Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Password validation can be improved #527

Closed
c-2002 opened this issue May 10, 2019 · 1 comment
Closed

Password validation can be improved #527

c-2002 opened this issue May 10, 2019 · 1 comment
Labels
api: auth

Comments

@c-2002
Copy link

c-2002 commented May 10, 2019

[READ] Step 1: Are you in the right place?

Yes :)

[REQUIRED] Step 2: Describe your environment

  • Operating System version: OSX 10.14.4
  • Firebase SDK version: 7.3.0
  • Library version: 6.9.1
  • Firebase Product: auth
>> firebase --version
6.9.1

[REQUIRED] Step 3: Describe the problem

The password check of admin.auth().createUser(...) does not consider a password value of "undefined". If the password is undefined, the user will be created without any problems.

In my opinion a undefined string should throw an error as well.

Steps to reproduce:

Take the code from below and set different values for the constant value "myPassword" and run it with "npm yourscriptname.js".

Test cases:

Value of myPassword Result Expected result?
a string longer than 6 characters no error yes
a 6 character string no error yes
a string shorter than 6 characters error yes
an empty string ("") error yes
null error yes
undefined no error no

Relevant Code:

const admin = require("firebase-admin");

// FIXME Please change file location
const serviceAccount = require("./config/firebase-adminsdk.json");

admin.initializeApp({
  credential: admin.credential.cert(serviceAccount),
  // FIXME Please change URL
  databaseURL: "https://a-sample-project.firebaseio.com"
});

const myPassword = undefined; // enter values here

const user = {
  email: "[email protected]",
  emailVerified: false,
  password: myPassword,
  displayName: "A nice test person",
  disabled: false
};

admin
  .auth()
  .createUser(user)
  .then(userRecord => {
    console.log(userRecord);
  })
  .catch(error => {
    const e = error.errorInfo;
    console.log(JSON.stringify(e));
  });

If the password does not match the password rules of Firebase the following error will be shown (catch case):

{
  "code": "auth/invalid-password",
  "message":" The password must be a string with at least 6 characters."
}
@hiranya911
Copy link
Contributor

Password is optional for user accounts. Therefore it's perfectly valid to create a user account without any password. Our validation therefore triggers only when something other than undefined is specified as a password.

@snyk-bot snyk-bot mentioned this issue Dec 24, 2020
Open
@snyk-bot snyk-bot mentioned this issue Sep 6, 2021
Open
@Jeremip11 Jeremip11 mentioned this issue Oct 27, 2023
Open
@Jeremip11 Jeremip11 mentioned this issue Dec 14, 2023
Open
This was referenced Jan 1, 2024
Open
Open
@Jeremip11 Jeremip11 mentioned this issue Mar 15, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
api: auth
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hiranya911 @c-2002 @google-oss-bot