feat: add password hash

saenyakorn · saenyakorn · commit 985e1cfacd09 · 2025-05-27T19:08:53.000+07:00
diff --git a/packages/core/src/auth/handlers/index.ts b/packages/core/src/auth/handlers/index.ts
@@ -10,10 +10,8 @@ import type { AuthConfig } from '..'
 export function createAuthHandlers<TAuthConfig extends AuthConfig>(config: TAuthConfig) {
   const handlers = {
     //  No authentication required
-    signUp: signUp({
-      autoLogin: config.emailAndPassword?.signUp?.autoLogin ?? true,
-    }),
-    loginEmail: loginEmail({}),
+    signUp: signUp(config),
+    loginEmail: loginEmail(config),
     signOut: signOut({}),
     resetPasswordEmail: resetPasswordEmail({}),
     forgotPasswordEmail: forgotPasswordEmail({}),
diff --git a/packages/core/src/auth/handlers/login-email.ts b/packages/core/src/auth/handlers/login-email.ts
@@ -1,15 +1,12 @@
 import z from 'zod'
 
 import { type ApiRouteHandler, type ApiRouteSchema, createEndpoint } from '../../endpoint'
+import type { AuthConfig } from '..'
 import { AccountProvider } from '../constant'
 import { type AuthContext } from '../context'
-import { setSessionCookie } from '../utils'
+import { setSessionCookie, verifyPassword } from '../utils'
 
-interface InternalRouteOptions {
-  prefix?: string
-}
-
-export function loginEmail<const TOptions extends InternalRouteOptions>(options: TOptions) {
+export function loginEmail<const TOptions extends AuthConfig>(options: TOptions) {
   const schema = {
     method: 'POST',
     path: '/api/auth/login-email',
@@ -36,9 +33,8 @@ export function loginEmail<const TOptions extends InternalRouteOptions>(options:
       AccountProvider.CREDENTIAL
     )
 
-    // TODO: Hash password and compare
-    const hashPassword = account.password
-    if (account.password !== hashPassword) {
+    const verifyStatus = await verifyPassword(args.body.password, account.password as string)
+    if (!verifyStatus) {
       throw new Error('Invalid password')
     }
 
diff --git a/packages/core/src/auth/handlers/sign-up.ts b/packages/core/src/auth/handlers/sign-up.ts
@@ -1,15 +1,12 @@
 import z from 'zod'
 
 import { type ApiRouteHandler, type ApiRouteSchema, createEndpoint } from '../../endpoint'
+import type { AuthConfig } from '..'
 import { AccountProvider } from '../constant'
 import { type AuthContext } from '../context'
-import { setSessionCookie } from '../utils'
+import { hashPassword, setSessionCookie } from '../utils'
 
-interface InternalRouteOptions {
-  autoLogin?: boolean
-}
-
-export function signUp<const TOptions extends InternalRouteOptions>(options: TOptions) {
+export function signUp<const TOptions extends AuthConfig>(options: TOptions) {
   const schema = {
     method: 'POST',
     path: '/api/auth/sign-up',
@@ -34,7 +31,9 @@ export function signUp<const TOptions extends InternalRouteOptions>(options: TOp
   } as const satisfies ApiRouteSchema
 
   const handler: ApiRouteHandler<AuthContext, typeof schema> = async (args) => {
-    const hasedPassword = args.body.password // TODO: hash password
+    const hasedPassword =
+      (await options.emailAndPassword?.passwordHasher?.(args.body.password)) ??
+      (await hashPassword(args.body.password))
 
     const user = await args.context.internalHandlers.user.create({
       name: args.body.name,
@@ -60,7 +59,7 @@ export function signUp<const TOptions extends InternalRouteOptions>(options: TOp
     })
 
     const responseHeaders = {}
-    if (options.autoLogin) {
+    if (options.emailAndPassword?.signUp?.autoLogin !== false) {
       // Set session cookie if auto login is enabled
       setSessionCookie(responseHeaders, session.token)
     }
diff --git a/packages/core/src/auth/index.ts b/packages/core/src/auth/index.ts
@@ -73,6 +73,7 @@ export interface AuthConfig {
   }
   emailAndPassword?: {
     enabled: boolean
+    passwordHasher?: (password: string) => Promise<string> // default: bcrypt
     signUp?: {
       autoLogin?: boolean // default: true
       additionalFields?: Fields<any>
diff --git a/packages/core/src/auth/utils.ts b/packages/core/src/auth/utils.ts
@@ -1,4 +1,8 @@
 import { parse as parseCookies, serialize } from 'cookie-es'
+import crypto, { randomBytes } from 'crypto'
+import { promisify } from 'util'
+
+const scrypt = promisify(crypto.scrypt)
 
 function setCookie(
   headers: Record<string, string> | undefined,
@@ -30,3 +34,16 @@ export function setSessionCookie(headers: Record<string, string> | undefined, va
 export function deleteSessionCookie(headers?: Record<string, string>) {
   deleteCookie(headers, SESSION_COOKIE_NAME)
 }
+
+export async function hashPassword(password: string): Promise<string> {
+  const salt = randomBytes(8).toString('hex')
+  const derivedKey = await scrypt(password, salt, 64)
+  return salt + ':' + (derivedKey as Buffer).toString('hex')
+}
+
+export async function verifyPassword(password: string, hashedPassword: string): Promise<boolean> {
+  const [salt, key] = hashedPassword.split(':')
+  const keyBuffer = Buffer.from(key, 'hex')
+  const derivedKey = await scrypt(password, salt, 64)
+  return crypto.timingSafeEqual(keyBuffer, derivedKey as any)
+}

Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,7 @@ export interface AuthConfig {`
`73`	`73`	`}`
`74`	`74`	`emailAndPassword?: {`
`75`	`75`	`enabled: boolean`
	`76`	`+ passwordHasher?: (password: string) => Promise<string> // default: bcrypt`
`76`	`77`	`signUp?: {`
`77`	`78`	`autoLogin?: boolean // default: true`
`78`	`79`	`additionalFields?: Fields<any>`