Merge dev into master

CONTRIBUTING.md

@@ -137,6 +137,14 @@ required to ensure that exported user records contain the password hashes of the
 3. Click 'ADD ANOTHER ROLE' and choose 'Firebase Authentication Admin'.
 4. Click 'SAVE'.
 
+Some of the integration tests require an
+[Identity Platform](https://cloud.google.com/identity-platform/) project with multi-tenancy
+[enabled](https://cloud.google.com/identity-platform/docs/multi-tenancy-quickstart#enabling_multi-tenancy).
+An existing Firebase project can be upgraded to an Identity Platform project without losing any
+functionality via the
+[Identity Platform Marketplace Page](https://console.cloud.google.com/customer-identity). Note that
+charges may be incurred for active users beyond the Identity Platform free tier.
+
 Now you can invoke the test suite as follows:
 
 ```bash

auth/auth.go

@@ -138,8 +138,8 @@ func NewClient(ctx context.Context, conf *internal.AuthConfig) (*Client, error)
 //   - If the SDK was initialized with service account credentials, uses the private key present in
 //     the credentials to sign tokens locally.
 //   - If a service account email was specified during initialization (via firebase.Config struct),
-//     calls the IAM service with that email to sign tokens remotely. See
-//     https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signBlob.
+//     calls the IAMCredentials service with that email to sign tokens remotely. See
+//     https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signBlob.
 //   - If the code is deployed in the Google App Engine standard environment, uses the App Identity
 //     service to sign tokens. See https://cloud.google.com/appengine/docs/standard/go/reference#SignBytes.
 //   - If the code is deployed in a different GCP-managed environment (e.g. Google Compute Engine),

auth/hash/hash.go

@@ -25,6 +25,16 @@ import (
 	"firebase.google.com/go/v4/internal"
 )
 
+// InputOrderType specifies the order in which users' passwords/salts are hashed
+type InputOrderType int
+
+// Available InputOrderType values
+const (
+	InputOrderUnspecified InputOrderType = iota
+	InputOrderSaltFirst
+	InputOrderPasswordFirst
+)
+
 // Bcrypt represents the BCRYPT hash algorithm.
 //
 // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_bcrypt_hashed_passwords
@@ -96,12 +106,13 @@ func (s Scrypt) Config() (internal.HashConfig, error) {
 // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_hmac_hashed_passwords
 // for more details. Key is required.
 type HMACMD5 struct {
-	Key []byte
+	Key        []byte
+	InputOrder InputOrderType
 }
 
 // Config returns the validated hash configuration.
 func (h HMACMD5) Config() (internal.HashConfig, error) {
-	return hmacConfig("HMAC_MD5", h.Key)
+	return hmacConfig("HMAC_MD5", h.Key, h.InputOrder)
 }
 
 // HMACSHA1 represents the HMAC SHA512 hash algorithm.
@@ -110,12 +121,13 @@ func (h HMACMD5) Config() (internal.HashConfig, error) {
 // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_hmac_hashed_passwords
 // for more details.
 type HMACSHA1 struct {
-	Key []byte
+	Key        []byte
+	InputOrder InputOrderType
 }
 
 // Config returns the validated hash configuration.
 func (h HMACSHA1) Config() (internal.HashConfig, error) {
-	return hmacConfig("HMAC_SHA1", h.Key)
+	return hmacConfig("HMAC_SHA1", h.Key, h.InputOrder)
 }
 
 // HMACSHA256 represents the HMAC SHA512 hash algorithm.
@@ -124,12 +136,13 @@ func (h HMACSHA1) Config() (internal.HashConfig, error) {
 // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_hmac_hashed_passwords
 // for more details.
 type HMACSHA256 struct {
-	Key []byte
+	Key        []byte
+	InputOrder InputOrderType
 }
 
 // Config returns the validated hash configuration.
 func (h HMACSHA256) Config() (internal.HashConfig, error) {
-	return hmacConfig("HMAC_SHA256", h.Key)
+	return hmacConfig("HMAC_SHA256", h.Key, h.InputOrder)
 }
 
 // HMACSHA512 represents the HMAC SHA512 hash algorithm.
@@ -138,12 +151,13 @@ func (h HMACSHA256) Config() (internal.HashConfig, error) {
 // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_hmac_hashed_passwords
 // for more details.
 type HMACSHA512 struct {
-	Key []byte
+	Key        []byte
+	InputOrder InputOrderType
 }
 
 // Config returns the validated hash configuration.
 func (h HMACSHA512) Config() (internal.HashConfig, error) {
-	return hmacConfig("HMAC_SHA512", h.Key)
+	return hmacConfig("HMAC_SHA512", h.Key, h.InputOrder)
 }
 
 // MD5 represents the MD5 hash algorithm.
@@ -152,12 +166,13 @@ func (h HMACSHA512) Config() (internal.HashConfig, error) {
 // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_md5_sha_and_pbkdf_hashed_passwords
 // for more details.
 type MD5 struct {
-	Rounds int
+	Rounds     int
+	InputOrder InputOrderType
 }
 
 // Config returns the validated hash configuration.
 func (h MD5) Config() (internal.HashConfig, error) {
-	return basicConfig("MD5", h.Rounds)
+	return basicConfig("MD5", h.Rounds, h.InputOrder)
 }
 
 // PBKDF2SHA256 represents the PBKDF2SHA256 hash algorithm.
@@ -171,7 +186,7 @@ type PBKDF2SHA256 struct {
 
 // Config returns the validated hash configuration.
 func (h PBKDF2SHA256) Config() (internal.HashConfig, error) {
-	return basicConfig("PBKDF2_SHA256", h.Rounds)
+	return basicConfig("PBKDF2_SHA256", h.Rounds, InputOrderUnspecified)
 }
 
 // PBKDFSHA1 represents the PBKDFSHA1 hash algorithm.
@@ -185,7 +200,7 @@ type PBKDFSHA1 struct {
 
 // Config returns the validated hash configuration.
 func (h PBKDFSHA1) Config() (internal.HashConfig, error) {
-	return basicConfig("PBKDF_SHA1", h.Rounds)
+	return basicConfig("PBKDF_SHA1", h.Rounds, InputOrderUnspecified)
 }
 
 // SHA1 represents the SHA1 hash algorithm.
@@ -194,12 +209,13 @@ func (h PBKDFSHA1) Config() (internal.HashConfig, error) {
 // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_md5_sha_and_pbkdf_hashed_passwords
 // for more details.
 type SHA1 struct {
-	Rounds int
+	Rounds     int
+	InputOrder InputOrderType
 }
 
 // Config returns the validated hash configuration.
 func (h SHA1) Config() (internal.HashConfig, error) {
-	return basicConfig("SHA1", h.Rounds)
+	return basicConfig("SHA1", h.Rounds, h.InputOrder)
 }
 
 // SHA256 represents the SHA256 hash algorithm.
@@ -208,12 +224,13 @@ func (h SHA1) Config() (internal.HashConfig, error) {
 // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_md5_sha_and_pbkdf_hashed_passwords
 // for more details.
 type SHA256 struct {
-	Rounds int
+	Rounds     int
+	InputOrder InputOrderType
 }
 
 // Config returns the validated hash configuration.
 func (h SHA256) Config() (internal.HashConfig, error) {
-	return basicConfig("SHA256", h.Rounds)
+	return basicConfig("SHA256", h.Rounds, h.InputOrder)
 }
 
 // SHA512 represents the SHA512 hash algorithm.
@@ -222,25 +239,32 @@ func (h SHA256) Config() (internal.HashConfig, error) {
 // Refer to https://firebase.google.com/docs/auth/admin/import-users#import_users_with_md5_sha_and_pbkdf_hashed_passwords
 // for more details.
 type SHA512 struct {
-	Rounds int
+	Rounds     int
+	InputOrder InputOrderType
 }
 
 // Config returns the validated hash configuration.
 func (h SHA512) Config() (internal.HashConfig, error) {
-	return basicConfig("SHA512", h.Rounds)
+	return basicConfig("SHA512", h.Rounds, h.InputOrder)
 }
 
-func hmacConfig(name string, key []byte) (internal.HashConfig, error) {
+func hmacConfig(name string, key []byte, order InputOrderType) (internal.HashConfig, error) {
 	if len(key) == 0 {
 		return nil, errors.New("signer key not specified")
 	}
-	return internal.HashConfig{
+	conf := internal.HashConfig{
 		"hashAlgorithm": name,
 		"signerKey":     base64.RawURLEncoding.EncodeToString(key),
-	}, nil
+	}
+	if order == InputOrderSaltFirst {
+		conf["passwordHashOrder"] = "SALT_AND_PASSWORD"
+	} else if order == InputOrderPasswordFirst {
+		conf["passwordHashOrder"] = "PASSWORD_AND_SALT"
+	}
+	return conf, nil
 }
 
-func basicConfig(name string, rounds int) (internal.HashConfig, error) {
+func basicConfig(name string, rounds int, order InputOrderType) (internal.HashConfig, error) {
 	minRounds := 0
 	maxRounds := 120000
 	switch name {
@@ -253,8 +277,15 @@ func basicConfig(name string, rounds int) (internal.HashConfig, error) {
 	if rounds < minRounds || maxRounds < rounds {
 		return nil, fmt.Errorf("rounds must be between %d and %d", minRounds, maxRounds)
 	}
-	return internal.HashConfig{
+
+	conf := internal.HashConfig{
 		"hashAlgorithm": name,
 		"rounds":        rounds,
-	}, nil
+	}
+	if order == InputOrderSaltFirst {
+		conf["passwordHashOrder"] = "SALT_AND_PASSWORD"
+	} else if order == InputOrderPasswordFirst {
+		conf["passwordHashOrder"] = "PASSWORD_AND_SALT"
+	}
+	return conf, nil
 }