inslash 1.0.2

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Inslash
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,59 @@
+# inslash
+
+A modern, upgradeable, and secure password hashing utility for Node.js.  
+Features passport encoding, hash ancestry, salt, pepper, and automatic upgrade support.
+
+## Features
+
+- Secure password hashing with salt and pepper
+- Passport encoding (all hash info in one string)
+- Hash ancestry/history for upgrades and audits
+- Automatic upgrade detection and rehashing
+- Async API
+
+## Installation
+
+```sh
+npm install inslash
+```
+
+## Usage
+
+```js
+const { hash, verify } = require("inslash");
+
+const secret = "your-secret-key";
+
+// Hash a password
+const result = await hash("myPassword", secret);
+
+// Store result.passport in your database
+
+// Verify a password
+const verifyResult = await verify("myPassword", result.passport, secret);
+
+console.log(verifyResult.valid); // true or false
+```
+
+## API
+
+### `async hash(value, secret, options?)`
+- `value` (string): The value to hash.
+- `secret` (string): Secret key for HMAC.
+- `options` (object): Optional. Override defaults (`iterations`, `algorithm`, etc).
+- **Returns:** `{ passport, algorithm, iterations, saltLength, hashLength, salt, hash, history }`
+
+### `async verify(value, passport, secret, options?)`
+- `value` (string): Value to verify.
+- `passport` (string): Encoded hash passport.
+- `secret` (string): Secret key for HMAC.
+- `options` (object): Optional. Override defaults.
+- **Returns:** `{ valid, needsUpgrade, upgradedPassport }`
+
+### Environment Variables
+
+- `HASH_PEPPER`: Optional. Adds a global pepper to all hashes.
+
+## License
+
+MIT

package/cstest.js

@@ -0,0 +1,49 @@
+const { hash, verify } = require("./script");
+
+const SECRET_KEY = "supersecret";
+
+// 1. Rainbow Table Attack
+(async () => {
+    const a = await hash("password123", SECRET_KEY);
+    const b = await hash("password123", SECRET_KEY);
+    console.log("Rainbow Table Test:", a.hash !== b.hash ? "PASS" : "FAIL");
+
+    // 2. Brute Force Attack (timing)
+    console.time("Low Iterations");
+    await hash("password123", SECRET_KEY, { iterations: 1000 });
+    console.timeEnd("Low Iterations");
+
+    console.time("High Iterations");
+    await hash("password123", SECRET_KEY, { iterations: 200_000 });
+    console.timeEnd("High Iterations");
+
+    // 3. Timing Attack (should use timingSafeEqual)
+    const v = await verify("password123", a.passport, SECRET_KEY);
+    console.log("Timing Safe Equal Test:", v.valid ? "PASS" : "FAIL");
+
+    // 4. Salt Storage
+    console.log("Salt Unique Test:", a.salt !== b.salt ? "PASS" : "FAIL");
+
+    // 5. Pepper Security
+    process.env.HASH_PEPPER = "pepper";
+    const withPepper = await hash("password123", SECRET_KEY);
+    process.env.HASH_PEPPER = "";
+    const vPepper = await verify("password123", withPepper.passport, SECRET_KEY);
+    console.log("Pepper Security Test:", vPepper.valid ? "FAIL" : "PASS");
+
+    // 6. Upgrade Path
+    const vUpgrade = await verify("password123", a.passport, SECRET_KEY, { iterations: 200_000 });
+    console.log("Upgrade Path Test:", vUpgrade.needsUpgrade ? "PASS" : "FAIL");
+
+    // 7. Input Validation
+    try {
+        await hash(null, SECRET_KEY);
+        console.log("Null Input Test: FAIL");
+    } catch {
+        console.log("Null Input Test: PASS");
+    }
+
+    // 8. Collision Resistance
+    const c = await hash("passwordABC", SECRET_KEY);
+    console.log("Collision Resistance Test:", a.hash !== c.hash ? "PASS" : "FAIL");
+})();

package/package.json

@@ -0,0 +1,15 @@
+{
+  "name": "inslash",
+  "version": "1.0.2",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [],
+  "author": "Reshuk Sapkota",
+  "license": "MIT",
+  "description": "",
+  "dependencies": {
+    "crypto": "^1.0.1"
+  }
+}

package/script.js

@@ -0,0 +1,124 @@
+const crypto = require("crypto");
+
+const DEFAULTS = {
+    saltLength: 16,
+    hashLength: 32,
+    iterations: 100_000,
+    algorithm: "sha256"
+};
+
+const createSalt = (length) => crypto.randomBytes(length).toString("hex");
+
+const hashWithSalt = async (value, salt, secret, options) => {
+    const { iterations, hashLength, algorithm } = options;
+    let data = value + salt;
+    let digest = Buffer.from(data);
+
+    for (let i = 0; i < iterations; i++) {
+        digest = crypto.createHmac(algorithm, secret).update(digest).digest();
+    }
+
+    return digest.toString("hex").slice(0, hashLength);
+};
+
+const encodePassport = (meta) => {
+    const history = Buffer.from(JSON.stringify(meta.history || [])).toString("base64");
+    return [
+        "$inslash",
+        meta.algorithm,
+        meta.iterations,
+        meta.saltLength,
+        meta.hashLength,
+        meta.salt,
+        meta.hash,
+        history
+    ].join("$");
+};
+
+const decodePassport = (passport) => {
+    const parts = passport.split("$");
+    if (parts[1] !== "inslash") throw new Error("Invalid passport format");
+    const [ , , algorithm, iterations, saltLength, hashLength, salt, hash, history ] = parts;
+    return {
+        algorithm,
+        iterations: Number(iterations),
+        saltLength: Number(saltLength),
+        hashLength: Number(hashLength),
+        salt,
+        hash,
+        history: JSON.parse(Buffer.from(history, "base64").toString())
+    };
+};
+
+const hash = async (value, secret, opts = {}) => {
+    if (!secret) throw new Error("Secret key is required");
+    if (typeof value !== "string" || !value) throw new Error("Value to hash must be a non-empty string");
+    const options = { ...DEFAULTS, ...opts };
+    const salt = createSalt(options.saltLength);
+    const pepper = process.env.HASH_PEPPER || "";
+    const valueWithPepper = value + pepper;
+    const hashed = await hashWithSalt(valueWithPepper, salt, secret, options);
+
+    const meta = {
+        algorithm: options.algorithm,
+        iterations: options.iterations,
+        saltLength: options.saltLength,
+        hashLength: options.hashLength,
+        salt,
+        hash: hashed,
+        history: [
+            {
+                date: new Date().toISOString(),
+                algorithm: options.algorithm,
+                iterations: options.iterations
+            }
+        ]
+    };
+
+    return {
+        passport: encodePassport(meta),
+        ...meta
+    };
+};
+
+const verify = async (value, passport, secret, opts = {}) => {
+    const meta = decodePassport(passport);
+    const options = {
+        algorithm: meta.algorithm,
+        iterations: meta.iterations,
+        saltLength: meta.saltLength,
+        hashLength: meta.hashLength,
+        ...opts
+    };
+    const pepper = process.env.HASH_PEPPER || "";
+    const valueWithPepper = value + pepper;
+    const computed = await hashWithSalt(valueWithPepper, meta.salt, secret, options);
+    const valid = crypto.timingSafeEqual(Buffer.from(computed), Buffer.from(meta.hash));
+    let needsUpgrade = false;
+    if (opts.iterations && opts.iterations > meta.iterations) needsUpgrade = true;
+    if (opts.algorithm && opts.algorithm !== meta.algorithm) needsUpgrade = true;
+    let upgradedPassport = null;
+    if (valid && needsUpgrade) {
+        const newMeta = { ...meta, ...opts };
+        newMeta.history = meta.history.concat([
+            {
+                date: new Date().toISOString(),
+                algorithm: opts.algorithm || meta.algorithm,
+                iterations: opts.iterations || meta.iterations
+            }
+        ]);
+        const newSalt = createSalt(newMeta.saltLength);
+        const newHash = await hashWithSalt(valueWithPepper, newSalt, secret, newMeta);
+        newMeta.salt = newSalt;
+        newMeta.hash = newHash;
+        upgradedPassport = encodePassport(newMeta);
+    }
+    return { valid, needsUpgrade, upgradedPassport };
+};
+
+module.exports = {
+    hash,
+    verify,
+    encodePassport,
+    decodePassport
+};

package/test.js

@@ -0,0 +1,22 @@
+const { hash, verify } = require("./script");
+
+const SECRET_KEY = process.env.HASH_SECRET || "abcd";
+
+// create hash
+(async () => {
+    const result = await hash("Happy", SECRET_KEY, {
+        iterations: 150_000
+    });
+
+    console.log(result);
+
+    // verify
+    const verifyResult = await verify(
+        "Happy",
+        result.passport, // <-- use passport, not salt/hash
+        SECRET_KEY,
+        { iterations: result.iterations }
+    );
+
+    console.log(verifyResult); // { valid: true, needsUpgrade: false, upgradedPassport: null }
+})();