Usage of Firebase SCrypt params in nodejs scrypt package


I've been struggling with this for some time now, hopefully someone has done this before and can help me on my way. I went to the Firebase people to request the scrypt params in order to migrate our user authentication away from Firebase to our own server. Now I got those params, but I have no clue as to how they should map onto the node scrypt package (https://www.npmjs.com/package/scrypt). The Firebase params are of the following format:

hash_config: {
    algorithm: SCRYPT,
    base64_signer_key: asdf1234
    base64_salt_seperator: xxxx
    rounds: 123456
    mem_cost: 098765
}

Somehow these should map onto the nodejs scrypt params, but I can't find the similarities. Any help would be much appreciated!


There are 3 answers

0
Rashad Ibrahimov On BEST ANSWER

Struggled a lot with getting scrypt to work properly. The documentation here https://github.com/firebase/scrypt#password-hashing looks outdated. Decided to share how we did things correctly in our team.

Working command

scrypt {key} {salt} {saltSeparator} {rounds} {memcost} [-P]

No need for salt+separator concatenation and base64 manipulations.

1
David Tao On

I've been running into the same problem with migrating my firebase users over. I've also been going back and forth with firebase technical support - they said they couldn't share their hashing libraries unfortunately. As an alternative I've migrated my users over to my new db and checked for the "salt" variable whenever someone signs in. If the salt exists then query firebase, otherwise query your own db.

2
Kiana On

Firebase uses a custom version of Scrypt for user authentication. We take the derived key from standard scrypt, and then AES encrypt it with a "pepper", stored with the hashed password.

We just open sourced Firebase's version so that you can do your own password verification. Check it out at github.com/firebase/scrypt
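
For the mapping the question asks about, here is an added example (not code from this thread or from Firebase) that verifies an exported hash with Node's built-in `crypto` module instead of the `scrypt` package. The function names and sample values are constructed, the separator key is spelled `base64_salt_separator`, and the mapping itself (N = 2^mem_cost, r = rounds, p = 1, salt followed by separator, AES-256-CTR with a zero IV) is an assumption to confirm against one known hash from your own export.

```javascript
const crypto = require('crypto');

// Constructed sample values shaped like the question's hash_config (not real keys).
const sampleConfig = {
  base64_signer_key: Buffer.alloc(64, 0x5a).toString('base64'),
  base64_salt_separator: 'Bw==',
  rounds: 8,
  mem_cost: 14,
};
const sampleSalt = Buffer.from('constructed-salt').toString('base64');

// Assumed mapping: N = 2^mem_cost, r = rounds, p = 1, salt = user salt || separator.
function firebaseScryptHash(password, base64Salt, config) {
  const N = 2 ** config.mem_cost;
  const r = config.rounds;
  const salt = Buffer.concat([
    Buffer.from(base64Salt, 'base64'),
    Buffer.from(config.base64_salt_separator, 'base64'),
  ]);
  // Node rejects parameters that need more than maxmem (default 32 MiB), so size it.
  const derivedKey = crypto.scryptSync(password, salt, 32, {
    N, r, p: 1, maxmem: 256 * N * r,
  });
  // The scrypt output is used as the AES-256-CTR key; the signer key is the plaintext.
  const cipher = crypto.createCipheriv('aes-256-ctr', derivedKey, Buffer.alloc(16, 0));
  const signerKey = Buffer.from(config.base64_signer_key, 'base64');
  return Buffer.concat([cipher.update(signerKey), cipher.final()]);
}

// Compare against the stored base64 hash in constant time.
function firebaseScryptVerify(password, base64Salt, base64Hash, config) {
  const expected = Buffer.from(base64Hash, 'base64');
  const actual = firebaseScryptHash(password, base64Salt, config);
  return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
}
```

The per-user salt and hash come from each exported account record, while the `hash_config` values are the same for the whole project.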