initial commit

server/utils/password.js

@@ -0,0 +1,30 @@
+import { scryptSync, randomBytes } from 'node:crypto'
+
+const SALT_LEN = 16
+const KEY_LEN = 64
+const SCRYPT_OPTS = { N: 16384, r: 8, p: 1 }
+
+/**
+ * Hash a password for storage. Returns "salt:hash" hex string.
+ * @param {string} password
+ * @returns {string} Salt and hash as hex, colon-separated.
+ */
+export function hashPassword(password) {
+  const salt = randomBytes(SALT_LEN)
+  const hash = scryptSync(password, salt, KEY_LEN, SCRYPT_OPTS)
+  return `${salt.toString('hex')}:${hash.toString('hex')}`
+}
+
+/**
+ * Verify password against stored "salt:hash" value.
+ * @param {string} password
+ * @param {string} stored
+ * @returns {boolean} True if password matches.
+ */
+export function verifyPassword(password, stored) {
+  if (!stored || !stored.includes(':')) return false
+  const [saltHex, hashHex] = stored.split(':')
+  const salt = Buffer.from(saltHex, 'hex')
+  const hash = scryptSync(password, salt, KEY_LEN, SCRYPT_OPTS)
+  return hash.toString('hex') === hashHex
+}