getUser() return value contains passwordHash and passwordSalt

[hiranya911]

The UserRecord returned by admin.auth().getUser() contains passwordHash and passwordSalt fields.

const admin = require('firebase-admin')
admin.initializeApp();
admin.auth().getUser(uid)
  .then((user) => console.log(user));

This resulted in:

UserRecord {
  uid: 'e1b2NmnasZXw0QtpYFcZ88IeK5t1',
  email: '********@gmail.com',
  emailVerified: true,
  displayName: undefined,
  photoURL: undefined,
  phoneNumber: undefined,
  disabled: false,
  metadata: 
   UserMetadata {
     creationTime: 'Wed, 03 Apr 2019 23:36:27 GMT',
     lastSignInTime: 'Thu, 04 Apr 2019 00:38:10 GMT' },
  providerData: 
   [ UserInfo {
       uid: '********@gmail.com',
       displayName: undefined,
       email: '********@gmail.com',
       photoURL: undefined,
       providerId: 'password',
       phoneNumber: undefined } ],
  passwordHash: 'UkVEQUNURUQ=',
  passwordSalt: undefined,
  customClaims: undefined,
  tokensValidAfterTime: 'Wed, 03 Apr 2019 23:36:27 GMT' }

This is contrary to the documented behavior:

passwordHash
(string or undefined)

The user’s hashed password (base64-encoded), only if Firebase Auth hashing algorithm (SCRYPT) is used. If a different hashing algorithm had been used when uploading this user, as is typical when migrating from another Auth system, this will be an empty string. If no password is set, this is null. This is only available when the user is obtained from listUsers().

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[LilJaaY]

Is there any other way to get the password hash?

[zerobytes]

You can get passwordHash and passwordSalt using the listUsers method from admin auth api

[baotran-bryan]

google does not fix this, right?

[akashgangrade]

@hiranya911: Which firebase-admin version are you using?

[Acterion]

documented behavior

Can confirm this is still an issue in this setup:

    "firebase": "9.6.4",
    "firebase-admin": "10.0.2",
    "firebase-functions": "3.16.0",

[Randima-Lahiru]

I'm also have same problem.
admin.auth().getUser return passwordHash and passwordSalt parameter with undefined. But I can get value for those parametes using admin.auth().listUsers
How can I get passwordHash and passwordSalt values using admin.auth().getUser

[luizfelipelaviola]

This makes no sense. I just want to get a single user password hash to match using firebase admin and I need to pull the entire user list to do it. Can you imagine charging the app with millions of user entries just to get only single entity property from one position? It's also heavy for Firebase servers at all...

[soknifedev]

is there any update on this?

[alexpechkarev]

Hi, please can we have an update on this?