Reject rounds=0 for SHA1 hashes (#677)

Port of firebase/firebase-tools#1701

Author: rsgowman

src/auth/user-import-builder.ts

@@ -344,6 +344,22 @@ export class UserImportBuilder {
       case 'SHA1':
       case 'SHA256':
       case 'SHA512':
+        // MD5 is [0,8192] but SHA1, SHA256, and SHA512 are [1,8192]
+        rounds = getNumberField(options.hash, 'rounds');
+        const minRounds = options.hash.algorithm === 'MD5' ? 0 : 1;
+        if (isNaN(rounds) || rounds < minRounds || rounds > 8192) {
+          throw new FirebaseAuthError(
+            AuthClientErrorCode.INVALID_HASH_ROUNDS,
+            `A valid "hash.rounds" number between ${minRounds} and 8192 must be provided for ` +
+            `hash algorithm ${options.hash.algorithm}.`,
+          );
+        }
+        populatedOptions = {
+          hashAlgorithm: options.hash.algorithm,
+          rounds,
+        };
+        break;
+
       case 'PBKDF_SHA1':
       case 'PBKDF2_SHA256':
         rounds = getNumberField(options.hash, 'rounds');

test/integration/auth.spec.ts

@@ -1331,7 +1331,7 @@ describe('admin.auth', () => {
         importOptions: {
           hash: {
             algorithm: 'SHA256',
-            rounds: 0,
+            rounds: 1,
           },
         } as any,
         computePasswordHash: (userImportTest: UserImportTest): Buffer => {

test/unit/auth/user-import-builder.spec.ts

@@ -207,12 +207,34 @@ describe('UserImportBuilder', () => {
 
     md5ShaPbkdfAlgorithms.forEach((algorithm) => {
       describe(`${algorithm}`, () => {
-        const invalidRounds = [-1, 120001, 'invalid', undefined, null];
+        let minRounds: number;
+        let maxRounds: number;
+        switch (algorithm) {
+          case 'MD5':
+            minRounds = 0;
+            maxRounds = 8192;
+            break;
+          case 'SHA1':
+          case 'SHA256':
+          case 'SHA512':
+            minRounds = 1;
+            maxRounds = 8192;
+            break;
+          case 'PBKDF_SHA1':
+          case 'PBKDF2_SHA256':
+            minRounds = 0;
+            maxRounds = 120000;
+            break;
+          default:
+            throw new Error('Unexpected algorithm: ' + algorithm);
+        }
+        const invalidRounds = [minRounds - 1, maxRounds + 1, 'invalid', undefined, null];
+
         invalidRounds.forEach((rounds) => {
           it(`should throw when ${JSON.stringify(rounds)} rounds provided`, () => {
             const expectedError = new FirebaseAuthError(
               AuthClientErrorCode.INVALID_HASH_ROUNDS,
-              `A valid "hash.rounds" number between 0 and 120000 must be provided for ` +
+              `A valid "hash.rounds" number between ${minRounds} and ${maxRounds} must be provided for ` +
               `hash algorithm ${algorithm}.`,
             );
             const invalidOptions = {
@@ -231,12 +253,12 @@ describe('UserImportBuilder', () => {
           const validOptions = {
             hash: {
               algorithm,
-              rounds: 120000,
+              rounds: maxRounds,
             },
           };
           const expectedRequest = {
             hashAlgorithm: algorithm,
-            rounds: 120000,
+            rounds: maxRounds,
             users: expectedUsersRequest,
           };
           const userImportBuilder =