fix!(argon2): respect the salt provided in hash options (#899)

Author: Brooooooklyn

depracted/deno-lint/package.json

@@ -73,7 +73,7 @@
     "typanion": "^3.14.0"
   },
   "devDependencies": {
-    "@napi-rs/cli": "^3.0.0-alpha.54",
+    "@napi-rs/cli": "^3.0.0-alpha.63",
     "@types/webpack": "^5.28.5"
   },
   "funding": {

packages/argon2/README.md

@@ -27,24 +27,6 @@ It has a simple design aimed at the highest memory filling rate and effective us
     Hybrid that mixes Argon2i and Argon2d passes.
     Uses the Argon2i approach for the first half pass over memory and Argon2d approach for subsequent passes. This effectively places it in the “middle” between the other two: it doesn’t provide as good TMTO/GPU cracking resistance as Argon2d, nor as good of side-channel resistance as Argon2i, but overall provides the most well-rounded approach to both classes of attacks.
 
-## Support matrix
-
-|                     | node12 | node14 | node16 | node18 |
-| ------------------- | ------ | ------ | ------ | ------ |
-| Windows x64         | ✓      | ✓      | ✓      | ✓      |
-| Windows x32         | ✓      | ✓      | ✓      | ✓      |
-| Windows arm64       | ✓      | ✓      | ✓      | ✓      |
-| macOS x64           | ✓      | ✓      | ✓      | ✓      |
-| macOS arm64(m chip) | ✓      | ✓      | ✓      | ✓      |
-| Linux x64 gnu       | ✓      | ✓      | ✓      | ✓      |
-| Linux x64 musl      | ✓      | ✓      | ✓      | ✓      |
-| Linux arm gnu       | ✓      | ✓      | ✓      | ✓      |
-| Linux arm64 gnu     | ✓      | ✓      | ✓      | ✓      |
-| Linux arm64 musl    | ✓      | ✓      | ✓      | ✓      |
-| Android arm64       | ✓      | ✓      | ✓      | ✓      |
-| Android armv7       | ✓      | ✓      | ✓      | ✓      |
-| FreeBSD x64         | ✓      | ✓      | ✓      | ✓      |
-
 # Benchmarks
 
 See [benchmark/](benchmark/argon2.js).

packages/argon2/__test__/argon2.spec.ts

@@ -1,4 +1,4 @@
-import { randomBytes } from 'crypto'
+import { randomBytes } from 'node:crypto'
 
 import test from 'ava'
 
@@ -43,6 +43,30 @@ test('should be able to hash string', async (t) => {
   )
 })
 
+test('should be able to hash string with a defined salt', async (t) => {
+  await t.notThrowsAsync(() =>
+    hash('whatever', {
+      salt: randomBytes(32),
+    }),
+  )
+  await t.notThrowsAsync(() =>
+    hash('whatever', {
+      secret: randomBytes(32),
+      salt: randomBytes(32),
+    }),
+  )
+
+  const salt = randomBytes(32)
+  t.is(
+    await hash('whatever', {
+      salt,
+    }),
+    await hash('whatever', {
+      salt,
+    }),
+  )
+})
+
 test('should be able to hashRaw string with a defined salt', async (t) => {
   await t.notThrowsAsync(() => hash('whatever'))
   await t.notThrowsAsync(() =>

packages/argon2/benchmark/argon2.js

@@ -1,42 +1,38 @@
-const { cpus } = require('os')
+import { cpus } from 'node:os'
 
-const nodeArgon2 = require('argon2')
-const { Suite } = require('benchmark')
-const chalk = require('chalk')
+import nodeArgon2 from 'argon2'
+import { Bench } from 'tinybench'
 
-const { hash, verify, Algorithm } = require('../index')
+import { hash, verify, Algorithm } from '../index.js'
 
 const PASSWORD = '$v=19$m=4096,t=3,p=1$fyLYvmzgpBjDTP6QSypj3g$pb1Q3Urv1amxuFft0rGwKfEuZPhURRDV7TJqcBnwlGo'
 const CORES = cpus().length
 
-const suite = new Suite('Hash with all cores')
-
-suite
-  .add(
-    '@node-rs/argon',
-    async (deferred) => {
-      await hash(PASSWORD, {
-        algorithm: Algorithm.Argon2id,
-        parallelism: CORES,
-      })
-      deferred.resolve()
-    },
-    { defer: true },
-  )
-  .add(
-    'node-argon',
-    async (deferred) => {
-      await nodeArgon2.hash(PASSWORD, { type: nodeArgon2.argon2id, parallelism: CORES })
-      deferred.resolve()
-    },
-    {
-      defer: true,
-    },
-  )
-  .on('cycle', function (event) {
-    console.info(String(event.target))
+const HASHED = await hash(PASSWORD, {
+  algorithm: Algorithm.Argon2id,
+  parallelism: CORES,
+})
+
+const bench = new Bench('Hash with all cores')
+
+bench
+  .add('@node-rs/argon hash', async () => {
+    await hash(PASSWORD, {
+      algorithm: Algorithm.Argon2id,
+      parallelism: CORES,
+    })
+  })
+  .add('node-argon hash', async () => {
+    await nodeArgon2.hash(PASSWORD, { type: nodeArgon2.argon2id, parallelism: CORES })
   })
-  .on('complete', function () {
-    console.info(`${this.name} bench suite: Fastest is ${chalk.green(this.filter('fastest').map('name'))}`)
+  .add('@node-rs/argon verify', async () => {
+    console.assert(await verify(HASHED, PASSWORD))
   })
-  .run()
+  .add('node-argon verify', async () => {
+    console.assert(await nodeArgon2.verify(HASHED, PASSWORD))
+  })
+
+await bench.warmup()
+await bench.run()
+
+console.table(bench.table())

packages/argon2/benchmark/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}

packages/argon2/package.json

@@ -62,8 +62,9 @@
     "version": "napi version && git add npm"
   },
   "devDependencies": {
-    "@napi-rs/cli": "^3.0.0-alpha.54",
+    "@napi-rs/cli": "^3.0.0-alpha.63",
     "argon2": "^0.41.0",
-    "cross-env": "^7.0.3"
+    "cross-env": "^7.0.3",
+    "tinybench": "^2.9.0"
   }
 }

packages/argon2/src/lib.rs

@@ -125,11 +125,18 @@ impl Task for HashTask {
   type JsValue = String;
 
   fn compute(&mut self) -> Result<Self::Output> {
-    let salt = SaltString::generate(&mut OsRng);
+    let salt = if let Some(salt) = &self.options.salt {
+      SaltString::encode_b64(salt)
+        .map_err(|err| Error::new(Status::InvalidArg, format!("{err}")))?
+    } else {
+      SaltString::generate(&mut OsRng)
+    };
+    let hasher = self
+      .options
+      .to_argon()
+      .map_err(|err| Error::new(Status::InvalidArg, format!("{err}")))?;
 
-    let hasher = self.options.to_argon();
     hasher
-      .map_err(|err| Error::new(Status::InvalidArg, format!("{err}")))?
       .hash_password(self.password.as_slice(), &salt)
       .map_err(|err| Error::new(Status::GenericFailure, format!("{err}")))
       .map(|h| h.to_string())
@@ -263,8 +270,12 @@ impl Task for VerifyTask {
   type JsValue = bool;
 
   fn compute(&mut self) -> Result<Self::Output> {
-    let parsed_hash = argon2::PasswordHash::new(self.hashed.as_str())
-      .map_err(|err| Error::new(Status::InvalidArg, format!("{err}")))?;
+    let parsed_hash = argon2::PasswordHash::new(self.hashed.as_str()).map_err(|err| {
+      Error::new(
+        Status::InvalidArg,
+        format!("Invalid hashed password: {err}"),
+      )
+    })?;
     let argon2 = self.options.to_argon();
     Ok(
       argon2

packages/bcrypt/package.json

@@ -70,7 +70,7 @@
     "url": "https://github.com/napi-rs/node-rs/issues"
   },
   "devDependencies": {
-    "@napi-rs/cli": "^3.0.0-alpha.54",
+    "@napi-rs/cli": "^3.0.0-alpha.63",
     "@types/bcrypt": "^5.0.2",
     "bcrypt": "^5.1.1",
     "bcryptjs": "^2.4.3",

packages/crc32/package.json

@@ -64,7 +64,7 @@
     "url": "https://github.com/napi-rs/node-rs/issues"
   },
   "devDependencies": {
-    "@napi-rs/cli": "^3.0.0-alpha.54",
+    "@napi-rs/cli": "^3.0.0-alpha.63",
     "@types/crc": "^3.8.3",
     "buffer": "^6.0.3",
     "crc": "^4.3.2",

packages/jieba/package.json

@@ -64,7 +64,7 @@
     "url": "https://github.com/napi-rs/node-rs/issues"
   },
   "devDependencies": {
-    "@napi-rs/cli": "^3.0.0-alpha.54",
+    "@napi-rs/cli": "^3.0.0-alpha.63",
     "nodejieba": "^3.0.0"
   },
   "funding": {