Hi there,
I was going through the documentation and I saw the following description for the salt parameter of the hash(data, salt, cb) method:
salt- [REQUIRED] - the salt to be used to hash the password. if specified as a number then a salt will be generated and used (see examples).
(note that there were no examples, afaik, for me to reference)
The description is unclear to me. Is it saying that if I pass in a number value, say numSaltRounds, in place of an actual salt, that a salt will be created based on numSaltRounds rounds?
That is to say that the following two function calls would have identical results:
var bcrypt = require('bcrypt');
var numSaltRounds = 10;
bcrypt.genSalt(numSaltRounds, function(err, salt) {
  bcrypt.hash('someplaintextpassword', salt, function(err, hash) {
    // Store hash in your password DB.
  });
});

var bcrypt = require('bcrypt');
var numSaltRounds = 10;
bcrypt.hash('someplaintextpassword', numSaltRounds, function(err, hash) {
  // Store hash in your password DB.
});
If it is indeed the case that both the above techniques are the same, then:
salt parameter could be updated to be more descriptive... (I'd be happy to do this) and
Thanks for reading!
That's not my understanding of how hash works. genSalt will generate a random salt, and the numSaltRounds just tells the function how many times to generate a salt, which increases the "randomness" of the final salt that is passed to your function(err, salt) function. In other words, numSaltRounds is not the salt but an iteration count. The hash function accepts an actual salt, not an iteration count. So, your first technique is the correct one.
Hey @johnmanko, thanks for your reply! I hope we'll be able to figure this out together :)
I understand and am in agreement with what you described as the general use for the hash function. However, the core of my confusion revolves around the API documentation part that reads:
"if [the salt parameter is] specified as a number then a salt will be generated and used."
It seems this contradicts your statement that the hash function does not accept an "iteration count" (as per your words) since there is mention of a numeric value. A salt is clearly being generated and used somewhere. After all, the output of the function is a hashed password. It would make the most sense, then, for this numeric value of the salt-parameter to correspond to the iteration count (what other value could it possibly represent?).
However, I am unable to find evidence for this in either the documentation or the source code (I also don't know C++ so I might've missed it). Further, as per the docs/README, there is no explanation as to why a convoluted method (i.e. Technique 1) seems to be preferred over a much simpler one (i.e. Technique 2).
I'm trying to both:
Here is the code for the hash function:
module.exports.hash = function(data, salt, cb) {
  // Guard against the callback being passed in a data/salt position.
  if (typeof data === 'function') {
    return process.nextTick(function() {
      data(new Error('data must be a string and salt must either be a salt string or a number of rounds'));
    });
  }
  if (typeof salt === 'function') {
    return process.nextTick(function() {
      salt(new Error('data must be a string and salt must either be a salt string or a number of rounds'));
    });
  }
  if (data == null || salt == null) {
    return process.nextTick(function() {
      cb(new Error('data and salt arguments required'));
    });
  }
  // salt may be either a salt string or a number of rounds.
  if (typeof data !== 'string' || (typeof salt !== 'string' && typeof salt !== 'number')) {
    return process.nextTick(function() {
      cb(new Error('data must be a string and salt must either be a salt string or a number of rounds'));
    });
  }
  if (!cb || typeof cb !== 'function') {
    return;
  }
  // A numeric salt is treated as a round count: generate a salt first, then hash.
  if (typeof salt === 'number') {
    return module.exports.genSalt(salt, function(err, salt) {
      return bindings.encrypt(data, salt, cb);
    });
  }
  // A string salt is passed straight through to the native binding.
  return bindings.encrypt(data, salt, cb);
};
Neither technique is preferred and you can use either one depending on your use case. I use technique 2 but we have technique 1 for backwards compatibility.
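Whichever technique is used, what hash() hands back has the same shape, and that shape is where the confusion in this thread is settled: the cost (the "rounds" number) and the generated salt are both embedded in the result, which is why compare() never needs a separately stored salt. The parser below is an added example, not code from the thread or from the bcrypt project; the `SAMPLE` string is constructed to be well-formed and is not the hash of any real password, and the helper and function names are my own.

```javascript
// Added example (not bcrypt project code). Parses the modular-crypt string that
// bcrypt.hash() returns: $<version>$<cost>$<22-char salt><31-char hash>.
// The salt and hash use bcrypt's own base64 alphabet ("./A-Za-z0-9").
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// What hash() accepts when the salt argument is a string (the output of genSalt):
// the same prefix without the trailing 31-char hash.
const SALT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})$/;

function parseBcryptHash(str) {
  const m = BCRYPT_RE.exec(str);
  if (!m) {
    throw new Error('not a well-formed bcrypt hash string');
  }
  const cost = parseInt(m[2], 10);
  if (cost < 4 || cost > 31) {
    throw new Error('bcrypt cost must be between 4 and 31');
  }
  // The cost is log2 of the key-setup iteration count, so 10 means 2^10 rounds.
  return { version: m[1], cost: cost, rounds: 2 ** cost, salt: m[3], hash: m[4] };
}

// Rebuilds the salt string that genSalt() would have produced for this hash,
// i.e. the value "technique 1" passes to hash() explicitly.
function saltStringOf(parsed) {
  return '$' + parsed.version + '$' + String(parsed.cost).padStart(2, '0') + '$' + parsed.salt;
}

// Mirrors the dispatch in bcrypt.js: a number is a round count, a string must
// look like a genSalt() result, anything else is rejected.
function classifySaltArgument(arg) {
  if (typeof arg === 'number') return 'rounds';
  if (typeof arg === 'string' && SALT_RE.test(arg)) return 'salt';
  return 'invalid';
}

// Defender-side check: does a stored hash still meet a minimum cost policy?
function meetsCostPolicy(str, minCost) {
  return parseBcryptHash(str).cost >= minCost;
}

// Constructed sample: correct layout, but not derived from any password.
const SAMPLE = '$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234';

// Stand-alone usage.
console.log(parseBcryptHash(SAMPLE));
console.log(saltStringOf(parseBcryptHash(SAMPLE)));
console.log(classifySaltArgument(10), classifySaltArgument(saltStringOf(parseBcryptHash(SAMPLE))));

module.exports = { parseBcryptHash, saltStringOf, classifySaltArgument, meetsCostPolicy, SAMPLE };
```

Running a check like meetsCostPolicy over a user table is how one finds hashes created with a cost that is now too low and schedules them for rehash at next login.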
@johnmanko The issue's been resolved but I'm just curious where you found that code?
Dear lord I've been looking in the /src folder this whole time without realizing the bcrypt.js file at the root. Whoops - my bad.