tyto/backend/internal/auth/password.go

package auth

import (
	"crypto/rand"
	"encoding/base64"

	"golang.org/x/crypto/bcrypt"
)

const (
	// bcryptCost is the computational cost for bcrypt hashing.
	// Higher values are more secure but slower.
	// 12 is a good balance for 2024+ hardware.
	bcryptCost = 12
)

// HashPassword creates a bcrypt hash of the password.
func HashPassword(password string) ([]byte, error) {
	return bcrypt.GenerateFromPassword([]byte(password), bcryptCost)
}

// CheckPassword verifies a password against a bcrypt hash.
func CheckPassword(password string, hash []byte) bool {
	err := bcrypt.CompareHashAndPassword(hash, []byte(password))
	return err == nil
}

// generateID creates a random ID for users, sessions, etc.
func generateID() string {
	b := make([]byte, 16)
	rand.Read(b)
	return base64.RawURLEncoding.EncodeToString(b)
}

// generateToken creates a secure random token for sessions.
func generateToken() string {
	b := make([]byte, 32)
	rand.Read(b)
	return base64.RawURLEncoding.EncodeToString(b)
}