3

I've been struggling with this for some time now; hopefully someone has done this before and can help me on my way. I went to the Firebase people to request the scrypt params in order to migrate our user authentication away from Firebase to our own server. Now I've got those params, but I have no clue as to how they should map onto the node scrypt package (https://www.npmjs.com/package/scrypt). The Firebase params are of the following format:

hash_config: {
    algorithm: SCRYPT,
    base64_signer_key: asdf1234
    base64_salt_seperator: xxxx
    rounds: 123456
    mem_cost: 098765
}

Somehow these should map onto the nodejs scrypt params, but I can't find the similarities. Any help would be much appreciated!

Matjuhh

3 Answers

2

Struggled a lot with getting scrypt to work properly. The documentation here https://github.com/firebase/scrypt#password-hashing looks outdated. Decided to share how we did things correctly in our team.

Working command

scrypt {key} {salt} {saltSeparator} {rounds} {memcost} [-P]

No need for salt+separator concatenation and base64 manipulations.

Rashad Ibrahimov
0

Firebase uses a custom version of Scrypt for user authentication. We take the derived key from standard scrypt, and then AES encrypt it with a "pepper", stored with the hashed password.

We just open sourced Firebase's version so that you can do your own password verification. Check it out at github.com/firebase/scrypt

Kiana
  • Hey @Kiana, could you please explain how to make this algo work with nodejs? I couldn't find any usage of firebase/scrypt in nodejs. I couldn't find a way to use the standard scrypt package with the password hash params Firebase provided. And I don't know what salt is used for scrypt, and what secret is used for AES. Any precise nodejs example with proper data will be appreciated. Thank you – Rashad Ibrahimov May 02 '18 at 13:56
  • Sorry, we don't have any nodejs version of the code. The AES secret is in the Password Hash Parameters in the firebase console (https://firebase.google.com/docs/auth/admin/import-users#import_users_with_firebase_scrypt_hashed_passwords). The scrypt salt is exported along with the password when you do firebase auth:export. – Kiana Jun 15 '18 at 00:11
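
A Node.js sketch of the verification discussed in this thread, using only the built-in crypto module. It is an added example, not code from Firebase or from any poster here. The parameter mapping (N = 2^mem_cost, r = rounds, p = 1, a 32-byte scrypt key used as the AES-256-CTR key with a zero IV to encrypt the signer key) is an assumption to confirm against one of your own exported hashes; the config field names and all sample values are constructed.

```javascript
// Added example: Firebase-style scrypt check with Node's built-in crypto.
// ASSUMED mapping (confirm on a real exported hash before migrating):
//   N = 2^mem_cost, r = rounds, p = 1, 32-byte derived key,
//   derived key = AES-256-CTR key (zero IV) that encrypts the signer key.
const crypto = require('crypto');

function firebaseScryptHash(password, saltB64, cfg) {
  // Per-user salt from the export, followed by the project-wide separator.
  const salt = Buffer.concat([
    Buffer.from(saltB64, 'base64'),
    Buffer.from(cfg.saltSeparator, 'base64'),
  ]);
  const N = 2 ** cfg.memCost;
  const r = cfg.rounds;
  // scrypt needs roughly 128*N*r bytes; size maxmem so large configs fit.
  const key = crypto.scryptSync(password, salt, 32, { N, r, p: 1, maxmem: 256 * N * r });
  const cipher = crypto.createCipheriv('aes-256-ctr', key, Buffer.alloc(16));
  const signerKey = Buffer.from(cfg.signerKey, 'base64');
  return Buffer.concat([cipher.update(signerKey), cipher.final()]);
}

function verifyPassword(password, saltB64, storedHashB64, cfg) {
  const expected = Buffer.from(storedHashB64, 'base64');
  const actual = firebaseScryptHash(password, saltB64, cfg);
  // Length check first: timingSafeEqual throws on unequal lengths.
  return actual.length === expected.length && crypto.timingSafeEqual(actual, expected);
}

// Constructed sample config; real values come from hash_config
// (signer key, salt separator, rounds, mem_cost).
const sampleConfig = {
  signerKey: crypto.createHash('sha512').update('constructed signer key').digest('base64'),
  saltSeparator: 'Bw==',
  rounds: 8,
  memCost: 10,
};

// Constructed user record standing in for one row of an auth export.
const sampleSalt = Buffer.from('constructed-salt').toString('base64');
const sampleUser = {
  salt: sampleSalt,
  passwordHash: firebaseScryptHash('correct horse battery', sampleSalt, sampleConfig).toString('base64'),
};

console.log(verifyPassword('correct horse battery', sampleUser.salt, sampleUser.passwordHash, sampleConfig));
console.log(verifyPassword('wrong guess', sampleUser.salt, sampleUser.passwordHash, sampleConfig));
```

Once a login verifies this way, the password can be rehashed with your own server's scheme so the Firebase parameters are no longer needed for that user.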
-1

I've been running into the same problem with migrating my firebase users over. I've also been going back and forth with firebase technical support - they said they couldn't share their hashing libraries unfortunately. As an alternative I've migrated my users over to my new db and checked for the "salt" variable whenever someone signs in. If the salt exists then query firebase, otherwise query your own db.

David Tao
  • We've changed this policy - you can take a look at the hashing library on github: github.com/firebase/scrypt – Kiana Feb 23 '18 at 23:33