I am making a login system, and when logging in the password currently gets sent from JavaScript to a PHP file.
In PHP I use the following piece of code to hash.
$hash = password_hash($_POST['password'], PASSWORD_BCRYPT);
How should I hash the password in JavaScript before sending it using POST?
I obviously do not want to affect BCRYPT's security.
What is done on the client side is not really controlled by you. What I mean is that even if you hash your password it's possible for a client to get the password before hashing/encryption.
var password = document.getElementById('login').value;
console.log(password); // It is as simple as that
//hash password...
The above is a simple example to explain: the client could get the password like this, or someone else could get it using an XSS attack. You should do your best to protect your clients from XSS, but then you can't control what happens on the client side.
If what you fear is a Man In The Middle (MITM) attack, the most important thing is to use a TLS certificate with a correct algorithm (it depends on the OpenSSL version of your server).
In short, using HTTPS is what you should do to protect your clients from a MITM attack.
So in my opinion, it's not required to hash/encrypt the password before sending it.
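The server side of the approach described in this answer, as an added example that is not part of the original post: the password is sent as typed over HTTPS and checked against the stored bcrypt hash with password_verify(). The function names (sample_users, is_https, check_login), the user "alice" and her password are constructed for illustration, and the HTTPS check assumes PHP terminates TLS itself with no reverse proxy in front.

```php
<?php
declare(strict_types=1);

// Constructed sample store: in a real application this row comes from the database.
function sample_users(): array
{
    return ['alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT)];
}

// True when the request arrived over TLS (assumption: no reverse proxy in front of PHP).
function is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

// Hypothetical login check: the password arrives as typed, protected in transit
// by HTTPS, and is compared with the stored bcrypt hash using password_verify().
function check_login(array $server, array $post, array &$users): bool
{
    if (!is_https($server)) {
        return false; // do not accept credentials over plain HTTP
    }
    $name = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($name) || !is_string($password) || !isset($users[$name])) {
        return false;
    }
    if (!password_verify($password, $users[$name])) {
        return false;
    }
    // Refresh the stored hash when the bcrypt cost default has changed.
    if (password_needs_rehash($users[$name], PASSWORD_BCRYPT)) {
        $users[$name] = password_hash($password, PASSWORD_BCRYPT);
    }
    return true;
}

// Demo with constructed requests, run from the PHP command line.
$users = sample_users();
$post = ['username' => 'alice', 'password' => 'correct horse battery staple'];
var_dump(check_login(['HTTPS' => 'on'], $post, $users)); // request over HTTPS
var_dump(check_login([], $post, $users));                // same request over plain HTTP
var_dump(check_login(['HTTPS' => 'on'], ['username' => 'alice', 'password' => 'wrong'], $users));
// password_hash() uses a fresh random salt on every call, so hashing the login
// input again does not reproduce the stored hash; password_verify() is the comparison.
var_dump(password_hash($post['password'], PASSWORD_BCRYPT) === $users['alice']);
```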