# `Sigra.Hasher`
[🔗](https://github.com/sztheory/sigra/blob/v1.20.0/lib/sigra/hasher.ex#L1)

Behaviour for password hashing implementations.

Sigra uses this behaviour to abstract the password hashing algorithm,
allowing transparent migration between hashing algorithms (e.g., bcrypt
to Argon2id) and easy testing via Mox.

## Default Implementation

`Sigra.Hashers.Argon2` -- uses Argon2id, the OWASP-recommended algorithm.

## Mox Usage

    Mox.defmock(MockHasher, for: Sigra.Hasher)

# `hash_password`
*since 0.1.0* 

```elixir
@callback hash_password(password :: String.t()) :: String.t()
```

Hashes a plaintext password and returns the hashed string.

# `no_user_verify`
*since 0.1.0* 

```elixir
@callback no_user_verify() :: :ok
```

Runs a dummy hash operation to prevent timing-based user enumeration.

This must take approximately the same time as a real hash verification
to prevent attackers from distinguishing between "user exists" and
"user does not exist" based on response time.

# `verify_password`
*since 0.1.0* 

```elixir
@callback verify_password(password :: String.t(), hashed_password :: String.t()) ::
  boolean()
```

Verifies a plaintext password against a hashed password.
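
How the three callbacks fit together in a login path, as an added example that is not Sigra's own code: `DemoHasher`, `DemoAuth` and the `users` map are hypothetical names. PBKDF2 from OTP's `:crypto` stands in for Argon2id so the script runs without dependencies (OTP 25+ assumed for `:crypto.hash_equals/2`).

```elixir
# Added example. In a Sigra project DemoHasher would declare `@behaviour Sigra.Hasher`.
defmodule DemoHasher do
  @iterations 100_000

  def hash_password(password) do
    salt = :crypto.strong_rand_bytes(16)
    Base.encode64(salt) <> "$" <> Base.encode64(derive(password, salt))
  end

  def verify_password(password, hashed_password) do
    with [salt64, key64] <- String.split(hashed_password, "$"),
         {:ok, salt} <- Base.decode64(salt64),
         {:ok, <<key::binary-size(32)>>} <- Base.decode64(key64) do
      # Constant-time comparison; both sides are 32 bytes here.
      :crypto.hash_equals(derive(password, salt), key)
    else
      _ -> false
    end
  end
  # Same key derivation as a real verification, result discarded.
  def no_user_verify do
    derive("dummy", <<0::128>>)
    :ok
  end

  defp derive(password, salt),
    do: :crypto.pbkdf2_hmac(:sha256, password, salt, @iterations, 32)
end

defmodule DemoAuth do
  # `users` is a constructed map of email => stored hash (stand-in for a database).
  def authenticate(users, email, password, hasher \\ DemoHasher) do
    with {:ok, hash} <- Map.fetch(users, email),
         true <- hasher.verify_password(password, hash) do
      {:ok, email}
    else
      :error ->
        # Unknown account: pay the hashing cost, then return the same error.
        hasher.no_user_verify()
        {:error, :invalid_credentials}
      false -> {:error, :invalid_credentials}
    end
  end
end

users = %{"alice@example.test" => DemoHasher.hash_password("correct horse")}
for {email, pw} <- [{"alice@example.test", "wrong"}, {"nobody@example.test", "wrong"}] do
  {usec, result} = :timer.tc(fn -> DemoAuth.authenticate(users, email, pw) end)
  IO.inspect({email, result, usec})
end
```

Both failure paths perform one key derivation and return the same error tuple, so the printed timings for the existing and the unknown account are comparable.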

