package security import ( "crypto/rand" "crypto/sha256" "encoding/hex" "errors" "golang.org/x/crypto/bcrypt" ) func HashPassword(password string) (string, error) { if len(password) < 6 { return "", errors.New("password must contain at least 6 characters") } return hashPassword(password) } // HashPasswordWithoutMinimum is reserved for credential domains that define their // own policy before hashing. bcrypt still enforces its 72-byte maximum; keeping this // separate prevents the external-admin exception from weakening main-admin passwords. func HashPasswordWithoutMinimum(password string) (string, error) { return hashPassword(password) } func hashPassword(password string) (string, error) { hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost) if err != nil { return "", err } return string(hash), nil } func CheckPassword(hash string, password string) bool { return bcrypt.CompareHashAndPassword([]byte(hash), []byte(password)) == nil } func NewRefreshToken() (string, string, error) { raw := make([]byte, 32) if _, err := rand.Read(raw); err != nil { return "", "", err } token := hex.EncodeToString(raw) return token, HashToken(token), nil } func HashToken(token string) string { sum := sha256.Sum256([]byte(token)) return hex.EncodeToString(sum[:]) }