
scala-bcrypt's Introduction

Scala Bcrypt

Scala Bcrypt is a Scala-friendly wrapper of jBCRYPT.

Examples

Safe APIs

The safe APIs return scala.util.Failure or scala.util.Success when executing operations, to explicitly indicate that certain bcrypt operations can fail due to an incorrect salt version or number of rounds (e.g. more than 30 rounds).

Encrypt password

    scala>  import com.github.t3hnar.bcrypt._
    import com.github.t3hnar.bcrypt._

    scala>  "password".bcryptSafeBounded
    res1: Try[String] = Success($2a$10$iXIfki6AefgcUsPqR.niQ.FvIK8vdcfup09YmUxmzS/sQeuI3QOFG)

Validate password

    scala>  "password".isBcryptedSafeBounded("$2a$10$iXIfki6AefgcUsPqR.niQ.FvIK8vdcfup09YmUxmzS/sQeuI3QOFG")
    res2: Try[Boolean] = Success(true)

Composition

Since Try is monadic, you can use a for-comprehension to compose operations that return Success or Failure with fail-fast semantics. You can also use the desugared notation (flatMaps and maps) if you prefer.

    scala>  val bcryptAndVerify = for {
      bcrypted <- "hello".bcryptSafeBounded(12)
      result <- "hello".isBcryptedSafeBounded(bcrypted)
    } yield result
    res: Try[Boolean] = Success(true)
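The following is an added example (not code from the scala-bcrypt project) that puts the safe, bounded API into a small registration/login object and shows how each failure case named above surfaces as a Failure rather than an exception; the object and method names are assumptions.

```scala
import com.github.t3hnar.bcrypt._
import scala.util.{Failure, Success, Try}

// Hypothetical credential helper built on the safe, bounded API.
object Credentials {
  // Cost factor: bcrypt runs 2^Rounds iterations. 12 is a sensible
  // interactive-login default; raise it as hardware gets faster.
  val Rounds = 12

  // Registration: hash with an internally generated salt.
  def register(plain: String): Try[String] =
    plain.bcryptSafeBounded(Rounds)

  // Login: any Failure (malformed stored hash, over-long input, bad cost)
  // collapses into "not authenticated" instead of escaping as an exception.
  def login(plain: String, storedHash: String): Boolean =
    plain.isBcryptedSafeBounded(storedHash).getOrElse(false)

  // Full round trip composed with fail-fast Try semantics, as in the README.
  def roundTrip(plain: String): Try[Boolean] =
    for {
      hashed <- register(plain)
      ok     <- plain.isBcryptedSafeBounded(hashed)
    } yield ok
}

object CredentialsDemo extends App {
  assert(Credentials.roundTrip("correct horse battery staple") == Success(true))

  val stored = Credentials.register("s3cret").get
  assert(Credentials.login("s3cret", stored))
  assert(!Credentials.login("wrong", stored))
  // A string that is not a bcrypt hash makes jBCrypt throw on the salt
  // version; the safe API turns that into Failure, so login is denied.
  assert(!Credentials.login("s3cret", "not-a-bcrypt-hash"))

  // A cost above 30 is refused as a Failure, not thrown.
  "s3cret".bcryptSafeBounded(31) match {
    case Success(_) => println("unexpected success")
    case Failure(e) => println(s"rejected cost factor: ${e.getMessage}")
  }
}
```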

Advanced usage

By default, the salt is generated internally, and the developer does not need to generate or store it. If you do need to manage the salt yourself, you can use bcrypt in the following way:

    scala>  val salt = generateSalt
    salt: String = $2a$10$8K1p/a0dL1LXMIgoEDFrwO

    scala>  "password".bcryptSafeBounded(salt)
    res3: Try[String] = Success($2a$10$8K1p/a0dL1LXMIgoEDFrwOfMQbLgtnOoKsWc.6U6H0llP3puzeeEu)

Unsafe APIs

The Unsafe APIs throw exceptions when executing operations, as certain bcrypt operations can fail due to an incorrect salt version or number of rounds (e.g. more than 30 rounds, or a password longer than 71 bytes). These Unsafe APIs are present for backwards compatibility reasons and should be avoided if possible.

Encrypt password

    scala>  import com.github.t3hnar.bcrypt._
    import com.github.t3hnar.bcrypt._

    scala>  "password".bcryptBounded
    res1: String = $2a$10$iXIfki6AefgcUsPqR.niQ.FvIK8vdcfup09YmUxmzS/sQeuI3QOFG

Validate password

    scala>  "password".isBcryptedBounded("$2a$10$iXIfki6AefgcUsPqR.niQ.FvIK8vdcfup09YmUxmzS/sQeuI3QOFG")
    res2: Boolean = true

Advanced usage

    scala>  val salt = generateSalt
    salt: String = $2a$10$8K1p/a0dL1LXMIgoEDFrwO

    scala>  "password".bcryptBounded(salt)
    res3: String = $2a$10$8K1p/a0dL1LXMIgoEDFrwOfMQbLgtnOoKsWc.6U6H0llP3puzeeEu

Setup

SBT

libraryDependencies += "com.github.t3hnar" %% "scala-bcrypt" % "4.3.1"

Maven

<dependency>
    <groupId>com.github.t3hnar</groupId>
    <artifactId>scala-bcrypt_2.13</artifactId>
    <version>4.3.1</version>
</dependency>


scala-bcrypt's Issues

Add installation section in Readme

Hi there!

Thanks for this great package. Could you please add some notes about installation (SBT) to the Readme file? I know it's pretty trivial but it still saves a bit of time when getting started.

[Enhancement] Use a different name for implicit class

Problem

When importing

import com.github.t3hnar.bcrypt._

the extension method collides with a local Password class in case one exists.

Solution

Obviously the import can be aliased to something else like

import com.github.t3hnar.bcrypt.{Password => PasswordExtension}

However, since it's probably a very common use case to have a Password class locally, and the name of the implicit extension is completely irrelevant, I suggest changing the name of the implicit class extension:

package com.github.t3hnar

package object bcrypt {

  implicit class StringBcrypt(val pswrd: String) extends AnyVal {
    ...
  }
}

Unexpected behaviour with long keys

I was testing my authorization implementation. I'm using bcrypt for some login information. While testing I shortened the key (just to try out a different key) and to my surprise, it validated as a working key. This doesn't seem to be the case with shorter keys.

I was wondering if this is an expected behaviour or if this is a bug. I suspect that this isn't the expected behaviour.

"Shorter key" should "not work with bcrypt" in {
    val key = "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"
    val shorterKey = "b5c805cf4f1ccd534ad36c4480c835c57caf487dec1953568d486e0af70147f1872b2592c2491dde0eb7ebf8efd27bd3bd9db3dc2e33c0ac94144a1a40bac65a95fcf5ae2b3298c478da86346b6f1e1a57cba70a97ade3d3df821faf646f2d4cb4506bd98d1239b215bb590edbed7c8b6a957a1898889e5d49d53546f71100cf0a2a0880f9625a8d17e2efe0d45c99d9906a6a06a5baee710918e37361574e56bff5ded7fc98c73f20b0cf9e42e59106683e9e60f372b4263ba2ae3dce1f19fb5ba17141f01575c4d7eb7754485fb7eb0353c47a48ca0cc53ce725ff15cf96caa86bf0680edb4414cfc1e4f5c86a8d03d1436abbc72e0c0bc7c33866c19b778520974f279b0c6b1a0f6d5e5544581cc0d85a514b1f4953668c854ec644bf29c7cc669f95ffcba3bdc12382bbaa6df3c3667d1e119c26f502f30b5538003971b8c69cdb175ab41406dcd73977d2290706c4c2bd0eedebcab3c7ba4e0a8f1fb1752963ff375d2598c14a2c412ecfd5e51d9a52625adb67c97117cbb28caca75b70eec1e549fee56d80a92216b2c371206e9e8055419577b0e2fed123fe293e70bce784d111e668b86b51d526462ada227b2216092ecd19002ecfd1a4a7ad7bd2be6009c3ab7e58dedf19d06238619524e7b8fc49"
    val evenShorterKey = "b5c805cf4f1ccd534ad36c4480c835c57caf487dec1953568d486e0af70147f1872b2592c2491dde0eb7ebf8efd27bd3bd9db3dc2e33c0ac94144a1a40bac65a95fcf5ae2b3298c478da86346b6f1e1a57cba70a97ade3d3df821faf646f2d4cb4506bd98d1239b215bb590edbed7c8b6a957a1898889e5d49d53546f71100cf0a2a0880f9625a8d17e2efe0d45c99d9906a6a06a5baee710918e37361574e56bff5ded7fc98c73f20b0cf9e42e59106683e9e60f372b4263ba2ae3dce1f19fb5ba17141f01575c4d7eb7754485fb7eb0353c47a48ca0cc53ce725ff15cf96caa86bf0680edb4414cfc1e4f5c86a8d03d1436abbc72e0c0bc7c33866c19b778520974f279b0c6b1a0f6d5e5544581cc0d85a514b1f4953668c854ec644bf29c7cc669f95ffcba3bdc12382bbaa6df3c3667d1e119c26f502f30b5538003971b8c69cdb175ab41406dcd73977d2290706c4c2bd0eedebcab3c7ba4e0a8f1fb1752963ff375d2598c14a2c412ecfd5e51d9a52625adb67c97117cbb28caca75b70eec1e549fee56d80a92216b2c371206e9e8055419577b0e2f"
    val bcryptedKey = "$2a$12$gF8jgmfUpYPvjX0FsVadhugiwuiEpt1.jdOg3GCQB1aqFGdt1Kr5G"
    key.isBcryptedSafe(bcryptedKey) should be(Success(true))
    shorterKey.isBcryptedSafe(bcryptedKey) should be(Success(false))
    evenShorterKey.isBcryptedSafe(bcryptedKey) should be(Success(false))
  }

Looking forward to your answer. For now I'll be adding a hashing step in between and hoping that works.
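As an added illustration (not from the issue author or the project), the following shows why two long inputs that share a prefix can both verify: bcrypt uses only the first 72 bytes of the input, so the unbounded API silently ignores the tail, whereas the Bounded API described in the README refuses inputs over 71 bytes up front. The inputs are constructed for the demonstration.

```scala
import com.github.t3hnar.bcrypt._
import scala.util.{Failure, Success}

object TruncationCheck extends App {
  // Constructed inputs: both exceed 72 bytes and share the same first
  // 72 bytes; they differ only in the tail.
  val prefix72 = "x" * 72
  val secretA  = prefix72 + "tail-one"
  val secretB  = prefix72 + "tail-two"

  // Hash with the unbounded API, which performs no length check.
  val hashOfA = secretA.bcrypt(10)

  // Unbounded verification: the tail never reaches the algorithm, so the
  // other secret verifies against A's hash. This is the behaviour the
  // issue above observed.
  assert(secretB.isBcryptedSafe(hashOfA) == Success(true))

  // Bounded verification: the over-long input is rejected before hashing,
  // so truncation can never happen silently.
  secretB.isBcryptedSafeBounded(hashOfA) match {
    case Success(ok) => println(s"verified: $ok")
    case Failure(e)  => println(s"rejected over-long input: ${e.getMessage}")
  }
}
```

For secrets that legitimately exceed the limit, reduce them to a fixed-size digest before calling bcrypt, as the issue author proposes, so that the whole secret contributes to the hash.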

Passwords should not be stored in String objects

Good practice to protect against attacks that use RAM dumps or other memory attacks is to never store passwords in an immutable data structure. Doing this means that between when the password is verified and the next garbage collection run, there is a period of time when the plaintext password is in memory but not being used.

Instead, the password should be stored as a char[] so that once the password has been hashed, the plaintext can immediately be zeroed out to limit the attack surface.

Cross compile to Scala 3

Since it has no dependencies, you can use the lib now with CrossVersion.for3Use2_13, but it would be nice to just publish a Scala 3 version.
