arcanajs 6.0.4 → 6.0.5

@@ -3138,14 +3138,17 @@ class PasswordHasher {
3138
3138
 
3139
3139
  /**
3140
3140
  * Apply pepper to password (server-side secret)
3141
+ * Concatenates pepper with password so Argon2 receives the full password data.
3142
+ * This preserves password entropy while adding the server-side secret.
3141
3143
  */
3142
3144
  static applyPepper(password) {
3143
3145
  var _this$config14;
3144
3146
  if (!((_this$config14 = this.config) !== null && _this$config14 !== void 0 && _this$config14.pepper)) {
3145
3147
  return password;
3146
3148
  }
3147
- // Use HMAC to combine password with pepper
3148
- return crypto__WEBPACK_IMPORTED_MODULE_1___default().createHmac("sha256", this.config.pepper).update(password).digest("hex");
3149
+ // Concatenate pepper with password - Argon2 will handle the secure hashing
3150
+ // Using pepper as prefix prevents length-extension attacks
3151
+ return this.config.pepper + password;
3149
3152
  }
3150
3153
 
3151
3154
  /**
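Review bot: The new `return this.config.pepper + password;` changes the bytes fed to Argon2 for every deployment that has a pepper configured, so hashes stored under 6.0.4 (computed over the HMAC-SHA256 hex digest) will presumably stop verifying unless the verify path, which is not visible in this hunk, falls back to the old form and rehashes on success. The added comment `// Using pepper as prefix prevents length-extension attacks` is also inaccurate: length extension is a weakness of secret-prefix constructions over Merkle–Damgård hashes, which is what the removed HMAC was designed to avoid, and it has no bearing on Argon2 input. I would replace that line with something like `// Pepper is prepended verbatim; hashes created before 6.0.5 used HMAC-SHA256(pepper, password) and need a migration path`. If the Argon2 binding in use exposes the algorithm's keyed `secret` input, passing the pepper there would avoid the unframed concatenation and the implicit string coercion of a non-string `password`.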