55 lines
1.6 KiB
Python
55 lines
1.6 KiB
Python
"""Argon2 algorithm implementation."""
|
|
|
|
from __future__ import annotations
|
|
|
|
import base64
|
|
import binascii
|
|
|
|
from argon2 import PasswordHasher
|
|
from argon2.exceptions import VerifyMismatchError, InvalidHashError
|
|
|
|
|
|
class Argon2Algorithm:
|
|
"""Argon2id password hashing algorithm."""
|
|
|
|
identifier = "argon2"
|
|
|
|
def __init__(self):
|
|
"""Initialize with default Argon2 parameters."""
|
|
self._hasher = PasswordHasher()
|
|
|
|
def hash(self, password: str, **kwargs) -> tuple[str, str]:
|
|
"""Hash a password using Argon2id.
|
|
|
|
Note: Argon2 generates its own salt internally and returns
|
|
a complete hash string that includes the salt and parameters.
|
|
We return empty string for salt_b64 and the full hash as hash_b64.
|
|
"""
|
|
hash_string = self._hasher.hash(password)
|
|
# Return empty salt since Argon2 embeds salt in hash
|
|
return ("", base64.b64encode(hash_string.encode("utf-8")).decode("utf-8"))
|
|
|
|
def verify(
|
|
self,
|
|
password: str,
|
|
salt_b64: str,
|
|
hash_b64: str,
|
|
**kwargs,
|
|
) -> bool:
|
|
"""Verify a password against Argon2 hash.
|
|
|
|
Note: salt_b64 is ignored since Argon2 embeds salt in the hash.
|
|
"""
|
|
try:
|
|
hash_string = base64.b64decode(hash_b64, validate=True).decode("utf-8")
|
|
self._hasher.verify(hash_string, password)
|
|
return True
|
|
except (VerifyMismatchError, InvalidHashError, binascii.Error, ValueError, UnicodeDecodeError):
|
|
return False
|
|
|
|
|
|
from algorithms import register_algorithm
|
|
|
|
# Auto-register when module is imported
|
|
register_algorithm(Argon2Algorithm())
|