using System;
using static StellaOps.Localization.T;

namespace StellaOps.Cryptography;

/// <summary>
/// Password hashing algorithms this library knows how to produce and verify.
/// </summary>
public enum PasswordHashAlgorithm
{
    /// <summary>Memory-hard Argon2id; the default for newly hashed passwords.</summary>
    Argon2id,

    /// <summary>
    /// PBKDF2. NOTE(review): PBKDF2 has no memory or parallelism cost, so only
    /// <see cref="PasswordHashOptions.Iterations"/> can apply to it, and the Argon2-oriented
    /// default of 2 is far below any acceptable PBKDF2 work factor; callers selecting this
    /// value must set <see cref="PasswordHashOptions.Iterations"/> explicitly.
    /// </summary>
    Pbkdf2
}

/// <summary>
/// Cost parameters used when hashing new passwords.
/// The defaults are OWASP's Argon2id baseline (19 MiB memory, 2 passes, parallelism 1).
/// </summary>
/// <remarks>
/// <see cref="Validate"/> only rejects zero or negative values. It enforces no floor and does
/// not cross-check the values against <see cref="Algorithm"/>, so an overly weak configuration
/// (for example <see cref="PasswordHashAlgorithm.Pbkdf2"/> with the default iteration count,
/// or Argon2id with 1 KiB of memory) is accepted silently; the caller owns that check.
/// </remarks>
public sealed record PasswordHashOptions
{
    // OWASP Argon2id baseline: m = 19 MiB, t = 2, p = 1.
    private const int DefaultMemoryKib = 19 * 1024;
    private const int DefaultIterations = 2;
    private const int DefaultParallelism = 1;

    /// <summary>Algorithm used for newly hashed passwords (default Argon2id).</summary>
    public PasswordHashAlgorithm Algorithm { get; init; } = PasswordHashAlgorithm.Argon2id;

    /// <summary>Argon2 memory cost in KiB (default 19 MiB). Not meaningful for PBKDF2.</summary>
    public int MemorySizeInKib { get; init; } = DefaultMemoryKib;

    /// <summary>
    /// Argon2 time cost (number of passes), default 2. For PBKDF2 this is presumably the
    /// round count — confirm against the concrete hasher.
    /// </summary>
    public int Iterations { get; init; } = DefaultIterations;

    /// <summary>Argon2 degree of parallelism (default 1). Not meaningful for PBKDF2.</summary>
    public int Parallelism { get; init; } = DefaultParallelism;

    /// <summary>
    /// Throws when any cost parameter is not positive. Checks run in the order memory,
    /// iterations, parallelism, so only the first failing parameter is reported.
    /// No algorithm-specific minimum is enforced (see the type remarks).
    /// </summary>
    /// <exception cref="InvalidOperationException">A cost parameter is zero or negative.</exception>
    public void Validate()
    {
        if (MemorySizeInKib < 1)
        {
            throw new InvalidOperationException(_t("crypto.password.memory_cost_invalid"));
        }

        if (Iterations < 1)
        {
            throw new InvalidOperationException(_t("crypto.password.iterations_invalid"));
        }

        if (Parallelism < 1)
        {
            throw new InvalidOperationException(_t("crypto.password.parallelism_invalid"));
        }
    }
}

/// <summary>
/// Contract for password hashing back-ends.
/// </summary>
/// <remarks>
/// Passwords arrive as <see cref="string"/>, which cannot be zeroed from managed memory after
/// use; treat that as a known limitation of this contract rather than of any implementation.
/// </remarks>
public interface IPasswordHasher
{
    /// <summary>
    /// Hashes <paramref name="password"/> with the cost parameters in <paramref name="options"/>
    /// and returns an encoded string for storage. The encoding is presumably self-describing,
    /// since <see cref="NeedsRehash"/> recovers the parameters from it alone.
    /// </summary>
    string Hash(string password, PasswordHashOptions options);

    /// <summary>
    /// Checks <paramref name="password"/> against a stored <paramref name="encodedHash"/>.
    /// NOTE(review): implementations are expected to read the cost parameters from the encoded
    /// hash (not from current options) and to compare digests in constant time — confirm in the
    /// concrete hasher.
    /// </summary>
    bool Verify(string password, string encodedHash);

    /// <summary>
    /// Reports whether <paramref name="encodedHash"/> was produced with a different algorithm
    /// or weaker settings than <paramref name="desired"/>. Presumably called after a successful
    /// <see cref="Verify"/> so the stored hash can be upgraded at login.
    /// </summary>
    bool NeedsRehash(string encodedHash, PasswordHashOptions desired);
}