docs/security/passwords.md
Vapor includes a password hashing API to help you store and verify passwords securely. This API is configurable based on environment and supports asynchronous hashing.
To configure the Application's password hasher, use app.passwords.
import Vapor
app.passwords.use(...)
To use Vapor's Bcrypt API for password hashing, specify .bcrypt. This is the default.
app.passwords.use(.bcrypt)
Bcrypt will use a cost of 12 unless otherwise specified. You can configure this by passing the cost parameter.
app.passwords.use(.bcrypt(cost: 8))
Vapor includes an insecure password hasher that stores and verifies passwords as plaintext. This should not be used in production but can be useful for testing.
switch app.environment {
case .testing:
app.passwords.use(.plaintext)
default: break
}
To hash passwords, use the password helper available on Request.
let digest = try req.password.hash("vapor")
Password digests can be verified against the plaintext password using the verify method.
let bool = try req.password.verify("vapor", created: digest)
The same API is available on Application for use during boot.
let digest = try app.password.hash("vapor")
Password hashing algorithms are designed to be slow and CPU intensive. Because of this, you may want to avoid blocking the event loop while hashing passwords. Vapor provides an asynchronous password hashing API that dispatches hashing to a background thread pool. To use the asynchronous API, use the async property on a password hasher.
req.password.async.hash("vapor").map { digest in
// Handle digest.
}
// or
let digest = try await req.password.async.hash("vapor")
Verifying digests works similarly:
req.password.async.verify("vapor", created: digest).map { bool in
// Handle result.
}
// or
let result = try await req.password.async.verify("vapor", created: digest)
Calculating hashes on background threads can free your application's event loops up to handle more incoming requests.