Credentials — Aquilia Documentation
Comprehensive guide and documentation for Credentials in the Aquilia framework. View API reference, examples, and implementation patterns.
Auth / Credentials & Hashers Credentials & Hashers Password hashing with Argon2id (primary) and PBKDF2 (fallback), password policy enforcement with HIBP breach checking, and async-safe convenience functions. PasswordHasher The PasswordHasher uses Argon2id as the primary algorithm with PBKDF2 as a fallback. All operations are async-safe — hashing runs in a thread executor to avoid blocking the event loop. from aquilia.auth.hashing import PasswordHasher hasher = PasswordHasher( algorithm="argon2id", # primary algorithm memory_cost=65536, # 64 MiB time_cost=3, # 3 iterations parallelism=4, # 4 threads hash_length=32, # 32-byte output salt_length=16, # 16-byte salt fallback_algorithm="pbkdf2",# PBKDF2-SHA256 fallback ) # Async hash and verify (runs in thread pool) hashed = await hasher.hash_async("MyP@ssw0rd!") is_valid = await hasher.verify_async("MyP@ssw0rd!", hashed) # → True # Rehash check — detects when params have changed if hasher.check_needs_rehash(hashed): new_hash = await hasher.hash_async(password) await credential_store.update_password(identity_id, new_hash) Convenience Functions from aquilia.auth.hashing import hash_password, verify_password, validate_password # Quick hash and verify (uses default PasswordHasher) hashed = hash_password("MyP@ssw0rd!") ok = verify_password("MyP@ssw0rd!", hashed) # Validate against policy (sync helper) is_valid, errors = validate_password("weak", policy) # is_valid → False # errors → ["Password must be at least 12 characters", ...] PasswordPolicy from aquilia.auth.hashing import PasswordPolicy policy = PasswordPolicy( min_length=12, # minimum 12 characters require_uppercase=True, # at least one A-Z require_lowercase=True, # at least one a-z require_digit=True, # at least one 0-9 require_special=True, # at least one special char check_breached=True, # HIBP breach check ) # Validate — async because breach check calls HIBP API is_valid, errors = await policy.validate_async("MyP@ssw0rd!") if not is_valid: print(errors) # → ["Password has been found in data breaches"] HIBP k-Anonymity: Only the first 5 characters of the SHA-1 hash are sent to the HIBP API. The full hash is never transmitted — the response is checked locally using range queries. Hasher Parameters Parameter Default Description ))} Other Credential Types , , ].map((c, i) => ( ))} )
Go to Homepage