feat: Add ARGON2ID Hash Algorithm

Author: Xephi

authme-core/src/main/java/fr/xephi/authme/datasource/converter/LibreLoginConverter.java

@@ -42,7 +42,7 @@
  * <b>Algorithm mapping:</b>
  * <ul>
  *   <li>{@code BCrypt-2A} → configure AuthMe with {@code passwordHash: BCRYPT}</li>
- *   <li>{@code Argon2-ID} → configure AuthMe with {@code passwordHash: ARGON2}</li>
+ *   <li>{@code Argon2-ID} → configure AuthMe with {@code passwordHash: ARGON2ID}</li>
  *   <li>{@code SHA-256} → configure AuthMe with {@code passwordHash: SHA256}</li>
  *   <li>{@code SHA-512} → configure AuthMe with {@code passwordHash: DOUBLE_SHA512}</li>
  *   <li>{@code LOGIT-SHA-256} → configure AuthMe with {@code passwordHash: SALTEDSHA256}</li>

authme-core/src/main/java/fr/xephi/authme/datasource/converter/NLoginConverter.java

@@ -35,7 +35,7 @@
  * <p>
  * nLogin reuses AuthMe's password hash formats for BCrypt, SHA-256 and SHA-512, so hashes are
  * copied as-is. Configure AuthMe's {@code passwordHash} to match nLogin's algorithm (default:
- * {@code BCRYPT}). Argon2 hashes are also supported via {@code ARGON2}.
+ * {@code BCRYPT}). Argon2 (argon2id) hashes are supported via {@code ARGON2ID}.
  */
 public class NLoginConverter implements Converter {
 

authme-core/src/main/java/fr/xephi/authme/security/HashAlgorithm.java

@@ -8,6 +8,7 @@
 public enum HashAlgorithm {
 
     ARGON2(fr.xephi.authme.security.crypts.Argon2.class),
+    ARGON2ID(fr.xephi.authme.security.crypts.Argon2Id.class),
     BCRYPT(fr.xephi.authme.security.crypts.BCrypt.class),
     BCRYPT2Y(fr.xephi.authme.security.crypts.BCrypt2y.class),
     CMW(fr.xephi.authme.security.crypts.CmwCrypt.class),

authme-core/src/main/java/fr/xephi/authme/security/crypts/Argon2Id.java

@@ -0,0 +1,96 @@
+package fr.xephi.authme.security.crypts;
+
+import fr.xephi.authme.security.crypts.description.HasSalt;
+import fr.xephi.authme.security.crypts.description.Recommendation;
+import fr.xephi.authme.security.crypts.description.SaltType;
+import fr.xephi.authme.security.crypts.description.Usage;
+import org.bouncycastle.crypto.generators.Argon2BytesGenerator;
+import org.bouncycastle.crypto.params.Argon2Parameters;
+
+import java.security.MessageDigest;
+import java.security.SecureRandom;
+import java.util.Base64;
+
+@Recommendation(Usage.RECOMMENDED)
+@HasSalt(value = SaltType.TEXT, length = 16)
+// Note: Argon2id is actually a salted algorithm but salt generation is handled internally
+// and isn't exposed to the outside, so we treat it as an unsalted implementation
+public class Argon2Id extends UnsaltedMethod {
+
+    private static final int ITERATIONS = 2;
+    private static final int MEMORY_KB = 65536;
+    private static final int PARALLELISM = 1;
+    private static final int SALT_BYTES = 16;
+    private static final int HASH_BYTES = 32;
+
+    private final SecureRandom random = new SecureRandom();
+
+    @Override
+    public String computeHash(String password) {
+        byte[] salt = new byte[SALT_BYTES];
+        random.nextBytes(salt);
+        byte[] hash = derive(password.toCharArray(), salt, ITERATIONS, MEMORY_KB, PARALLELISM, HASH_BYTES);
+        Base64.Encoder enc = Base64.getEncoder().withoutPadding();
+        return "$argon2id$v=19$m=" + MEMORY_KB + ",t=" + ITERATIONS + ",p=" + PARALLELISM
+            + "$" + enc.encodeToString(salt)
+            + "$" + enc.encodeToString(hash);
+    }
+
+    @Override
+    public boolean comparePassword(String password, HashedPassword hashedPassword, String name) {
+        String[] parts = hashedPassword.getHash().split("\\$");
+        // Expected: ["", "argon2id", "v=19", "m=65536,t=2,p=1", "<salt_b64>", "<hash_b64>"]
+        if (parts.length != 6 || !"argon2id".equals(parts[1])) {
+            return false;
+        }
+        try {
+            int[] params = parseParams(parts[3]); // m, t, p
+            byte[] salt = decodeNoPadding(parts[4]);
+            byte[] expected = decodeNoPadding(parts[5]);
+            byte[] computed = derive(password.toCharArray(), salt, params[1], params[0], params[2], expected.length);
+            return MessageDigest.isEqual(computed, expected);
+        } catch (IllegalArgumentException e) {
+            return false;
+        }
+    }
+
+    private static byte[] derive(char[] password, byte[] salt, int iterations, int memoryKb, int parallelism, int hashLen) {
+        Argon2Parameters params = new Argon2Parameters.Builder(Argon2Parameters.ARGON2_id)
+            .withVersion(Argon2Parameters.ARGON2_VERSION_13)
+            .withIterations(iterations)
+            .withMemoryAsKB(memoryKb)
+            .withParallelism(parallelism)
+            .withSalt(salt)
+            .build();
+        Argon2BytesGenerator generator = new Argon2BytesGenerator();
+        generator.init(params);
+        byte[] result = new byte[hashLen];
+        generator.generateBytes(password, result);
+        return result;
+    }
+
+    /** Parses "m=65536,t=2,p=1" → [m, t, p]. */
+    private static int[] parseParams(String paramStr) {
+        int[] result = new int[3];
+        for (String kv : paramStr.split(",")) {
+            String[] pair = kv.split("=");
+            int v = Integer.parseInt(pair[1]);
+            switch (pair[0]) {
+                case "m": result[0] = v; break;
+                case "t": result[1] = v; break;
+                case "p": result[2] = v; break;
+            }
+        }
+        return result;
+    }
+
+    /** Decodes base64 without padding (PHC format omits '='). */
+    private static byte[] decodeNoPadding(String s) {
+        switch (s.length() % 4) {
+            case 2: s += "=="; break;
+            case 3: s += "="; break;
+            default: break;
+        }
+        return Base64.getDecoder().decode(s);
+    }
+}

docs/converters.md

@@ -46,7 +46,7 @@ Migrates accounts from the **LibreLogin** plugin.
 | LibreLogin algorithm | AuthMe `passwordHash` |
 |---|---|
 | `BCrypt-2A` (default) | `BCRYPT` |
-| `Argon2-ID` | `ARGON2` |
+| `Argon2-ID` | `ARGON2ID` |
 | `SHA-256` | `SHA256` |
 | `SHA-512` | `DOUBLE_SHA512` |
 | `LOGIT-SHA-256` | `SALTEDSHA256` |
@@ -80,7 +80,7 @@ Migrates accounts from the **NexAuth** plugin (a fork of LibreLogin).
 | NexAuth algorithm | AuthMe `passwordHash` |
 |---|---|
 | `BCrypt-2A` (default) | `BCRYPT` |
-| `Argon-2ID` | `ARGON2` |
+| `Argon-2ID` | `ARGON2ID` |
 | `SHA-256` | `SHA256` |
 | `SHA-512` | `DOUBLE_SHA512` |
 | `LOGIT-SHA-256` | `SALTEDSHA256` |
@@ -139,7 +139,7 @@ Migrates accounts from the **nLogin** plugin.
 |---|---|
 | BCrypt (default) | `BCRYPT` or `BCRYPT2Y` |
 | SHA-256 (`$SHA$…`) | `SHA256` |
-| Argon2 | `ARGON2` |
+| Argon2 (argon2id) | `ARGON2ID` |
 
 **Notes:**
 - Email addresses and last-login timestamps are migrated.

docs/hash_algorithms.md

@@ -1,5 +1,5 @@
 <!-- AUTO-GENERATED FILE! Do not edit this directly -->
-<!-- File auto-generated on Wed May 06 10:48:06 CEST 2026. See authme-tools/src/test/java/tools/docs/hashmethods/hash_algorithms.tpl.md -->
+<!-- File auto-generated on Sat May 23 08:31:23 CEST 2026. See authme-tools/src/test/java/tools/docs/hashmethods/hash_algorithms.tpl.md -->
 
 ## Hash Algorithms
 AuthMe supports the following hash algorithms for storing your passwords safely.
@@ -8,6 +8,7 @@ AuthMe supports the following hash algorithms for storing your passwords safely.
 Algorithm | Recommendation | Hash length | ASCII |     | Salt type | Length | Separate?
 --------- | -------------- | ----------- | ----- | --- | --------- | ------ | ---------
 ARGON2 | Recommended | 96 |  | | Text | 16 | 
+ARGON2ID | Recommended | 97 |  | | Text | 16 | 
 BCRYPT | Recommended | 60 |  | | Text | 22 | 
 BCRYPT2Y | Recommended | 60 |  | | Text | 22 | 
 CMW | Do not use | 32 |  | | None |  | 
@@ -82,4 +83,4 @@ or bad.
 
 ---
 
-This page was automatically generated on the [AuthMe/AuthMeReloaded repository](https://github.com/AuthMe/AuthMeReloaded/tree/master/docs/) on Wed May 06 10:48:06 CEST 2026
+This page was automatically generated on the [AuthMe/AuthMeReloaded repository](https://github.com/AuthMe/AuthMeReloaded/tree/master/docs/) on Sat May 23 08:31:23 CEST 2026