Argon2 hashing algorithm for NodeJS server model

Will it be ready for final release?

Will see if we can integrate it with something like:

Not sure if we will be able to pull it off for the release tough.

1 Like

Seems like that project is kind of outdated.


While the actual argon2 project and the node bindings have had recent commits.

I personally don’t mind waiting for a native integration with the “official” bindings as my actual project is still in development and I can always generate a hash and a salt. It is just preferable to use a well tested algorithm than trusting my home cooked one.

Question was just out of interest as I was very happy to see it integrated in PHP.

this project us just the php like wrapper - you can plugin any algorithm on it.
the function in PHP add a prefix to the hash string indicating the hash type. So this needs to be the same as in PHP

the Agron2 encoding by itself does not handle the encoding prefix that why we need a wrapper. In PHP it is build in the php functions.

1 Like

Thanks for the additional info! I understand know. I thought it was some kind of binding.

Would that mean that I have to add php to the server?

No it is just the structure of the hash prefix - you don’t need php at all

I am missing something then.

As per their docs:

node-php-password is a solution for every kind of webapp which has a user database with passwords hashed with PHP’s password_hash. Instead of starting from scratch, just use this package to get compatibility with PHP.

Is this to provide compatibility with projects that used PHP server model and already have a running db with php hashed passwords?

It is to make a function compatible with the PHP version. The password_hash function from PHP stores extra information with the hash, like the hashing algorithm used and the options for it. That way it is more future proof and it also has a handy function like password_needs_rehash to check if a password was stored with an old hashing algorithm and need to be rehashed. This logic is not directly in the Argon2 library, which is only the hashing algorithm.

Are you sure about this?

In the docs for this binding you can set the options to be used and the hash method will return that info.

You can see it here.

Also it implements a needsRehash helper.

Nonetheless if you guys think the wrapper is the best way to move forward I have nothing to say there.

I was just kind of confused as I already saw in the docs that the prefix with the timecost, memorycost and version was returned and a needs_rehash was available.

1 Like

Have read all documentation and found one big issue, they only have an async version. In the formatters I can’t use async, we require a sync version there.

1 Like

Would a callback function suffice? Or is it not about the method but about the actual synchronous nature of formatters?

If the former maybe you could use:

No, the formatters are actual synchronous and can’t be async. Action steps can be async with node.

1 Like

Any updates/timeline on this front?

1 Like

@patrick @George I don’t know how far you are with this but if it’s going to take too long it would be nice to have an alternative.

I believe that node crypto library implements a synchronous version of scrypt and while it’s not as recommended as argon2 it will always be better than any algorithm we cook ourselves in an SC file :slight_smile:

Then whenever argon2 is released for node it’s just a matter of validating the old password during next login, checking if hash starts with “$argon2” and if not encrypt password with argon2 and update hash for a clean transition.

That or refactoring formatters and SC to fully support async. Although I am assuming this is the ultimate goal in order to take advantage of this model at its fullest.

Also you could maybe build a new separate SC action to hash asynchronously. Hashing is one of the most intensive CPU tasks as you know so async pretty much a must here.

But while that happens sync versions of scrypt and bcrypt would be nice.

Just found this in case it’s useful for you guys. Never tried it though.

This is pretty low level adjusting the NodeJS core functionality so I don’t think we will use it.

Actually the whole async problem is just in the formatter functions.

So if we offer argon2 as a server action step, like assigning to a variable, instead of as a formatter, then it should be pretty easy to do!


Bumping this because I think it is important to have a good hashing and verifying algorithm for nodejs projects also.

It is bad business leaving users to create their own hashing logic.

1 Like

This is partly a reason why I haven’t yet switched some projects to nodejs.