Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add support for migration of firebase scrypt passwords #1768

Merged
merged 1 commit into from
Sep 26, 2024

Conversation

J0
Copy link
Contributor

@J0 J0 commented Sep 6, 2024

What kind of change does this PR introduce?

Fix #1750. Firebase uses a modified version of scrypt We add support for Firebase Scrypt hashes so that developers can move over from Firebase (or similar) without the obligation to force a password reset for all users.

As there is no pre-defined convention for Firebase scrypt hashes, we establish the following:

$fbscrypt$v=1,n=<N>,r=<r>,p=<p>,ss=<salt_separator>,sk=<signer_key>$<salt>$<hash>
$fbscrypt: Firebase scrypt Identifier
$v: version identifier. Intended to allow for flexibility in parameters used.
$n: N is the CPU/memory cost parameter.
$r: block size
$p: parallelization
$ss: salt seperator, optional, only if using firebase,  base64-encoded string used to separate the salt from other parameters.
$sk: signer key, a base64-encoded string used as an additional input to the hash function.
$<salt>: base64 encoded salt
$<hash>: base64 encoded output

Developers can extract their hash parameters from the firebase console

For testing and debugging, clone this utility and follow the instructions in BUILDING.

On MacOS please add the following flags when attempting to build so as to guard against error: AES_FUNCTION missing

export CFLAGS="-I$(brew --prefix openssl)/include"
export LDFLAGS="-L$(brew --prefix openssl)/lib -L/usr/local/opt/openssl/lib"

More details about export from CLI

You'll can then to use the admin method to update the PasswordHash

internal/crypto/password.go Outdated Show resolved Hide resolved
@hf
Copy link
Contributor

hf commented Sep 24, 2024

Would prefer if the name for the Firebase scrypt be fbscrypt instead of scrypt.

@J0 J0 force-pushed the j0/add_scrypt_password_hash branch 2 times, most recently from ba549df to 5d88639 Compare September 25, 2024 06:47
@coveralls
Copy link

coveralls commented Sep 25, 2024

Pull Request Test Coverage Report for Build 11048130786

Details

  • 91 of 121 (75.21%) changed or added relevant lines in 2 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.1%) to 57.916%

Changes Missing Coverage Covered Lines Changed/Added Lines %
internal/crypto/password.go 85 115 73.91%
Totals Coverage Status
Change from base Build 11017821166: 0.1%
Covered Lines: 9332
Relevant Lines: 16113

💛 - Coveralls

internal/crypto/password.go Outdated Show resolved Hide resolved
@J0 J0 marked this pull request as ready for review September 25, 2024 12:08
@J0 J0 requested a review from a team as a code owner September 25, 2024 12:08
@J0 J0 force-pushed the j0/add_scrypt_password_hash branch from df090f3 to d524770 Compare September 25, 2024 12:10
internal/crypto/password.go Outdated Show resolved Hide resolved
@J0 J0 changed the title fix: add support for migration of scrypt passwords feat: add support for migration of firebase scrypt passwords Sep 25, 2024
Copy link
Contributor

@hf hf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Thanks!

@J0 J0 force-pushed the j0/add_scrypt_password_hash branch from d524770 to e3768ab Compare September 26, 2024 08:05
@J0 J0 merged commit ba00f75 into master Sep 26, 2024
2 checks passed
@J0 J0 deleted the j0/add_scrypt_password_hash branch September 26, 2024 08:13
kangmingtay pushed a commit that referenced this pull request Sep 27, 2024
🤖 I have created a release *beep* *boop*
---


##
[2.162.0](v2.161.0...v2.162.0)
(2024-09-27)


### Features

* add support for migration of firebase scrypt passwords
([#1768](#1768))
([ba00f75](ba00f75))


### Bug Fixes

* apply authorized email restriction to non-admin routes
([#1778](#1778))
([1af203f](1af203f))
* magiclink failing due to passwordStrength check
([#1769](#1769))
([7a5411f](7a5411f))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
hf pushed a commit to supabase/auth-js that referenced this pull request Dec 26, 2024
## What kind of change does this PR introduce?

As per title - relevant PR: supabase/auth#1768
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment