Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug]: switch to hash @node-rs/argon2 breaks sveltekit production builds #1567

Open
vhochstein opened this issue May 12, 2024 · 23 comments
Open
Labels
bug Something ain't right...

Comments

@vhochstein
Copy link

vhochstein commented May 12, 2024

Package

lucia

Describe the bug

Latest versions of Lucia are relying upon: import { hash } from "@node-rs/argon2";
That one is breaking npm run build for sveltekit projects.
Please see error below.
node: v20.11.1

/Users/volkerhochstein/projects/node/magic-pull/node_modules/@node-rs/argon2-android-arm-eabi/argon2.android-arm-eabi.node error during build: RollupError: Unexpected character '\u{7f}' at getRollupError (file:///Users/volkerhochstein/projects/node/magic-pull/node_modules/rollup/dist/es/shared/parseAst.js:380:41) at ParseError.initialise (file:///Users/volkerhochstein/projects/node/magic-pull/node_modules/rollup/dist/es/shared/node-entry.js:11172:28) at convertNode (file:///Users/volkerhochstein/projects/node/magic-pull/node_modules/rollup/dist/es/shared/node-entry.js:12914:1

Looks like there is already a corresponding ticket open in node-rs/argon2,
napi-rs/node-rs#816

If I use "old style" to create hash and verification eg:
return await new Argon2id().hash(password);
and remove import for node-rs/argon2 prod build npm task is working

building in dev mode is working without any issue for both hashing solutions

What do you suggest to do, currently I do not know how to work around this ?

Thanks a lot for your support

@vhochstein vhochstein added the bug Something ain't right... label May 12, 2024
@vhochstein
Copy link
Author

Tried now other node versions eg. node 18
and tried other machines to build.
But always the same issue.

Any help would be greatly appreciated.

@pilcrowonpaper
Copy link
Member

Is it an issue with Lucia or Oslo?

@vhochstein
Copy link
Author

vhochstein commented May 14, 2024

Not sure..
I ve just tried it with your example project: https://github.com/lucia-auth/examples/tree/main/sveltekit/username-and-password

if you install: npm i -D @sveltejs/adapter-node
adjust svelteConfig to adapter-node (just changing import)

switch hash algorithm to:
await hash(password, {
// recommended minimum parameters
memoryCost: 19456,
timeCost: 2,
outputLen: 32,
parallelism: 1
});

npm run build

I am getting same error

@chaseweaver
Copy link

Also running into this issue for what it's worth, but even running locally doesn't work on my end. Currently looking into a work around

@vhochstein
Copy link
Author

I ve made a mistake in my own project..., let me correct my comment:
If I switch to oslo Argon hash, I can build for production, so same result as for example project.

so at least I have a workaround for the moment.

@pilcrowonpaper
Copy link
Member

Ah so you're using the adapter-node. Is Oslo/Argon installed as a dev dependency?

@vhochstein
Copy link
Author

Argon is neither listed as dev nor "standard" dependency.
oslo is listed as "standard" dependency.
Simlar to: https://github.com/lucia-auth/examples/tree/main/sveltekit/username-and-password

@pilcrowonpaper
Copy link
Member

I'm not really following here. Is it an issue with Oslo or napi-rs? Lucia doesn't have a dependency on the latter

@vhochstein
Copy link
Author

Its about these imports given in code example on the following page:
https://lucia-auth.com/tutorials/username-and-password/sveltekit
import { hash } from "@node-rs/argon2"; import { verify } from "@node-rs/argon2";

@LargatSeif
Copy link

LargatSeif commented May 25, 2024

[sveltekit]

having same issue here is the errors that i'm receiving :

the first : @node-rs/argon2-darwin-x64

✘ [ERROR] No loader is configured for ".node" files: node_modules/.pnpm/@[email protected]/node_modules/@node-rs/argon2-darwin-x64/argon2.darwin-x64.node

    node_modules/.pnpm/@[email protected]/node_modules/@node-rs/argon2/index.js:159:36:
      159 │             nativeBinding = require('@node-rs/argon2-darwin-x64')

the second : @node-rs/bcrypt-darwin-x64

✘ [ERROR] No loader is configured for ".node" files: node_modules/.pnpm/@[email protected]/node_modules/@node-rs/bcrypt-darwin-x64/bcrypt.darwin-x64.node

    node_modules/.pnpm/@[email protected]/node_modules/@node-rs/bcrypt/binding.js:153:36:
      153 │             nativeBinding = require('@node-rs/bcrypt-darwin-x64')
          ╵      

@chaseweaver
Copy link

chaseweaver commented May 25, 2024

[sveltekit]

having same issue here is the errors that i'm receiving :

the first : @node-rs/argon2-darwin-x64

✘ [ERROR] No loader is configured for ".node" files: node_modules/.pnpm/@[email protected]/node_modules/@node-rs/argon2-darwin-x64/argon2.darwin-x64.node

    node_modules/.pnpm/@[email protected]/node_modules/@node-rs/argon2/index.js:159:36:
      159 │             nativeBinding = require('@node-rs/argon2-darwin-x64')

the second : @node-rs/bcrypt-darwin-x64

✘ [ERROR] No loader is configured for ".node" files: node_modules/.pnpm/@[email protected]/node_modules/@node-rs/bcrypt-darwin-x64/bcrypt.darwin-x64.node

    node_modules/.pnpm/@[email protected]/node_modules/@node-rs/bcrypt/binding.js:153:36:
      153 │             nativeBinding = require('@node-rs/bcrypt-darwin-x64')
          ╵      

@LargatSeif Try adding this to your optimizeDeps.exclude in your vite.config.ts and see if that fixes it

optimizeDeps: {
    exclude: ['@node-rs/argon2', '@node-rs/bcrypt']
},

@LargatSeif
Copy link

[sveltekit]

having same issue here is the errors that i'm receiving :

the first : @node-rs/argon2-darwin-x64

✘ [ERROR] No loader is configured for ".node" files: node_modules/.pnpm/@[email protected]/node_modules/@node-rs/argon2-darwin-x64/argon2.darwin-x64.node

    node_modules/.pnpm/@[email protected]/node_modules/@node-rs/argon2/index.js:159:36:
      159 │             nativeBinding = require('@node-rs/argon2-darwin-x64')

the second : @node-rs/bcrypt-darwin-x64

✘ [ERROR] No loader is configured for ".node" files: node_modules/.pnpm/@[email protected]/node_modules/@node-rs/bcrypt-darwin-x64/bcrypt.darwin-x64.node

    node_modules/.pnpm/@[email protected]/node_modules/@node-rs/bcrypt/binding.js:153:36:
      153 │             nativeBinding = require('@node-rs/bcrypt-darwin-x64')
          ╵      

@LargatSeif Try adding this to your optimizeDeps.exclude in your vite.config.ts and see if that fixes it

optimizeDeps: {
    exclude: ['@node-rs/argon2', '@node-rs/bcrypt']
},

this worked thanks 🙏

@pilcrowonpaper
Copy link
Member

Is this a bug or just something we need to add to the docs?

@chaseweaver
Copy link

chaseweaver commented Jun 9, 2024

Something funky must have happened with one of the @node-rs packages at some point but is fixed now. It appears as though those packages are no longer required to be in optimizeDeps (at least the few projects I work on no longer seem to need it). I cannot replicate the original issue any longer either.

Probably safe to call it "not a bug" unless @vhochstein is still having issues.

@holahoon
Copy link

holahoon commented Jun 10, 2024

I get a similar error when using it in Next.js. I'm sure this is related to node-rs/argon2 as I got a similar error when using the below code:

import { hash } from "@node-rs/argon2";
...
const passwordHash = await hash(password, {
    // recommended minimum parameters
    memoryCost: 19456,
    timeCost: 2,
    outputLen: 32,
    parallelism: 1
});

When I following the Next.js example with oslo/password:

import { Argon2id } from "oslo/password";
...
// hasing pw
const hashedPassword = await new Argon2id().hash(password);

// verifying pw
const validPassword = await new Argon2id().verify(existingUser.password, password);

I get this error
image

btw, huge fan of your library!

@njanke96
Copy link

njanke96 commented Jun 14, 2024

The "Unexpected character" issue seems to be an issue with bundlers not handling .node files, see vitejs/vite#14289. Some users in that thread have found workarounds

EDIT: I fixed it in SvelteKit by explicitly adding @node-rs/argon2 to "dependencies" of my SvelteKit app (even though it's the dependancy of a library package in my monorepo) and adding @node-rs/argon2 to rollupOptions.external in my Vite config. I can now use @node-rs/argon2 (or oslo/password) server-side in my app.

@dBianchii
Copy link

dBianchii commented Jul 3, 2024

Hi, I am getting this error, but for Next.JS:

│   ▲ Next.js 14.2.4
│ 
│    Creating an optimized production build ...
│ Failed to compile.
│ 
│ ../../packages/api/node_modules/@node-rs/argon2-linux-x64-gnu/argon2.linux-x64-gnu.node
│ Module parse failed: Unexpected character '' (1:0)
│ You may need an appropriate loader to handle this file type, currently no loaders are configured to process this file. See https://webpack.js.org/concepts#loaders
│ (Source code omitted for this binary file)

NOTE: as per the documentation on lucia, I have already added

experimental: {
    serverComponentsExternalPackages: ["@node-rs/argon2"],
  },

to my next.config.js file, but no luck

@dBianchii
Copy link

dBianchii commented Jul 3, 2024

OOOKK, Sooo...

I discovered that the problem was that I was using @node-rs/argon2 in a separate package from my monorepo, that was being used by my Next.JS app. (@acme/api package from this monorepo starter: https://github.com/noxify/t3-turbo-lucia)

So, since @node-rs/argon2 wasn't a direct dependency, I guess that serverComponentsExternalPackages: ["@node-rs/argon2"], config for nextjs was being pretty much ignored.

Solution: I installed @node-rs/argon2 directly on my next.js app, so it appears on its package.json. Then, the serverComponentsExternalPackages works correctly. If you are on a monorepo, make sure this package is installed directly, even if it is only being undirectly being used by next.js

@SolidTux
Copy link

SolidTux commented Aug 2, 2024

Something funky must have happened with one of the @node-rs packages at some point but is fixed now. It appears as though those packages are no longer required to be in optimizeDeps (at least the few projects I work on no longer seem to need it). I cannot replicate the original issue any longer either.

Probably safe to call it "not a bug" unless @vhochstein is still having issues.

I still get this problem when using adapter-cloudflare. Adding the packages to the exclude list in optimizeDeps does not solve it. I attached my package.json and here's the relevant output:

> Using @sveltejs/adapter-cloudflare
✘ [ERROR] No loader is configured for ".node" files: node_modules/@node-rs/argon2-linux-x64-musl/argon2.linux-x64-musl.node

    node_modules/@node-rs/argon2/index.js:209:38:
      209 │ ...        nativeBinding = require('@node-rs/argon2-linux-x64-musl')
          ╵                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


✘ [ERROR] No loader is configured for ".node" files: node_modules/@node-rs/argon2-linux-x64-gnu/argon2.linux-x64-gnu.node

    node_modules/@node-rs/argon2/index.js:222:38:
      222 │ ...         nativeBinding = require('@node-rs/argon2-linux-x64-gnu')
          ╵                                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


✘ [ERROR] No loader is configured for ".node" files: node_modules/@node-rs/bcrypt-linux-x64-musl/bcrypt.linux-x64-musl.node

    node_modules/@node-rs/bcrypt/binding.js:199:38:
      199 │ ...        nativeBinding = require('@node-rs/bcrypt-linux-x64-musl')
          ╵                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


✘ [ERROR] No loader is configured for ".node" files: node_modules/@node-rs/bcrypt-linux-x64-gnu/bcrypt.linux-x64-gnu.node

    node_modules/@node-rs/bcrypt/binding.js:210:38:
      210 │ ...         nativeBinding = require('@node-rs/bcrypt-linux-x64-gnu')
          ╵                                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


error during build:
Error: Bundling with esbuild failed with 4 errors
    at adapt (file:///$PATH/concertdb/node_modules/@sveltejs/adapter-cloudflare/index.js:140:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async adapt (file:///$PATH/concertdb/node_modules/@sveltejs/kit/src/core/adapt/index.js:38:2)
    at async finalise (file:///$PATH/concertdb/node_modules/@sveltejs/kit/src/exports/vite/index.js:890:7)
    at async Object.handler (file:///$PATH/concertdb/node_modules/@sveltejs/kit/src/exports/vite/index.js:920:5)
    at async PluginDriver.hookParallel (file:///$PATH/concertdb/node_modules/rollup/dist/es/shared/node-entry.js:19794:17)
    at async Object.close (file:///$PATH/concertdb/node_modules/rollup/dist/es/shared/node-entry.js:20729:13)
    at async build (file:///$PATH/concertdb/node_modules/vite/dist/node/chunks/dep-mCdpKltl.js:65142:17)
    at async CAC.<anonymous> (file:///$PATH/concertdb/node_modules/vite/dist/node/cli.js:828:5)
)

package.json

@pilcrowonpaper
Copy link
Member

@SolidTux @node-rs/argon2 (and a lot hashing libs) doesn't work in CF

@raunak-mishraa
Copy link

serverComponentsExternalPackages: ["@node-rs/argon2"],

thanks @dBianchii it worked for me!

@BradNut
Copy link

BradNut commented Sep 23, 2024

Is there any better solution? I keep bouncing between my app building and not building even though I have all these dependencies in regular dependencies.

"@internationalized/date": "^3.5.5",
"@lucia-auth/adapter-drizzle": "^1.1.0",
		"@neondatabase/serverless": "^0.9.5",
		"@node-rs/argon2": "^1.8.3",
		"@oslojs/crypto": "^1.0.1",
		"@oslojs/encoding": "^1.0.0",
		"@oslojs/jwt": "^0.2.0",
		"@oslojs/oauth2": "^0.5.0",
		"@oslojs/otp": "^1.0.0",
		"@oslojs/webauthn": "^1.0.0",
		"@paralleldrive/cuid2": "^2.2.2",
		"@sveltejs/adapter-node": "^5.2.3",
		"@sveltejs/adapter-vercel": "^5.4.4",
		"oslo": "^1.2.1",
		"pg": "^8.13.0",
		"postgres": "^3.4.4",

@opensas
Copy link

opensas commented Oct 23, 2024

@SolidTux @node-rs/argon2 (and a lot hashing libs) doesn't work in CF

what pure js library would you recommend to replace it?

currently I'm using something like this (just copied it from SO)

import { randomBytes, scryptSync } from 'crypto';

// Pass the password string and get hashed password back
// ( and store only the hashed string in your database)
function encryptPassword(password: string, salt: string) {
	return scryptSync(password, salt, 32).toString('hex');
}

/**
 * Hash password with random salt
 * @return {string} password hash followed by salt
 *  XXXX till 64 XXXX till 32
 *
 */
export function hash(password: string) {
	// Any random string here (ideally should be at least 16 bytes)
	const salt = randomBytes(16).toString('hex');
	return encryptPassword(password, salt) + salt;
}

// fetch the user from your db and then use this function

/**
 * Match password against the stored hash
 */
export function verify(hash: string, password: string) {
	// extract salt from the hashed string
	// our hex password length is 32*2 = 64
	const salt = hash.slice(64);
	const originalPassHash = hash.slice(0, 64);
	const currentPassHash = encryptPassword(password, salt);
	return originalPassHash === currentPassHash;
}

export function simpleHash(password: string) {
	let hash = 0;
	let char = 0;

	if (password.length === 0) return hash.toString();
	for (let index = 0; index < password.length; index++) {
		char = password.charCodeAt(index);
		hash = (hash << 5) - hash + char;
		hash |= 0; // Convert to 32bit integer
	}
	return hash.toString();
}
export function simpleVerify(hash: string, password: string) {
	return hash === simpleHash(password);
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something ain't right...
Projects
None yet
Development

No branches or pull requests