"""Authentication — optional password protection for the console.

Provides password hashing and verification for the console's
optional authentication feature.

Ported from net.i2p.router.web.ConsolePasswordManager.
"""

from __future__ import annotations

import hashlib
import secrets


def generate_password_hash(password: str) -> str:
    """Generate a salted SHA-256 hash of a password."""
    salt = secrets.token_hex(16)
    h = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"{salt}:{h}"


def check_password(password: str, password_hash: str) -> bool:
    """Check a password against a salted hash."""
    if ":" not in password_hash:
        return False
    salt, expected = password_hash.split(":", 1)
    h = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return secrets.compare_digest(h, expected)