
Comments (6)

ranisalt commented on August 15, 2024 3

Added a comprehensive options guide to the wiki: https://github.com/ranisalt/node-argon2/wiki/Options

Will work on other parts when I have time.

from node-argon2.

ranisalt commented on August 15, 2024 2

> neither should I let client to send plain password to the server

Yes, you should. When a client signs up or logs in, you will send the password in plain, through a secure channel (HTTPS).

> The only logical way I can see is to use argon2 on client side to generate and send digest to the server

Wrong because of the above. When you hash the password prior to sending to the server, you are effectively making the hash become the password. Send it plainly through HTTPS.

> I have no clue how am I supposed to get the plain hash out of it

It is impossible. Argon2 is a one-way function, you can never revert to the preimage.

from node-argon2.
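
The two designs discussed in this reply, side by side, as an added example that is not part of the original comment or of node-argon2. Node's built-in scrypt stands in for Argon2 so it runs without a native module (with this library the server-side calls would be `argon2.hash(password)` and `argon2.verify(hash, password)`); the `PARAMS` values, the `$`-joined encoding, the user name and the password are constructed for illustration.

```javascript
const crypto = require('node:crypto');
const PARAMS = { N: 16384, r: 8, p: 1 }; // constructed settings for the scrypt stand-in

// Like an Argon2 encoded hash, the output carries its parameters and a random salt.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, 32, PARAMS);
  return ['scrypt', PARAMS.N, PARAMS.r, PARAMS.p,
    salt.toString('base64'), key.toString('base64')].join('$');
}

// Recompute from the submitted password with the stored salt and parameters.
function verifyPassword(encoded, submitted) {
  const [, N, r, p, salt, key] = encoded.split('$');
  const expected = Buffer.from(key, 'base64');
  const actual = crypto.scryptSync(submitted, Buffer.from(salt, 'base64'),
    expected.length, { N: Number(N), r: Number(r), p: Number(p) });
  return crypto.timingSafeEqual(actual, expected);
}

// Design from the reply: the password arrives over HTTPS, the server hashes and verifies.
const serverHashing = {
  users: new Map(),
  register(name, password) { this.users.set(name, hashPassword(password)); },
  login(name, pw) { const s = this.users.get(name); return !!s && verifyPassword(s, pw); },
};

// Design from the question: the client derives a digest, the server stores and compares it.
const clientDigest = (name, password) =>
  crypto.scryptSync(password, name, 32, PARAMS).toString('hex');
const clientHashing = {
  users: new Map(),
  register(name, digest) { this.users.set(name, digest); },
  login(name, digest) {
    const a = Buffer.from(this.users.get(name) ?? ''), b = Buffer.from(digest);
    return a.length > 0 && a.length === b.length && crypto.timingSafeEqual(a, b);
  },
};

// Submit each server's own stored row as the login credential and see which accepts it.
function compareDesigns() {
  serverHashing.register('alice', 'correct horse');
  clientHashing.register('alice', clientDigest('alice', 'correct horse'));
  return {
    passwordAccepted: serverHashing.login('alice', 'correct horse'),
    storedHashReplayed: serverHashing.login('alice', serverHashing.users.get('alice')),
    storedDigestReplayed: clientHashing.login('alice', clientHashing.users.get('alice')),
  };
}
```

With client-side hashing the stored value is accepted as the credential, so a leaked database row is as good as the password; with server-side hashing the stored row does not log anyone in.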

ranisalt commented on August 15, 2024 1

@EyalPerry nice addition. We currently track the latest upstream release of phc-winner-argon2, though.

from node-argon2.

ranisalt commented on August 15, 2024

Can do, though most of that is actually Argon2 related and not exactly from this lib, I feel it's a good thing to do.

I use defaults recommended by Argon2 and used by most implementations, and since the options get stored with the hash, if you want to change the options your old hashes are still valid and working. You can assume that defaults are enough.

from node-argon2.

EyalPerry commented on August 15, 2024

Which algorithm version does this library implement?
I think it should be a part of docs.

from node-argon2.

tiritto commented on August 15, 2024

I think that documentation could use some simple examples of library usage. Personally, I am literally confused about how to do such a simple thing like saving password hash for future verifications. I know I can just argon2.verify(hash, 'password'), but I shouldn't be keeping plain passwords in my db, neither should I let client to send plain password to the server.

The only logical way I can see is to use argon2 on client side to generate and send digest to the server. On server-side I can just compare this digest against hashed password. This is easy. But when user is creating new account and sends digest to the server, I have no clue how am I supposed to get the plain hash out of it for further verifications. I tried to verify digest against another digest but it obviously failed.

from node-argon2.
