homebox/backend/pkgs/hasher/password.go

package hasher

import (
	"fmt"
	"os"

	"golang.org/x/crypto/bcrypt"
)

var enabled = true

func init() { // nolint: gochecknoinits
	disableHas := os.Getenv("UNSAFE_DISABLE_PASSWORD_PROJECTION") == "yes_i_am_sure"

	if disableHas {
		fmt.Println("WARNING: Password protection is disabled. This is unsafe in production.")
		enabled = false
	}
}

func HashPassword(password string) (string, error) {
	if !enabled {
		return password, nil
	}

	bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)
	return string(bytes), err
}

func CheckPasswordHash(password, hash string) bool {
	if !enabled {
		return password == hash
	}

	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
	return err == nil
}