Switch from argon2-browser to hash-wasm for argon2 implementation

The latest official release argon2-browser doesn't support node.js v18+
and also has some other caveats.
Because of this I've used my fork of it in 74099d4
with some patches.
Instead of using my patched version this commit uses hash-wasm which
also includes a implementation of argon2, works correctly with node.js
v18 and works fine in the browser as well.

Author: hlxid

nodecg-io-core/dashboard/esbuild.config.js

@@ -90,10 +90,6 @@ const BuildOptions = {
      * invalidate the build.
      */
     watch: args.has("--watch"),
-    // argon2-browser has some imports to fs and path that only get actually imported when running in node.js
-    // because these code paths aren't executed we can just ignore the error that they don't exist in browser environments.
-    // See https://github.com/antelle/argon2-browser/issues/79 and https://github.com/antelle/argon2-browser/issues/26
-    external: ["fs", "path"],
 };
 
 esbuild

nodecg-io-core/extension/persistenceManager.ts

@@ -2,7 +2,7 @@ import { NodeCG, ReplicantServer } from "nodecg-types/types/server";
 import { InstanceManager } from "./instanceManager";
 import { BundleManager } from "./bundleManager";
 import crypto from "crypto-js";
-import * as argon2 from "argon2-browser";
+import { argon2id } from "hash-wasm";
 import { emptySuccess, error, Result, success } from "./utils/result";
 import { ObjectMap, ServiceDependency, ServiceInstance } from "./service";
 import { ServiceManager } from "./serviceManager";
@@ -108,21 +108,20 @@ export function encryptData(data: PersistentData, encryptionKey: crypto.lib.Word
 export async function deriveEncryptionKey(password: string, salt: string): Promise<string> {
     const saltBytes = Uint8Array.from(salt.match(/.{1,2}/g)?.map((byte) => parseInt(byte, 16)) ?? []);
 
-    const hash = await argon2.hash({
-        pass: password,
+    return await argon2id({
+        password,
         salt: saltBytes,
         // OWASP reccomends either t=1,m=37MiB or t=2,m=37MiB for argon2id:
         // https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet#Argon2id
         // On a Ryzen 5 5500u a single iteration is about 220 ms. Two iterations would make that about 440 ms, which is still fine.
         // This is run inside the browser when logging in, therefore 37 MiB is acceptable too.
         // To future proof this we use 37 MiB ram and 2 iterations.
-        time: 2,
-        mem: 37 * 1024,
-        hashLen: 32, // Output size: 32 bytes = 256 bits as a key for AES-256
-        type: argon2.ArgonType.Argon2id,
+        iterations: 2,
+        memorySize: 37, // KiB
+        hashLength: 32, // Output size: 32 bytes = 256 bits as a key for AES-256
+        parallelism: 1,
+        outputType: "hex",
     });
-
-    return hash.hashHex;
 }
 
 /**

nodecg-io-core/package.json

@@ -44,7 +44,6 @@
     },
     "license": "MIT",
     "devDependencies": {
-        "@types/argon2-browser": "^1.18.1",
         "@types/crypto-js": "^4.1.1",
         "@types/jest": "^28.1.6",
         "@types/node": "^18.0.3",
@@ -55,7 +54,7 @@
     },
     "dependencies": {
         "ajv": "^8.11.0",
-        "argon2-browser": "https://github.com/daniel0611/argon2-browser/releases/download/1.19.0/argon2-browser-1.19.0.tgz",
+        "hash-wasm": "^4.9.0",
         "crypto-js": "^4.1.1",
         "tslib": "^2.4.0"
     }