Implement Phase 2: password auth (Argon2id + bearer tokens)
- Argon2id password hashing and verification with configurable params - Bearer token generation (32-byte random), SHA-256 hashed storage, TTL-based expiry - User creation and authentication helpers - auth_tokens table added to migrations - 6 tests: hash/verify, wrong password, create/auth user, token create/validate, token expiry Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
77
internal/auth/argon2.go
Normal file
77
internal/auth/argon2.go
Normal file
@@ -0,0 +1,77 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"crypto/subtle"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"golang.org/x/crypto/argon2"
|
||||
)
|
||||
|
||||
type Argon2Params struct {
|
||||
Memory uint32
|
||||
Time uint32
|
||||
Threads uint8
|
||||
}
|
||||
|
||||
var DefaultParams = Argon2Params{
|
||||
Memory: 65536,
|
||||
Time: 3,
|
||||
Threads: 4,
|
||||
}
|
||||
|
||||
const saltLen = 16
|
||||
const keyLen = 32
|
||||
|
||||
// HashPassword generates an Argon2id hash string.
|
||||
func HashPassword(password string, params Argon2Params) (string, error) {
|
||||
salt := make([]byte, saltLen)
|
||||
if _, err := rand.Read(salt); err != nil {
|
||||
return "", fmt.Errorf("generate salt: %w", err)
|
||||
}
|
||||
|
||||
key := argon2.IDKey([]byte(password), salt, params.Time, params.Memory, params.Threads, keyLen)
|
||||
|
||||
return fmt.Sprintf("$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s",
|
||||
argon2.Version,
|
||||
params.Memory, params.Time, params.Threads,
|
||||
base64.RawStdEncoding.EncodeToString(salt),
|
||||
base64.RawStdEncoding.EncodeToString(key),
|
||||
), nil
|
||||
}
|
||||
|
||||
// VerifyPassword checks a password against an Argon2id hash string.
|
||||
func VerifyPassword(password, hash string) (bool, error) {
|
||||
parts := strings.Split(hash, "$")
|
||||
if len(parts) != 6 || parts[1] != "argon2id" {
|
||||
return false, fmt.Errorf("invalid hash format")
|
||||
}
|
||||
|
||||
var v int
|
||||
if _, err := fmt.Sscanf(parts[2], "v=%d", &v); err != nil {
|
||||
return false, fmt.Errorf("parse version: %w", err)
|
||||
}
|
||||
|
||||
var memory uint32
|
||||
var time uint32
|
||||
var threads uint8
|
||||
if _, err := fmt.Sscanf(parts[3], "m=%d,t=%d,p=%d", &memory, &time, &threads); err != nil {
|
||||
return false, fmt.Errorf("parse params: %w", err)
|
||||
}
|
||||
|
||||
salt, err := base64.RawStdEncoding.DecodeString(parts[4])
|
||||
if err != nil {
|
||||
return false, fmt.Errorf("decode salt: %w", err)
|
||||
}
|
||||
|
||||
expectedKey, err := base64.RawStdEncoding.DecodeString(parts[5])
|
||||
if err != nil {
|
||||
return false, fmt.Errorf("decode key: %w", err)
|
||||
}
|
||||
|
||||
key := argon2.IDKey([]byte(password), salt, time, memory, threads, uint32(len(expectedKey)))
|
||||
|
||||
return subtle.ConstantTimeCompare(key, expectedKey) == 1, nil
|
||||
}
|
||||
Reference in New Issue
Block a user