[Angular] Using the Argon 2 Hashing Function In Our Sign Up Backend Service

Which hash algorithm to choose for a new application:

https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

We can use this package:

https://github.com/ranisalt/node-argon2

 

Install:

npm install argon2 --save

 

Code:

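import {Request, Response} from 'express';
import {db} from './database';
import {USERS} from './database-data';

import * as argon from 'argon2';

export function createUser(req: Request, res: Response) {

  const credentials = req.body;

  // argon.hash() generates a random salt and resolves to an encoded digest string
  argon.hash(credentials.password)
    .then(passwordDigest => {

      // Store only the digest, never the plaintext password
      const user = db.createUser(credentials.email, passwordDigest);

      // Debug output; remove outside development
      console.log(USERS);
      res.status(200).json({id: user.id, email: user.email});
    })
    .catch(() => {
      // Without this, a failed hash leaves the request hanging
      res.sendStatus(500);
    });
}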

  

It would be good to add some password validation, so that users cannot choose a password as simple as '123456'.

 

Validate password:

npm install --save password-validator

 

password-validation.ts:

import * as passwordValidator from 'password-validator';

// Create a schema
const schema = new passwordValidator();

// Add properties to it
schema
  .is().min(7)                                    // Minimum length 7
  .has().uppercase()                              // Must have uppercase letters
  .has().lowercase()                              // Must have lowercase letters
  .has().digits()                                 // Must have digits
  .has().not().spaces()                           // Should not have spaces
  .is().not().oneOf(['Passw0rd', 'Password123']); // Blacklist these values

export function validatePassword(password: string) {
  return schema.validate(password, {list: true});
}

 

Update code:

import {Request, Response} from 'express';
import {db} from './database';
import {USERS} from './database-data';

import * as argon from 'argon2';
import {validatePassword} from './password-validation';

export function createUser(req: Request, res: Response) {

  const credentials = req.body;

  // Validate the password string itself, not the whole credentials object
  const errors = validatePassword(credentials.password);

  if (errors.length > 0) {
    // Reject before hashing; errors lists the rules that failed
    res.status(400).json({
      errors
    });
  } else {
    argon.hash(credentials.password)
      .then(passwordDigest => {

        const user = db.createUser(credentials.email, passwordDigest);

        // Debug output; remove outside development
        console.log(USERS);
        res.status(200).json({id: user.id, email: user.email});
      })
      .catch(() => {
        // Without this, a failed hash leaves the request hanging
        res.sendStatus(500);
      });
  }
}
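
The `passwordDigest` stored above is a self-describing string (`$argon2id$v=19$m=...,t=...,p=...$salt$hash`), so the backend can later tell which stored digests were created with weaker settings. The following check is an added example, not part of the original post or of node-argon2; `parseArgon2Digest`, `rehashReasons`, the `POLICY` thresholds and the sample strings are assumptions made for illustration:

```typescript
// Added example: inspect the encoded string that argon.hash() resolves to.
// POLICY thresholds are assumed values for illustration; set them for your service.
const POLICY = {variant: 'argon2id', version: 19, memoryKiB: 19456, timeCost: 2};

// Constructed sample strings (not real digests of any password).
const SAMPLE_CURRENT = '$argon2id$v=19$m=65536,t=3,p=4$Y29uc3RydWN0ZWRzYWx0$Y29uc3RydWN0ZWRoYXNo';
const SAMPLE_WEAK = '$argon2i$v=19$m=4096,t=1,p=1$Y29uc3RydWN0ZWRzYWx0$Y29uc3RydWN0ZWRoYXNo';

interface Argon2Params {
  variant: string;     // argon2i, argon2d or argon2id
  version: number;     // 19 (0x13) for current Argon2
  memoryKiB: number;   // m
  timeCost: number;    // t
  parallelism: number; // p
}

function parseArgon2Digest(digest: string): Argon2Params | null {
  const parts = digest.split('$');
  // Argon2 v1.0 strings omit the version field; treat them as v=16 (0x10)
  if (parts.length === 5) parts.splice(2, 0, 'v=16');
  if (parts.length !== 6 || parts[0] !== '') return null;
  const [, variant, versionField, paramField, salt, hash] = parts;
  const version = /^v=(\d+)$/.exec(versionField);
  const params = /^m=(\d+),t=(\d+),p=(\d+)$/.exec(paramField);
  const b64 = /^[A-Za-z0-9+/]+$/; // salt and hash are unpadded base64
  if (!/^argon2(i|d|id)$/.test(variant) || !version || !params) return null;
  if (!b64.test(salt) || !b64.test(hash)) return null;
  return {
    variant,
    version: Number(version[1]),
    memoryKiB: Number(params[1]),
    timeCost: Number(params[2]),
    parallelism: Number(params[3]),
  };
}

// Reasons a stored digest should be replaced with a fresh hash at the next successful login.
function rehashReasons(digest: string): string[] {
  const p = parseArgon2Digest(digest);
  if (p === null) return ['not an Argon2 encoded string'];
  const reasons: string[] = [];
  if (p.variant !== POLICY.variant) reasons.push('variant');
  if (p.version < POLICY.version) reasons.push('version');
  if (p.memoryKiB < POLICY.memoryKiB) reasons.push('memory');
  if (p.timeCost < POLICY.timeCost) reasons.push('timeCost');
  return reasons;
}
```

A non-empty result only marks the record; the new hash can be computed only when the user next logs in, because that is the only time the plaintext password is available.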

 

posted @ Zhentiw