Remove (base64) 'REDACTED' passwords from user records. (#277)

rsgowman · web-flow · commit 851c0a29698b · 2019-10-01T09:41:58.000-04:00
These values look like passwords hashes, but aren't, leading to
potential confusion.

Additionally, added docs to CONTRIBUTING.md detailing how to add the
permission that causes password hashes to be properly returned as well
as adjusting the test failure message should the developer not add that
permission.

b/141189502
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -130,6 +130,13 @@ following credentials from the project:
    your Go workspace as
    `src/firebase.google.com/go/testdata/integration_apikey.txt`.
 
+You'll also need to grant your service account the 'Firebase Authentication Admin' role. This is
+required to ensure that exported user records contain the password hashes of the user accounts:
+1. Go to [Google Cloud Platform Console / IAM & admin](https://console.cloud.google.com/iam-admin).
+2. Find your service account in the list, and click the 'pencil' icon to edit it's permissions.
+3. Click 'ADD ANOTHER ROLE' and choose 'Firebase Authentication Admin'.
+4. Click 'SAVE'.
+
 Now you can invoke the test suite as follows:
 
 ```bash
diff --git a/auth/user_mgt.go b/auth/user_mgt.go
@@ -16,6 +16,7 @@ package auth
 
 import (
 	"context"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -35,6 +36,9 @@ const (
 	idToolkitV1Endpoint = "https://identitytoolkit.googleapis.com/v1"
 )
 
+// 'REDACTED', encoded as a base64 string.
+var b64Redacted = base64.StdEncoding.EncodeToString([]byte("REDACTED"))
+
 // UserInfo is a collection of standard profile information for a user.
 type UserInfo struct {
 	DisplayName string `json:"displayName,omitempty"`
@@ -595,6 +599,14 @@ func (r *userQueryResponse) makeExportedUserRecord() (*ExportedUserRecord, error
 		}
 	}
 
+	// If the password hash is redacted (probably due to missing permissions)
+	// then clear it out, similar to how the salt is returned. (Otherwise, it
+	// *looks* like a b64-encoded hash is present, which is confusing.)
+	hash := r.PasswordHash
+	if hash == b64Redacted {
+		hash = ""
+	}
+
 	return &ExportedUserRecord{
 		UserRecord: &UserRecord{
 			UserInfo: &UserInfo{
@@ -615,7 +627,7 @@ func (r *userQueryResponse) makeExportedUserRecord() (*ExportedUserRecord, error
 				CreationTimestamp:  r.CreationTimestamp,
 			},
 		},
-		PasswordHash: r.PasswordHash,
+		PasswordHash: hash,
 		PasswordSalt: r.PasswordSalt,
 	}, nil
 }
diff --git a/auth/user_mgt_test.go b/auth/user_mgt_test.go
@@ -995,7 +995,7 @@ func TestInvalidDeleteUser(t *testing.T) {
 }
 
 func TestMakeExportedUser(t *testing.T) {
-	rur := &userQueryResponse{
+	queryResponse := &userQueryResponse{
 		UID:                "testuser",
 		Email:              "testuser@example.com",
 		PhoneNumber:        "+1234567890",
@@ -1028,7 +1028,7 @@ func TestMakeExportedUser(t *testing.T) {
 		PasswordHash: "passwordhash",
 		PasswordSalt: "salt",
 	}
-	exported, err := rur.makeExportedUserRecord()
+	exported, err := queryResponse.makeExportedUserRecord()
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1045,6 +1045,21 @@ func TestMakeExportedUser(t *testing.T) {
 	}
 }
 
+func TestExportedUserRecordShouldClearRedacted(t *testing.T) {
+	queryResponse := &userQueryResponse{
+		UID:          "uid1",
+		PasswordHash: base64.StdEncoding.EncodeToString([]byte("REDACTED")),
+	}
+
+	exported, err := queryResponse.makeExportedUserRecord()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if exported.PasswordHash != "" {
+		t.Errorf("PasswordHash = %q; want = ''", exported.PasswordHash)
+	}
+}
+
 func TestSessionCookie(t *testing.T) {
 	resp := `{
 		"sessionCookie": "expectedCookie"
diff --git a/integration/auth/user_mgt_test.go b/integration/auth/user_mgt_test.go
@@ -107,6 +107,9 @@ func TestDeleteNonExistingUser(t *testing.T) {
 }
 
 func TestListUsers(t *testing.T) {
+	errMsgTemplate := "Users() %s = empty; want = non-empty. A common cause would be " +
+		"forgetting to add the 'Firebase Authentication Admin' permission. See " +
+		"instructions in CONTRIBUTING.md"
 	newUsers := map[string]bool{}
 	user := newUserWithParams(t)
 	defer deleteUser(user.UID)
@@ -133,7 +136,10 @@ func TestListUsers(t *testing.T) {
 		if _, ok := newUsers[u.UID]; ok {
 			count++
 			if u.PasswordHash == "" {
-				t.Errorf("Users() PasswordHash = empty; want = non-empty")
+				t.Errorf(errMsgTemplate, "PasswordHash")
+			}
+			if u.PasswordSalt == "" {
+				t.Errorf(errMsgTemplate, "PasswordSalt")
 			}
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -107,6 +107,9 @@ func TestDeleteNonExistingUser(t *testing.T) {`
`107`	`107`	`}`
`108`	`108`
`109`	`109`	`func TestListUsers(t *testing.T) {`
	`110`	`+ errMsgTemplate := "Users() %s = empty; want = non-empty. A common cause would be " +`
	`111`	`+ "forgetting to add the 'Firebase Authentication Admin' permission. See " +`
	`112`	`+ "instructions in CONTRIBUTING.md"`
`110`	`113`	`newUsers := map[string]bool{}`
`111`	`114`	`user := newUserWithParams(t)`
`112`	`115`	`defer deleteUser(user.UID)`
`@@ -133,7 +136,10 @@ func TestListUsers(t *testing.T) {`
`133`	`136`	`if _, ok := newUsers[u.UID]; ok {`
`134`	`137`	`count++`
`135`	`138`	`if u.PasswordHash == "" {`
`136`		`- t.Errorf("Users() PasswordHash = empty; want = non-empty")`
	`139`	`+ t.Errorf(errMsgTemplate, "PasswordHash")`
	`140`	`+ }`
	`141`	`+ if u.PasswordSalt == "" {`
	`142`	`+ t.Errorf(errMsgTemplate, "PasswordSalt")`
`137`	`143`	`}`
`138`	`144`	`}`
`139`	`145`	`}`