As in the title, I have a password-like passphrase (8 chars at least) that is then hashed with Argon2 (with the salt being the SHA256 of that passphrase).

Then I use it as the AES256 key along with a random IV generated by CryptoJS.lib.WordArray.random(256 / 8);

Is it okay?

Or should I use the IV as a key?

Kim Mỹ

1 Answer

with the salt is SHA256 of that passphrase

Don't use the SHA-256 of the passphrase as the salt; randomly generate it so it's not the same for identical passwords.

CryptoJS.lib.WordArray.random(256 / 8);

Don't use CryptoJS. From memory, it generated random numbers incorrectly, the passphrase methods for the ciphers used/use some broken KDF, and it doesn't offer AEAD modes.

See if you can use libsodium.js instead. Alternatively, there's the Web Crypto API. Unfortunately, I know nothing about JavaScript.

Then use it as AES256 key

I presume you're currently using AES-CBC (the default for CryptoJS). It needs to be paired with HMAC-SHA-256 or HMAC-SHA-512 to be secure.

If you switch to a better library, you should just use an AEAD mode like AES-GCM or ChaCha20-Poly1305. You then don't need to apply HMAC because they authenticate the inputs for you. Importantly, with most AEAD modes, you should use a counter nonce (number used once), meaning you increment it after each encryption operation with the same key.

should I use the IV as a key?

No, the IV should only be used as the IV and is a different size to the key. The Argon2 output should be used as the key.

along with a random IV

With AES-CBC, the IV should indeed be random and unpredictable for each encryption operation. It should not be reused with the same key. You can prepend it to the ciphertext output.

samuel-lucas6
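
The recommendations in the answer above, combined into one flow as an added example that is not part of the original post: a random salt, the KDF output used as the AES-256 key, AES-GCM, and the salt and nonce prepended to the ciphertext. It uses the Web Crypto API; because Web Crypto has no Argon2, PBKDF2-HMAC-SHA-256 stands in for it here, and the function names, lengths and iteration count are this example's own assumptions.

```javascript
// Added example. PBKDF2 stands in for Argon2 because Web Crypto has no Argon2;
// with an Argon2 library, its 32-byte output would be imported as the key instead.
const SALT_LEN = 16, NONCE_LEN = 12, ITERATIONS = 600000; // example's own choices

async function getCrypto() {
  // Browsers and recent Node expose globalThis.crypto; older Node needs the import.
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

async function deriveKey(c, passphrase, salt) {
  const material = await c.subtle.importKey(
    'raw', new TextEncoder().encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return c.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Returns salt || nonce || ciphertext+tag as one Uint8Array.
async function encryptWithPassphrase(passphrase, plaintext) {
  const c = await getCrypto();
  // Random salt, so identical passphrases never derive the same key.
  const salt = c.getRandomValues(new Uint8Array(SALT_LEN));
  // Each message gets a fresh salt and therefore a fresh key, so this
  // random nonce is used exactly once under that key.
  const nonce = c.getRandomValues(new Uint8Array(NONCE_LEN));
  const key = await deriveKey(c, passphrase, salt);
  const ct = new Uint8Array(await c.subtle.encrypt(
    { name: 'AES-GCM', iv: nonce }, key, new TextEncoder().encode(plaintext)));
  const out = new Uint8Array(SALT_LEN + NONCE_LEN + ct.length);
  out.set(salt, 0);
  out.set(nonce, SALT_LEN);
  out.set(ct, SALT_LEN + NONCE_LEN);
  return out;
}

// Rejects if the passphrase is wrong or any byte of the blob was modified.
async function decryptWithPassphrase(passphrase, blob) {
  if (blob.length < SALT_LEN + NONCE_LEN + 16) throw new Error('blob too short');
  const c = await getCrypto();
  const salt = blob.subarray(0, SALT_LEN);
  const nonce = blob.subarray(SALT_LEN, SALT_LEN + NONCE_LEN);
  const key = await deriveKey(c, passphrase, salt);
  const pt = await c.subtle.decrypt(
    { name: 'AES-GCM', iv: nonce }, key, blob.subarray(SALT_LEN + NONCE_LEN));
  return new TextDecoder().decode(pt);
}
```

If one derived key is kept and reused for many messages instead, the nonce handling has to change to guarantee it never repeats under that key, as the answer describes.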