supabase
fix: use URL-safe Base64 decoding for Firebase Scrypt password hash and salt
What kind of change does this PR introduce?
Bug fix
What is the current behavior?
Firebase Scrypt password hash and salt decoding uses base64.StdEncoding.
When users are exported from Firebase, their PasswordHash may contain URL-safe Base64 characters (- and _). These characters cannot be decoded by base64.StdEncoding.DecodeString(), causing decoding errors.
Related issue: https://github.com/firebase/firebase-admin-go/issues/479
What is the new behavior?
- Changed PasswordHash and salt decoding to use base64.URLEncoding
-
signerKeyandsaltSeparatorcontinue to use base64.StdEncoding (as they are provided in standard Base64 format)
Test updates:
- Updated test data to use salt and hash containing URL-safe Base64 characters (_)
- Added negative test cases to verify that standard Base64 (containing
/) in salt and hash results in errors
Additional context
According to Firebase Admin SDK Issue https://github.com/firebase/firebase-admin-go/issues/479, when exporting user data from Firebase, the PasswordHash is encoded in URL-safe Base64, while the signerKey provided in the Firebase Console uses standard Base64. When importing users from Firebase Auth, the exported data contains URL-safe Base64 encoded values like:
{
"passwordHash": "cxbDzJu2W1DU20SXh--UNtR9Tu2tH2GSKQ91hGBAEN49OJJpuZbdhz-3GdYnBujQXxkXdqnhUehXVeLA6zoF-g==",
"passwordSalt": "G-s6NpQQJdtvlQ=="
}
Both passwordHash and passwordSalt contain - characters, which are URL-safe Base64 specific and cannot be decoded with standard Base64.
