Remove (base64) 'REDACTED' passwords from user records. (#660)

rsgowman · web-flow · commit 47c505606015 · 2019-09-27T16:57:38.000-04:00
These values *look* like passwords hashes, but aren't, leading to
potential confusion.

Additionally, added docs to CONTRIBUTING.md detailing how to add the
permission that causes password hashes to be properly returned as well
as adjusting the test failure message should the developer not add that
permission.

b/141189502
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -153,13 +153,21 @@ Then set up your Firebase/GCP project as follows:
    to set up Firestore either in the locked mode or in the test mode.
 2. Enable password auth: Select "Authentication" from the "Develop" menu in
    Firebase Console. Select the "Sign-in method" tab, and enable the
-   "Email/Password" sign-in method.
+   "Email/Password" sign-in method, including the Email link (passwordless
+   sign-in) option.
 3. Enable the IAM API: Go to the
    [Google Cloud Platform Console](https://console.cloud.google.com) and make
    sure your Firebase/GCP project is selected. Select "APIs & Services >
    Dashboard" from the main menu, and click the "ENABLE APIS AND SERVICES"
    button. Search for and enable the "Identity and Access Management (IAM)
    API".
+4. Grant your service account the 'Firebase Authentication Admin' role. This is
+   required to ensure that exported user records contain the password hashes of
+   the user accounts:
+   1. Go to [Google Cloud Platform Console / IAM & admin](https://console.cloud.google.com/iam-admin).
+   2. Find your service account in the list, and click the 'pencil' icon to edit it's permissions.
+   3. Click 'ADD ANOTHER ROLE' and choose 'Firebase Authentication Admin'.
+   4. Click 'SAVE'.
 
 Finally, to run the integration test suite:
 
diff --git a/src/auth/user-record.ts b/src/auth/user-record.ts
@@ -18,6 +18,11 @@ import {deepCopy} from '../utils/deep-copy';
 import * as utils from '../utils';
 import {AuthClientErrorCode, FirebaseAuthError} from '../utils/error';
 
+/**
+ * 'REDACTED', encoded as a base64 string.
+ */
+const B64_REDACTED = Buffer.from('REDACTED').toString('base64');
+
 /**
  * Parses a time stamp string or number and returns the corresponding date if valid.
  *
@@ -173,7 +178,16 @@ export class UserRecord {
       providerData.push(new UserInfo(entry));
     }
     utils.addReadonlyGetter(this, 'providerData', providerData);
-    utils.addReadonlyGetter(this, 'passwordHash', response.passwordHash);
+
+    // If the password hash is redacted (probably due to missing permissions)
+    // then clear it out, similar to how the salt is returned. (Otherwise, it
+    // *looks* like a b64-encoded hash is present, which is confusing.)
+    if (response.passwordHash === B64_REDACTED) {
+      utils.addReadonlyGetter(this, 'passwordHash', undefined);
+    } else {
+      utils.addReadonlyGetter(this, 'passwordHash', response.passwordHash);
+    }
+
     utils.addReadonlyGetter(this, 'passwordSalt', response.salt);
     try {
       utils.addReadonlyGetter(
diff --git a/test/integration/auth.spec.ts b/test/integration/auth.spec.ts
@@ -185,7 +185,21 @@ describe('admin.auth', () => {
         expect(typeof listUsersResult.pageToken).to.equal('string');
         // Confirm each user's uid and the hashed passwords.
         expect(listUsersResult.users[0].uid).to.equal(uids[1]);
+
+        expect(
+            listUsersResult.users[0].passwordHash,
+            'Missing passwordHash field. A common cause would be forgetting to '
+            + 'add the "Firebase Authentication Admin" permission. See '
+            + 'instructions in CONTRIBUTING.md',
+        ).to.be.ok;
         expect(listUsersResult.users[0].passwordHash.length).greaterThan(0);
+
+        expect(
+            listUsersResult.users[0].passwordSalt,
+            'Missing passwordSalt field. A common cause would be forgetting to '
+            + 'add the "Firebase Authentication Admin" permission. See '
+            + 'instructions in CONTRIBUTING.md',
+        ).to.be.ok;
         expect(listUsersResult.users[0].passwordSalt.length).greaterThan(0);
 
         expect(listUsersResult.users[1].uid).to.equal(uids[2]);
diff --git a/test/unit/auth/auth.spec.ts b/test/unit/auth/auth.spec.ts
@@ -1684,7 +1684,6 @@ AUTH_CONFIGS.forEach((testConfig) => {
           });
       });
 
-
       it('should resolve on downloadAccount request success with no users in response', () => {
         // Stub downloadAccount to return expected response.
         const downloadAccountStub = sinon
diff --git a/test/unit/auth/user-record.spec.ts b/test/unit/auth/user-record.spec.ts
@@ -486,6 +486,15 @@ describe('UserRecord', () => {
       expect((new UserRecord(resp)).passwordHash).to.be.undefined;
     });
 
+    it('should clear REDACTED passwordHash', () => {
+      const user = new UserRecord({
+        localId: 'uid1',
+        passwordHash: Buffer.from('REDACTED').toString('base64'),
+      });
+
+      expect(user.passwordHash).to.be.undefined;
+    });
+
     it('should return expected empty string passwordHash', () => {
       // This happens for users that were migrated from other Auth systems
       // using different hashing algorithms.
