lucia-auth / lucia

Authentication, simple and clean
https://lucia-auth.com
MIT License

[Bug]: legacy scrypt has a bug #1369

Closed mohamedhoss123 closed 8 months ago

mohamedhoss123 commented 8 months ago

Package

lucia

Describe the bug

when using

scrypt.verify(hash, password);

it reports that the password is wrong even when I manually write the password and pass it to the hashing function like this:

import { LegacyScrypt } from "lucia";

const password = "correct horse battery staple"; // any sample password
const scrypt = new LegacyScrypt();
const hash = await scrypt.hash(password);
const ok = await scrypt.verify(hash, password);
console.log(ok); // false

After some debugging, the problem appeared to be with these two lines: https://github.com/lucia-auth/lucia/blob/main/packages/lucia/src/crypto.ts#L43 and https://github.com/lucia-auth/lucia/blob/main/packages/lucia/src/crypto.ts#L51. When we make the size of the array the same as the block size we pass to the generateScryptKey function, it appears to work fine, so when making line 51 like this:

const targetKey = await generateScryptKey(password.normalize("NFKC"), salt, 16);

it works.

pilcrowonpaper commented 8 months ago

The issue is this:

async hash(password: string): Promise<string> {
  const salt = encodeHex(crypto.getRandomValues(new Uint8Array(16)));
  const key = await generateScryptKey(password.normalize("NFKC"), salt);
  // returns "<salt>:<key>", i.e. without the "s2:" version prefix that verify() expects
  return `${salt}:${encodeHex(key)}`;
}

I forgot to add the s2 prefix.

mohamedhoss123 commented 8 months ago

XD, why does changing the block size make it work? I didn't understand that part.

mohamedhoss123 commented 8 months ago

Oh ok, never mind, now I understand: the default is 16, so when the version is s2 it uses the function's default value.
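The thread above describes a version-prefixed password hash format where the prefix selects the scrypt parameters, and a writer that drops the prefix so that verify() derives the comparison key with a different block size (r) than hash() used. The following is an added example, not Lucia's code, that reproduces that failure mode and the fix with Node's built-in scrypt. The page confirms the "s2" prefix, the hex-encoded 16-byte salt, NFKC normalization and the default block size of 16; the cost factor N, parallelism p, derived-key length and the assumption that an unprefixed hash is read as an older "s1" format with r = 8 are assumptions made for this example.

```typescript
// Added example (not from the lucia project): a minimal versioned scrypt
// password store showing why a hash written without its "s2:" prefix
// fails verification, and the corrected writer.
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Assumed parameters. Only the "s2" prefix, the 16-byte hex salt, NFKC
// normalization and the default block size 16 are stated on the page.
const SCRYPT_N = 16384;
const SCRYPT_P = 1;
const KEY_LEN = 64;
// Version prefix -> scrypt block size r. "s1" (r = 8) stands for the assumed
// unprefixed pre-"s2" format; "s2" uses the default block size of 16.
const BLOCK_SIZE_BY_VERSION: Record<string, number> = { s1: 8, s2: 16 };

function generateScryptKey(password: string, salt: string, blockSize = 16): Buffer {
  return scryptSync(
    Buffer.from(password.normalize("NFKC"), "utf8"),
    Buffer.from(salt, "utf8"),
    KEY_LEN,
    {
      N: SCRYPT_N,
      r: blockSize,
      p: SCRYPT_P,
      // Node rejects the call when ~128*N*r exceeds maxmem; give it headroom.
      maxmem: 2 * 128 * SCRYPT_N * blockSize,
    },
  );
}

// Buggy writer, as in the issue: no version prefix, but the key is derived
// with the default block size (16), which belongs to the "s2" format.
export function hashWithoutPrefix(password: string): string {
  const salt = randomBytes(16).toString("hex");
  const key = generateScryptKey(password, salt);
  return `${salt}:${key.toString("hex")}`;
}

// Fixed writer: the prefix records which parameter set produced the key.
export function hashLegacyScrypt(password: string): string {
  const salt = randomBytes(16).toString("hex");
  const key = generateScryptKey(password, salt);
  return `s2:${salt}:${key.toString("hex")}`;
}

// Verifier: the prefix (or its absence) selects the block size. An
// unprefixed hash is read as the assumed older "s1" format with r = 8.
export function verifyLegacyScrypt(hash: string, password: string): boolean {
  const parts = hash.split(":");
  let version: string;
  let salt: string;
  let keyHex: string;
  if (parts.length === 2) {
    version = "s1";
    salt = parts[0];
    keyHex = parts[1];
  } else if (parts.length === 3) {
    version = parts[0];
    salt = parts[1];
    keyHex = parts[2];
  } else {
    return false;
  }
  const blockSize = BLOCK_SIZE_BY_VERSION[version];
  if (blockSize === undefined) return false; // unknown version: reject
  const expected = Buffer.from(keyHex, "hex");
  // Buffer.from(..., "hex") truncates silently on malformed input, so check
  // the length before the constant-time comparison.
  if (expected.length !== KEY_LEN) return false;
  const actual = generateScryptKey(password, salt, blockSize);
  return timingSafeEqual(actual, expected);
}

// Reproduce the report: the unprefixed hash verifies as "s1" (r = 8) although
// it was derived with r = 16, so it fails; the prefixed hash succeeds.
export function reproduce(password: string): { buggy: boolean; fixed: boolean } {
  return {
    buggy: verifyLegacyScrypt(hashWithoutPrefix(password), password),
    fixed: verifyLegacyScrypt(hashLegacyScrypt(password), password),
  };
}
```

The practical check this suggests for a deployment that hit the bug: any stored hash with two colon-separated parts that was written by the unprefixed hash() will never verify under the prefix-dispatching verifier, so affected rows have to be identified by format and re-hashed at next login rather than repaired by changing the default block size.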