Error: Native crypto module could not be used to get secure random number.

[Benzer1406]

Describe the bug
I'm using the serverless.com framework together with: "amazon-cognito-identity-js": "^4.5.2" and I still get the error: Error: Native crypto module could not be used to get secure random number. even though it was supposed to be fixed in version 3.2.0.

It happens when I use the CognitoUser.authenticateUser method. Any updates on this issue?

[amhinson]

@Benzer1406 Are you still experiencing this issue after using the unstable tag and setting global.crypto = require('crypto'), as we discussed in the other issue?
#4886 (comment)

[Benzer1406]

@amhinson No, that solved it for me. If you want to you can close the issue when you released the fix on the stable version, leaving a comment here to let everybody know.

[amhinson]

Ok will do. Thanks for the follow up! I will update the issue once it is released to latest.

For anyone seeing the same issue using Node, you can get around it by using amazon-cognito-identity-js@unstable and/or aws-amplify@unstable and setting global.crypto = require('crypto') at the top of the file before any imports.

[manojkumarg16]

@amhinson I used unstable tag for amazon-cognito-identity-js and crypto on top of all the imports as mentioned in earlier comments, Still issue remains same.

Error: Native crypto module could not be used to get secure random number.

[amhinson]

@manojkumarg16 Could you provide some more details so I can try to reproduce the issue you're seeing? A code snippet of the file you're working with would help.

[manojkumarg16]

@amhinson Here is the code, a simple function
const globalAny:any = global;
globalAny.fetch = require('node-fetch');
globalAny.crypto = require('crypto');
const AmazonCognitoIdentity = require('amazon-cognito-identity-js');

const login = (email_id, pass) => {
/* Login */
const authenticationDetails = new AmazonCognitoIdentity.AuthenticationDetails({
Username : ,
Password : ,
});
return new Promise((resolve,reject) => {
cognitoUser.authenticateUser(authenticationDetails, {
onSuccess: (result) => {
resolve(result);
},
onFailure: (err) => {
reject(err);
}
});
})
}

}

[amhinson]

Can you try assigning require('crypto') directly to global.crypto instead of globalAny.crypto? Here's where we're using it in the amazon-cognito-identity-js code:
https://github.com/aws-amplify/amplify-js/blob/main/packages/amazon-cognito-identity-js/src/utils/cryptoSecureRandomInt.js#L15

[amhinson]

Also, what version of Node are you using?

[manojkumarg16]

@amhinson I'm using typescript , so type need to be denoted, that's the reason I used it as globalAny:any = global.
as mentioned here : #4886 (comment)

I'm using node v12.18.3

[amhinson]

Could you try doing that anyway, perhaps just with a // @ts-ignore for now just to validate if it changes anything?

Also, can you also delete your node_modules and yarn.lock/package-lock.json and install the dependencies again?

[manojkumarg16]

@amhinson tried as you said, but nothing turned up. Still issue remains

[amhinson]

Can you share your package.json?

[manojkumarg16]

{
"name": "serverless",
"version": "1.0.0",
"main": "index.js",
"license": "MIT",
"scripts": {
"start": "env-cmd -f .env.dev nodemon --exec serverless offline start --httpPort 4000 --websocketPort 4001 --lambdaPort 4002",
"package": "SLS_DEBUG=* sls package",
"deploy-function": "SLS_DEBUG=* sls deploy function --function graphql",
"deploy-stack": "SLS_DEBUG=* sls deploy",
"prisma:generate": "prisma generate",
"prisma:introspect": "prisma introspect",
"lint": "eslint ."
},
"dependencies": {
"@prisma/client": "^2.6.2",
"@types/graphql-fields": "^1.3.3",
"amazon-cognito-identity-js": "^4.5.3-unstable.1",
"apollo-errors": "^1.9.0",
"apollo-server": "^2.19.0",
"apollo-server-express": "2.17.0",
"aws-sdk": "^2.4.8",
"class-validator": "^0.12.2",
"crypto-js": "^3.3.0",
"eslint-import-resolver-webpack": "^0.12.2",
"express": "^4.17.1",
"graphql": "^15.3.0",
"graphql-fields": "^2.0.3",
"graphql-middleware-sentry": "^3.2.1",
"graphql-playground-middleware-express": "1.7.20",
"graphql-tag": "2.11.0",
"graphql-tools": "6.2.1",
"graphql-type-json": "^0.3.2",
"jsonwebtoken": "^8.5.1",
"jwk-to-pem": "^2.0.4",
"nexmo": "^2.9.1",
"node-fetch": "^2.6.1",
"nodemailer": "^6.4.13",
"otp-generator": "^2.0.0",
"password-generator": "^2.3.2",
"path": "^0.12.7",
"pg": "^8.3.3",
"reflect-metadata": "^0.1.13",
"request": "^2.88.2",
"serverless-http": "^2.5.0",
"source-map-support": "^0.5.19",
"telesignsdk": "^2.2.1",
"type-graphql": "^1.0.0"
},
"devDependencies": {
"@prisma/cli": "^2.6.2",
"@types/express": "^4.17.8",
"@types/jest": "26.0.13",
"@types/node": "14.6.4",
"@types/nodemailer": "^6.4.0",
"@typescript-eslint/eslint-plugin": "2.24.0",
"@typescript-eslint/parser": "2.30.0",
"copy-webpack-plugin": "^6.1.0",
"cors": "2.8.4",
"env-cmd": "10.1.0",
"eslint": "6.8.0",
"eslint-config-airbnb": "18.1.0",
"eslint-config-airbnb-typescript": "7.2.1",
"eslint-config-prettier": "6.10.0",
"eslint-plugin-import": "2.20.1",
"eslint-plugin-jest": "23.8.2",
"eslint-plugin-jsx-a11y": "6.2.3",
"eslint-plugin-prettier": "3.1.2",
"husky": "4.2.5",
"jest": "25.2.2",
"lint-staged": "10.0.8",
"nodemon": "^2.0.4",
"prettier": "1.19.1",
"serverless": "1.78.0",
"serverless-dotenv-plugin": "^3.0.0",
"serverless-offline": "6.5.0",
"serverless-webpack": "5.3.3",
"ts-loader": "^8.0.3",
"typegraphql-prisma": "^0.6.0",
"typescript": "3.8.3",
"webpack": "4.42.0",
"webpack-node-externals": "2.5.2"
}
}

[amhinson]

I'm having some trouble trying to replicate the issue you're seeing unfortunately 😕 . I just created a new Serverless framework Express app using some of the same code snippets you provided and I am able to successfully authenticate a user. Would you be able to look into creating a basic Express app that you could share with me to show the behavior you're seeing, and then provide some reproduction steps?

[manojkumarg16]

Week back I wrote a rough code snippet of same which was working fine. Now I just reused the snippet which is throwing error, quite strange :(

[amhinson]

@Benzer1406 This fix is now available with latest 👍

@manojkumarg16 Can you try with the latest version to see if any behavior changes?

[manojkumarg16]

@amhinson tried with latest version of crypto , still issue persists
"amazon-cognito-identity-js": "^4.5.3-unstable.1",
"crypto-js": "^4.0.0",

[manojkumarg16]

@amhinson It started working after downgrading amazon-cognito-identity-js from ^4.5.3-unstable.1--> 4.5.0 and removing crypto-js .
Thanks for your support @amhinson

[amhinson]

@manojkumarg16 can you try with "amazon-cognito-identity-js": "4.5.3"? You also shouldn't need to install crypto-js unless you're using it explicitly in your project.

[pathiyilnaveen]

@amhinson I tried with "amazon-cognito-identity-js": "4.5.3" I am still getting the same issue .

[amhinson]

@pathiyilnaveen Could you share your code or a small reproducible example so we can try to replicate the issue you are seeing?

[pathiyilnaveen]

I am using amplify on my unit tests
@amhinson

const chai = require('chai');
const chaiHttp = require('chai-http');
const mocha = require('mocha');
const Amplify = require('aws-amplify');
const { Auth } = require('aws-amplify');

const { describe, before } = mocha;
const { it } = mocha;
const { expect } = require('chai');

chai.use(chaiHttp);
chai.should();

Amplify.default.configure({
  Auth: {
    // REQUIRED - Amazon Cognito Identity Pool ID
    identityPoolId: 'ID_POOL_ID',
    // REQUIRED - Amazon Cognito Region
    region: 'us-east-1',
    // OPTIONAL - Amazon Cognito User Pool ID
    userPoolId: 'USR_POOL_ID',
    // OPTIONAL - Amazon Cognito Web Client ID
    userPoolWebClientId: 'WEB_CLIENT
  },
});

async function onUserSignIn(email, password) {
  const username = email;
  await Auth.signIn(username, password).then((user) => {
    global.cognito_id = user.username;
  });
}

before(async function () {
  this.timeout(10000);
  const mailId = '[email protected]';
  const password = 'test@123';
  await onUserSignIn(mailId, password);
});

Below is my dependencies in package.json

"dependencies": {
"@babel/cli": "^7.10.1",
"@babel/preset-env": "^7.10.2",
"amazon-cognito-identity-js": "4.5.3",
"aws-amplify": "^3.0.23",
"aws-sdk": "^2.756.0",
"axios": "^0.20.0",
"body-parser": "^1.19.0",
"bull": "^3.14.0",
"bull-board": "^0.9.0",
"casbin": "^5.0.4",
"casbin-sequelize-adapter": "^2.1.0",
"chai": "^4.2.0",
"chai-http": "^4.3.0",
"cookie-parser": "~1.4.4",
"cors": "^2.8.5",
"cpx": "^1.5.0",
"cross-fetch": "^3.0.5",
"debug": "~2.6.9",
"elasticsearch": "^16.7.1",
"express": "~4.16.1",
"express-validator": "^6.6.0",
"geoip-lite": "^1.4.2",
"http-aws-es": "^6.0.0",
"ioredis": "^4.17.3",
"json-rules-engine": "^5.0.3",
"jsonwebtoken": "^8.5.1",
"jwk-to-pem": "^2.0.3",
"lodash": "^4.17.19",
"logform": "^2.2.0",
"mocha": "^7.2.0",
"moment": "^2.29.1",
"morgan": "~1.9.1",
"multer": "^1.4.2",
"nodemailer": "^6.4.8",
"nodemon": "^2.0.4",
"npm-run-all": "^4.1.5",
"pg": "^8.2.1",
"pg-hstore": "^2.3.3",
"read-excel-file": "^4.0.6",
"redis": "^3.0.2",
"redis-clustr": "^1.7.0",
"rimraf": "^3.0.2",
"save": "^2.4.0",
"save-dev": "0.0.1-security",
"sequelize": "^5.21.12",
"swagger-jsdoc": "^4.2.0",
"swagger-stats": "^0.95.18",
"swagger-ui-express": "^4.1.4",
"winston": "^3.3.3",
"winston-daily-rotate-file": "^4.5.0",
"xlsx": "^0.16.7"
},

here is the error i get

1. "before all" hook in "{root}"

0 passing (13ms)
1 failing

1. "before all" hook in "{root}":
   Error: Native crypto module could not be used to get secure random number.
   at cryptoSecureRandomInt (node_modules/amazon-cognito-identity-js/lib/utils/cryptoSecureRandomInt.js:43:9)
   at WordArray.random (node_modules/amazon-cognito-identity-js/lib/utils/WordArray.js:50:56)
   at randomBytes (node_modules/amazon-cognito-identity-js/lib/AuthenticationHelper.js:40:58)
   at AuthenticationHelper.generateRandomSmallA (node_modules/amazon-cognito-identity-js/lib/AuthenticationHelper.js:101:21)
   at new AuthenticationHelper (node_modules/amazon-cognito-identity-js/lib/AuthenticationHelper.js:56:29)
   at CognitoUser.authenticateUserDefaultAuth (node_modules/amazon-cognito-identity-js/lib/CognitoUser.js:264:32)
   at CognitoUser.authenticateUser (node_modules/amazon-cognito-identity-js/lib/CognitoUser.js:237:19)
   at /smart-property/service-api/service-api/service-api/node_modules/@aws-amplify/auth/lib/Auth.js:515:18
   at new Promise ()
   at AuthClass.signInWithPassword (node_modules/@aws-amplify/auth/lib/Auth.js:514:16)
   at AuthClass.signIn (node_modules/@aws-amplify/auth/lib/Auth.js:400:25)
   at onUserSignIn (test/07UserCreation.js:31:14)
   at Context. (test/07UserCreation.js:40:9)
   at process.topLevelDomainCallback (domain.js:126:23)

npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] test-coverage-html: nyc --reporter=html mocha -timeout 10000 --exit
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] test-coverage-html script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

[amhinson]

@pathiyilnaveen Can you add global.crypto = require('crypto') at the top of the file?

[Ladvace]

I already have global.crypto = require('crypto').
I do nothing more than this:
const signInRes = await signIn(username, password); return res.send(signInRes);

[amhinson]

@Ladvace Would you be able to share a small example repo that shows the behavior you're seeing? I've really been trying hard to replicate the issues you are seeing, but there are just just many different factors that might be contributing to the problem.

[Ladvace]

I hope this will be fine: https://pastebin.com/MYxyuMHk

[amhinson]

@Ladvace Thank you, that will help a lot! Is this just a standard Express app?

[Ladvace]

yes. the api.get you see in the pastebin it's just an express router.

let api = Router();

[amhinson]

Thanks again for the reproduction sample @Ladvace! I have made a small adjustment in this PR that should fix the behavior you're seeing. It is available to use now with the unstable tag, and we will likely have a release to latest next week.

Can you verify that unstable works for you?

Also, with that fix, it is no longer required to add global.crypto = require('crypto') in your code, as this will handle that automatically.

[Ladvace]

ok, fixed!, thanks so much

[cbschuld]

@amhinson - I too can confirm "unstable" with no additional require works. Thanks for the fix & the unstable push.

[renanwilliam]

Here works too.

[minkasu-kuppusamy]

How to add global.crypto = require('crypto') in build file? i mean after bundling we can do it manually, how to do before bundle starts ?

[rahul-network]

Please use the package
"amazon-cognito-identity-js": "4.3.3" instead of "amazon-cognito-identity-js": "^4.3.3"

This ^ sysmbol will always find latest version of the package and it will break if any unstable version released or any errors.

[arunmishra152]

I was facing this issue when I was working with amazon cognito in nodejs. After so many hit and trial i found the solution, just change the amazon-cognito-identity-js version to :

"amazon-cognito-identity-js": "^4.5.4-unstable.6"

and now it is working for me, hope it will save your time and will work for you all who is facing this issue.

[amhinson]

Update: latest is now up to date with the fix so global.crypto = require('crypto') is not required anymore 👍

[mattiLeBlanc]

I am still experiencing this error with Angular 11 when running ng-serve, and @aws-amplify/auth.

Warning: ./node_modules/amazon-cognito-identity-js/es/utils/cryptoSecureRandomInt.js
Module not found: Error: Can't resolve 'crypto' in '/Users/mattijs/www/earnr/earnr-dashboard/node_modules/amazon-cognito-identity-js/es/utils'

I have tried installing "amazon-cognito-identity-js": "^4.5.4-unstable.6",

"compilerOptions": {
    "baseUrl": "./",
    "paths": {
      "crypto": [
        "../../node_modules/crypto-js"
      ]
    },

and installing latest ampliy/core, auth and pubsub. Nothing works.

I can't use require, TS compiler is freaking out.

[mjpaton]

+1 for mattiLeBlanc - starting a new vanilla Angular 11 project, installing Amplify and Auth

[mattiLeBlanc]

@mjpaton I fixed/hacked it by doing the following:
Adding to polyfill.ts

// Amplify polyfill
(window as any).global = window;
(window as any).process = {};

Adding the following packages to my package.json:

    "@aws-amplify/auth": "^3.4.13",
    "@aws-amplify/core": "^3.8.5",
    "@aws-amplify/pubsub": "^3.2.11",
    "amazon-cognito-identity-js": "^4.5.4-unstable.6",

and added to tsconfig:

"compilerOptions": {
    "baseUrl": "./",
    "paths": {
      "crypto": [
        "../../node_modules/crypto-js"
      ]
    },

I am still getting warnings:

but Auth seems to be working.
What is the proper solution for Angular 11?

[theninadoge]

@mattiLeBlanc do you mind posting your full tsconfig.

I'm hoping something within that is a clue to get this working.

Also using Angular 11,
I've tried every permutation between adding global.crypto = require('crypto') to the top of main.ts or not, using "amazon-cognito-identity-js": "^4.5.4-unstable.6" or latest,
I've tried with and without the polyfills, and the compiler paths you listed, and I just can't seem to get past this issue.

[mattiLeBlanc]

@theninadoge

Pretty much standard generated by angular, except for the paths.

/* To learn more about this file see: https://angular.io/config/tsconfig. */
{
  "compileOnSave": false,
  "compilerOptions": {
    "baseUrl": "./",
    "paths": {
      "crypto": [
        "../../node_modules/crypto-js"
      ]
    },
    "outDir": "./dist/out-tsc",
    "forceConsistentCasingInFileNames": true,
    "strict": true,
    "noImplicitReturns": true,
    "noFallthroughCasesInSwitch": true,
    "sourceMap": true,
    "declaration": false,
    "downlevelIteration": true,
    "experimentalDecorators": true,
    "moduleResolution": "node",
    "importHelpers": true,
    "target": "es2015",
    "module": "es2020",
    "lib": [
      "es2018",
      "dom"
    ]
  },
  "angularCompilerOptions": {
    "strictInjectionParameters": true,
    "strictInputAccessModifiers": true,
    "strictTemplates": true
  },
  "exclude": [ "lib", "bin", "scripts"]
}

[amhinson]

@mattiLeBlanc Are you seeing an Error that crashes your app, or are you just seeing the warning in the console? I think that the warning might just be coming from this require, which isn't relevant for web:

amplify-js/packages/amazon-cognito-identity-js/src/utils/cryptoSecureRandomInt.js

Lines 18 to 23 in e98217c

	// Native crypto import via require (NodeJS)
	if (!crypto && typeof require === 'function') {
	try {
	crypto = require('crypto');
	} catch (err) {}
	}

With that said, I don't think it should impact your app in any way besides the warning showing. I am going to look into what it would take to suppress that warning.

[mattiLeBlanc]

@amhinson I am currently seeing errors during build and ng serve, because I added this to my polyfill:

(window as any).global = window;
(window as any).process = {};

If I leave that out the app crashes.

[mjpaton]

Yep confirmed I'm still getting about a dozen warnings in the console - @amhinson any update on how they can be suppressed if they truly are spurious for web?

I've not noticed an impact aside from them blowing up the console - auth works, refreshing tokens work, API calls work to cognito secured endpoints.

[amhinson]

@mjpaton This appears to just be limited to Angular apps from my testing. As you mentioned, there should be no effect on the functionality here. I'll look into what we can do on our side to suppress and superficial warnings.

[amhinson]

It appears that there may not be much we can do on our side with this. The implementation we have is similar to crypto-js, and it looks like they have the same issues:
brix/crypto-js#262
brix/crypto-js#290
brix/crypto-js#291
brix/crypto-js#295

Here is one potential solution you can add in your app to suppress the warning: https://stackoverflow.com/a/54162447

[mrsan22]

@mjpaton I fixed/hacked it by doing the following:
Adding to polyfill.ts

// Amplify polyfill
(window as any).global = window;
(window as any).process = {};

Adding the following packages to my package.json:

    "@aws-amplify/auth": "^3.4.13",
    "@aws-amplify/core": "^3.8.5",
    "@aws-amplify/pubsub": "^3.2.11",
    "amazon-cognito-identity-js": "^4.5.4-unstable.6",

and added to tsconfig:

"compilerOptions": {
    "baseUrl": "./",
    "paths": {
      "crypto": [
        "../../node_modules/crypto-js"
      ]
    },

I am still getting warnings:

but Auth seems to be working.
What is the proper solution for Angular 11?

In angular.json file you can update the builder -> options to get rid of these warnings

`

 "builder": "@angular-devkit/build-angular:browser",
          "options": {
            "allowedCommonJsDependencies": [
              "crypto-js",
              "js-cookie",
              "isomorphic-unfetch",
              "buffer"
            ],

`

[github-actions]

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.