Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updating argon2 password guidance. #848

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

oeribo
Copy link

@oeribo oeribo commented Aug 2, 2023

Hey there! So you want to contribute to a Firebase SDK?
Before you file this pull request, please read these guidelines:

Discussion

  • Read the contribution guidelines (CONTRIBUTING.md).
  • If this has been discussed in an issue, make sure to link to the issue here.
    If not, go file an issue about this before creating a pull request to discuss.

Testing

  • Make sure all existing tests in the repository pass after your change.
  • If you fixed a bug or added a feature, add a new test to cover your code.

API Changes

  • At this time we cannot accept changes that affect the public API. If you'd like to help
    us make Firebase APIs better, please propose your change in an issue so that we
    can discuss it together.

.setPasswordSalt("salt".getBytes())
.setEmailVerified(true)
.setPasswordSalt(Base64.getDecoder().decode("VERvRWRsRklaVERQckJzUg")) // Provide the password salt only
.setPasswordHash(Base64.getDecoder().decode("dYpfJgmRyTZefxRiToYFpO+4PyaHPsHIKz5VI/FE06w")) // Provide the password key only
Copy link
Contributor

@ssbushi ssbushi Oct 10, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @oeribo,

Thank you very much for contributing.

  • Could you provide a little more context on the new guidance that you are suggesting for Argon2 here? It looks like to me that you're trying to match other snippets that use the Base64 decoding libraries in the other examples from https://firebase.google.com/docs/auth/admin/import-users#java_2 (which is perfectly fine! I wanted to make sure that I got this right).

.setPasswordHash("password-hash".getBytes())
.setPasswordSalt("salt".getBytes())
.setEmailVerified(true)
.setPasswordSalt(Base64.getDecoder().decode("VERvRWRsRklaVERQckJzUg")) // Provide the password salt only
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this is just a snippet, could you please revert this string back to the the descriptive version ("password-hash" or "salt"), since it makes it clearer to the developer where this input comes from, and matches other examples.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants