Version: v0.7.1 - Beta.  We welcome contributors & feedback.


$password.check($correctHash) -> boolean


Returns true if this password is an exact match of $correctHash, which is how Password objects are saved to the database via the Db module.

A hash looks something like this: $2y$10$ko.tlm3NGWCegJqo...

$tryPassword ='password')

if $tryPassword.check($correctHash) {
    // Good. Log in...

Full Example

$correctPassHash = getCorrectHash()
$tryPass ='password')

if $tryPass.check($correctPassHash) {
    // Good. Log in...

fn getCorrectHash {

    $query = sql'''
        select password from user where userId = {}

    $userId = Session.get('userId')
    $user = Db.getRow($query.fill($userId))

    return $user.password

Rate Limiting 

Calls to this method are rate-limited to prevent brute force attacks.

It is currently limited to 30 failed attempts per hour. This is large enough that normal users should not be affected, but automated attempts will be slowed considerably. At this rate, a 10,000 word dictionary attack would take about 13 days.

The rate limit applies in 2 ways: to the client IP address, and to the password itself. This dual approach will help mitigate site-wide distributed attacks (e.g. from a botnet) and attacks that target a specific user.

Attempts beyond this limit will be returned as a failed match. Because it does not respond with feedback on the rate limit, most bots will continue to make attempts, but will have zero chance at finding the correct match.

To help prevent a Denial of Service (DoS) from this approach, IP addresses that have successfully used this password in the past 10 days will bypass the rate limit.