Cannot authenticate users imported with SHA512 passwords #792
Comments
One more public-api-method-only demonstration of correctness of my password hashing:

```ruby
2.3.3 :014 > user = User.new; user.crypted_password
 => nil
2.3.3 :015 > user.password = "test123"; user.crypted_password
 => "ac888afb942d693a154323d180d708bc2b4c6d4902d3b90dfddc3e2e88d975a4c641addd492c67af24656cf4252c18fce8a45337d8c72e9a4f9b4e3782d90589"
```

where the

SDK only supports salt-first password hashing, whereas your code is attempting a password-first hash:
Here's a working example for SHA256 for comparison. This is from our own integration tests, and it is run regularly against actual Firebase projects. I expect SHA512 to work similarly.

- firebase-admin-node/test/integration/auth.spec.ts, lines 1375 to 1390 in 5abaab6
- firebase-admin-node/test/integration/auth.spec.ts, lines 1487 to 1500 in 5abaab6
- firebase-admin-node/test/integration/auth.spec.ts, lines 1593 to 1613 in 5abaab6
I managed to get a successful sign-in by modifying your function as follows:

In addition to using salt-first hashing, you should also account for the fact that the js-sha512 API you're using returns its output as a hex string.
@hiranya911 Thank you for the explanation and the fix! Unfortunately, since it seems that Authlogic makes this same error of hashing the hex string instead of the hex output as bytes, this seems to imply that I will not be able to import passwords hashed using this library. Does that sound correct? Authlogic is a pretty popular gem; is there any sense in which this method of hashing could be supported by Firebase Auth so that applications that use(d) Authlogic can import users into Firebase?
For reference: here's the line from Authlogic that shows how they use SHA512 stretches:

```ruby
stretches.times { digest = Digest::SHA512.hexdigest(digest) }
```

And demonstrating how this code works in Ruby:

```ruby
2.3.3 :187 > password = "test123"
 => "test123"
2.3.3 :188 > c = Digest::SHA512.hexdigest(password)
 => "daef4953b9783365cad6615223720506cc46c5167cd16ab500fa597aa08ff964eb24fb19687f34d7665f778fcb6c5358fc0a5b81e1662cf90f73a2671c53f991"
2.3.3 :189 > Digest::SHA512.hexdigest(c)
 => "113c466936018ad6d5ba5c565f7aa7f44006013f15c0793c020b799e12f1d3560accfd7b4b94caac7c3dbaf55eb8f22a37b9194df040fb59083a9fa7c07468a9"
```

vs representing the

```ruby
2.3.3 :184 > password = "test123"
 => "test123"
2.3.3 :185 > c = Digest::SHA512.hexdigest(password)
 => "daef4953b9783365cad6615223720506cc46c5167cd16ab500fa597aa08ff964eb24fb19687f34d7665f778fcb6c5358fc0a5b81e1662cf90f73a2671c53f991"
2.3.3 :186 > Digest::SHA512.hexdigest([c].pack("H*"))
 => "a9bdede324c91e7a390a70e641254cd03c17e879d50f96c2c7a3107de6a45596467deb2849d7aa3aa0fcac452b51bc5ab4a8e881d72e61ae6a07cdc299643dc2"
```

Now using your method in Node:

```javascript
> password = "test123"
'test123'
> c = sha512(password)
'daef4953b9783365cad6615223720506cc46c5167cd16ab500fa597aa08ff964eb24fb19687f34d7665f778fcb6c5358fc0a5b81e1662cf90f73a2671c53f991'
> sha512(Buffer.from(c, "hex"))
'a9bdede324c91e7a390a70e641254cd03c17e879d50f96c2c7a3107de6a45596467deb2849d7aa3aa0fcac452b51bc5ab4a8e881d72e61ae6a07cdc299643dc2'
```

This matches the Ruby method using the byte pack method. The equivalent "incorrect" method that I was initially using, which matches how Authlogic uses the hashing function:

```javascript
> password = "test123"
'test123'
> c = sha512(password)
'daef4953b9783365cad6615223720506cc46c5167cd16ab500fa597aa08ff964eb24fb19687f34d7665f778fcb6c5358fc0a5b81e1662cf90f73a2671c53f991'
> sha512(c)
'113c466936018ad6d5ba5c565f7aa7f44006013f15c0793c020b799e12f1d3560accfd7b4b94caac7c3dbaf55eb8f22a37b9194df040fb59083a9fa7c07468a9'
```

So we can see that the method I used initially matches what Authlogic is doing, and if I'm getting this correct, that means the only way to import passwords that were encrypted with the Authlogic library would be if firebase-auth were to build support for this (incorrect) method of hashing, right?
Yes, this will require some fix from the Authlogic end if you wish to use that library. It seems you've already initiated the process for getting it fixed.
I'm experiencing a similar issue where users are unable to authenticate after importing our user database into Firebase. An example of what we're doing can be seen below. Has anyone run into a similar issue? @hiranya911

I'm also noticing that passwordHash and passwordSalt are always undefined.
I might be wrong, but it seems you're setting the hash algorithm type to `crypto.createHash('sha512').update(rawSalt + rawPassword).digest();`. That might explain why the login is not working as expected. As for why the password hash is not included in the
[REQUIRED] Step 3: Describe the problem
Steps to reproduce:

I cannot authenticate with imported users using SHA512-encrypted passwords. The import is successful and the password hashes look correct using `listUsers()`, but authentication fails with `auth/wrong-password`.

See code below for a demo. I started from the [Firebase docs instructions on importing users](https://firebase.google.com/docs/auth/admin/import-users#import_users_with_md5_sha_and_pbkdf_hashed_passwords). Users imported using (known) SHA512-encrypted passwords are not able to authenticate.

I have tried this both with existing encrypted passwords from the AuthLogic Ruby gem and by generating the encrypted passwords myself, as below. I have confirmed that my method produces identical password hashes to AuthLogic. Neither method is producing valid logins.
Relevant Code:
package.json dependencies:
Node script to reproduce the issue:
OUTPUT:
To prove that password hashes match the third-party output:
My method in Node:
Using AuthLogic in ruby:
I have tried the above script with salted and unsalted passwords. Same result.
Any help is greatly appreciated!