feat(password): allow custom hasing methods for password

README.md

@@ -175,6 +175,10 @@ Sets a custom method for generating random session IDs.
 
 Sets a custom method for generating random email verification codes.
 
+##### `setPasswordHashingMethods(fn: () => string)`
+
+Sets a custom method for generating random email verification codes.
+
 ##### `getSession(sessionId: string)`
 
 Fetches a session by its session ID.

src/runtime/core/core.ts

@@ -1,15 +1,14 @@
 import { createChecker, type supportedConnectors } from "drizzle-schema-checker";
 import { getOAuthAccountsTableSchema, getSessionsTableSchema, getUsersTableSchema, getEmailVerificationCodesTableSchema } from "../database/lib/sqlite/schema.sqlite";
 import { drizzle as drizzleIntegration } from "db0/integrations/drizzle/index";
-import type { ICreateOrLoginParams, ICreateUserParams, ILoginUserParams, ISlipAuthCoreOptions, SchemasMockValue, SlipAuthUser, tableNames } from "./types";
+import type { ICreateOrLoginParams, ICreateUserParams, ILoginUserParams, IPasswordHashingMethods, ISlipAuthCoreOptions, SchemasMockValue, SlipAuthUser, tableNames } from "./types";
 import { createSlipHooks } from "./hooks";
 import { UsersRepository } from "./repositories/UsersRepository";
 import { SessionsRepository } from "./repositories/SessionsRepository";
 import { OAuthAccountsRepository } from "./repositories/OAuthAccountsRepository";
 import { EmailVerificationCodesRepository } from "./repositories/EmailVerificationCodesRepository";
 import type { SlipAuthPublicSession } from "../types";
-import { defaultIdGenerationMethod, isValidEmail, defaultEmailVerificationCodeGenerationMethod } from "./email-and-password-utils";
-import { hashPassword, verifyPassword } from "./password";
+import { defaultIdGenerationMethod, isValidEmail, defaultEmailVerificationCodeGenerationMethod, defaultHashPasswordMethod, defaultVerifyPasswordMethod } from "./email-and-password-utils";
 import { InvalidEmailOrPasswordError, UnhandledError } from "./errors/SlipAuthError.js";
 import type { Database } from "db0";
 import { isWithinExpirationDate } from "oslo";
@@ -30,6 +29,8 @@ export class SlipAuthCore {
   #createRandomSessionId: () => string;
   #createRandomEmailVerificationCode: () => string;
 
+  #passwordHashingMethods: IPasswordHashingMethods;
+
   readonly schemas: SchemasMockValue;
   readonly hooks = createSlipHooks();
 
@@ -62,6 +63,11 @@ export class SlipAuthCore {
     this.#createRandomUserId = defaultIdGenerationMethod;
 
     this.#createRandomEmailVerificationCode = defaultEmailVerificationCodeGenerationMethod;
+
+    this.#passwordHashingMethods = {
+      hash: defaultHashPasswordMethod,
+      verify: defaultVerifyPasswordMethod,
+    };
   }
 
   public checkDbAndTables(dialect: supportedConnectors) {
@@ -105,7 +111,7 @@ export class SlipAuthCore {
       throw new InvalidEmailOrPasswordError("no password oauth user");
     }
 
-    const validPassword = await verifyPassword(existingUser.password, password);
+    const validPassword = await this.#passwordHashingMethods.verify(existingUser.password, password);
     if (!validPassword) {
       throw new InvalidEmailOrPasswordError("login invalid password");
     }
@@ -131,7 +137,7 @@ export class SlipAuthCore {
     }
 
     const userId = this.#createRandomUserId();
-    const passwordHash = await hashPassword(password);
+    const passwordHash = await this.#passwordHashingMethods.hash(password);
 
     try {
       const user = await this.#repos.users.insert(userId, email, passwordHash);
@@ -254,6 +260,11 @@ export class SlipAuthCore {
     this.#createRandomEmailVerificationCode = fn;
   }
 
+  public setPasswordHashingMethods(fn: () => IPasswordHashingMethods) {
+    const methods = fn();
+    this.#passwordHashingMethods = methods;
+  }
+
   public getSession(sessionId: string) {
     return this.#repos.sessions.findById(sessionId);
   }

src/runtime/core/email-and-password-utils.ts

@@ -1,7 +1,9 @@
 import { generateRandomString, alphabet } from "oslo/crypto";
+import type { Options as ArgonOptions } from "@node-rs/argon2";
+import { hash, verify } from "@node-rs/argon2";
 
 /**
   https://thecopenhagenbook.com/email-verification#input-validation
 
   Input validation
   Emails are complex and cannot be fully validated using Regex. Attempting to use Regex may also introduce ReDoS vulnerabilities. Do not over-complicate it:
@@ -20,3 +22,20 @@
 export const defaultIdGenerationMethod = () => generateRandomString(15, alphabet("a-z", "A-Z", "0-9"));
 
 export const defaultEmailVerificationCodeGenerationMethod = () => generateRandomString(6, alphabet("0-9", "A-Z"));
+
+const hashOptions: ArgonOptions = {
+  // recommended minimum parameters
+  memoryCost: 19456,
+  timeCost: 2,
+  outputLen: 32,
+  parallelism: 1,
+};
+
+// https://thecopenhagenbook.com/password-authentication#argon2id
+export async function defaultHashPasswordMethod(rawPassword: string): Promise<string> {
+  return await hash(rawPassword, hashOptions);
+};
+
+export async function defaultVerifyPasswordMethod(sourceHashedPassword: string, rawPassword: string): Promise<boolean> {
+  return verify(sourceHashedPassword, rawPassword, hashOptions);
+};

src/runtime/core/types.ts

@@ -47,6 +47,11 @@ export type SlipAuthOAuthAccount = ReturnType<typeof getOAuthAccountsTableSchema
 export type EmailVerificationCodeTableInsert = ReturnType<typeof getEmailVerificationCodesTableSchema>["$inferInsert"];
 export type SlipAuthEmailVerificationCode = ReturnType<typeof getEmailVerificationCodesTableSchema>["$inferSelect"];
 
+export interface IPasswordHashingMethods {
+  hash: (rawPassword: string) => Promise<string>
+  verify: (sourceHashedPassword: string, rawPassword: string) => Promise<boolean>
+}
+
 export interface ISlipAuthCoreOptions {
   /**
    * {@link https://github.com/unjs/h3/blob/c04c458810e34eb15c1647e1369e7d7ef19f567d/src/utils/session.ts#L24}

tests/core-email-password.spec.ts

@@ -24,13 +24,14 @@ beforeEach(async () => {
 
 const defaultInsert = {
   email: "email@test.com",
-  password: "password",
+  password: "pa$$word",
 };
 
 const mocks = vi.hoisted(() => {
   return {
     userCreatedCount: 0,
     sessionCreatedCount: 0,
+    passwordCount: 0,
   };
 });
 
@@ -71,6 +72,21 @@ describe("SlipAuthCore", () => {
       mocks.sessionCreatedCount++;
       return `session-id-${mocks.sessionCreatedCount}`;
     });
+
+    function sanitizePassword(str: string) {
+      return str.replaceAll("$", "") + "$";
+    }
+    auth.setPasswordHashingMethods(() => ({
+      hash: async (password: string) => sanitizePassword(password) + mocks.passwordCount,
+      verify: async (sourceHashedPassword, rawPassword) => {
+        const salt = sourceHashedPassword.split("$").at(-1);
+        if (!salt) {
+          return false;
+        }
+        return sourceHashedPassword === sanitizePassword(rawPassword) + salt;
+      },
+    }),
+    );
   });
 
   describe("register", () => {