From 1d068c3f758a4ed2de135950100021c543af0bae Mon Sep 17 00:00:00 2001
From: Protocol dd0c Agent <agent@dd0c.net>
Date: Tue, 3 Mar 2026 05:11:37 +0000
Subject: [PATCH] fix: add maxmem to scrypt params (128MB)

Node's OpenSSL defaults to 32MB scrypt memory limit but N=65536/r=8/p=1
needs ~64MB. Adds maxmem: 128*1024*1024 to all 5 services' hash and
verify functions.
---
 products/02-iac-drift-detection/saas/src/auth/middleware.ts | 4 ++--
 products/03-alert-intelligence/src/auth/middleware.ts       | 4 ++--
 products/04-lightweight-idp/src/auth/middleware.ts          | 4 ++--
 products/05-aws-cost-anomaly/src/auth/middleware.ts         | 4 ++--
 products/06-runbook-automation/saas/src/auth/middleware.ts  | 4 ++--
 5 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/products/02-iac-drift-detection/saas/src/auth/middleware.ts b/products/02-iac-drift-detection/saas/src/auth/middleware.ts
index 8ad7912..f9ea7cc 100644
--- a/products/02-iac-drift-detection/saas/src/auth/middleware.ts
+++ b/products/02-iac-drift-detection/saas/src/auth/middleware.ts
@@ -96,7 +96,7 @@ export function signToken(payload: AuthPayload, secret: string, expiresIn = '24h
 async function hashPassword(password: string): Promise<string> {
   const salt = crypto.randomBytes(16).toString('hex');
   return new Promise((resolve, reject) => {
-    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1 }, (err, derived) => {
+    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1, maxmem: 128 * 1024 * 1024 }, (err, derived) => {
       if (err) reject(err);
       resolve(`${salt}:${derived.toString('hex')}`);
     });
@@ -106,7 +106,7 @@ async function hashPassword(password: string): Promise<string> {
 async function verifyPassword(password: string, hash: string): Promise<boolean> {
   const [salt, key] = hash.split(':');
   return new Promise((resolve, reject) => {
-    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1 }, (err, derived) => {
+    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1, maxmem: 128 * 1024 * 1024 }, (err, derived) => {
       if (err) reject(err);
       resolve(crypto.timingSafeEqual(Buffer.from(key, 'hex'), derived));
     });
diff --git a/products/03-alert-intelligence/src/auth/middleware.ts b/products/03-alert-intelligence/src/auth/middleware.ts
index 0305fa9..b2a8ca4 100644
--- a/products/03-alert-intelligence/src/auth/middleware.ts
+++ b/products/03-alert-intelligence/src/auth/middleware.ts
@@ -96,7 +96,7 @@ export function signToken(payload: AuthPayload, secret: string, expiresIn = '24h
 async function hashPassword(password: string): Promise<string> {
   const salt = crypto.randomBytes(16).toString('hex');
   return new Promise((resolve, reject) => {
-    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1 }, (err, derived) => {
+    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1, maxmem: 128 * 1024 * 1024 }, (err, derived) => {
       if (err) reject(err);
       resolve(`${salt}:${derived.toString('hex')}`);
     });
@@ -106,7 +106,7 @@ async function hashPassword(password: string): Promise<string> {
 async function verifyPassword(password: string, hash: string): Promise<boolean> {
   const [salt, key] = hash.split(':');
   return new Promise((resolve, reject) => {
-    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1 }, (err, derived) => {
+    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1, maxmem: 128 * 1024 * 1024 }, (err, derived) => {
       if (err) reject(err);
       resolve(crypto.timingSafeEqual(Buffer.from(key, 'hex'), derived));
     });
diff --git a/products/04-lightweight-idp/src/auth/middleware.ts b/products/04-lightweight-idp/src/auth/middleware.ts
index 1049196..7958603 100644
--- a/products/04-lightweight-idp/src/auth/middleware.ts
+++ b/products/04-lightweight-idp/src/auth/middleware.ts
@@ -96,7 +96,7 @@ export function signToken(payload: AuthPayload, secret: string, expiresIn = '24h
 async function hashPassword(password: string): Promise<string> {
   const salt = crypto.randomBytes(16).toString('hex');
   return new Promise((resolve, reject) => {
-    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1 }, (err, derived) => {
+    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1, maxmem: 128 * 1024 * 1024 }, (err, derived) => {
       if (err) reject(err);
       resolve(`${salt}:${derived.toString('hex')}`);
     });
@@ -106,7 +106,7 @@ async function hashPassword(password: string): Promise<string> {
 async function verifyPassword(password: string, hash: string): Promise<boolean> {
   const [salt, key] = hash.split(':');
   return new Promise((resolve, reject) => {
-    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1 }, (err, derived) => {
+    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1, maxmem: 128 * 1024 * 1024 }, (err, derived) => {
       if (err) reject(err);
       resolve(crypto.timingSafeEqual(Buffer.from(key, 'hex'), derived));
     });
diff --git a/products/05-aws-cost-anomaly/src/auth/middleware.ts b/products/05-aws-cost-anomaly/src/auth/middleware.ts
index 8ad7912..f9ea7cc 100644
--- a/products/05-aws-cost-anomaly/src/auth/middleware.ts
+++ b/products/05-aws-cost-anomaly/src/auth/middleware.ts
@@ -96,7 +96,7 @@ export function signToken(payload: AuthPayload, secret: string, expiresIn = '24h
 async function hashPassword(password: string): Promise<string> {
   const salt = crypto.randomBytes(16).toString('hex');
   return new Promise((resolve, reject) => {
-    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1 }, (err, derived) => {
+    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1, maxmem: 128 * 1024 * 1024 }, (err, derived) => {
       if (err) reject(err);
       resolve(`${salt}:${derived.toString('hex')}`);
     });
@@ -106,7 +106,7 @@ async function hashPassword(password: string): Promise<string> {
 async function verifyPassword(password: string, hash: string): Promise<boolean> {
   const [salt, key] = hash.split(':');
   return new Promise((resolve, reject) => {
-    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1 }, (err, derived) => {
+    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1, maxmem: 128 * 1024 * 1024 }, (err, derived) => {
       if (err) reject(err);
       resolve(crypto.timingSafeEqual(Buffer.from(key, 'hex'), derived));
     });
diff --git a/products/06-runbook-automation/saas/src/auth/middleware.ts b/products/06-runbook-automation/saas/src/auth/middleware.ts
index 8ad7912..f9ea7cc 100644
--- a/products/06-runbook-automation/saas/src/auth/middleware.ts
+++ b/products/06-runbook-automation/saas/src/auth/middleware.ts
@@ -96,7 +96,7 @@ export function signToken(payload: AuthPayload, secret: string, expiresIn = '24h
 async function hashPassword(password: string): Promise<string> {
   const salt = crypto.randomBytes(16).toString('hex');
   return new Promise((resolve, reject) => {
-    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1 }, (err, derived) => {
+    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1, maxmem: 128 * 1024 * 1024 }, (err, derived) => {
       if (err) reject(err);
       resolve(`${salt}:${derived.toString('hex')}`);
     });
@@ -106,7 +106,7 @@ async function hashPassword(password: string): Promise<string> {
 async function verifyPassword(password: string, hash: string): Promise<boolean> {
   const [salt, key] = hash.split(':');
   return new Promise((resolve, reject) => {
-    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1 }, (err, derived) => {
+    crypto.scrypt(password, salt, 64, { N: 65536, r: 8, p: 1, maxmem: 128 * 1024 * 1024 }, (err, derived) => {
       if (err) reject(err);
       resolve(crypto.timingSafeEqual(Buffer.from(key, 'hex'), derived));
     });