firebase auth:import do not use the right password #1617

Closed
TherapyBox opened this issue Aug 22, 2019 · 6 comments · Fixed by #1701

@TherapyBox TherapyBox commented Aug 22, 2019

firebase auth:import appears to be broken?

With MD5:

firebase auth:import users.json --hash-algo=MD5 --rounds=0
{  
   "users":[  
      {  
         "localId":"uid1",
         "email":"fedtest@gmail.com",
         "emailVerified":true,
         "displayName":"Test Foo Bar",
         "passwordHash":"NzJkNGE1YTViNjA1YzUzYWUxYWM0NzhkOWE0OTc3ZDc=",
         "salt":null
      }
   ]
}

This works fine.

But, with SHA1, SHA256, etc.:

firebase auth:import users.json --hash-algo=SHA1 --rounds=0
{  
   "users":[  
      {  
         "localId":"uid1",
         "email":"fedtest@gmail.com",
         "emailVerified":true,
         "displayName":"Test Foo Bar",
         "passwordHash":"NDM3MDkxZjMxYmY1OTgwOWJkMzRjZDBjYzVlNGM3ZGE2ODIwZmU3Nw==",
         "salt":null
      }
   ]
}

This doesn't allow me to log in with the password that I chose. The account is created, but I cannot log in. On login, the error I get is:

Error: The password is invalid or the user does not have a password.

The plain password for those tests of mine is: tester5. I tried with both the latest version of firebase-tools (7.2.4) and the previous major version as well - same behaviour.
Am I missing something?

@google-oss-bot google-oss-bot commented Aug 22, 2019

This issue does not seem to follow the issue template. Make sure you provide all the required information.

@mbleigh mbleigh added the api: auth label Aug 28, 2019

@mbleigh mbleigh commented Aug 29, 2019

Internal tracking id: 140201224

@rcoppinger-tbox rcoppinger-tbox commented Oct 7, 2019

Hi, does anyone have an update to the status of this issue?

@samtstern samtstern commented Oct 8, 2019

I asked the engineering team and we currently don't support 0-round hashing for SHA1 passwords. I will add a warning to reflect this.

@rcoppinger-tbox rcoppinger-tbox commented Oct 22, 2019

Hi @samtstern ,

I was hoping to get a bit of direction for a problem we're having with the import users method.
Our application has +- 2,000 weekly active users and we're moving to firebase from our legacy system, which uses PHP SHA1 password hashing with rounds 0 to encrypt users' passwords, like so:

$hashed = sha1($salt . $current_password);

Since rounds=0 is rejected for SHA1, we've tried importing using rounds=1 and rounds=80. Neither of them work. When trying to log in with that account, an incorrect password error is thrown:

Error: The password is invalid or the user does not have a password.

Any advice as to what number of rounds we should try? Is there any alternative solution to this problem, or are we out of luck with this one?

@erickentry erickentry commented Dec 12, 2019

I think the problem is in the Base64 encoding. You should generate Base64 from un-hex-ed SHA1 hash.

Refer to this SO post: https://stackoverflow.com/questions/27838177/convert-string-to-sha1-and-to-base64

And we basically import our data using this command:

firebase auth:import some_file.json --hash-algo=SHA1 --rounds=1

--
We've spent some time figuring this out too 😄
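
The encoding check suggested in the last comment, written out as an added example that is not part of the original thread or of firebase-tools. The function names are hypothetical, the SHA1 value is the `passwordHash` from the first post, and the salt and password in the final line are constructed samples.

```python
import base64
import binascii
import hashlib
import string

# Raw digest sizes in bytes for the algorithms named in the thread.
DIGEST_SIZES = {"MD5": 16, "SHA1": 20, "SHA256": 32}
HEX_BYTES = string.hexdigits.encode("ascii")

# passwordHash from the SHA1 users.json in the first post of the issue.
ISSUE_SHA1_VALUE = "NDM3MDkxZjMxYmY1OTgwOWJkMzRjZDBjYzVlNGM3ZGE2ODIwZmU3Nw=="


def legacy_hex_digest(salt: bytes, password: bytes) -> str:
    """Hex digest in the shape of the thread's PHP sha1($salt . $current_password)."""
    return hashlib.sha1(salt + password).hexdigest()


def hex_to_import_value(hex_digest: str) -> str:
    """Un-hex the digest first, then base64 the raw bytes."""
    return base64.b64encode(binascii.unhexlify(hex_digest)).decode("ascii")


def classify_password_hash(b64_value: str, algo: str) -> str:
    """Tell a base64-encoded raw digest from base64-encoded hex text by length."""
    size = DIGEST_SIZES[algo]
    decoded = base64.b64decode(b64_value, validate=True)
    if len(decoded) == size:
        return "raw-digest"
    if len(decoded) == 2 * size and all(b in HEX_BYTES for b in decoded):
        return "hex-text"
    return "unknown"


def repair_password_hash(b64_value: str, algo: str) -> str:
    """Return the value re-encoded from raw digest bytes, or raise if unrecognised."""
    kind = classify_password_hash(b64_value, algo)
    if kind == "raw-digest":
        return b64_value
    if kind == "hex-text":
        return hex_to_import_value(base64.b64decode(b64_value).decode("ascii"))
    raise ValueError(f"not a {algo} digest in either encoding: {b64_value!r}")


if __name__ == "__main__":
    print(classify_password_hash(ISSUE_SHA1_VALUE, "SHA1"))
    print(repair_password_hash(ISSUE_SHA1_VALUE, "SHA1"))
    # Constructed sample salt and password, not values from the issue.
    print(hex_to_import_value(legacy_hex_digest(b"s4lt", b"example-password")))
```

Running the classifier over every `passwordHash` in an export before `firebase auth:import` shows whether the legacy hex strings were base64-encoded as text.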
