Documentation
¶
Overview ¶
Package auth holds akari-server's credential primitives: argon2id password hashing, opaque token and id generation, and token hashing. It is pure crypto with no storage or HTTP dependencies.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ErrInvalidHash = errors.New("invalid password hash format")
ErrInvalidHash is returned when a stored password hash cannot be parsed.
Functions ¶
func HashPassword ¶
HashPassword returns a PHC-encoded argon2id hash with a fresh random salt.
func HashToken ¶
HashToken returns the hex sha256 of a presented secret. Only hashes are stored, so a database read never exposes a usable token.
func NewPublicID ¶
NewPublicID returns an unguessable, URL-safe id for a published session (144 bits of entropy). Unlike a token it is stored in the clear: it is a capability URL, so possession of the link is what grants logged-out read access.
func NewToken ¶
NewToken returns a new opaque secret (URL-safe, 256 bits of entropy) suitable for an API token, invite token, or session cookie id.
func VerifyPassword ¶
VerifyPassword reports whether password matches the PHC-encoded hash, using the parameters and salt embedded in the hash. The comparison is constant-time.
Types ¶
This section is empty.