Importing hashed passwords using the authlogic ruby gem


Andrew Schwartz

Feb 22, 2020, 7:31:34 PM
to Firebase Google Group
I am trying to import users from a Rails database into Firebase auth. The passwords were hashed by the authlogic gem/library in ruby using their SHA512 implementation.

Unfortunately, it seems they may have gotten it wrong. At least they're doing it differently from firebase. Specifically, there is a hexdigest method being called that returns a regular string with hex characters. When repeating rounds of the hashing, they hash this utf-8 string directly instead of the bytes represented by the hex characters. Firebase, on the other hand, hashes the bytes represented by that string. For a demo of both methods in both ruby and node.js, see this issue on firebase-admin-node and the comments toward the bottom. There I reproduce authlogic's hashed passwords exactly using the "hash the string" method, but the correct way to import users into firebase is to use the "hash the bytes" method.

Given this, it seems that importing users will be impossible unless firebase auth recreates this "incorrect" hashing method. Is that correct?

Given the popularity of authlogic, is there any sense in which this would be a reasonable feature request? Ability to import users is a big reason I'm able to use to pitch firebase / google identity platform over AWS Cognito (the one that Product will bite into, they don't care nearly as much as I do that GCP is just much nicer to use)

Kato Richardson

Feb 25, 2020, 12:20:46 PM
to Firebase Google Group
Hi Andrew,

I don't think this is likely to get implemented at our end; Hiranya's comment on GitHub can be considered authoritative.

I think the best alternative here would be to do some sort of hybrid import. It might look something like this:
  1. Import the user accounts without the authlogic passwords
  2. Set up a custom auth server you manage (maybe with Cloud Functions)
  3. When a user logs in for the first time, authenticate the users against their existing authlogic hashes and hold on to the password provided briefly
  4. Return a Firebase signed JWT token for use with Firebase Authentication
  5. Run updateUser on their Firebase account with the password provided
  6. Now users can log in with Firebase Auth normally.
☼, Kato

--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398
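
Step 3 of the hybrid import above, sketched as a Node.js check next to the "hash the bytes" variant for contrast. This is an added example, not code from the thread, authlogic or Firebase. The round count, the password-then-salt concatenation and all function names are assumptions; take the real values from the authlogic configuration being migrated.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');

// ASSUMPTION: round count and password+salt order are illustrative defaults;
// take the real values from the authlogic configuration being migrated.
const ASSUMED_ROUNDS = 20;

// "Hash the string": every round hashes the UTF-8 text of the previous
// round's hex digest (128 ASCII characters), as the thread describes.
function hashTheString(password, salt, rounds = ASSUMED_ROUNDS) {
  let digest = password + salt;
  for (let i = 0; i < rounds; i++) {
    digest = createHash('sha512').update(digest, 'utf8').digest('hex');
  }
  return digest;
}

// "Hash the bytes": every round hashes the previous round's 64 raw bytes.
function hashTheBytes(password, salt, rounds = ASSUMED_ROUNDS) {
  let digest = Buffer.from(password + salt, 'utf8');
  for (let i = 0; i < rounds; i++) {
    digest = createHash('sha512').update(digest).digest();
  }
  return digest.toString('hex');
}

// Step 3 of the hybrid import: check a login attempt against the legacy hash.
// Returns false for malformed stored values instead of throwing.
function verifyLegacyPassword(candidate, salt, storedHex, rounds = ASSUMED_ROUNDS) {
  if (typeof candidate !== 'string' || typeof storedHex !== 'string') return false;
  const computed = Buffer.from(hashTheString(candidate, salt, rounds), 'hex');
  const stored = Buffer.from(storedHex, 'hex'); // bad hex yields a short buffer
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return stored.length === computed.length && timingSafeEqual(computed, stored);
}

// Constructed sample record (not real user data).
const sampleSalt = 'constructed-salt';
const sampleHash = hashTheString('correct horse', sampleSalt);
console.log('legacy login accepted:', verifyLegacyPassword('correct horse', sampleSalt, sampleHash));
console.log('bytes variant matches stored hash:', hashTheBytes('correct horse', sampleSalt) === sampleHash);
```

With a single round the two variants agree, because both hash the same input bytes; they diverge from the second round on, which is why the stored hashes cannot be imported as a plain iterated SHA-512.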
