My take on... Moving accounts between Firebase's projects


Whether you want to move your dev accounts between environments or want to make a backup of the accounts in production before a potential change in your app, it's always a good idea to know how to handle your app's accounts.

Firebase has a pretty straightforward Authentication system (not so with Authorization, but that's a topic for another time).

This post shows how to export and import Firebase Authentication's accounts to do any of the former actions (move, backup) and also a couple of tips on handling environment variables.

Environment variables

I may have a post explaining this in more detail but, in summary, I have at least two files: a public and a private environment file. The public one is committed to the repo, the private one is not.

Then I use combine-files and dotenv to merge the files and have them available when running npm scripts.

Variables needed

For this to work (especially the import) we are going to set some variables. Those that are secret, as we said before, are going to be set in the private .env file.

  • FIREBASE_TOKEN (private) - Token to use when running firebase commands, its value must be the result of running firebase login:ci
  • ACCOUNTS_FILE (public) - Name of the accounts file.*
  • HASH_KEY (private) - Key used to hash passwords.*
  • SALT_SEPARATOR (private) - Salt separator which will be appended to salt when verifying password.*
  • ROUNDS (private) - The number of rounds used to hash passwords.*
  • MEM_COST (private) - This parameter represents either the memory cost required for the SCRYPT algorithm OR the CPU/memory cost required for the STANDARD_SCRYPT algorithm.*

*Taken from the Firebase Auth documentation.

You can find the HASH_KEY, SALT_SEPARATOR, ROUNDS and MEM_COST in Authentication > Hash Parameters (it's hidden in the three dots on the right of the filter, next to the Add user button).


Export

Before doing anything, it's always a good idea to confirm we are on the correct Firebase project. We can use firebase projects:list to see the list of projects we are part of, with the one that is currently set highlighted. If we want to change the project, we can use firebase use <projectId>, taking the project id from that list.

Now that we are sure we are on the correct project and the variables are set, we can run the command to export the accounts.

dotenv -e .env -- cross-var firebase auth:export %ACCOUNTS_FILE% --format=JSON --token %FIREBASE_TOKEN%

Here we use dotenv to fetch the variables from the .env file, then we use cross-var to make them available no matter the OS where this is executed. After that comes the firebase command, with the accounts file name we set, the format we want for the accounts file, and the token that identifies us to Firebase.

Import

Once we have the accounts file, we can do whatever we want with it: back it up or import it into another environment.

Let's say we want to migrate it to another Firebase project. First, we change the project with firebase use <projectId>. Once we are there, we execute:

dotenv -e .env -- cross-var firebase auth:import %ACCOUNTS_FILE% --hash-algo=SCRYPT --hash-key=%HASH_KEY% --salt-separator=%SALT_SEPARATOR% --rounds=%ROUNDS% --mem-cost=%MEM_COST% --token %FIREBASE_TOKEN%

And now we should have the accounts in the new project. Let's check in Firebase's console, under Authentication, that they show up.

Security

Seeing these steps, one may think that keeping a copy of the accounts could end in a leak. However, passwords are hashed, so without the hash key and salt separator they are useless. That's why you should keep that information in your private env file (and if you can avoid storing it at all, great).
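A pre-commit style check for the split described above, as an added example that is not code from the original post: it flags any of the post's private variables that carry a value in the committed env file, and counts how many exported accounts hold password hash material. The function names are hypothetical, the sample data is constructed, and it assumes the export has a top-level users array whose password accounts carry passwordHash and salt fields.

```javascript
// Added example. Variable names come from the post's list; everything else is assumed.
const PRIVATE_VARS = ["FIREBASE_TOKEN", "HASH_KEY", "SALT_SEPARATOR", "ROUNDS", "MEM_COST"];

// Parse dotenv-style text: KEY=value, '#' comments, optional "export " prefix and quotes.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue;
    vars[m[1]] = m[2].replace(/^(['"])(.*)\1$/, "$2"); // strip matching quotes
  }
  return vars;
}

// Names of private variables that have a non-empty value in the public (committed) file.
function leakedPrivateVars(publicEnvText) {
  const vars = parseEnv(publicEnvText);
  return PRIVATE_VARS.filter((name) => (vars[name] || "").length > 0);
}

// Count accounts in an exported accounts JSON document that carry hash material.
function summarizeExport(jsonText) {
  const users = JSON.parse(jsonText).users || [];
  const withHash = users.filter((u) => u.passwordHash && u.salt).length;
  return { total: users.length, withHash };
}

// Constructed sample: ROUNDS was pasted into the public file by mistake.
const publicEnv =
  "ACCOUNTS_FILE=accounts.json\n# hash params live in the private file\nROUNDS=8\nHASH_KEY=\n";
// Constructed sample export with placeholder values (not real hashes).
const exported = JSON.stringify({ users: [
  { localId: "u1", email: "a@example.test", passwordHash: "PLACEHOLDER_HASH", salt: "PLACEHOLDER_SALT" },
  { localId: "u2", email: "b@example.test" }, // account without a password hash
]});

console.log("private vars in public env:", leakedPrivateVars(publicEnv));
console.log("export summary:", summarizeExport(exported));
```

In a real repo the two strings would be read from the committed env file and from the file named by ACCOUNTS_FILE, and a non-empty result from leakedPrivateVars would fail the commit.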

Andddd that's how you deal with accounts when you want to move them around or just keep a copy for backup. Don't forget to check the docs when doing these steps.

As always, I hope you can take anything useful from this and I'd like to know your thoughts.

Feel free to reach me on LinkedIn or Twitter. 👋🏻
