Firebase Authentication Migration

Question

I was trying to move away from firebase authentication. So I exported all firebase users with their email, hashedPassword, saltKey, all the other necessary information.

After all, I migrated them to database and tried to implement auth flow using JWT and Express.js.

What I did is I used firebase-scrypt npm to validate hashedPassword with saltkey and firebase auth configuration I get from the original firebase app.

What whatever I input as password, it is validated all true and I can't make auth flow working.

If someone faced this issue and help me figure out this one, I really appreciate it.

Thanks for taking a careful look.

p.s. code attached below

import { FirebaseScrypt } from 'firebase-scrypt';
const hashConfig: FirebaseScryptOptions = {
  signerKey: 'xxxx',
  saltSeparator: 'xxxx',
  rounds: 8,
  memCost: 14
};
const scrypt = new FirebaseScrypt(hashConfig);
public async login(req: Request, res: Response) {
  const { email, password } = req.body;
  try {
    const user = await User.findOne({
      where: {
        email
      }
    });

    const hashedPassword = await scrypt.hash(password, user.salt);
    const valid = await scrypt.verify(password, user.salt, hashedPassword);
    if (!valid) {
      res.status(400).send(AuthError.InvalidPassword);
      return;
    }
    const token = AuthController.createToken(user.id);
    res.setHeader('token', AuthController.createCookie(token));
    res.send(user);
  } catch (e) {
    res.status(400).send(AuthError.UserNotFound);
  }
}

Answer 1

The function scrypt.hash(password, user.salt) doesn't fetch an existing hash, but it generates a new one based on the given password and salt. After generating a new hash based on the given password, you then check if the given password is valid for that hash. Which is always true, since the hash is always generated for the input password :)

So you should probably change the line const hashedPassword = ... to something that loads the hash from a database.