firebase-admin-node

Invalid hash rounds for round = 0 and for algorithms PBKDF_SHA1 / PBKDF2_SHA256

Open pagomide opened this issue 4 years ago • 1 comments

Describe your environment

  • Operating System version: macOS Big Sur v11.2.3
  • Firebase SDK version: 9.6.0
  • Firebase Product: auth
  • Node.js version: 15.14.0
  • NPM version: 7.9.0

Describe the problem

Steps to reproduce:

In the function admin.auth().importUsers(), set the hash options to "algorithm" PBKDF_SHA1 or PBKDF2_SHA256 and "rounds" equal to 0. A rounds value equal to zero is being considered invalid. The documentation states that values between 0 and 120000 are possible.

Server returning this error:

errorInfo: {
    code: 'auth/internal-error',
    message: 'An internal error has occurred. Raw server response: "{"error":{"code":400,"message":"INVALID_HASH_ROUNDS","errors":[{"message":"INVALID_HASH_ROUNDS","domain":"global","reason":"invalid"}]}}"'
  },
codePrefix: 'auth'

Relevant Code:

admin
  .auth()
  .importUsers(
    [
      {
        uid: 'some-uid',
        email: '[email protected]',
        // Must be provided in a byte buffer.
        passwordHash: Buffer.from('password-hash'),
        // Must be provided in a byte buffer.
        passwordSalt: Buffer.from('salt'),
      },
    ],
    {
      hash: {
        algorithm: 'PBKDF2_SHA256',
        rounds: 0,
      },
    }
  )
  .then((results) => {
    results.errors.forEach((indexedError) => {
      console.log(`Error importing user ${indexedError.index}`);
    });
  })
  .catch((error) => {
    console.log('Error importing users :', error);
  });

pagomide, Apr 11 '21 10:04

Hmm, after some investigation, our backend does not support zero rounds values. Unfortunately, this was copied from the CLI implementation. We will need to make some changes to reflect this. I don't believe a 0 value is used in practice which may explain why this did not surface until now.

bojeil-google, Apr 12 '21 17:04
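A pre-import check for the hash options discussed in this thread, as an added example that is not part of the issue or of the SDK. It rejects a rounds value the backend will refuse, then re-derives one known test account's hash to confirm the declared rounds match the legacy system before a bulk import. The helper names, the sample record, the lower bound of 1 (inferred from the reply that zero is not supported) and the premise that the legacy hashes are standard PBKDF2 output are assumptions.

```javascript
const crypto = require('crypto');

// Firebase algorithm name -> Node digest name (the two algorithms named in the issue).
const DIGESTS = { PBKDF_SHA1: 'sha1', PBKDF2_SHA256: 'sha256' };
const MIN_ROUNDS = 1;      // assumption: the reply only says that 0 is not supported
const MAX_ROUNDS = 120000; // upper bound quoted from the documentation in the report

// Hypothetical helper: returns a list of problems; an empty list means the options can be sent.
function checkHashOptions(hash) {
  const problems = [];
  if (!(hash.algorithm in DIGESTS)) {
    problems.push(`algorithm not covered by this check: ${hash.algorithm}`);
  }
  if (!Number.isInteger(hash.rounds) || hash.rounds < MIN_ROUNDS || hash.rounds > MAX_ROUNDS) {
    problems.push(`rounds must be an integer in [${MIN_ROUNDS}, ${MAX_ROUNDS}], got ${hash.rounds}`);
  }
  return problems;
}

// Hypothetical helper: re-derive a known test account's hash with the declared
// parameters. A mismatch means imported users would fail to sign in after import.
function optionsMatchRecord(hash, record, knownPassword) {
  if (checkHashOptions(hash).length > 0) return false;
  const derived = crypto.pbkdf2Sync(knownPassword, record.passwordSalt, hash.rounds,
    record.passwordHash.length, DIGESTS[hash.algorithm]);
  return crypto.timingSafeEqual(derived, record.passwordHash);
}

// Constructed sample: a test account hashed the way the assumed legacy system does it.
const legacyRounds = 10000;
const salt = Buffer.from('constructed-salt');
const sample = {
  uid: 'some-uid',
  passwordSalt: salt,
  passwordHash: crypto.pbkdf2Sync('test-password', salt, legacyRounds, 32, 'sha256'),
};

function demo() {
  const algorithm = 'PBKDF2_SHA256';
  return {
    zeroRounds: checkHashOptions({ algorithm, rounds: 0 }),
    rightRounds: optionsMatchRecord({ algorithm, rounds: legacyRounds }, sample, 'test-password'),
    wrongRounds: optionsMatchRecord({ algorithm, rounds: 1 }, sample, 'test-password'),
  };
}

console.log(demo());
```

Running the check locally turns the opaque auth/internal-error into a specific message, and the re-derivation catches a wrong rounds value that the import itself would accept.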