Irina Rapoport

Reputation: 1692

How do I migrate to hashed Firebase passwords?

I have an existing client, which calls a server, which in turn calls

https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword

With that, the client POSTs to the server (and the server, to Firebase) an unhashed password over HTTPS.

I would like to salt/hash the password on the client. I am at liberty to use the same algorithm Firebase uses. But I don't see a method for sending a hashed password to Firebase. And I have existing users who, of course, can't lose access with this migration.

Upvotes: 1

Views: 572

Answers (1)

Frank van Puffelen

Reputation: 599621

To sign in to Firebase Authentication's email/password provider, you have to send the password in cleartext over a secure connection. There is no way to change this.

It is not a security risk to send the password in cleartext, as the secure connection is end-to-end encrypted, so the only two sides who can see the data can already access it anyway. If somebody can intercept the data and decrypt it, it means they have access to the certificate of your secure connection, which is a much broader security risk.

If you want to sign in with a password in a different form, the only way to do that is by implementing your own custom provider on top of Firebase Authentication.

Upvotes: 3
