21

I've got my users exported the in CLI:

firebase auth:export my_users.json

The passwords in the exported file should be hashed with SCRYPT, because as the documentation states:

auth:export command only exports passwords hashed using the scrypt algorithm, which is used by the Firebase backend. Account records with passwords hashed using other algorithms are exported with empty passwordHash and salt fields. Projects might have passwords hashed with other algorithms after importing user records from a file, since passwords are only re-hashed with scrypt when an imported user signs in for the first time

My hash-key and salt fields are not empty in the result. Also, I know that all my users signed in at least once.

Now, when I try to import my_users.json:

firebase auth:import --hash-algo=SCRYPT --rounds=1 my_users.json

I get the following error:

Must provide hash key(base64 encoded) for hash algorithm SCRYPT

But what should I set --hash-key to, since the auth:export command did not take any parameters? ...

Thanks in advance

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
ezmegy
  • 605
  • 6
  • 17
  • For now the only workaround I found is to ask users to reset their passwords after the import, as Bryan Lewis also mentioned. The only upside is that they can set the very same password they had before :| – ezmegy Aug 01 '17 at 09:10
  • I've just tried to do the same thing - default export of users then import back into the same firebase project, I found that not providing the hash algo in the import command led to the import working correctly, despite the tool printing this warning message "No hash algorithm specified. Password users cannot be imported.". This only works when importing into the same project from which the export was made. – Will Bolam Jul 01 '20 at 13:45
  • @Frank the given answer is working but the project which I am importing in it already has some emails which I have in my exported JSON file so , it will create duplicate users with same email id isn't it ? – Ritik Joshi Jan 23 '23 at 08:24

2 Answers2

31

So you can now get the hash key and the salt info from the firebase console GUI. I had to enter incognito mode in chrome for some reason (firebase support suggested this).

I could then log into my firebase console in the incognito browser.

(Note that you need to use the firebase instance that you are copying users from, not the one that you are copying users to)

You click on Authentication -> Users and then click on the three vertical dots next to the reload button and a popup menu will show up with a single menu item: "Password hash parameters".

password hash parameters

Click on this menu item and all of the settings you need for doing the firebase auth:import command will show up. Here's what I see:

hash_config {
  algorithm: SCRYPT,
  base64_signer_key: <long string of random characters>,
  base64_salt_separator: <short string of random characters>,
  rounds: 8,
  mem_cost: 14,
}

I can then do the command successfully

firebase auth:import ./users.json --hash-algo=scrypt --rounds=8 --mem-cost=14 --hash-key=<long string of random characters> --salt-separator=<short string of random characters>
Geoffrey Wall
  • 558
  • 4
  • 11
  • And with which tool did you get the string which goes into the passwordHash field in `users.json`? – nalply Nov 28 '17 at 20:40
  • @nalply You can use the firebase-cli as discussed in this SO post: https://stackoverflow.com/questions/26801163/firebase-export-user-accounts-email-and-password-hashes – Geoffrey Wall Nov 28 '17 at 21:15
  • No this is not what I wanted to ask. Let me retry asking. The JSON file has a field "passwordHash". How did you get the value of that field? In other words: `"passwordHash": `: how to get that long string? – nalply Nov 29 '17 at 20:38
  • @nalpy the string you are looking for can be acquired by clicking on the 3 vertical dots as shown in the screen shot above. A small menu will popup after pressing the 3 vertical dots and you need to select the menu item: "Password hash parameters". The hash config parameters will then be displayed as described above. – Geoffrey Wall Dec 08 '17 at 17:46
  • 1
    No this is not what I wanted to ask. Let me retry asking. I already have the password hash parameter. But I don't know how to hash the password with the password hash parameters. Whatever I tried it has not been accepted by Firebase authentication. – nalply Dec 10 '17 at 07:52
  • 2
    @nalply Did you get the solution for this? I am facing the same issue. I want a common password i.e. '123456789' for all the new users which I want to import. But how to tell this to firebase, that I am not able to find? – Murtuza Sep 21 '19 at 12:57
  • No, but I found a workaround. Something like recreating the user somewhere else then copying the password hash, but I forgot the exact details. I found this deeply annoying. – nalply Sep 21 '19 at 19:52
  • This note: "(Note that you need to use the firebase instance that you are copying users from, not the one that you are copying users to)" of yours saved me! thanks! – benshabatnoam Dec 21 '21 at 13:18
0

Referring to Firebase documentation - "Firebase Authentication Password Hashing": https://firebaseopensource.com/projects/firebase/scrypt/

Finding the Password Hash Parameters

Firebase generates unique password hash parameters for each Firebase project. To access these parameters, navigate to the 'Users' tab of the 'Authentication' section in the Firebase Console and select 'Password Hash Parameters' from the drop down in the upper-right hand corner of the users table.

Seems like there is no option to fetch hash parameters via cli unfortunately. So, the GUI is the only way, I suppose (as Geoffrey Wall mentioned on their answer).

Karri Rasinmäki
  • 1,019
  • 10
  • 19