Description
This is one I can't explain too well. I have two guesses: it is a bug, or it was not marked as deprecated in the types. Here is my testing:
```javascript
import { generateRandomString } from "@oslojs/crypto/random";

// The alphabet was not shown in the report; assumed value, consistent with the sample salt below.
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_";

// 16-character salt; the reader fills each buffer from the WebCrypto CSPRNG (Node's global `crypto`).
const salt = generateRandomString(
  {
    read(bytes) {
      crypto.getRandomValues(bytes);
    },
  },
  alphabet,
  16,
);
```
This creates a salt using generateRandomString from @oslojs/crypto/random.
It then uses hash from @node-rs/argon2:
```javascript
import { hash } from "@node-rs/argon2";

const password = "testtest"; // value used in the test output below

// The salt generated above is passed in as raw bytes via the `salt` option.
const passwordHash = await hash(password, {
  memoryCost: 19456,
  timeCost: 2,
  outputLen: 32,
  parallelism: 1,
  salt: Buffer.from(salt),
});
```
```text
password: testtest
salt: ojq_1kIXDG5zpGx0
salt buffer: <Buffer 6f 6a 71 5f 31 6b 49 58 44 47 35 7a 70 47 78 30>
hash: $argon2id$v=19$m=19456,t=2,p=1$ZgWgG5c6yUxJWjp3QSRMmw$JJmgej/ScGPbq+RozS2zKyWZLMZixL3MV1JVsu03WI4
```
According to the types, salt is a correct property of Options, and is NOT marked as deprecated.
I then use the verify function from the same package, giving it the same password and the hash created earlier, BUT I modify the salt being passed.
```javascript
import { verify } from "@node-rs/argon2";

// Stand-in for the stored user record, using the values from the test output below.
const existingUser = {
  passwordHash:
    "$argon2id$v=19$m=19456,t=2,p=1$ZgWgG5c6yUxJWjp3QSRMmw$JJmgej/ScGPbq+RozS2zKyWZLMZixL3MV1JVsu03WI4",
  salt: "This has been set and should not match anything", // deliberately wrong salt
};
const password = "testtest";

const validPassword = await verify(existingUser.passwordHash, password, {
  memoryCost: 19456,
  timeCost: 2,
  outputLen: 32,
  parallelism: 1,
  salt: Buffer.from(existingUser.salt),
});
```
```text
hash: $argon2id$v=19$m=19456,t=2,p=1$ZgWgG5c6yUxJWjp3QSRMmw$JJmgej/ScGPbq+RozS2zKyWZLMZixL3MV1JVsu03WI4
password: testtest
salt: "This has been set and should not match anything"
salt buffer: <Buffer 54 68 69 73 20 68 61 73 20 62 65 65 6e 20 73 65 74 20 61 6e 64 20 73 68 6f 75 6c 64 20 6e 6f 74 20 6d 61 74 63 68 20 61 6e 79 74 68 69 6e 67>
validPassword = true
```
This shows that the verify function, which verifies the password against the hashed password, still passes with a completely different salt input.
Back to the fact that I said it was not marked as deprecated: nowhere in the documentation or the types does it say this. It also returns no error. However, using the secret prop instead of the salt prop now properly fails the verify function when the fake salt is given.
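As an added example (not code from this issue or from @node-rs/argon2), the script below parses the PHC-format string printed above and shows where verify gets its inputs from: the function id, version, m/t/p parameters and the salt are all carried inside the string, so a `salt` option handed to verify has nothing to override. Decoding the salt field of the printed hash (`ZgWgG5c6yUxJWjp3QSRMmw`) also gives bytes that differ from the printed salt buffer (whose base64 would be `b2pxXzFrSVhERzV6cEd4MA`), so the stored string does not contain the salt that was passed to hash. Everything here is plain Node.js with no native dependency: the REPORTED_* constants are copied from the output above, WEAK_HASH is a constructed string with lowered parameters, POLICY holds assumed values matching the options used in the report, and guardedVerify is a hypothetical wrapper that takes the library's verify function as a parameter so the parameter and salt checks run before any argon2 work.

```javascript
// Values copied from the report above.
const REPORTED_HASH =
  "$argon2id$v=19$m=19456,t=2,p=1$ZgWgG5c6yUxJWjp3QSRMmw$JJmgej/ScGPbq+RozS2zKyWZLMZixL3MV1JVsu03WI4";
const REPORTED_SALT = Buffer.from("ojq_1kIXDG5zpGx0");

// Constructed for illustration: same salt and digest as above, but weaker m and t.
const WEAK_HASH =
  "$argon2id$v=19$m=1024,t=1,p=1$ZgWgG5c6yUxJWjp3QSRMmw$JJmgej/ScGPbq+RozS2zKyWZLMZixL3MV1JVsu03WI4";

// Parse "$<id>$v=<n>$m=..,t=..,p=..$<salt-b64>$<hash-b64>" (base64 without padding) into fields.
function parsePhc(phc) {
  const parts = phc.split("$");
  if (parts.length !== 6 || parts[0] !== "") {
    throw new Error("not a PHC-formatted argon2 string");
  }
  const [, id, versionField, paramField, saltB64, hashB64] = parts;
  if (!/^argon2(id|i|d)$/.test(id)) throw new Error(`unsupported function id: ${id}`);
  const version = /^v=(\d+)$/.exec(versionField);
  if (!version) throw new Error("missing version field");
  const params = {};
  for (const kv of paramField.split(",")) {
    const [k, v] = kv.split("=");
    if (!/^\d+$/.test(v ?? "")) throw new Error(`bad parameter: ${kv}`);
    params[k] = Number(v);
  }
  return {
    id,
    version: Number(version[1]),
    params, // { m, t, p }
    salt: Buffer.from(saltB64, "base64"), // Node tolerates the missing '=' padding
    hash: Buffer.from(hashB64, "base64"),
  };
}

// Assumed policy for stored hashes, chosen to match the options used in the report.
const POLICY = { id: "argon2id", version: 19, m: 19456, t: 2, p: 1, saltLen: 16, hashLen: 32 };

// verify() reads id, version, m, t, p and the salt from the string, so a stored hash with
// downgraded parameters would verify just as happily; this is where those values get checked.
function checkStoredHash(phc, policy = POLICY) {
  const h = parsePhc(phc);
  const problems = [];
  if (h.id !== policy.id) problems.push(`function ${h.id}, want ${policy.id}`);
  if (h.version !== policy.version) problems.push(`version ${h.version}, want ${policy.version}`);
  if (h.params.m < policy.m) problems.push(`m=${h.params.m} below ${policy.m}`);
  if (h.params.t < policy.t) problems.push(`t=${h.params.t} below ${policy.t}`);
  if (h.params.p !== policy.p) problems.push(`p=${h.params.p}, want ${policy.p}`);
  if (h.salt.length < policy.saltLen) problems.push(`salt is ${h.salt.length} bytes, want >= ${policy.saltLen}`);
  if (h.hash.length !== policy.hashLen) problems.push(`hash is ${h.hash.length} bytes, want ${policy.hashLen}`);
  return problems;
}

// Does the salt embedded in the string equal the salt the caller believes was used?
// The salt is not secret, so a plain byte comparison is sufficient here.
function embeddedSaltMatches(phc, expectedSalt) {
  return parsePhc(phc).salt.equals(expectedSalt);
}

// Hypothetical wrapper around a verify(hash, password) function such as @node-rs/argon2's.
// Rejects the stored hash before any argon2 work if it violates POLICY or carries a salt
// other than the one on record; no `salt` option is passed because the string supplies it.
async function guardedVerify(verifyFn, phc, password, expectedSalt) {
  const problems = checkStoredHash(phc);
  if (expectedSalt !== undefined && !embeddedSaltMatches(phc, expectedSalt)) {
    problems.push("embedded salt differs from the salt on record");
  }
  if (problems.length > 0) return { ok: false, problems };
  return { ok: await verifyFn(phc, password), problems: [] };
}

// Demo run over the report's values.
console.log("parsed:", parsePhc(REPORTED_HASH));
console.log("policy problems (reported hash):", checkStoredHash(REPORTED_HASH));
console.log("policy problems (weak hash):", checkStoredHash(WEAK_HASH));
console.log("embedded salt == reported salt buffer:", embeddedSaltMatches(REPORTED_HASH, REPORTED_SALT));
```

Run with any current Node.js; nothing here touches the native module. The parse step is the useful part to keep in production code: a hash row rewritten with `m=1024,t=1` would still verify, and a salt that never made it into the stored string cannot be checked after the fact except by decoding that string.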