How to set hash-key option for auth:import after default auth:export in firebase?

20
votes

I've got my users exported the in CLI:

firebase auth:export my_users.json

The passwords in the exported file should be hashed with SCRYPT, because as the documentation states:

auth:export command only exports passwords hashed using the scrypt algorithm, which is used by the Firebase backend. Account records with passwords hashed using other algorithms are exported with empty passwordHash and salt fields. Projects might have passwords hashed with other algorithms after importing user records from a file, since passwords are only re-hashed with scrypt when an imported user signs in for the first time

My hash-key and salt fields are not empty in the result. Also, I know that all my users signed in at least once.

Now, when I try to import my_users.json:

firebase auth:import --hash-algo=SCRYPT --rounds=1 my_users.json

I get the following error:

Must provide hash key(base64 encoded) for hash algorithm SCRYPT

But what should I set --hash-key to, since the auth:export command did not take any parameters? ...

Thanks in advance

2
firebasefirebase-authenticationfirebase-tools
For now the only workaround I found is to ask users to reset their passwords after the import, as Bryan Lewis also mentioned. The only upside is that they can set the very same password they had before :|ezmegy
I've just tried to do the same thing - default export of users then import back into the same firebase project, I found that not providing the hash algo in the import command led to the import working correctly, despite the tool printing this warning message "No hash algorithm specified. Password users cannot be imported.". This only works when importing into the same project from which the export was made.Will Bolam

2 Answers

29
votes

So you can now get the hash key and the salt info from the firebase console GUI. I had to enter incognito mode in chrome for some reason (firebase support suggested this).

I could then log into my firebase console in the incognito browser.

(Note that you need to use the firebase instance that you are copying users from, not the one that you are copying users to)

You click on Authentication -> Users and then click on the three vertical dots next to the reload button and a popup menu will show up with a single menu item: "Password hash parameters".

password hash parameters

Click on this menu item and all of the settings you need for doing the firebase auth:import command will show up. Here's what I see:

hash_config {
  algorithm: SCRYPT,
  base64_signer_key: <long string of random characters>,
  base64_salt_separator: <short string of random characters>,
  rounds: 8,
  mem_cost: 14,
}

I can then do the command successfully

firebase auth:import ./users.json --hash-algo=scrypt --rounds=8 --mem-cost=14 --hash-key=<long string of random characters> --salt-separator=<short string of random characters>
0
votes

Referring to Firebase documentation - "Firebase Authentication Password Hashing": https://firebaseopensource.com/projects/firebase/scrypt/

Finding the Password Hash Parameters

Firebase generates unique password hash parameters for each Firebase project. To access these parameters, navigate to the 'Users' tab of the 'Authentication' section in the Firebase Console and select 'Password Hash Parameters' from the drop down in the upper-right hand corner of the users table.

Seems like there is no option to fetch hash parameters via cli unfortunately. So, the GUI is the only way, I suppose (as Geoffrey Wall mentioned on their answer).