I am trying to develop a Rest API using Kotlin/Spring Boot. The JSON request in it, should have a hashed password that was done using Argon2id. Getting the password hashed was pretty straight forward and simple enough! But I am stumped at how to verify what I receive in the JSON request is correct or not. That is matching it with a plain string. This is how I am achieving the hashing.
val argon2PasswordEncoder = Argon2PasswordEncoder(64, 256, 4, 10240, 4)
val hashedPassword : String = argon2PasswordEncoder.encode(decryptedPassword)
println(hashedPassword)
Now I can store the plain text password in a Kotlin string and match it against the hashed password but that probably beats the point of encryption in the first place, I guess!
The other option I was thinking was probably to encrypt the plain text password using some other algorithm (lets say, I use Jasypt) and storing it in the database. And then decrypting it when I get the request, and matching it with the hashed password I receive. But that seems to be a bit of stretch and probably a bad design too! Because from what I see there is encode() method in Argon2PasswordEncoder, but nothing to decode, it back to a string. There is matches() method. But leads me back to the question on my mind. How do I store the plain text password?
Can you please let me know, what is the best way to do this? Was Argon2 a bad choice from the get-go? Or just my lack of knowledge.
Any pointers would be helpful. Thanks!
