cli/pkg/crypt/hash.go

package crypt

import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"

	core "forge.lthn.ai/core/cli/pkg/framework/core"
	"golang.org/x/crypto/argon2"
	"golang.org/x/crypto/bcrypt"
)

// HashPassword hashes a password using Argon2id with default parameters.
// Returns a string in the format: $argon2id$v=19$m=65536,t=3,p=4$<base64salt>$<base64hash>
func HashPassword(password string) (string, error) {
	salt, err := generateSalt(argon2SaltLen)
	if err != nil {
		return "", core.E("crypt.HashPassword", "failed to generate salt", err)
	}

	hash := argon2.IDKey([]byte(password), salt, argon2Time, argon2Memory, argon2Parallelism, argon2KeyLen)

	b64Salt := base64.RawStdEncoding.EncodeToString(salt)
	b64Hash := base64.RawStdEncoding.EncodeToString(hash)

	encoded := fmt.Sprintf("$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s",
		argon2.Version, argon2Memory, argon2Time, argon2Parallelism,
		b64Salt, b64Hash)

	return encoded, nil
}

// VerifyPassword verifies a password against an Argon2id hash string.
// The hash must be in the format produced by HashPassword.
func VerifyPassword(password, hash string) (bool, error) {
	parts := strings.Split(hash, "$")
	if len(parts) != 6 {
		return false, core.E("crypt.VerifyPassword", "invalid hash format", nil)
	}

	var version int
	if _, err := fmt.Sscanf(parts[2], "v=%d", &version); err != nil {
		return false, core.E("crypt.VerifyPassword", "failed to parse version", err)
	}

	var memory uint32
	var time uint32
	var parallelism uint8
	if _, err := fmt.Sscanf(parts[3], "m=%d,t=%d,p=%d", &memory, &time, &parallelism); err != nil {
		return false, core.E("crypt.VerifyPassword", "failed to parse parameters", err)
	}

	salt, err := base64.RawStdEncoding.DecodeString(parts[4])
	if err != nil {
		return false, core.E("crypt.VerifyPassword", "failed to decode salt", err)
	}

	expectedHash, err := base64.RawStdEncoding.DecodeString(parts[5])
	if err != nil {
		return false, core.E("crypt.VerifyPassword", "failed to decode hash", err)
	}

	computedHash := argon2.IDKey([]byte(password), salt, time, memory, parallelism, uint32(len(expectedHash)))

	return subtle.ConstantTimeCompare(computedHash, expectedHash) == 1, nil
}

// HashBcrypt hashes a password using bcrypt with the given cost.
// Cost must be between bcrypt.MinCost and bcrypt.MaxCost.
func HashBcrypt(password string, cost int) (string, error) {
	hash, err := bcrypt.GenerateFromPassword([]byte(password), cost)
	if err != nil {
		return "", core.E("crypt.HashBcrypt", "failed to hash password", err)
	}
	return string(hash), nil
}

// VerifyBcrypt verifies a password against a bcrypt hash.
func VerifyBcrypt(password, hash string) (bool, error) {
	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
	if err == bcrypt.ErrMismatchedHashAndPassword {
		return false, nil
	}
	if err != nil {
		return false, core.E("crypt.VerifyBcrypt", "failed to verify password", err)
	}
	return true, nil
}
feat: infrastructure packages and lint cleanup (#281) * ci: consolidate duplicate workflows and merge CodeQL configs Remove 17 duplicate workflow files that were split copies of the combined originals. Each family (CI, CodeQL, Coverage, PR Build, Alpha Release) had the same job duplicated across separate push/pull_request/schedule/manual trigger files. Merge codeql.yml and codescan.yml into a single codeql.yml with a language matrix covering go, javascript-typescript, python, and actions — matching the previous default setup coverage. Remaining workflows (one per family): - ci.yml (push + PR + manual) - codeql.yml (push + PR + schedule, all languages) - coverage.yml (push + PR + manual) - alpha-release.yml (push + manual) - pr-build.yml (PR + manual) - release.yml (tag push) - agent-verify.yml, auto-label.yml, auto-project.yml Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * feat: add collect, config, crypt, plugin packages and fix all lint issues Add four new infrastructure packages with CLI commands: - pkg/config: layered configuration (defaults → file → env → flags) - pkg/crypt: crypto primitives (Argon2id, AES-GCM, ChaCha20, HMAC, checksums) - pkg/plugin: plugin system with GitHub-based install/update/remove - pkg/collect: collection subsystem (GitHub, BitcoinTalk, market, papers, excavate) Fix all golangci-lint issues across the entire codebase (~100 errcheck, staticcheck SA1012/SA1019/ST1005, unused, ineffassign fixes) so that `core go qa` passes with 0 issues. Closes #167, #168, #170, #250, #251, #252, #253, #254, #255, #256 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-04 11:34:43 +00:00			`package crypt`

			`import (`
			`"crypto/subtle"`
			`"encoding/base64"`
			`"fmt"`
			`"strings"`

refactor: rename module from github.com/host-uk/core to forge.lthn.ai/core/cli Move module identity to our own Forgejo instance. All import paths updated across 434 Go files, sub-module go.mod files, and go.work. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 00:30:41 +00:00			`core "forge.lthn.ai/core/cli/pkg/framework/core"`
feat: infrastructure packages and lint cleanup (#281) * ci: consolidate duplicate workflows and merge CodeQL configs Remove 17 duplicate workflow files that were split copies of the combined originals. Each family (CI, CodeQL, Coverage, PR Build, Alpha Release) had the same job duplicated across separate push/pull_request/schedule/manual trigger files. Merge codeql.yml and codescan.yml into a single codeql.yml with a language matrix covering go, javascript-typescript, python, and actions — matching the previous default setup coverage. Remaining workflows (one per family): - ci.yml (push + PR + manual) - codeql.yml (push + PR + schedule, all languages) - coverage.yml (push + PR + manual) - alpha-release.yml (push + manual) - pr-build.yml (PR + manual) - release.yml (tag push) - agent-verify.yml, auto-label.yml, auto-project.yml Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * feat: add collect, config, crypt, plugin packages and fix all lint issues Add four new infrastructure packages with CLI commands: - pkg/config: layered configuration (defaults → file → env → flags) - pkg/crypt: crypto primitives (Argon2id, AES-GCM, ChaCha20, HMAC, checksums) - pkg/plugin: plugin system with GitHub-based install/update/remove - pkg/collect: collection subsystem (GitHub, BitcoinTalk, market, papers, excavate) Fix all golangci-lint issues across the entire codebase (~100 errcheck, staticcheck SA1012/SA1019/ST1005, unused, ineffassign fixes) so that `core go qa` passes with 0 issues. Closes #167, #168, #170, #250, #251, #252, #253, #254, #255, #256 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-04 11:34:43 +00:00			`"golang.org/x/crypto/argon2"`
			`"golang.org/x/crypto/bcrypt"`
			`)`

			`// HashPassword hashes a password using Argon2id with default parameters.`
			`// Returns a string in the format: $argon2id$v=19$m=65536,t=3,p=4$<base64salt>$<base64hash>`
			`func HashPassword(password string) (string, error) {`
			`salt, err := generateSalt(argon2SaltLen)`
			`if err != nil {`
			`return "", core.E("crypt.HashPassword", "failed to generate salt", err)`
			`}`

			`hash := argon2.IDKey([]byte(password), salt, argon2Time, argon2Memory, argon2Parallelism, argon2KeyLen)`

			`b64Salt := base64.RawStdEncoding.EncodeToString(salt)`
			`b64Hash := base64.RawStdEncoding.EncodeToString(hash)`

			`encoded := fmt.Sprintf("$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s",`
			`argon2.Version, argon2Memory, argon2Time, argon2Parallelism,`
			`b64Salt, b64Hash)`

			`return encoded, nil`
			`}`

			`// VerifyPassword verifies a password against an Argon2id hash string.`
			`// The hash must be in the format produced by HashPassword.`
			`func VerifyPassword(password, hash string) (bool, error) {`
			`parts := strings.Split(hash, "$")`
			`if len(parts) != 6 {`
			`return false, core.E("crypt.VerifyPassword", "invalid hash format", nil)`
			`}`

			`var version int`
			`if _, err := fmt.Sscanf(parts[2], "v=%d", &version); err != nil {`
			`return false, core.E("crypt.VerifyPassword", "failed to parse version", err)`
			`}`

			`var memory uint32`
			`var time uint32`
			`var parallelism uint8`
			`if _, err := fmt.Sscanf(parts[3], "m=%d,t=%d,p=%d", &memory, &time, &parallelism); err != nil {`
			`return false, core.E("crypt.VerifyPassword", "failed to parse parameters", err)`
			`}`

			`salt, err := base64.RawStdEncoding.DecodeString(parts[4])`
			`if err != nil {`
			`return false, core.E("crypt.VerifyPassword", "failed to decode salt", err)`
			`}`

			`expectedHash, err := base64.RawStdEncoding.DecodeString(parts[5])`
			`if err != nil {`
			`return false, core.E("crypt.VerifyPassword", "failed to decode hash", err)`
			`}`

			`computedHash := argon2.IDKey([]byte(password), salt, time, memory, parallelism, uint32(len(expectedHash)))`

			`return subtle.ConstantTimeCompare(computedHash, expectedHash) == 1, nil`
			`}`

			`// HashBcrypt hashes a password using bcrypt with the given cost.`
			`// Cost must be between bcrypt.MinCost and bcrypt.MaxCost.`
			`func HashBcrypt(password string, cost int) (string, error) {`
			`hash, err := bcrypt.GenerateFromPassword([]byte(password), cost)`
			`if err != nil {`
			`return "", core.E("crypt.HashBcrypt", "failed to hash password", err)`
			`}`
			`return string(hash), nil`
			`}`

			`// VerifyBcrypt verifies a password against a bcrypt hash.`
			`func VerifyBcrypt(password, hash string) (bool, error) {`
			`err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))`
			`if err == bcrypt.ErrMismatchedHashAndPassword {`
			`return false, nil`
			`}`
			`if err != nil {`
			`return false, core.E("crypt.VerifyBcrypt", "failed to verify password", err)`
			`}`
			`return true, nil`
			`}`