The
auth:import
command imports user accounts into Firebase projects.The
auth:export
command exports user accounts to JSON and CSV files.
Password hash parameters
To determine the password hash parameters used for your project navigate to
the Authentication > Users section of the Firebase console and click
the three dots icon above the list of users. You will see a dialog with a list
of password hash parameters you can use with the auth:import
and auth:export
commands:
hash_config {
algorithm: SCRYPT,
base64_signer_key: <...sensitive...>,
base64_salt_separator: <...sensitive...>,
rounds: 8,
mem_cost: 14,
}
These values are sensitive, so store them with care. Most Firebase projects use
SCRYPT
, a modified version of the scrypt hashing algorithm,
which is the default for new projects.
auth:import
firebase auth:import ACCOUNT_FILE \ --hash-algo=HASH_ALGORITHM \ --hash-key=KEY \ --salt-separator=SALT_SEPARATOR \ --rounds=ROUNDS \ --mem-cost=MEM_COST \ --parallelization=PARALLELIZATION \ --block-size=BLOCK_SIZE \ --dk-len=DK_LEN \ --hash-input-order=HASH_INPUT_ORDER
Parameters | |
---|---|
account_file | The CSV or JSON file that contains the user accounts to import. See File format. |
hash-algo | The algorithm used to hash passwords in the user account file. Required to import accounts with password fields. One of the following values: BCRYPT ,
SCRYPT , STANDARD_SCRYPT ,
HMAC_SHA512 , HMAC_SHA256 ,
HMAC_SHA1 , HMAC_MD5 , MD5 ,
SHA512 , SHA256 , SHA1 ,
PBKDF_SHA1 , PBKDF2_SHA256 . |
hash-key | Key used to hash passwords. Required for the SCRYPT , HMAC_SHA512 , HMAC_SHA256 ,
HMAC_SHA1 , and HMAC_MD5 algorithms.
This argument must be formatted as a base64-encoded
string. |
salt-separator | Salt separator which will be appended to salt when verifying password. Optional for all algorithms. This argument must be formatted as a base64-encoded string. |
rounds | The number of rounds used to hash passwords. Required for the SCRYPT , MD5 , SHA512 ,
SHA256 , SHA1 , PBKDF_SHA1 and
PBKDF2_SHA256 algorithms. |
mem-cost | This parameter represents either the memory cost required for the
SCRYPT algorithm OR the CPU/memory cost required for the
STANDARD_SCRYPT algorithm.
|
parallelization | The parallelization of the hashing algorithm. Required for the STANDARD_SCRYPT algorithm. |
block-size | The block size (normally is 8) of the hashing algorithm. Required for the STANDARD_SCRYPT algorithm. |
dk-len | The derived key length of the hashing algorithm. Required for the STANDARD_SCRYPT algorithm. |
hash-input-order | The order of password and salt. Possible values are SALT_FIRST and PASSWORD_FIRST . This flag applies
to SHA512 , SHA256 , SHA1 ,
MD5 , HMAC_SHA512 , HMAC_SHA256 ,
HMAC_SHA1 , and HMAC_MD5 . |
auth:export
firebase auth:export ACCOUNT_FILE --format=FILE_FORMAT
Parameters | |
---|---|
account_file | The CSV or JSON file to export to. See File format. |
file_format | Optional. The file format to export: either CSV or JSON. If the file name specified in the account_file parameter ends
with .csv or .json , that format is used and this
parameter is ignored.
|
File format
The user account file can be formatted as CSV or JSON.
CSV
A CSV user account file has the following format:
Column number | Field description | Field type | Comments |
---|---|---|---|
1 | UID | String | Required This ID should be unique among all accounts in your Firebase projects. If you import an account with a UID that already exists, then the account will be overwritten. |
2 | String | Optional | |
3 | Email Verified | Boolean | Optional |
4 | Password Hash | String | Optional A base64 encoded string. This field requires the caller to have Editor or Owner role. |
5 | Password Salt | String | Optional A base64 encoded string. This field requires the caller to have Editor or Owner role. |
6 | Name | String | Optional |
7 | Photo URL | String | Optional |
8 | Google ID | String | Optional |
9 | Google Email | String | Optional |
10 | Google Display Name | String | Optional |
11 | Google Photo URL | String | Optional |
12 | Facebook ID | String | Optional |
13 | Facebook Email | String | Optional |
14 | Facebook Display Name | String | Optional |
15 | Facebook Photo URL | String | Optional |
16 | Twitter ID | String | Optional |
17 | Twitter Email | String | Optional |
18 | Twitter Display Name | String | Optional |
19 | Twitter Photo URL | String | Optional |
20 | GitHub ID | String | Optional |
21 | GitHub Email | String | Optional |
22 | GitHub Display Name | String | Optional |
23 | GitHub Photo URL | String | Optional |
24 | User Creation Time | Long | Optional Epoch Unix Timestamp in milliseconds. |
25 | Last Sign-In Time | Long | Optional Epoch Unix Timestamp in milliseconds. |
26 | Phone Number | String | Optional |
If you leave an optional value unspecified, ensure that you still include an empty field for the value. An empty field can be any number of space characters.
For example, the following line represents a user account:
111, test@test.org, false, Jlf7onfLbzqPNFP/1pqhx6fQF/w=, c2FsdC0x, Test User, http://photo.com/123, , , , , 123, test@test.org, Test FB User, http://photo.com/456, , , , , , , , , 1486324027000, 1486324027000
JSON
A JSON user account file has the following format:
{ "users": [ { "localId": UID, "email": EMAIL_ADDRESS "emailVerified": EMAIL_VERIFIED, "passwordHash": BASE64_ENCODED_PASSWORD_HASH, "salt": BASE64_ENCODED_PASSWORD_SALT, "displayName": NAME, "photoUrl": PHOTO_URL, "createdAt": CREATED_AT_IN_MILLIS, "lastSignedInAt": LAST_SIGNEDIN_AT_IN_MILLIS, "phoneNumber": PHONE_NUMBER "providerUserInfo": [ { "providerId": PROVIDER_ID, "rawId": PROVIDER_UID, "email": PROVIDER_EMAIL, "displayName": PROVIDER_NAME, "photoUrl": PROVIDER_PHOTO_URL }, ... ] }, ... ] }
Replace PROVIDER_ID with one of the following values:
google.com
facebook.com
github.com
twitter.com