Scrypt algorithm not supported

aquapolis · December 15, 2022, 1:48pm

Hello,
The situation very strange for me.
On localhost Node.js project is running well but
on the host I am receiving error while trying to login:
“ERR_CRYPTO_SCRYPT_NOT_SUPPORTED”
with message"Scrypt algorithm not supported".
And is no any password encoding in the app like (Argon2).
on mysql db password stores as text.Any suggestion will be appreciated.

Notum · December 15, 2022, 3:22pm

https://nodejs.org/api/errors.html#err_crypto_scrypt_not_supported

I suggest you to double check that you’re using latest Node JS and re-deploy your production server.

aquapolis · December 15, 2022, 3:51pm

But I use the same Node.js version on local and server
and in localhost works fine. Unfortunately hosting provider offer only lates -Node14

aquapolis · December 15, 2022, 4:47pm

I solved the problem by removing part of script in provider.js
that coding & encoding.But this is not good in case if needs hash passwords

patrick · December 16, 2022, 7:43am

Node.js was compiled without scrypt support. Not possible with the official release binaries but can happen with custom builds, including distro builds.

Best is to contact your host that they update the node with scrypt support.

When you edit the code then change the line:

const key = crypto.scryptSync(this.secret, iv, 32);

to:

const key = crypto.createHash('sha256').update(this.secret).digest();

That would still be secure enough.

aquapolis · December 16, 2022, 11:24am

doesn’t help>The only that worked for me - change the line:
this.app.setCookie(this.name + ‘.auth’, this.encrypt({ username, password }), this.cookieOpts); to
this.app.setCookie(this.name + ‘.auth’);

patrick · December 16, 2022, 11:53am

When you do that only an empty cookie is created without any credentials information, so the user credentials are not saved and users get logged out after the session expires. If you don’t want users to be logged in after the session expires you could simply set the remember argument to false on the login action.

aquapolis · December 16, 2022, 12:15pm

The flag Remember was set as “1” in api and in server form

aquapolis · December 16, 2022, 12:16pm

So how to fix it ?

patrick · December 16, 2022, 1:47pm

The changes I’ve given should work, using a sha256 hash instead of the scrypt hash will be secure and doesn’t require scrypt to be compiled. The code needs to be updated in the file lib/auth/provider.js at line 109 and 119.

aquapolis · December 16, 2022, 2:14pm

Thank so much. It was my fault as I didn’t change on line 119