bcrypt-ts

Optimized bcrypt written in typescript. Working in both Node.js and browser.

Heavily inspired by bcrypt.js.

Security considerations

Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power. (see)

While bcrypt-ts is compatible to the C++ bcrypt binding, it is providing pure JavaScript and thus slower about 30%, effectively reducing the number of iterations that can be processed in an equal time span.

The maximum input length is 72 bytes (note that UTF8 encoded characters use up to 4 bytes) and the length of generated hashes is 60 characters.

Highlights

• 0 dependencies, with ONLY 8KB Gzip size
• Written in typescript
• Provide tree-shakable ES module

Usage

Node.js

On Node.js, the inbuilt crypto module's randomBytes interface is used to obtain secure random numbers.

Browser

In the browser, bcrypt.js relies on Web Crypto API's getRandomValues interface to obtain secure random numbers. If no cryptographically secure source of randomness is available, the package will throw an error.

How to choose between them

• If you are using this package in pure Node.js environment, then you will probably use the node bundle.

• If you are using bundler like webpack and vite, then you will probably use the client bundle.

• If you meet any issues that a incorrect bundle is used, you can use bcrypt-ts/node and bcrypt-ts/client to force the correct bundle.

Usage - Sync

To hash a password:

1import { genSaltSync, hashSync } from "bcrypt-ts";
2
3const salt = genSaltSync(10);
4const hash = hashSync("B4c0//", salt);
5// Store hash in your password DB.

To check a password:

1import { compareSync } from "bcrypt-ts";
2
3// Load hash from your password DB.
4compareSync("B4c0//", hash); // true
5compareSync("not_bacon", hash); // false

Auto-gen a salt and hash at the same time:

1import { hashSync } from "bcrypt-ts";
2
3const hash = hashSync("bacon", 8);

Usage - Async

To hash a password:

1import { genSalt, hash } from "bcrypt-ts";
2
3genSalt(10)
4  .then((salt) => hash("B4c0//", salt))
5  .then((hash) => {
6    // Store hash in your password DB.
7  });

To check a password:

1import { compare } from "bcrypt-ts";
2
3// Load hash from your password DB.
4const hash = "xxxxxx";
5
6compare("B4c0//", hash).then((result) => {
7  // result is `true`
8});
9compare("not_bacon", hash).then((result) => {
10  // result is `false`
11});

Auto-gen a salt and hash:

1import { hash } from "bcrypt-ts";
2
3hash("bacon").then((hash) => {
4  // do something with hash
5});

Note: Under the hood, asynchronisation splits a crypto operation into small chunks. After the completion of a chunk, the execution of the next chunk is placed on the back of JS event loop queue, thus efficiently sharing the computational resources with the other operations in the queue.

API

1/**
2 * Synchronously tests a string against a hash.
3 *
4 * @param content String to compare
5 * @param hash Hash to test against
6 */
7export const compareSync: (content: string, hash: string) => boolean;
8/**
9 * Asynchronously compares the given data against the given hash.
10 *
11 * @param content Data to compare
12 * @param hash Data to be compared to
13 * @param progressCallback Callback successively called with the percentage of rounds completed
14 *  (0.0 - 1.0), maximally once per `MAX_EXECUTION_TIME = 100` ms.
15 */
16export const compare: (
17  content: string,
18  hash: string,
19  progressCallback?: ((percent: number) => void) | undefined
20) => Promise<boolean>;
21
22/**
23 * Synchronously generates a hash for the given string.
24 *
25 * @param contentString String to hash
26 * @param salt Salt length to generate or salt to use, default to 10
27 * @returns Resulting hash
28 */
29export const hashSync: (
30  contentString: string,
31  salt?: string | number
32) => string;
33/**
34 * Asynchronously generates a hash for the given string.
35 *
36 * @param contentString String to hash
37 * @param salt Salt length to generate or salt to use
38 * @param progressCallback Callback successively called with the percentage of rounds completed
39 *  (0.0 - 1.0), maximally once per `MAX_EXECUTION_TIME = 100` ms.
40 */
41export const hash: (
42  contentString: string,
43  salt: number | string,
44  progressCallback?: ((progress: number) => void) | undefined
45) => Promise<string>;
46
47/**
48 * Gets the number of rounds used to encrypt the specified hash.
49 *
50 * @param hash Hash to extract the used number of rounds from
51 * @returns Number of rounds used
52 * @throws {Error} If `hash` is not a string
53 */
54export const getRounds: (hash: string) => number;
55/**
56 * Gets the salt portion from a hash. Does not validate the hash.
57 *
58 * @param hash Hash to extract the salt from
59 * @returns Extracted salt part
60 * @throws {Error} If `hash` is not a string or otherwise invalid
61 */
62export const getSalt: (hash: string) => string;
63
64/**
65 * Synchronously generates a salt.
66 *
67 * @param rounds Number of rounds to use, defaults to 10 if omitted
68 * @returns Resulting salt
69 * @throws {Error} If a random fallback is required but not set
70 */
71export const genSaltSync: (rounds?: number) => string;
72/**
73 * Asynchronously generates a salt.
74 *
75 * @param rounds Number of rounds to use, defaults to 10 if omitted
76 */
77export const genSalt: (rounds?: number) => Promise<string>;

License

New-BSD / MIT (see)