Usage of Firebase SCrypt params in nodejs scrypt package

I've been struggling with this for some time now, hopefully someone has done this before and can help me on my way. I went to the Firebase people to request the scrypt params in order to migrate our user authentication away from Firebase to our own server. Now I got those params, but I have no clue as to how they should map onto the node scrypt package (https://www.npmjs.com/package/scrypt). The Firebase params are of the following format:

hash_config: {
    algorithm: SCRYPT,
    base64_signer_key: asdf1234
    base64_salt_seperator: xxxx
    rounds: 123456
    mem_cost: 098765
}

Somehow these should map onto the nodejs scrypt params, but I can't find the similarities. Any help would be much appreciated!

Struggled a lot with getting scrypt to work properly. The documentation here https://github.com/firebase/scrypt#password-hashing looks outdated. Decided to share how we did things correctly in our team.

Working command

scrypt {key} {salt} {saltSeparator} {rounds} {memcost} [-P]

No need for salt+separator concatenation and base64 manipulations.

Firebase uses a custom version of Scrypt for user authentication. We take the derived key from standard scrypt, and then AES encrypt it with a "pepper", stored with the hashed password.

We just open sourced Firebase's version so that you can do your own password verification. Check it out at github.com/firebase/scrypt

I've been running into the same problem with migrating my firebase users over. I've also been going back and forth with firebase technical support - they said they couldn't share their hashing libraries unfortunately. As an alternative I've migrated my users over to my new db and checked for the "salt" variable whenever someone signs in. If the salt exists then query firebase, otherwise query your own db.

Comments
  • hey @Kiana, could you please explain how to make this algo work with nodejs? I couldn't find any usage of firebase/scrypt in nodejs. I couldn't find a way to use the standard scrypt package with the password hash params firebase provided. And I don't know what salt is used for scrypt, or what secret is used for AES. Any precise nodejs example with proper data will be appreciated. Thank you
  • Sorry, we don't have any nodejs version of the code. The AES secret is in the Password Hash Parameters in the firebase console (firebase.google.com/docs/auth/admin/…). The scrypt salt is exported along with the password when you do firebase auth:export.
  • We've changed this policy - you can take a look at the hashing library on github: github.com/firebase/scrypt
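
An added example, not code from the posts above or from the Firebase project: one way to check a password against an exported Firebase hash using Node's built-in crypto.scrypt. The parameter mapping (N = 2^mem_cost, r = rounds, p = 1, 32-byte key), the salt + separator concatenation, and the final AES-256-CTR step with an all-zero IV are assumptions not stated on this page; the config values and the user record are constructed.

```javascript
const crypto = require('crypto');

// Constructed parameters in the shape of the question's hash_config
// (placeholders, not real project secrets).
const hashConfig = {
  base64_signer_key: Buffer.alloc(64, 0x41).toString('base64'),
  base64_salt_separator: 'Bw==',
  rounds: 8,
  mem_cost: 14,
};

// Assumed mapping: N = 2^mem_cost, r = rounds, p = 1, 32-byte derived key.
function firebaseScryptHash(password, base64Salt, cfg) {
  const salt = Buffer.concat([
    Buffer.from(base64Salt, 'base64'),
    Buffer.from(cfg.base64_salt_separator, 'base64'),
  ]);
  const N = 2 ** cfg.mem_cost;
  const derivedKey = crypto.scryptSync(password, salt, 32, {
    N, r: cfg.rounds, p: 1,
    maxmem: 256 * N * cfg.rounds, // headroom over the ~128*N*r scrypt needs
  });
  // Assumed final step: AES-256-CTR with an all-zero IV, keyed with the
  // scrypt output, encrypting the signer key. The ciphertext is the hash.
  const cipher = crypto.createCipheriv('aes-256-ctr', derivedKey, Buffer.alloc(16));
  const signerKey = Buffer.from(cfg.base64_signer_key, 'base64');
  return Buffer.concat([cipher.update(signerKey), cipher.final()]).toString('base64');
}

// Constant-time comparison so the check does not leak how many bytes matched.
function verifyFirebasePassword(password, base64Salt, storedBase64Hash, cfg) {
  const expected = Buffer.from(storedBase64Hash, 'base64');
  const actual = Buffer.from(firebaseScryptHash(password, base64Salt, cfg), 'base64');
  return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
}

// Constructed record standing in for one user from `firebase auth:export`.
const salt = Buffer.alloc(8, 7).toString('base64');
const user = { salt, passwordHash: firebaseScryptHash('correct horse', salt, hashConfig) };
console.log(verifyFirebasePassword('correct horse', user.salt, user.passwordHash, hashConfig)); // true
console.log(verifyFirebasePassword('wrong guess', user.salt, user.passwordHash, hashConfig));   // false
```

On a migrated account, a successful check is a natural point to re-hash the password with your own scheme and drop the Firebase salt and hash from the record.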