Inslash Logo Inslash
Docs Back to Home

Documentation

Everything you need to integrate Inslash into your application

Installation

Install Inslash using npm or yarn:

# Using npm
npm install inslash

# Using yarn
yarn add inslash

Set up your environment variables:

HASH_PEPPER=your-secret-pepper-here

API Mode (Optional)

Use the hosted Inslash API service instead of local hashing:

Benefits: Centralized security updates, automatic hash upgrades, and no need to manage crypto libraries. 

const inslash=require('inslash'); require("dotenv").config(); //
          1. Configure (Global) inslash.configure({ apiKey: process.env.INSLASH_API_KEY,
          apiUrl: 'https://inslash.antqr.xyz' // Hosted Instance }); // 2. Destructure after configuration (optional,
          but cleaner) const { hash, verify }=inslash; async function example() { // This now automatically uses the
          API! const result=await hash('password123', process.env.HASH_PEPPER); console.log(result.passport); const
          isValid=await verify('password123', result.passport, process.env.HASH_PEPPER); console.log(isValid.valid); //
          true } example();

Get Your API Key

  1. Sign up at inslash.antqr.xyz
  2. Navigate to API Keys in your dashboard
  3. Generate a new API key
  4. Add to your .env file
INSLASH_API_KEY=inslash_your_key_here
INSLASH_API_URL=https://inslash.antqr.xyz
HASH_PEPPER=your-secret-pepper

Automatic Fallback: If the API is unavailable, Inslash automatically falls back to local hashing.

Quick Start

Basic usage example:

const { hash, verify }=require('inslash'); // Hash a password
          const result=await hash('userPassword123', process.env.HASH_PEPPER); console.log(result.passport); // Store
          this in your database // Verify a password const isValid=await verify('userPassword123', result.passport,
          process.env.HASH_PEPPER); console.log(isValid.valid); // true

Features

🔐 Multiple Algorithms

Support for SHA-256, SHA-384, and SHA-512 HMAC algorithms

🎫 Passport Encoding

All metadata encoded in a single string for easy storage

⚡ Automatic Upgrades

Detects when hashes need upgrading to stronger algorithms

🛡️ Timing-Safe

Protection against timing attacks with constant-time comparison

hash(value, secret, options)

Creates a secure hash of a password.

Parameter Type Required Description
value string Required The password to hash
secret string Required Secret key (pepper) for additional security
options object Optional Configuration options

Options

Parameter Type Required Description
algorithm string Optional Hash algorithm: "sha256", "sha384", or "sha512" (default: "sha256")
iterations number Optional Number of iterations (default: 100,000)
saltLength number Optional Length of salt in bytes (default: 16)
hashLength number Optional Length of hash in bytes (default: 32)

Returns

Object containing:

  • passport - Encoded string to store in database
  • hash - The raw hash value
  • salt - The generated salt
  • metadata - Algorithm, iterations, etc.

verify(value, passport, secret, options)

Verifies a password against a stored passport.

Parameter Type Required Description
value string Required The password to verify
passport string Required The stored passport from hash()
secret string Required Same secret key used for hashing
options object Optional Upgrade configuration

Returns

Object containing:

  • valid - Boolean indicating if password is correct
  • needsUpgrade - Boolean indicating if hash should be upgraded
  • upgradedPassport - New passport if upgrade needed
  • metadata - Current hash metadata

Example: Complete Authentication System

Full Express.js authentication with login, automatic upgrades, and session management:

const express=require('express'); const
          session=require('express-session'); const { hash, verify }=require('inslash'); const
          User=require('./models/User'); const app=express(); app.use(express.json()); app.use(session({
          secret: 'your-session-secret' , resave: false, saveUninitialized: false })); // Login endpoint
          app.post('/login', async (req, res)=> {
          const { email, password } = req.body;

          // Find user
          const user = await User.findOne({ email });
          if (!user) {
          return res.status(401).json({ error: 'Invalid credentials' });
          }

          // Verify password
          const result = await verify(password, user.passport, process.env.HASH_PEPPER);

          if (!result.valid) {
          return res.status(401).json({ error: 'Invalid credentials' });
          }

          // Automatic security upgrade
          if (result.needsUpgrade) {
          user.passport = result.upgradedPassport;
          await user.save();
          console.log('Password hash upgraded for user:', user.email);
          }

          // Create session
          req.session.userId = user._id;
          res.json({ success: true, user: { id: user._id, email: user.email } });
          });

          // Protected route middleware
          function requireAuth(req, res, next) {
          if (!req.session.userId) {
          return res.status(401).json({ error: 'Unauthorized' });
          }
          next();
          }

          app.get('/dashboard', requireAuth, (req, res) => {
          res.json({ message: 'Welcome to your dashboard!' });
          });

          app.listen(3000);

Example: User Registration Flow

Complete user registration with validation and secure password storage:

const { hash }=require('inslash'); const
          User=require('./models/User'); app.post('/signup', async (req, res)=> {
          const { username, email, password, confirmPassword } = req.body;

          // Validation
          if (!username || !email || !password) {
          return res.status(400).json({ error: 'All fields required' });
          }

          if (password !== confirmPassword) {
          return res.status(400).json({ error: 'Passwords do not match' });
          }

          if (password.length < 8) { return res.status(400).json({ error: 'Password must be at least 8 characters' }); }
            // Check if user exists const existingUser=await User.findOne({ $or: [{ username }, { email }] }); if
            (existingUser) { return res.status(400).json({ error: 'Username or email already exists' }); } // Hash
            password with strong settings const hashResult=await hash(password, process.env.HASH_PEPPER, {
            algorithm: 'sha512' , iterations: 150000 }); // Create user const user=new User({ username, email, passport:
            hashResult.passport, createdAt: new Date() }); await user.save(); // Auto-login after registration
            req.session.userId=user._id; res.status(201).json({ success: true, user: { id: user._id, username:
            user.username, email: user.email } }); });

Example: Password Reset System

Secure password reset with email tokens:

const crypto=require('crypto'); const { hash
          }=require('inslash'); const User=require('./models/User'); const sendEmail=require('./utils/email'); //
          Request password reset app.post('/forgot-password', async (req, res)=> {
          const { email } = req.body;

          const user = await User.findOne({ email });
          if (!user) {
          // Don't reveal if email exists
          return res.json({ message: 'If email exists, reset link sent' });
          }

          // Generate reset token
          const resetToken = crypto.randomBytes(32).toString('hex');
          const resetTokenHash = crypto.createHash('sha256').update(resetToken).digest('hex');

          user.resetPasswordToken = resetTokenHash;
          user.resetPasswordExpires = Date.now() + 3600000; // 1 hour
          await user.save();

          // Send email
          const resetUrl = `https://yourapp.com/reset-password/${resetToken}`;
          await sendEmail({
          to: user.email,
          subject: 'Password Reset Request',
          html: `Click here to reset: ${resetUrl}`
          });

          res.json({ message: 'If email exists, reset link sent' });
          });

          // Reset password with token
          app.post('/reset-password/:token', async (req, res) => {
          const { password } = req.body;

          // Hash the token to compare
          const resetTokenHash = crypto.createHash('sha256')
          .update(req.params.token)
          .digest('hex');

          // Find user with valid token
          const user = await User.findOne({
          resetPasswordToken: resetTokenHash,
          resetPasswordExpires: { $gt: Date.now() }
          });

          if (!user) {
          return res.status(400).json({ error: 'Invalid or expired token' });
          }

          // Hash new password
          const hashResult = await hash(password, process.env.HASH_PEPPER, {
          algorithm: 'sha512',
          iterations: 150000
          });

          // Update user
          user.passport = hashResult.passport;
          user.resetPasswordToken = undefined;
          user.resetPasswordExpires = undefined;
          await user.save();

          res.json({ success: true, message: 'Password reset successful' });
          });

Configuration

Recommended security settings:

Production Recommendation: Use SHA-512 with 150,000+ iterations for maximum security. 

// Production configuration const productionConfig={
          algorithm: 'sha512' , // Strongest algorithm iterations: 150000, // High iteration count saltLength: 16, //
          Default is fine hashLength: 64 // Larger for SHA-512 }; const result=await hash(password,
          process.env.HASH_PEPPER, productionConfig);