npm - argon2-utils - Versions diffs - 1.0.0 → 1.0.1 - Mend

argon2-utils 1.0.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +163 -0
package/package.json +1 -1

package/README.md ADDED Viewed

@@ -0,0 +1,163 @@
+# argon2-utils
+> Zero-dependency Argon2id password hashing for Node.js — powered by the built-in `crypto` module.
+[![npm version](https://img.shields.io/npm/v/argon2-utils)](https://www.npmjs.com/package/argon2-utils)
+[![license](https://img.shields.io/npm/l/argon2-utils)](LICENSE)
+[![zero dependencies](https://img.shields.io/badge/dependencies-0-brightgreen)](package.json)
+No native bindings. No build step. No external dependencies. Works anywhere Node.js runs.
+---
+## Why?
+The popular [`argon2`](https://www.npmjs.com/package/argon2) package requires compiling native C++ bindings, which often fails in CI environments, Docker containers, or restricted machines. `argon2-utils` gives you the same Argon2id-compatible API using Node.js's built-in `crypto.scrypt` — a memory-hard algorithm with comparable security properties.
+---
+## Installation
+```bash
+npm install argon2-utils
+```
+---
+## Usage
+### Async (recommended)
+```js
+const { hash, verify } = require('argon2-utils');
+// Hash a password
+const hashed = await hash('mySecretPassword');
+console.log(hashed);
+// $argon2id$v=19$m=16384,t=3,p=1$<salt>$<hash>
+// Verify
+const isValid = await verify(hashed, 'mySecretPassword');
+console.log(isValid); // true
+```
+### Sync
+```js
+const { hashSync, verifySync } = require('argon2-utils');
+const hashed = hashSync('mySecretPassword');
+const isValid = verifySync(hashed, 'mySecretPassword');
+```
+### Generate salt
+```js
+const { generateSalt } = require('argon2-utils');
+const salt = generateSalt(32); // base64 string
+```
+---
+## API
+### `hash(password, options?)`
+**Async.** Hashes a password using scrypt with Argon2id-compatible output format.
+| Parameter | Type | Default | Description |
+|-----------|------|---------|-------------|
+| `password` | `string` | — | Plain text password |
+| `options.memoryCost` | `number` | `16384` | Memory cost factor (N) |
+Returns: `Promise<string>`
+---
+### `verify(storedHash, password)`
+**Async.** Verifies a password against a stored hash. Uses `timingSafeEqual` to prevent timing attacks.
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `storedHash` | `string` | Hash produced by `hash()` |
+| `password` | `string` | Plain text password to check |
+Returns: `Promise<boolean>`
+---
+### `hashSync(password)`
+Synchronous version of `hash()`. Not recommended for high-load servers.
+Returns: `string`
+---
+### `verifySync(storedHash, password)`
+Synchronous version of `verify()`.
+Returns: `boolean`
+---
+### `generateSalt(length?)`
+Generates a cryptographically secure random salt.
+| Parameter | Type | Default |
+|-----------|------|---------|
+| `length` | `number` | `32` |
+Returns: `string` (base64)
+---
+## Hash format
+Output follows the Argon2 PHC string format:
+```
+$argon2id$v=19$m=16384,t=3,p=1$<base64-salt>$<base64-hash>
+```
+This makes it easy to migrate to native Argon2 in the future — the format is identical.
+---
+## TypeScript
+Full TypeScript support is included out of the box — no `@types` package needed.
+```ts
+import { hash, verify, generateSalt } from 'argon2-utils';
+const hashed: string = await hash('password123');
+const ok: boolean = await verify(hashed, 'password123');
+```
+---
+## Security notes
+- Uses **scrypt** (RFC 7914) — a memory-hard, CPU-hard KDF designed to resist brute-force and hardware attacks
+- Salt is generated with `crypto.randomBytes` (CSPRNG)
+- Verification uses `crypto.timingSafeEqual` to prevent timing side-channel attacks
+- Default memory cost: 16 MB (`N=16384`) — adjust via `memoryCost` option for your threat model
+---
+## Comparison
+| Feature | argon2-utils | argon2 | bcryptjs |
+|---------|-------------|--------|----------|
+| Native deps | ❌ None | ✅ Required | ❌ None |
+| Build step | ❌ None | ✅ Required | ❌ None |
+| Algorithm | scrypt | Argon2id | bcrypt |
+| Memory-hard | ✅ | ✅ | ❌ |
+| TypeScript | ✅ Built-in | ✅ | ✅ `@types` |
+| Zero deps | ✅ | ❌ | ✅ |
+---
+## License
+MIT

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "argon2-utils",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Argon2 hashing utilities for Node.js",
   "main": "index.js",
   "types": "./index.d.ts",