Last week i assisted a customer in getting ready to import their existing users into Google Identity Platform. As is the case with many companies, their userbase’s identity store was your basic run of the mill salted password store. This is usually a no-brainier to migrate and the identity platform, firebase docs cover that ad nauseam (see Migrating users from an existing app).
What stood apart in with this customer was the choice of they had i their existing system: SHA-1
. No big deal i thought, the docs cover it.
However, the story more complicated quickly: a known password for a test user just didn’t work…the customer knew the original password, the salt used and given those two the password hash to import:
email = dev@foooo.com
raw_password = Password1
password_hash= kfjS+dtoePcY0vEKx1w5ol2ZJ88=
raw_salt = XiwiihQ=
I looked at this for hours and then noticed how they seeded their users in their users store:
sha1(password+salt)
the salt value was appended to the password and those two together got hashed…that left me thinking of the scheme firebase/cloud identity uses..I then looked around the firebase SDK for anyplace where you set/define the order since it may well be defaulting t
hash(salt+password)
It turns the ability to set the order is not surfaced in the SDK but is there in the firebase cli as the --hash-input-order=
switch here deep in the code.
"--hash-input-order <hashInputOrder>",
"specify the order of password and salt. Possible values are SALT_FIRST and PASSWORD_FIRST. " +
So then i went ahead to test this. I had to setup the firebase CLI, create an import file using the hash i was given and the b64 encoded salt
{
"users": [
{
"localId": "dev@foooo.com",
"email": "dev@foooo.com",
"passwordHash": "kfjS+dtoePcY0vEKx1w5ol2ZJ88=",
"salt": "WGl3aWloUT0=",
"displayName": "dev@foooo.com"
}
]
}
Then ran the import using the cli:
$ firebase auth:import user.json --hash-algo=SHA1 --rounds=1 --hash-input-order=PASSWORD_FIRST
Processing user.json (239 bytes)
Starting importing 1 account(s).
✔ Imported successfully.
At that point, i used the sample firebase “login client” below to test..take my word for it…success!
Now..your next question is “why can’t i use an sdk client?”…well, i don’t know, i’ll file a FR to the git repo to add it in…but in a quick look at the code, it just looks like you’d need to add in the following parameter to each user’s entry:
passwordHashOrder
: "SALT_AND_PASSWORD"
, or "PASSWORD_AND_SALT"
thats all…i spent maybe 7 hours on this one little thing…hope this helps someone out.
The following is a sample firebase ‘login’ client which will take an email/password and attempt a login.
This site supports webmentions. Send me a mention via this form.