+  -c, --create    Create a new file.
+  -b, --batch     Use batch mode (read password from command line).
+  -B, --bcrypt    Use bcrypt encryption (default).
+  -m, --md5       Use MD5 encryption.
+  -s, --sha       Use SHA encryption.
+  -p, --plain     Use plaintext.
+  -h, --help      Show this help message.
+`);
+    return;
+  }
+  const [file, username] = positionals;
+  let password = positionals[2];
+  if (!password) {
+    if (values.batch) {
+      console.error("Error: Password is required in batch mode.");
+      process.exit(1);
+    }
+    if (!tty.isatty(process.stdin.fd)) {
+      console.error("Error: Password input requires a terminal.");
+      process.exit(1);
+    }
+    password = await getHiddenPassword("New password: ");
+    const confirm = await getHiddenPassword("Re-type new password: ");
+    if (password !== confirm) {
+      console.error("Error: Passwords don't match.");
+      process.exit(1);
+    }
+  }
+  let algorithm = "bcrypt";
+  if (values.md5) algorithm = "md5";
+  else if (values.sha) algorithm = "sha1";
+  else if (values.plain) algorithm = "plain";
+  try {
+    await addUserAsync(file, username, password, algorithm);
+    console.log(`User ${username} ${values.create ? "created" : "updated"} successfully.`);
+  } catch (error) {
+    console.error(`Error: ${error.message}`);
+    process.exit(1);
+  }
+}
+var MutableStream = class extends import_node_stream.Writable {
+  muted = false;
+  _write(chunk, encoding, callback) {
+    if (!this.muted) {
+      process.stdout.write(chunk, encoding);
+    }
+    callback();
+  }
+};
+function getHiddenPassword(query) {
+  const mutableStdout = new MutableStream();
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: mutableStdout,
+    terminal: true
+  });
+  return new Promise((resolve) => {
+    rl.question(query, (password) => {
+      process.stdout.write("\n");
+      rl.close();
+      resolve(password);
+    });
+    mutableStdout.muted = true;
+  });
+}
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});

package/dist/cli.d.ts

@@ -0,0 +1 @@
+#!/usr/bin/env node

package/dist/cli.js

@@ -0,0 +1,99 @@
+#!/usr/bin/env node
+import {
+  addUserAsync
+} from "./chunk-TY6MHXM4.js";
+import "./chunk-7BDWK2L2.js";
+
+// src/cli.ts
+import * as readline from "readline";
+import { Writable } from "stream";
+import * as tty from "tty";
+import { parseArgs } from "util";
+async function main() {
+  const { values, positionals } = parseArgs({
+    options: {
+      create: { type: "boolean", short: "c" },
+      batch: { type: "boolean", short: "b" },
+      bcrypt: { type: "boolean", short: "B" },
+      md5: { type: "boolean", short: "m" },
+      sha: { type: "boolean", short: "s" },
+      plain: { type: "boolean", short: "p" },
+      help: { type: "boolean", short: "h" }
+    },
+    allowPositionals: true
+  });
+  if (values.help || positionals.length < 2) {
+    console.log(`
+Usage: htpasswd [options] [file] [username]
+       htpasswd -b [options] [file] [username] [password]
+
+Options:
+  -c, --create    Create a new file.
+  -b, --batch     Use batch mode (read password from command line).
+  -B, --bcrypt    Use bcrypt encryption (default).
+  -m, --md5       Use MD5 encryption.
+  -s, --sha       Use SHA encryption.
+  -p, --plain     Use plaintext.
+  -h, --help      Show this help message.
+`);
+    return;
+  }
+  const [file, username] = positionals;
+  let password = positionals[2];
+  if (!password) {
+    if (values.batch) {
+      console.error("Error: Password is required in batch mode.");
+      process.exit(1);
+    }
+    if (!tty.isatty(process.stdin.fd)) {
+      console.error("Error: Password input requires a terminal.");
+      process.exit(1);
+    }
+    password = await getHiddenPassword("New password: ");
+    const confirm = await getHiddenPassword("Re-type new password: ");
+    if (password !== confirm) {
+      console.error("Error: Passwords don't match.");
+      process.exit(1);
+    }
+  }
+  let algorithm = "bcrypt";
+  if (values.md5) algorithm = "md5";
+  else if (values.sha) algorithm = "sha1";
+  else if (values.plain) algorithm = "plain";
+  try {
+    await addUserAsync(file, username, password, algorithm);
+    console.log(`User ${username} ${values.create ? "created" : "updated"} successfully.`);
+  } catch (error) {
+    console.error(`Error: ${error.message}`);
+    process.exit(1);
+  }
+}
+var MutableStream = class extends Writable {
+  muted = false;
+  _write(chunk, encoding, callback) {
+    if (!this.muted) {
+      process.stdout.write(chunk, encoding);
+    }
+    callback();
+  }
+};
+function getHiddenPassword(query) {
+  const mutableStdout = new MutableStream();
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: mutableStdout,
+    terminal: true
+  });
+  return new Promise((resolve) => {
+    rl.question(query, (password) => {
+      process.stdout.write("\n");
+      rl.close();
+      resolve(password);
+    });
+    mutableStdout.muted = true;
+  });
+}
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});

package/dist/fs.cjs

@@ -0,0 +1,233 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/fs.ts
+var fs_exports = {};
+__export(fs_exports, {
+  addUser: () => addUser,
+  addUserAsync: () => addUserAsync,
+  authenticate: () => authenticate,
+  authenticateAsync: () => authenticateAsync,
+  removeUser: () => removeUser
+});
+module.exports = __toCommonJS(fs_exports);
+var import_promises = require("fs/promises");
+var import_apr12 = require("@se-oss/apr1");
+var import_bcryptjs2 = __toESM(require("bcryptjs"), 1);
+
+// src/index.ts
+var import_apr1 = require("@se-oss/apr1");
+var import_bcryptjs = __toESM(require("bcryptjs"), 1);
+
+// src/sha1.ts
+var import_sha1 = require("@se-oss/sha1");
+
+// src/utils.ts
+var import_timing_safe_compare = require("@se-oss/timing-safe-compare");
+function detectAlgorithm(hash) {
+  if (hash.startsWith("$2y$") || hash.startsWith("$2a$") || hash.startsWith("$2b$")) {
+    return "bcrypt";
+  }
+  if (hash.startsWith("$apr1$")) {
+    return "md5";
+  }
+  if (hash.startsWith("{SHA}")) {
+    return "sha1";
+  }
+  if (hash.length === 13) {
+    return "crypt";
+  }
+  return "plain";
+}
+function bytesToBase64(bytes) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  return btoa(String.fromCharCode(...bytes));
+}
+
+// src/sha1.ts
+function verifySha1(password, hash) {
+  return (0, import_timing_safe_compare.safeCompare)(generateSha1(password), hash);
+}
+function generateSha1(password) {
+  const digest = (0, import_sha1.sha1)(password);
+  const b64 = bytesToBase64(digest);
+  return `{SHA}${b64}`;
+}
+
+// src/index.ts
+function verify(password, hash) {
+  const algo = detectAlgorithm(hash);
+  switch (algo) {
+    case "bcrypt":
+      return import_bcryptjs.default.compareSync(password, hash);
+    case "md5":
+      return (0, import_apr1.verifyApr1)(password, hash);
+    case "sha1":
+      return verifySha1(password, hash);
+    case "plain":
+      return (0, import_timing_safe_compare.safeCompare)(password, hash);
+    case "crypt":
+      throw new Error('Algorithm "crypt" is insecure and not supported.');
+    default:
+      throw new Error(`Unsupported algorithm: ${algo}`);
+  }
+}
+async function verifyAsync(password, hash) {
+  const algo = detectAlgorithm(hash);
+  switch (algo) {
+    case "bcrypt":
+      return import_bcryptjs.default.compare(password, hash);
+    case "md5":
+      return (0, import_apr1.verifyApr1)(password, hash);
+    case "sha1":
+      return verifySha1(password, hash);
+    case "plain":
+      return (0, import_timing_safe_compare.safeCompare)(password, hash);
+    case "crypt":
+      throw new Error('Algorithm "crypt" is insecure and not supported.');
+    default:
+      throw new Error(`Unsupported algorithm: ${algo}`);
+  }
+}
+function parse(content, options = {}) {
+  return content.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0 && !line.startsWith("#")).map((line) => {
+    const [username, ...rest] = line.split(":");
+    const hash = rest.join(":");
+    const algorithm = detectAlgorithm(hash);
+    if (algorithm === "plain" && !options.unsafe) {
+      throw new Error(
+        `Plaintext password detected for user "${username}". Use options.unsafe to allow this.`
+      );
+    }
+    return { username, hash, algorithm };
+  });
+}
+function stringify(entries) {
+  return entries.map((entry) => `${entry.username}:${entry.hash}`).join("\n");
+}
+
+// src/fs.ts
+async function readEntries(filepath, handleEnoent = false) {
+  try {
+    const content = await (0, import_promises.readFile)(filepath, "utf-8");
+    return parse(content, { unsafe: true });
+  } catch (error) {
+    if (handleEnoent && error.code === "ENOENT") {
+      return [];
+    }
+    throw error;
+  }
+}
+async function writeAtomic(filepath, content) {
+  const tempPath = `${filepath}.${Math.random().toString(36).slice(2)}.tmp`;
+  await (0, import_promises.writeFile)(tempPath, content);
+  await (0, import_promises.rename)(tempPath, filepath);
+}
+async function updateAndSave(filepath, username, hash, algorithm) {
+  const entries = await readEntries(filepath, true);
+  const existingIndex = entries.findIndex((e) => e.username === username);
+  if (existingIndex !== -1) {
+    entries[existingIndex].hash = hash;
+    entries[existingIndex].algorithm = algorithm;
+  } else {
+    entries.push({ username, hash, algorithm });
+  }
+  await writeAtomic(filepath, stringify(entries) + "\n");
+}
+async function authenticate(filepath, username, password) {
+  const entries = await readEntries(filepath);
+  const entry = entries.find((e) => e.username === username);
+  if (!entry) {
+    return false;
+  }
+  return verify(password, entry.hash);
+}
+async function authenticateAsync(filepath, username, password) {
+  const entries = await readEntries(filepath);
+  const entry = entries.find((e) => e.username === username);
+  if (!entry) {
+    return false;
+  }
+  return verifyAsync(password, entry.hash);
+}
+async function addUser(filepath, username, password, algorithm = "bcrypt") {
+  let hash;
+  switch (algorithm) {
+    case "bcrypt":
+      hash = import_bcryptjs2.default.hashSync(password, 10);
+      break;
+    case "md5":
+      hash = (0, import_apr12.generateApr1)(password);
+      break;
+    case "sha1":
+      hash = generateSha1(password);
+      break;
+    case "plain":
+      hash = password;
+      break;
+    default:
+      throw new Error(`Unsupported algorithm for generation: ${algorithm}`);
+  }
+  await updateAndSave(filepath, username, hash, algorithm);
+}
+async function addUserAsync(filepath, username, password, algorithm = "bcrypt") {
+  let hash;
+  switch (algorithm) {
+    case "bcrypt":
+      hash = await import_bcryptjs2.default.hash(password, 10);
+      break;
+    case "md5":
+      hash = (0, import_apr12.generateApr1)(password);
+      break;
+    case "sha1":
+      hash = generateSha1(password);
+      break;
+    case "plain":
+      hash = password;
+      break;
+    default:
+      throw new Error(`Unsupported algorithm for generation: ${algorithm}`);
+  }
+  await updateAndSave(filepath, username, hash, algorithm);
+}
+async function removeUser(filepath, username) {
+  const entries = await readEntries(filepath);
+  const newEntries = entries.filter((e) => e.username !== username);
+  await writeAtomic(filepath, stringify(newEntries) + "\n");
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  addUser,
+  addUserAsync,
+  authenticate,
+  authenticateAsync,
+  removeUser
+});

package/dist/fs.d.ts

@@ -0,0 +1,47 @@
+import { A as Algorithm } from './typings-5dbtijKO.js';
+
+/**
+ * Authenticates a user against an htpasswd file.
+ *
+ * @param filepath Path to the htpasswd file.
+ * @param username Username to authenticate.
+ * @param password Password to authenticate.
+ * @returns True if authentication succeeds.
+ */
+declare function authenticate(filepath: string, username: string, password: string): Promise<boolean>;
+/**
+ * Authenticates a user against an htpasswd file asynchronously.
+ *
+ * @param filepath Path to the htpasswd file.
+ * @param username Username to authenticate.
+ * @param password Password to authenticate.
+ * @returns True if authentication succeeds.
+ */
+declare function authenticateAsync(filepath: string, username: string, password: string): Promise<boolean>;
+/**
+ * Adds or updates a user in an htpasswd file.
+ *
+ * @param filepath Path to the htpasswd file.
+ * @param username Username to add or update.
+ * @param password Password for the user.
+ * @param algorithm Hashing algorithm to use.
+ */
+declare function addUser(filepath: string, username: string, password: string, algorithm?: Algorithm): Promise<void>;
+/**
+ * Adds or updates a user in an htpasswd file asynchronously.
+ *
+ * @param filepath Path to the htpasswd file.
+ * @param username Username to add or update.
+ * @param password Password for the user.
+ * @param algorithm Hashing algorithm to use.
+ */
+declare function addUserAsync(filepath: string, username: string, password: string, algorithm?: Algorithm): Promise<void>;
+/**
+ * Removes a user from an htpasswd file.
+ *
+ * @param filepath Path to the htpasswd file.
+ * @param username Username to remove.
+ */
+declare function removeUser(filepath: string, username: string): Promise<void>;
+
+export { addUser, addUserAsync, authenticate, authenticateAsync, removeUser };

package/dist/fs.js

@@ -0,0 +1,15 @@
+import {
+  addUser,
+  addUserAsync,
+  authenticate,
+  authenticateAsync,
+  removeUser
+} from "./chunk-TY6MHXM4.js";
+import "./chunk-7BDWK2L2.js";
+export {
+  addUser,
+  addUserAsync,
+  authenticate,
+  authenticateAsync,
+  removeUser
+};

package/dist/index.cjs

@@ -0,0 +1,136 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  parse: () => parse,
+  stringify: () => stringify,
+  verify: () => verify,
+  verifyAsync: () => verifyAsync
+});
+module.exports = __toCommonJS(index_exports);
+var import_apr1 = require("@se-oss/apr1");
+var import_bcryptjs = __toESM(require("bcryptjs"), 1);
+
+// src/sha1.ts
+var import_sha1 = require("@se-oss/sha1");
+
+// src/utils.ts
+var import_timing_safe_compare = require("@se-oss/timing-safe-compare");
+function detectAlgorithm(hash) {
+  if (hash.startsWith("$2y$") || hash.startsWith("$2a$") || hash.startsWith("$2b$")) {
+    return "bcrypt";
+  }
+  if (hash.startsWith("$apr1$")) {
+    return "md5";
+  }
+  if (hash.startsWith("{SHA}")) {
+    return "sha1";
+  }
+  if (hash.length === 13) {
+    return "crypt";
+  }
+  return "plain";
+}
+function bytesToBase64(bytes) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  return btoa(String.fromCharCode(...bytes));
+}
+
+// src/sha1.ts
+function verifySha1(password, hash) {
+  return (0, import_timing_safe_compare.safeCompare)(generateSha1(password), hash);
+}
+function generateSha1(password) {
+  const digest = (0, import_sha1.sha1)(password);
+  const b64 = bytesToBase64(digest);
+  return `{SHA}${b64}`;
+}
+
+// src/index.ts
+function verify(password, hash) {
+  const algo = detectAlgorithm(hash);
+  switch (algo) {
+    case "bcrypt":
+      return import_bcryptjs.default.compareSync(password, hash);
+    case "md5":
+      return (0, import_apr1.verifyApr1)(password, hash);
+    case "sha1":
+      return verifySha1(password, hash);
+    case "plain":
+      return (0, import_timing_safe_compare.safeCompare)(password, hash);
+    case "crypt":
+      throw new Error('Algorithm "crypt" is insecure and not supported.');
+    default:
+      throw new Error(`Unsupported algorithm: ${algo}`);
+  }
+}
+async function verifyAsync(password, hash) {
+  const algo = detectAlgorithm(hash);
+  switch (algo) {
+    case "bcrypt":
+      return import_bcryptjs.default.compare(password, hash);
+    case "md5":
+      return (0, import_apr1.verifyApr1)(password, hash);
+    case "sha1":
+      return verifySha1(password, hash);
+    case "plain":
+      return (0, import_timing_safe_compare.safeCompare)(password, hash);
+    case "crypt":
+      throw new Error('Algorithm "crypt" is insecure and not supported.');
+    default:
+      throw new Error(`Unsupported algorithm: ${algo}`);
+  }
+}
+function parse(content, options = {}) {
+  return content.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0 && !line.startsWith("#")).map((line) => {
+    const [username, ...rest] = line.split(":");
+    const hash = rest.join(":");
+    const algorithm = detectAlgorithm(hash);
+    if (algorithm === "plain" && !options.unsafe) {
+      throw new Error(
+        `Plaintext password detected for user "${username}". Use options.unsafe to allow this.`
+      );
+    }
+    return { username, hash, algorithm };
+  });
+}
+function stringify(entries) {
+  return entries.map((entry) => `${entry.username}:${entry.hash}`).join("\n");
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  parse,
+  stringify,
+  verify,
+  verifyAsync
+});

package/dist/index.d.ts

@@ -0,0 +1,35 @@
+import { P as ParseOptions, H as HtpasswdEntry } from './typings-5dbtijKO.js';
+
+/**
+ * Verifies a password against a hash.
+ *
+ * @param password The plaintext password.
+ * @param hash The hash to verify against.
+ * @returns True if the password matches the hash.
+ */
+declare function verify(password: string, hash: string): boolean;
+/**
+ * Verifies a password against a hash asynchronously.
+ *
+ * @param password The plaintext password.
+ * @param hash The hash to verify against.
+ * @returns A promise that resolves to true if the password matches the hash.
+ */
+declare function verifyAsync(password: string, hash: string): Promise<boolean>;
+/**
+ * Parses an htpasswd content string.
+ *
+ * @param content The htpasswd file content.
+ * @param options Parsing options.
+ * @returns An array of htpasswd entries.
+ */
+declare function parse(content: string, options?: ParseOptions): HtpasswdEntry[];
+/**
+ * Stringifies an array of htpasswd entries.
+ *
+ * @param entries The htpasswd entries to stringify.
+ * @returns The stringified htpasswd content.
+ */
+declare function stringify(entries: HtpasswdEntry[]): string;
+
+export { parse, stringify, verify, verifyAsync };

package/dist/index.js

@@ -0,0 +1,12 @@
+import {
+  parse,
+  stringify,
+  verify,
+  verifyAsync
+} from "./chunk-7BDWK2L2.js";
+export {
+  parse,
+  stringify,
+  verify,
+  verifyAsync
+};

package/dist/typings-5dbtijKO.d.ts

@@ -0,0 +1,15 @@
+type Algorithm = 'bcrypt' | 'md5' | 'sha1' | 'crypt' | 'plain';
+interface HtpasswdEntry {
+    username: string;
+    hash: string;
+    algorithm: Algorithm;
+}
+interface ParseOptions {
+    /**
+     * Allow parsing plaintext passwords.
+     * @default false
+     */
+    unsafe?: boolean;
+}
+
+export type { Algorithm as A, HtpasswdEntry as H, ParseOptions as P };

package/package.json

@@ -0,0 +1,82 @@
+{
+  "name": "@se-oss/htpasswd",
+  "version": "1.0.0",
+  "description": "High-performance, modern TypeScript library for managing HTTP Basic Authentication password files with support for Bcrypt, APR1, SHA1, and Plaintext.",
+  "keywords": [
+    "htpasswd",
+    "auth",
+    "basic-auth",
+    "bcrypt",
+    "apr1",
+    "sha1",
+    "apache",
+    "authentication",
+    "security",
+    "typescript"
+  ],
+  "homepage": "https://github.com/shahradelahi/ts-htpasswd",
+  "repository": "github:shahradelahi/ts-htpasswd",
+  "license": "MIT",
+  "author": "Shahrad Elahi <shahrad@litehex.com> (https://github.com/shahradelahi)",
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.cjs"
+    },
+    "./fs": {
+      "types": "./dist/fs.d.ts",
+      "import": "./dist/fs.js",
+      "default": "./dist/fs.cjs"
+    }
+  },
+  "main": "dist/index.js",
+  "module": "dist/index.js",
+  "browser": "dist/index.cjs",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "htpasswd": "./dist/cli.js"
+  },
+  "files": [
+    "dist/**",
+    "!**/*.d.cts"
+  ],
+  "scripts": {
+    "bench": "vitest bench --run",
+    "build": "pnpm typecheck && tsup",
+    "clean": "git clean -dfx **/node_modules/** dist .tsbuildinfo",
+    "dev": "tsup --watch",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "lint": "pnpm typecheck && eslint .",
+    "lint:fix": "eslint --fix .",
+    "prepublishOnly": "pnpm build && pnpm lint && pnpm format:check && pnpm test",
+    "test": "vitest --run",
+    "typecheck": "tsc --noEmit"
+  },
+  "prettier": "@shahrad/prettier-config",
+  "dependencies": {
+    "@se-oss/apr1": "^1.0.0",
+    "@se-oss/sha1": "^1.0.0",
+    "@se-oss/timing-safe-compare": "^1.0.0",
+    "bcryptjs": "^3.0.3"
+  },
+  "devDependencies": {
+    "@shahrad/eslint-config": "^1.0.1",
+    "@shahrad/prettier-config": "^1.2.2",
+    "@shahrad/tsconfig": "^1.2.0",
+    "@types/node": "^25.2.3",
+    "eslint": "^10.0.0",
+    "globals": "^17.3.0",
+    "prettier": "^3.8.1",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.18"
+  },
+  "packageManager": "pnpm@10.29.3+sha512.498e1fb4cca5aa06c1dcf2611e6fafc50972ffe7189998c409e90de74566444298ffe43e6cd2acdc775ba1aa7cc5e092a8b7054c811ba8c5770f84693d33d2dc",
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  }
+}