In the simple case outlined below, the user will successfully import but I receive an INVALID_PASSWORD when I try to authenticate.

The salt and passwordHash were pulled from an LDAP user directory (ApacheDS) using the {SSHA} auth schema. When I run the following JS I receive the passwordHash I'm expecting:

// requires the npm package sha1-hex (npm install sha1-hex)
var sha1Hex = require('sha1-hex');

// salt as stored in the LDAP {SSHA} entry: base64 -> hex
var saltHex = Buffer.from("ktuF+dzYMQU=", 'base64').toString('hex');
var passwordHex = Buffer.from("demo", 'utf-8').toString('hex');

// SHA1 over the password bytes followed by the salt bytes (password first)
var hash = sha1Hex(Buffer.from(passwordHex + saltHex, 'hex'));
// base64 of the raw 20-byte digest, not of its hex string
var hashBase64 = Buffer.from(hash, 'hex').toString('base64');
console.log(hashBase64);

Firebase CLI import command:

firebase auth:import users.json --hash-algo=SHA1 --rounds=80

users.json file:

{
  "users": [
    {
      "localId": "3c872eee-e86c-4b44-9840-bcebaac18f2c",
      "email": "[email protected]",
      "salt": "ktuF+dzYMQU=",
      "passwordHash": "BuapoGGKIdfGprfMFjj3N9I7Ljg=",
      "displayName": "Demo User"
    }
  ]
}

Credentials that should work with imported user:
Username: [email protected]
Password: demo

Firebase Web API login command (returns INVALID_PASSWORD):

firebase.auth().signInWithEmailAndPassword('[email protected]', 'demo');

I'm not confident about the --rounds=80 parameter; it seems weird that it needs to be specified at all when using SHA1. I've also tried with --rounds=0.

3 Answers

1 vote

After trying this out with Java MessageDigest SHA-1 to verify the password hash, one of our uber auth experts said that it looks like you're doing passwordHash = SHA1(plainPassword + salt).

However, the Firebase Auth system uses passwordHash = SHA1(salt + plainPassword).

So I think if you switch that around, it should produce better results.

1 vote

You can configure the order of the password and hash.

The --hash-input-order flag accepts two values: SALT_FIRST or PASSWORD_FIRST.

In your case you want to do:

firebase auth:import users.json --hash-algo=SHA1 --rounds=80 --hash-input-order=PASSWORD_FIRST

0 votes

For anyone like me who spent hours finding a solution for this issue, please refer to this.

Basically, passwordHash should be the Base64 encoding of the raw (un-hexed) SHA1 digest. And --rounds=1 works fine.