feat: fork bcryptjs as @opensourceframework/bcryptjs

packages/bcryptjs/LICENSE

@@ -0,0 +1,27 @@
+bcrypt.js
+---------
+Copyright (c) 2012 Nevins Bartolomeo <nevins.bartolomeo@gmail.com>
+Copyright (c) 2012 Shane Girish <shaneGirish@gmail.com>
+Copyright (c) 2025 Daniel Wirtz <dcode@dcode.io>
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. The name of the author may not be used to endorse or promote products
+   derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

packages/bcryptjs/README.md

@@ -0,0 +1,201 @@
+# bcrypt.js
+
+Optimized bcrypt in JavaScript with zero dependencies, with TypeScript support. Compatible to the C++
+[bcrypt](https://npmjs.org/package/bcrypt) binding on Node.js and also working in the browser.
+
+[![Build Status](https://img.shields.io/github/actions/workflow/status/dcodeIO/bcrypt.js/test.yml?branch=main&label=test&logo=github)](https://github.com/dcodeIO/bcrypt.js/actions/workflows/test.yml) [![Publish Status](https://img.shields.io/github/actions/workflow/status/dcodeIO/bcrypt.js/publish.yml?branch=main&label=publish&logo=github)](https://github.com/dcodeIO/bcrypt.js/actions/workflows/publish.yml) [![npm](https://img.shields.io/npm/v/bcryptjs.svg?label=npm&color=007acc&logo=npm)](https://www.npmjs.com/package/bcryptjs)
+
+## Security considerations
+
+Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the
+iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with
+increasing computation power. ([see](http://en.wikipedia.org/wiki/Bcrypt))
+
+While bcrypt.js is compatible to the C++ bcrypt binding, it is written in pure JavaScript and thus slower ([about 30%](https://github.com/dcodeIO/bcrypt.js/wiki/Benchmark)), effectively reducing the number of iterations that can be
+processed in an equal time span.
+
+The maximum input length is 72 bytes (note that UTF-8 encoded characters use up to 4 bytes) and the length of generated
+hashes is 60 characters. Note that maximum input length is not implicitly checked by the library for compatibility with
+the C++ binding on Node.js, but should be checked with `bcrypt.truncates(password)` where necessary.
+
+## Usage
+
+The package exports an ECMAScript module with an UMD fallback.
+
+```
+$> npm install bcryptjs
+```
+
+```ts
+import bcrypt from "bcryptjs";
+```
+
+### Usage with a CDN
+
+- From GitHub via [jsDelivr](https://www.jsdelivr.com):<br />
+  `https://cdn.jsdelivr.net/gh/dcodeIO/bcrypt.js@TAG/index.js` (ESM)
+- From npm via [jsDelivr](https://www.jsdelivr.com):<br />
+  `https://cdn.jsdelivr.net/npm/bcryptjs@VERSION/index.js` (ESM)<br />
+  `https://cdn.jsdelivr.net/npm/bcryptjs@VERSION/umd/index.js` (UMD)
+- From npm via [unpkg](https://unpkg.com):<br />
+  `https://unpkg.com/bcryptjs@VERSION/index.js` (ESM)<br />
+  `https://unpkg.com/bcryptjs@VERSION/umd/index.js` (UMD)
+
+Replace `TAG` respectively `VERSION` with a [specific version](https://github.com/dcodeIO/bcrypt.js/releases) or omit it (not recommended in production) to use latest.
+
+When using the ESM variant in a browser, the `crypto` import needs to be stubbed out, for example using an [import map](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/script/type/importmap). Bundlers should omit it automatically.
+
+### Usage - Sync
+
+To hash a password:
+
+```ts
+const salt = bcrypt.genSaltSync(10);
+const hash = bcrypt.hashSync("B4c0/\/", salt);
+// Store hash in your password DB
+```
+
+To check a password:
+
+```ts
+// Load hash from your password DB
+bcrypt.compareSync("B4c0/\/", hash); // true
+bcrypt.compareSync("not_bacon", hash); // false
+```
+
+Auto-gen a salt and hash:
+
+```ts
+const hash = bcrypt.hashSync("bacon", 10);
+```
+
+### Usage - Async
+
+To hash a password:
+
+```ts
+const salt = await bcrypt.genSalt(10);
+const hash = await bcrypt.hash("B4c0/\/", salt);
+// Store hash in your password DB
+```
+
+```ts
+bcrypt.genSalt(10, (err, salt) => {
+  bcrypt.hash("B4c0/\/", salt, function (err, hash) {
+    // Store hash in your password DB
+  });
+});
+```
+
+To check a password:
+
+```ts
+// Load hash from your password DB
+await bcrypt.compare("B4c0/\/", hash); // true
+await bcrypt.compare("not_bacon", hash); // false
+```
+
+```ts
+// Load hash from your password DB
+bcrypt.compare("B4c0/\/", hash, (err, res) => {
+  // res === true
+});
+bcrypt.compare("not_bacon", hash, (err, res) => {
+  // res === false
+});
+```
+
+Auto-gen a salt and hash:
+
+```ts
+await bcrypt.hash("B4c0/\/", 10);
+// Store hash in your password DB
+```
+
+```ts
+bcrypt.hash("B4c0/\/", 10, (err, hash) => {
+  // Store hash in your password DB
+});
+```
+
+**Note:** Under the hood, asynchronous APIs split an operation into small chunks. After the completion of a chunk, the execution of the next chunk is placed on the back of the [JS event queue](https://developer.mozilla.org/en/docs/Web/JavaScript/EventLoop), efficiently yielding for other computation to execute.
+
+### Usage - Command Line
+
+```
+Usage: bcrypt <input> [rounds|salt]
+```
+
+## API
+
+### Callback types
+
+- **Callback<`T`>**: `(err: Error | null, result?: T) => void`<br />
+  Called with an error on failure or a value of type `T` upon success.
+
+- **ProgressCallback**: `(percentage: number) => void`<br />
+  Called with the percentage of rounds completed (0.0 - 1.0), maximally once per `MAX_EXECUTION_TIME = 100` ms.
+
+- **RandomFallback**: `(length: number) => number[]`<br />
+  Called to obtain random bytes when both [Web Crypto API](http://www.w3.org/TR/WebCryptoAPI/) and Node.js
+  [crypto](http://nodejs.org/api/crypto.html) are not available.
+
+### Functions
+
+- bcrypt.**genSaltSync**(rounds?: `number`): `string`<br />
+  Synchronously generates a salt. Number of rounds defaults to 10 when omitted.
+
+- bcrypt.**genSalt**(rounds?: `number`): `Promise<string>`<br />
+  Asynchronously generates a salt. Number of rounds defaults to 10 when omitted.
+
+- bcrypt.**genSalt**([rounds: `number`, ]callback: `Callback<string>`): `void`<br />
+  Asynchronously generates a salt. Number of rounds defaults to 10 when omitted.
+
+- bcrypt.**truncates**(password: `string`): `boolean`<br />
+  Tests if a password will be truncated when hashed, that is its length is greater than 72 bytes when converted to UTF-8.
+
+- bcrypt.**hashSync**(password: `string`, salt?: `number | string`): `string`
+  Synchronously generates a hash for the given password. Number of rounds defaults to 10 when omitted.
+
+- bcrypt.**hash**(password: `string`, salt: `number | string`): `Promise<string>`<br />
+  Asynchronously generates a hash for the given password.
+
+- bcrypt.**hash**(password: `string`, salt: `number | string`, callback: `Callback<string>`, progressCallback?: `ProgressCallback`): `void`<br />
+  Asynchronously generates a hash for the given password.
+
+- bcrypt.**compareSync**(password: `string`, hash: `string`): `boolean`<br />
+  Synchronously tests a password against a hash.
+
+- bcrypt.**compare**(password: `string`, hash: `string`): `Promise<boolean>`<br />
+  Asynchronously compares a password against a hash.
+
+- bcrypt.**compare**(password: `string`, hash: `string`, callback: `Callback<boolean>`, progressCallback?: `ProgressCallback`)<br />
+  Asynchronously compares a password against a hash.
+
+- bcrypt.**getRounds**(hash: `string`): `number`<br />
+  Gets the number of rounds used to encrypt the specified hash.
+
+- bcrypt.**getSalt**(hash: `string`): `string`<br />
+  Gets the salt portion from a hash. Does not validate the hash.
+
+- bcrypt.**setRandomFallback**(random: `RandomFallback`): `void`<br />
+  Sets the pseudo random number generator to use as a fallback if neither [Web Crypto API](http://www.w3.org/TR/WebCryptoAPI/) nor Node.js [crypto](http://nodejs.org/api/crypto.html) are available. Please note: It is highly important that the PRNG used is cryptographically secure and that it is seeded properly!
+
+## Building
+
+Building the UMD fallback:
+
+```
+$> npm run build
+```
+
+Running the [tests](./tests):
+
+```
+$> npm test
+```
+
+## Credits
+
+Based on work started by Shane Girish at [bcrypt-nodejs](https://github.com/shaneGirish/bcrypt-nodejs), which is itself
+based on [javascript-bcrypt](http://code.google.com/p/javascript-bcrypt/) (New BSD-licensed).

packages/bcryptjs/bin/bcrypt

@@ -0,0 +1,23 @@
+#!/usr/bin/env node
+
+import path from "node:path";
+import bcrypt from "../index.js";
+
+if (process.argv.length < 3) {
+  console.log(
+    "Usage: " + path.basename(process.argv[1]) + " <input> [rounds|salt]",
+  );
+  process.exit(1);
+} else {
+  var salt;
+  if (process.argv.length > 3) {
+    salt = process.argv[3];
+    var rounds = parseInt(salt, 10);
+    if (rounds == salt) {
+      salt = bcrypt.genSaltSync(rounds);
+    }
+  } else {
+    salt = bcrypt.genSaltSync();
+  }
+  console.log(bcrypt.hashSync(process.argv[2], salt));
+}

packages/bcryptjs/index.d.ts

@@ -0,0 +1,3 @@
+import * as bcrypt from "./types.js";
+export * from "./types.js";
+export default bcrypt;