lucia-auth / lucia

Authentication, simple and clean
https://lucia-auth.com
MIT License

[Bug]: switch to hash @node-rs/argon2 breaks sveltekit production builds #1567

Open vhochstein opened 1 month ago

vhochstein commented 1 month ago

Package

lucia

Describe the bug

Latest versions of Lucia are relying upon:

import { hash } from "@node-rs/argon2";

That one is breaking npm run build for sveltekit projects. Please see error below.

node: v20.11.1

/Users/volkerhochstein/projects/node/magic-pull/node_modules/@node-rs/argon2-android-arm-eabi/argon2.android-arm-eabi.node
error during build:
RollupError: Unexpected character '\u{7f}'
    at getRollupError (file:///Users/volkerhochstein/projects/node/magic-pull/node_modules/rollup/dist/es/shared/parseAst.js:380:41)
    at ParseError.initialise (file:///Users/volkerhochstein/projects/node/magic-pull/node_modules/rollup/dist/es/shared/node-entry.js:11172:28)
    at convertNode (file:///Users/volkerhochstein/projects/node/magic-pull/node_modules/rollup/dist/es/shared/node-entry.js:12914:1

Looks like there is already a corresponding ticket open in node-rs/argon2, https://github.com/napi-rs/node-rs/issues/816

If I use the "old style" to create the hash and verification, e.g.:

return await new Argon2id().hash(password);

and remove the import for node-rs/argon2, the prod build npm task is working.

Building in dev mode is working without any issue for both hashing solutions.

What do you suggest to do? Currently I do not know how to work around this.

Thanks a lot for your support

vhochstein commented 1 month ago

Tried other node versions now, e.g. node 18, and tried other machines to build. But always the same issue.

Any help would be greatly appreciated.

pilcrowOnPaper commented 1 month ago

Is it an issue with Lucia or Oslo?

vhochstein commented 1 month ago

Not sure. I've just tried it with your example project: https://github.com/lucia-auth/examples/tree/main/sveltekit/username-and-password

If you install:

npm i -D @sveltejs/adapter-node

adjust svelteConfig to adapter-node (just changing import),

switch hash algorithm to:

await hash(password, {
    // recommended minimum parameters
    memoryCost: 19456,
    timeCost: 2,
    outputLen: 32,
    parallelism: 1
});

npm run build

I am getting the same error.

chaseweaver commented 1 month ago

Also running into this issue for what it's worth, but even running locally doesn't work on my end. Currently looking into a workaround.

vhochstein commented 1 month ago

I've made a mistake in my own project... let me correct my comment: if I switch to oslo Argon hash, I can build for production, so same result as for the example project.

So at least I have a workaround for the moment.

pilcrowOnPaper commented 1 month ago

Ah so you're using the adapter-node. Is Oslo/Argon installed as a dev dependency?

vhochstein commented 1 month ago

Argon is neither listed as dev nor "standard" dependency. oslo is listed as "standard" dependency. Similar to: https://github.com/lucia-auth/examples/tree/main/sveltekit/username-and-password

pilcrowOnPaper commented 1 month ago

I'm not really following here. Is it an issue with Oslo or napi-rs? Lucia doesn't have a dependency on the latter.

vhochstein commented 1 month ago

It's about these imports given in the code example on the following page: https://lucia-auth.com/tutorials/username-and-password/sveltekit

import { hash } from "@node-rs/argon2";
import { verify } from "@node-rs/argon2";

LargatSeif commented 1 month ago

[sveltekit]

Having the same issue. Here are the errors that I'm receiving:

The first: @node-rs/argon2-darwin-x64

✘ [ERROR] No loader is configured for ".node" files: node_modules/.pnpm/@node-rs+argon2-darwin-x64@1.7.0/node_modules/@node-rs/argon2-darwin-x64/argon2.darwin-x64.node

    node_modules/.pnpm/@node-rs+argon2@1.7.0/node_modules/@node-rs/argon2/index.js:159:36:
      159 │             nativeBinding = require('@node-rs/argon2-darwin-x64')

The second: @node-rs/bcrypt-darwin-x64

✘ [ERROR] No loader is configured for ".node" files: node_modules/.pnpm/@node-rs+bcrypt-darwin-x64@1.9.0/node_modules/@node-rs/bcrypt-darwin-x64/bcrypt.darwin-x64.node

    node_modules/.pnpm/@node-rs+bcrypt@1.9.0/node_modules/@node-rs/bcrypt/binding.js:153:36:
      153 │             nativeBinding = require('@node-rs/bcrypt-darwin-x64')
          ╵

chaseweaver commented 1 month ago

@LargatSeif Try adding this to your optimizeDeps.exclude in your vite.config.ts and see if that fixes it

optimizeDeps: {
    exclude: ['@node-rs/argon2', '@node-rs/bcrypt']
},

LargatSeif commented 1 month ago

this worked thanks 🙏

pilcrowOnPaper commented 3 weeks ago

Is this a bug or just something we need to add to the docs?

chaseweaver commented 3 weeks ago

Something funky must have happened with one of the @node-rs packages at some point but is fixed now. It appears as though those packages are no longer required to be in optimizeDeps (at least the few projects I work on no longer seem to need it). I cannot replicate the original issue any longer either.

Probably safe to call it "not a bug" unless @vhochstein is still having issues.

holahoon commented 3 weeks ago

I get a similar error when using it in Next.js. I'm sure this is related to node-rs/argon2 as I got a similar error when using the below code:

import { hash } from "@node-rs/argon2";
...
const passwordHash = await hash(password, {
    // recommended minimum parameters
    memoryCost: 19456,
    timeCost: 2,
    outputLen: 32,
    parallelism: 1
});

When I follow the Next.js example with oslo/password:

import { Argon2id } from "oslo/password";
...
// hashing pw
const hashedPassword = await new Argon2id().hash(password);

// verifying pw
const validPassword = await new Argon2id().verify(existingUser.password, password);

I get this error: [image]

btw, huge fan of your library!

njanke96 commented 2 weeks ago

The "Unexpected character" issue seems to be an issue with bundlers not handling .node files, see https://github.com/vitejs/vite/issues/14289. Some users in that thread have found workarounds.

EDIT: I fixed it in SvelteKit by explicitly adding @node-rs/argon2 to "dependencies" of my SvelteKit app (even though it's the dependency of a library package in my monorepo) and adding @node-rs/argon2 to rollupOptions.external in my Vite config. I can now use @node-rs/argon2 (or oslo/password) server-side in my app.

dBianchii commented 4 hours ago

Hi, I am getting this error, but for Next.JS:

│   ▲ Next.js 14.2.4
│ 
│    Creating an optimized production build ...
│ Failed to compile.
│ 
│ ../../packages/api/node_modules/@node-rs/argon2-linux-x64-gnu/argon2.linux-x64-gnu.node
│ Module parse failed: Unexpected character '' (1:0)
│ You may need an appropriate loader to handle this file type, currently no loaders are configured to process this file. See https://webpack.js.org/concepts#loaders
│ (Source code omitted for this binary file)

NOTE: as per the documentation on lucia, I have already added

experimental: {
    serverComponentsExternalPackages: ["@node-rs/argon2"],
},

to my next.config.js file, but no luck.

dBianchii commented 2 hours ago

OOOKK, Sooo...

I discovered that the problem was that I was using @node-rs/argon2 in a separate package from my monorepo, that was being used by my Next.JS app. (@acme/api package from this monorepo starter: https://github.com/noxify/t3-turbo-lucia)

So, since @node-rs/argon2 wasn't a direct dependency, I guess that serverComponentsExternalPackages: ["@node-rs/argon2"], config for nextjs was being pretty much ignored.

Solution: I installed @node-rs/argon2 directly on my next.js app, so it appears on its package.json. Then, the serverComponentsExternalPackages works correctly. If you are on a monorepo, make sure this package is installed directly, even if it is only being indirectly used by next.js.
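
Added example, not part of any comment in this thread and not code from Lucia or @node-rs: a small check for the monorepo pitfall described by njanke96 and dBianchii, where a package is listed as external in the bundler config but is not a direct dependency of the app. The function names and the sample package.json and config objects are constructed for illustration; the config keys are the ones quoted in the thread.

```javascript
// Collect every package that a config marks as "do not bundle".
// Only the keys mentioned in this thread are inspected.
function collectExternals({ vite = {}, next = {} }) {
  const ext = vite.build?.rollupOptions?.external;
  const names = [
    ...(Array.isArray(ext) ? ext : []),
    ...(vite.optimizeDeps?.exclude ?? []),
    ...(next.experimental?.serverComponentsExternalPackages ?? []),
  ];
  // De-duplicate and ignore non-string matchers (regexes, functions).
  return [...new Set(names.filter((n) => typeof n === 'string'))];
}

// Classify each externalised package against the app's own package.json.
function auditExternals(appPkg, configs) {
  const deps = appPkg.dependencies ?? {};
  const devDeps = appPkg.devDependencies ?? {};
  return collectExternals(configs).map((name) => {
    let status = 'missing'; // only reachable through another workspace package
    if (Object.hasOwn(deps, name)) status = 'ok';
    else if (Object.hasOwn(devDeps, name)) status = 'dev-only'; // gone after a production-only install
    return { name, status };
  });
}

// Constructed sample: the app depends on a workspace package that uses
// @node-rs/argon2, but does not declare @node-rs/argon2 itself.
const appPkg = {
  name: 'web',
  dependencies: { next: '14.2.4', '@acme/api': 'workspace:*' },
  devDependencies: { '@node-rs/bcrypt': '1.9.0' },
};
// Constructed sample: both config shapes in one object so a single run
// covers the Vite and the Next.js settings from the thread.
const configs = {
  next: { experimental: { serverComponentsExternalPackages: ['@node-rs/argon2'] } },
  vite: { optimizeDeps: { exclude: ['@node-rs/argon2', '@node-rs/bcrypt'] } },
};

const report = auditExternals(appPkg, configs);
for (const { name, status } of report) {
  console.log(`${status.padEnd(8)} ${name}`);
}
```

Anything reported as `missing` or `dev-only` is a candidate for being added to the app's own "dependencies", which is the fix both commenters arrived at.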