This library is a +thin wrapper around that function which handles salting, serializing and +deserializing hash metadata, and verification. It contains both asynchronous +and synchronous versions of its functions, and is thoroughly tested. + +## Usage + +```javascript +const { hash, verify } = require('@techworkers/scrypt-wrapper') +const userEnteredPassword = 'some password' +const hashedPassword = await hash(userEnteredPassword) +if (await verify(hashedPassword, userEnteredPassword)) { + // allowed! +} +``` + +Or, in a synchronous environment... + +```javascript +const { hashSync, verifySync } = require('@techworkers/scrypt-wrapper') +const userEnteredPassword = 'some password' +const hashedPassword = hashSync(userEnteredPassword) +if (verifySync(hashedPassword, userEnteredPassword)) { + // allowed! +} +``` + +Async and sync versions can be used together. For example, Sequelize doesn't +offer async setters: + +```javascript +const sequelize = require('sequelize') +const { Model } = sequelize +const { hashSync, verify } = require('@techworkers/scrypt-wrapper') +module.exports = (sequelize, DataTypes) => { + class User extends Model { + static async authenticated(name, password) { + const user = await User.findOne({ where: { name } }) + if (!user) return null + if (await verify(user.password, password)) return user + else return null + } + } + User.init( + { + name: DataTypes.STRING, + password: { + type: DataTypes.STRING, + set(password) { + if (!password) throw `invalid password <${password}>` + this.setDataValue('password', hashSync(password)) + // We need to generate the hash ^^^ value synchronously here + }, + }, + }, + { + sequelize, + tableName: 'Users', + modelName: 'User', + underscored: true, + }, + ) + return User +} + +// Creating a user +const user = await User.create({name: 'user', password: 'monkey'}) +// Validating them +const reFetchedUser = await User.authenticated('user', 'monkey') +``` + +## Tests + +Run tests with `yarn test`. \ No newline at end of file diff --git a/index.js b/index.js new file mode 100644 index 0000000..8a2d2bf --- /dev/null +++ b/index.js @@ -0,0 +1,224 @@ +/** + * Helpers to make using node's built-in scrypt implementation more + * straightforward to use and testable + * + * See + * + * + */ +const { scrypt, scryptSync, timingSafeEqual, randomBytes } = require('node:crypto') + +/// Node recommends at least 16 at time of writing. 24 is more than that and +// also will result in a base64 string which doesn't contain padding, which is +// always nice. +const DEFAULT_SALT_LENGTH = 24 + +// Node defaults to 16384 (1 << 14) +const DEFAULT_COST = 14 + +// Not really sure why this is the value everyone is using. +const DEFAULT_KEY_LENGTH = 64 + +/** + * @class + * @extends {Error} + * @classdesc An error thrown when there was a problem encountered while parsing a serialized hash + * @property {?Exception} cause An exception which was thrown while parsing this string. + * @property {any} malformedString + */ +class ParseError extends Error { + /** + * @param {any} malformedString - The string which could not be parsed + * @param {?Exception} cause - An error which was raised while trying to parse the string + */ + constructor(malformedString, cause) { + super(`error parsing ${malformedString}, expected hash encoded by @techworkers/scrypt-wrapper`) + this.cause = cause + this.malformedString = malformedString + } +} + +/** + * @class + * @extends {Error} + * @classdesc An Error thrown when the given options value passed to hash() or hashSync() is invalid + * @property {HashOptions} options The options passed to hash() or hashSync() + */ +class InvalidOptions extends Error { + /** + * + * @param {HashOptions} options The options which were received that are invalid + */ + constructor(options) { + super(`invalid options were received:\n\tcost: ${options.cost}\n\tkeyLength: ${options.keyLength}\n\tsaltLength: ${options.saltLength}`) + this.options = options + } + + /** + * Check that the given options are actually what they're expected to be + * @param {HashOptions} options + * @param {?function} reject A function called with the error rather than it being thrown + */ + static validateOptions(options, reject) { + const {cost, keyLength, saltLength} = options + // Cost validation + if ( + !(typeof cost === 'number' || cost instanceof Number) + || cost < 13 + || !Number.isInteger(cost) + ) { + const err = new InvalidOptions(options) + if(reject) reject(err) + else throw err + } + // keyLength validation + if ( + !(typeof keyLength === 'number' || keyLength instanceof Number) + || !Number.isInteger(keyLength) + ) { + const err = new InvalidOptions(options) + if(reject) reject(err) + else throw err + } + // saltLength validation + if ( + !(typeof saltLength === 'number' || saltLength instanceof Number) + || saltLength < 16 /* (recommended minimum) */ + || !Number.isInteger(saltLength) + ) { + const err = new InvalidOptions(options) + if(reject) reject(err) + else throw err + } + } +} + +/** + * @typedef HashOptions the optional values which may be passed to hash() and hashSync() + * @property {number} cost the number of bits to shift 1 to to get the cost value. Defaults to 14 + * @property {number} keyLength how long the generated hash should be. Defaults to 64. + * @property {number} saltLength the number of random bytes to use as a salt. Defaults to 24. + */ + +/** + * Generate an scrypt hash for the given password. The resulting string is as + * follows: + * - The base-16 cost value + * - a dot ('.') + * - the URL-safe base64-encoded salt + * - a dot ('.') + * - the URL-safe base64-encoded derived hash + * + * @param {string} password the plain-text password + * @param {?HashOptions} options optional settings + * @throws {InvalidOptions} if the options aren't within the expected constraints + * @returns {Promise} + */ +function hash(password, options) { + const cost = options?.cost ?? DEFAULT_COST + const keyLength = options?.keyLength ?? DEFAULT_KEY_LENGTH + const saltLength = options?.saltLength ?? DEFAULT_SALT_LENGTH + const salt = randomBytes(saltLength) + const $cost = 1 << cost + return new Promise((resolve, reject) => { + InvalidOptions.validateOptions({cost, keyLength, saltLength}, reject) + let $hash = cost.toString(16) + '.' + $hash += salt.toString('base64url') + '.' + scrypt(password.normalize(), salt, keyLength, { cost: $cost }, (err, key) => { + if (err) reject(err) + else resolve($hash + key.toString('base64url')) + }) + }) +} + +/** + * Like the above hash() function but synchronous. + * + * @param {string} password the plain-text password + * @param {?HashOptions} options optional settings + * @throws {InvalidOptions} if the options aren't within the expected constraints + * @returns {Promise} + */ +function hashSync(password, options) { + const cost = options?.cost ?? DEFAULT_COST + const keyLength = options?.keyLength ?? DEFAULT_KEY_LENGTH + const saltLength = options?.saltLength ?? DEFAULT_SALT_LENGTH + InvalidOptions.validateOptions({cost, keyLength, saltLength}) + const salt = randomBytes(saltLength) + const $cost = 1 << cost + let $hash = cost.toString(16) + '.' + $hash += salt.toString('base64url') + '.' + return $hash + scryptSync(password.normalize(), salt, keyLength, { cost: $cost }).toString('base64url') +} + +/** + * Verify that the given plaintext password derives the given hash. The hash is + * expected to be in the format as encoded by the above hash() function, which + * also encodes the cost and salt used to create it. + * + * @param {string} derivedHash The hash as derived and encoded by the above + * hash() function + * @param {string} password The plaintext password to compare + * @async + * @returns {Promise} whether the password matches + */ +function verify(derivedHash, password) { + return new Promise((resolve, reject) => { + var $cost, $salt, $key + try { + [$cost, $salt, $key] = derivedHash.split('.') + } catch (e) { + return reject(new ParseError(derivedHash, e)) + } + if (!$cost || !$salt || !$key) { + return reject(new ParseError(derivedHash)) + } + var cost, salt, key + try { + cost = 1 << Number.parseInt($cost, 16) + salt = Buffer.from($salt, 'base64url') + key = Buffer.from($key, 'base64url') + } catch (e) { + return reject(new ParseError(derivedHash, e)) + } + scrypt(password.normalize(), salt, key.length, { cost }, (err, newKey) => { + if (err) reject(err) + else resolve(timingSafeEqual(key, newKey)) + }) + }) +} + +/** + * Like `verify()`, but synchronous. + * + * @param {string} derivedHash The hash as derived and encoded by the above + * hash() function + * @param {string} password The plaintext password to compare + * @throws {ParseError} when there's a problem parsing the given hash + * @returns {Promise} whether the password matches + */ +function verifySync(derivedHash, password) { + var $cost, $salt, $key + try { + [$cost, $salt, $key] = derivedHash.split('.') + } catch (e) { + throw new ParseError(derivedHash, e) + } + if (!$cost || !$salt || !$key) { + throw new ParseError(derivedHash) + } + var cost, salt, key + try { + cost = 1 << Number.parseInt($cost, 16) + salt = Buffer.from($salt, 'base64url') + key = Buffer.from($key, 'base64url') + } catch (e) { + throw new ParseError(derivedHash, e) + } + const newKey = scryptSync(password.normalize(), salt, key.length, { cost }) + return timingSafeEqual(key, newKey) +} + +module.exports = { + hash, hashSync, verify, verifySync, ParseError, InvalidOptions +} \ No newline at end of file diff --git a/package.json b/package.json new file mode 100644 index 0000000..2b778b7 --- /dev/null +++ b/package.json @@ -0,0 +1,18 @@ +{ + "name": "@techworkers/scrypt-wrapper", + "version": "1.0.0", + "description": "A thin wrapper around Node's stdlib crypto.scrypt function", + "main": "index.js", + "repository": "", + "author": "Tech Workers' Syndicate", + "license": "MPL-2.0", + "private": false, + "scripts": { + "test": "mocha" + }, + "devDependencies": { + "chai": "^4.3.8", + "chai-as-promised": "^7.1.1", + "mocha": "^10.2.0" + } +} diff --git a/shell.nix b/shell.nix new file mode 100644 index 0000000..203a0a9 --- /dev/null +++ b/shell.nix @@ -0,0 +1,10 @@ +# DEVELOPMENT shell environment +{ pkgs ? import {} }: + +pkgs.mkShell { + name = "NodeJS"; + nativeBuildInputs = with pkgs.buildPackages; [ + nodejs yarn + ]; +} + diff --git a/test/scrypt.test.js b/test/scrypt.test.js new file mode 100644 index 0000000..954ea39 --- /dev/null +++ b/test/scrypt.test.js @@ -0,0 +1,181 @@ +const chai = require('chai') +chai.use(require('chai-as-promised')) +chai.should() +const { expect } = chai +const scrypt = require('..') + +describe('hashing and verification', function () { + it('works', async function () { + const pass = 'b4dpa$s' + const derived = await scrypt.hash(pass) + const [cost, salt, key] = derived.split('.') + cost.should.eq('e') + salt.length.should.eq(32) + key.length.should.eq(86) + Buffer.from(key, 'base64url').length.should.eq(64) + scrypt.verify(derived, pass) + }) +}) +describe('hashSync() and sync verification', function () { + it('works', function () { + const pass = 'b4dpa$s' + const derived = scrypt.hashSync(pass) + const [cost, salt, key] = derived.split('.') + cost.should.eq('e') + salt.length.should.eq(32) + key.length.should.eq(86) + Buffer.from(key, 'base64url').length.should.eq(64) + scrypt.verifySync(derived, pass) + }) +}) + +describe('hash() error cases', function () { + it('throws an error when it receives an invalid cost value', async function () { + scrypt.hash('bad password', { cost: 2.3 }) + scrypt.hash('bad password', { cost: 2 /* too small */ }) + }) + it('throws an error when it receives an invalid keyLength value', async function () { + scrypt.hash('bad password', { keyLength: 2.3 }) + }) + it('throws an error when it receives an invalid saltLength value', async function () { + scrypt.hash('bad password', { saltLength: 2.3 }) + scrypt.hash('bad password', { saltLength: 15 /* too small */ }) + }) + it('throws an error when the password is not the right thing', function () { + scrypt.hash(undefined) + scrypt.hash(null) + scrypt.hash(123.4) + scrypt.hash(NaN) + scrypt.hash(['some', 'arbitrary', 'values']) + scrypt.hash({ some: 'arbitrary values' }) + scrypt.hash(Symbol('something else')) + scrypt.hash(() => "no, you can't do this either") + }) +}) + +describe('hashSync() error cases', function () { + it('throws an error when it receives an invalid cost value', async function () { + scrypt.hashSync.bind(undefined, 'bad password', { cost: 2.3 }).should.throw(scrypt.InvalidOptions) + scrypt.hashSync.bind(undefined, 'bad password', { cost: 2 /* too small */ }).should.throw(scrypt.InvalidOptions) + }) + it('throws an error when it receives an invalid keyLength value', async function () { + scrypt.hashSync.bind(undefined, 'bad password', { keyLength: 2.3 }).should.throw(scrypt.InvalidOptions) + }) + it('throws an error when it receives an invalid saltLength value', async function () { + scrypt.hashSync.bind(undefined, 'bad password', { saltLength: 2.3 }).should.throw(scrypt.InvalidOptions) + scrypt.hashSync.bind(undefined, 'bad password', { saltLength: 15 }).should.throw(scrypt.InvalidOptions) + }) + it('throws an error when the password is not the right thing', function () { + scrypt.hashSync.bind(undefined, undefined).should.throw() + scrypt.hashSync.bind(undefined, null).should.throw() + scrypt.hashSync.bind(undefined, 123.4).should.throw() + scrypt.hashSync.bind(undefined, NaN).should.throw() + scrypt.hashSync.bind(undefined, ['some', 'arbitrary', 'values']).should.throw() + scrypt.hashSync.bind(undefined, { some: 'arbitrary values' }).should.throw() + scrypt.hashSync.bind(undefined, Symbol('something else')).should.throw() + scrypt.hashSync.bind(undefined, () => "no, you can't do this either").should.throw() + }) +}) + +describe('verify() error cases', function () { + it('throws an error when the password is not the right thing', function () { + const validHash = 'e.WCu8zB9FHLhXaAf5Svn7NE4ySqB5X45X.ZLpxVwLz1816kmshqXHn12X_4_lZD_0Yl-27KSLLzdhXJ0Fr2huSD7BvoMlBMOMUQBKyKXPzhKI01_Ot-C_w8g' + scrypt.verify(validHash, undefined) + scrypt.verify(validHash, null) + scrypt.verify(validHash, 123.4) + scrypt.verify(validHash, NaN) + scrypt.verify(validHash, ['some', 'arbitrary', 'values']) + scrypt.verify(validHash, { some: 'arbitrary values' }) + scrypt.verify(validHash, Symbol('something else')) + scrypt.verify(validHash, () => "no, you can't do this either") + }) + it('throws an error when the hash is not the expected format', async function () { + const validHash = 'e.WCu8zB9FHLhXaAf5Svn7NE4ySqB5X45X.ZLpxVwLz1816kmshqXHn12X_4_lZD_0Yl-27KSLLzdhXJ0Fr2huSD7BvoMlBMOMUQBKyKXPzhKI01_Ot-C_w8g' + const hashParts = validHash.split('.') + async function checkThrows(value, cause) { + let thrown + try { + await scrypt.verify(value, 'bad password') + thrown = false + } catch (e) { + thrown = true + + expect(e.malformedString).to.eq(value) + if (cause) + expect(e.cause) + else + expect(e.cause) + } + + } + await checkThrows(undefined, TypeError) + await checkThrows(1234, TypeError) + await checkThrows(null, TypeError) + await checkThrows([1, 2, 3], TypeError) + scrypt.verify({ + // This is technically valid, why try to prevent it? 🤷 + split: () => hashParts + }, 'bad password') + await checkThrows({}, TypeError) + + await checkThrows(validHash.substring(1)) // No cost + // no salt + await checkThrows('e..' + hashParts[2]) + // no key + await checkThrows(hashParts[0] + '.' + hashParts[1]) + await checkThrows('...') + await checkThrows('') + }) +}) + +describe('verifySync() error cases', function () { + it('throws an error when the password is not the right thing', function () { + const validHash = 'e.WCu8zB9FHLhXaAf5Svn7NE4ySqB5X45X.ZLpxVwLz1816kmshqXHn12X_4_lZD_0Yl-27KSLLzdhXJ0Fr2huSD7BvoMlBMOMUQBKyKXPzhKI01_Ot-C_w8g' + scrypt.verifySync.bind(undefined, validHash, undefined).should.throw() + scrypt.verifySync.bind(undefined, validHash, null).should.throw() + scrypt.verifySync.bind(undefined, validHash, 123.4).should.throw() + scrypt.verifySync.bind(undefined, validHash, NaN).should.throw() + scrypt.verifySync.bind(undefined, validHash, ['some', 'arbitrary', 'values']).should.throw() + scrypt.verifySync.bind(undefined, validHash, { some: 'arbitrary values' }).should.throw() + scrypt.verifySync.bind(undefined, validHash, Symbol('something else')).should.throw() + scrypt.verifySync.bind(undefined, validHash, () => "no, you can't do this either").should.throw() + scrypt.verifySync.bind(undefined, validHash, Promise.resolve("no, you can't do this either")).should.throw() + }) + it('throws an error when the hash is not the expected format', function () { + const validHash = 'e.WCu8zB9FHLhXaAf5Svn7NE4ySqB5X45X.ZLpxVwLz1816kmshqXHn12X_4_lZD_0Yl-27KSLLzdhXJ0Fr2huSD7BvoMlBMOMUQBKyKXPzhKI01_Ot-C_w8g' + const hashParts = validHash.split('.') + function checkThrows(value, cause) { + let thrown + try { + scrypt.verifySync(value, 'bad password') + thrown = false + } catch (e) { + thrown = true + + expect(e.malformedString).to.eq(value) + if (cause) + expect(e.cause) + else + expect(e.cause) + } + + } + checkThrows(undefined, TypeError) + checkThrows(1234, TypeError) + checkThrows(null, TypeError) + checkThrows([1, 2, 3], TypeError) + scrypt.verify({ + // This is 