feat(utils): add argon2 password hashing

utils/hash.go

@@ -0,0 +1,75 @@
+package utils
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/base64"
+	"fmt"
+	"strings"
+
+	"golang.org/x/crypto/argon2"
+)
+
+var (
+	Time    uint32 = 3
+	Memory  uint32 = 64 * 1024 // 64 MiB (in KiB)
+	Threads uint8  = 4
+	KeyLen  uint32 = 32
+	SaltLen int    = 16
+)
+
+// HashPassword hashes a password using Argon2.
+func HashPassword(password string) (string, error) {
+	salt := make([]byte, SaltLen)
+	if _, err := rand.Read(salt); err != nil {
+		return "", err
+	}
+
+	hash := argon2.IDKey([]byte(password), salt, Time, Memory, Threads, KeyLen)
+
+	// Encode salt and hash to base64
+	b64Salt := base64.RawStdEncoding.EncodeToString(salt)
+	b64Hash := base64.RawStdEncoding.EncodeToString(hash)
+
+	// Format is $argon2id$v=19$m=...,t=...,p=...$salt$hash
+	encodedHash := fmt.Sprintf("$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s",
+		argon2.Version, Memory, Time, Threads, b64Salt, b64Hash)
+
+	return encodedHash, nil
+}
+
+// ComparePassword verifies a password against an Argon2 hash.
+func ComparePassword(password, encodedHash string) (bool, error) {
+	parts := strings.Split(encodedHash, "$")
+	if len(parts) != 6 {
+		return false, fmt.Errorf("invalid hash format")
+	}
+
+	var version, m, t, p int
+	_, err := fmt.Sscanf(parts[2], "v=%d", &version)
+	if err != nil {
+		return false, err
+	}
+	if version != argon2.Version {
+		return false, fmt.Errorf("incompatible version")
+	}
+
+	_, err = fmt.Sscanf(parts[3], "m=%d,t=%d,p=%d", &m, &t, &p)
+	if err != nil {
+		return false, err
+	}
+
+	salt, err := base64.RawStdEncoding.DecodeString(parts[4])
+	if err != nil {
+		return false, err
+	}
+
+	hash, err := base64.RawStdEncoding.DecodeString(parts[5])
+	if err != nil {
+		return false, err
+	}
+
+	otherHash := argon2.IDKey([]byte(password), salt, uint32(t), uint32(m), uint8(p), uint32(len(hash)))
+
+	return subtle.ConstantTimeCompare(hash, otherHash) == 1, nil
+}