-
Notifications
You must be signed in to change notification settings - Fork 75
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #881 from supertokens/fix/migration-page
Add missing user migration data
- Loading branch information
Showing
2 changed files
with
157 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,8 +5,133 @@ hide_title: true | |
| sidebar_position: 1 | ||
| --- | ||
|
|
||
| import { SelfHostingTabs } from "/src/components/tabs" | ||
|
|
||
| # User Creation | ||
|
|
||
| ## Email Password Migration | ||
|
|
||
| :::important | ||
| If you do not have access to your user's password hashes, you can use our [guide for migrating them dynamically during login](./ep-migration-without-password-hash). | ||
| ::: | ||
|
|
||
| SuperTokens allows you to import users with password hashes generated with `BCrypt`, `Argon2` and `Firebase SCrypt` with our import user API. | ||
| You can find the API spec [here](https://app.swaggerhub.com/apis/supertokens/CDI/2.16.0#/EmailPassword%20Recipe/userImport). | ||
|
|
||
| ### Migrating users With Argon2 or BCrypt Password hashes | ||
|
|
||
| For users with `BCrypt` or `Argon2` password hashes you can use the following curl command to import your user. | ||
|
|
||
| ```bash | ||
| curl --location --request POST '^{coreInfo.uri}/recipe/user/passwordhash/import' \ | ||
| --header 'api-key: ^{coreInfo.key}' \ | ||
| --header 'Content-Type: application/json; charset=utf-8' \ | ||
| --data-raw '{ | ||
| "email": "[email protected]", | ||
| "passwordHash": "$argon2d$v=19$m=12,t=3,p=1$NWd0eGp4ZW91b3IwMDAwMA$57jcfXF19MyiUXSjkVBpEQ" | ||
| }' | ||
| ``` | ||
|
|
||
| :::important | ||
| SuperTokens accepts `BCrypt` and `Argon2` hashes in standard format. When exporting password hashes from authentication providers the structure might be changed. For example, Auth0 prepends an identifier to the exported password hashes which needs to removed before importing into SuperTokens. | ||
|
|
||
| Sample password hashes for BCrypt and Argon2 in standard format: | ||
|
|
||
| - BCrypt: `$2a$10$GzEm3vKoAqnJCTWesRARCe/ovjt/07qjvcH9jbLUg44Fn77gMZkmm` | ||
| - Argon2: `$argon2id$v=19$m=16,t=2,p=1$VG1Oa1lMbzZLbzk5azQ2Qg$kjcNNtZ/b0t/8HgXUiQ76A` | ||
| ::: | ||
|
|
||
|
|
||
| ### Migrating users with Firebase SCrypt Password hashes | ||
|
|
||
| Importing users from Firebases requires an update to your supertokens core config and formatting the input password hash. | ||
|
|
||
| #### Step 1: Retrive your Firebase password hashing parameters from your dashboard. | ||
|
|
||
| <img src="/img/migration/firebase_password_hashing_params.png" alt="Firebase password hashing details modal" /> | ||
|
|
||
| #### Step 2: Update the SuperTokens core to use the `base64_signer_key` | ||
|
|
||
| - ** For Managed Service ** | ||
|
|
||
|
|
||
| - Edit the core configuration in the SuperTokens Managed Service Dashboard. | ||
| - Set the `firebase_password_hashing_signer_key` field in the config to the `base64_signer_key` retrieved from your firebase hashing parameters. | ||
|
|
||
|
|
||
|
|
||
| <SelfHostingTabs> | ||
|
|
||
| <SelfHostingTabs.TabItem value="with-docker"> | ||
|
|
||
| ```bash | ||
| docker run \ | ||
| -p 3567:3567 \ | ||
| // highlight-next-line | ||
| -e FIREBASE_PASSWORD_HASHING_SIGNER_KEY="gRhC3eDeQOdyEn4bMd9c6kxguWVmcIVq/HbJKnCXdWscZx0l2WbCJ1wbg==" \ | ||
| -d registry.supertokens.io/supertokens/supertokens-<db_name> | ||
| ``` | ||
|
|
||
| </SelfHostingTabs.TabItem> | ||
| <SelfHostingTabs.TabItem value="without-docker"> | ||
|
|
||
| ```yaml | ||
| # Add your base64_signer_key to the following in the config.yaml file. | ||
| # The file path can be found by running the "supertokens --help" command | ||
|
|
||
| firebase_password_hashing_signer_key: "gRhC3eDeQOdyEn4bMd9c6kxguWVmcIVq/HbJKnCXdWscZx0l2WbCJ1wbg==" | ||
| ``` | ||
| </SelfHostingTabs.TabItem> | ||
| </SelfHostingTabs> | ||
| #### Step 3: SuperTokens requires firebase password hashes to be in a specific format to be parsed. | ||
| For example: | ||
| Your exported firebase user has the following credentials: | ||
| ```json | ||
| { | ||
| "users": [ | ||
| { | ||
| "localId": "userId", | ||
| "email": "[email protected]" | ||
| "passwordHash": "9Y8ICWcqbzmI42DxV1jpyEjbrJPG8EQ6nI6oC32JYz+/dd7aEjI/R7jG9P5kYh8v9gyqFKaXMDzMg7eLCypbOA==", | ||
| "salt": "/cj0jC1br5o4+w==", | ||
| } | ||
| ] | ||
| } | ||
| ``` | ||
|
|
||
| The memory cost, rounds and salt separator retrived from the password hashing config are: | ||
| ```json | ||
| { | ||
| mem_cost: 14, | ||
| rounds: 8, | ||
| base64_salt_separator: "Bw==" | ||
| } | ||
| ``` | ||
|
|
||
| The password hash would be the following: `$f_scrypt$9Y8ICWcqbzmI42DxV1jpyEjbrJPG8EQ6nI6oC32JYz+/dd7aEjI/R7jG9P5kYh8v9gyqFKaXMDzMg7eLCypbOA==$/cj0jC1br5o4+w==$m=14$r=8$s=Bw==` | ||
|
|
||
| The example password hash is in the following format `$f_scrypt$<passwordHash>$<salt>$m=<mem_cost>$r=<rounds>$s=<base64_salt_separator>` | ||
|
|
||
| #### Step 4: Run the following `curl` command to import the user | ||
|
|
||
| ```bash | ||
| curl --location --request POST '^{coreInfo.uri}/recipe/user/passwordhash/import' \ | ||
| --header 'Content-Type: application/json; charset=utf-8' \ | ||
| --header 'api-key: ^{coreInfo.key}' \ | ||
| --data-raw '{ | ||
| "email": "[email protected]", | ||
| "passwordHash": "$f_scrypt$9Y8ICWcqbzmI42DxV1jpyEjbrJPG8EQ6nI6oC32JYz+/dd7aEjI/R7jG9P5kYh8v9gyqFKaXMDzMg7eLCypbOA==$/cj0jC1br5o4+w==$m=14$r=8$s=Bw==", | ||
| "hashingAlgorithm": "firebase_scrypt" | ||
| }' | ||
| ``` | ||
|
|
||
|
|
||
| ## Passwordless Migration | ||
|
|
||
| To migrate a Passwordless user from your previous authentication provider to SuperTokens, you will first need to generate a code for the user and then call the consume code API. | ||
|
|
@@ -77,3 +202,26 @@ curl --location --request PUT '^{coreInfo.uri}/recipe/user' \ | |
| "phoneNumber": "+14155552671" | ||
| }' | ||
| ``` | ||
|
|
||
|
|
||
| ## ThirdParty Migration | ||
|
|
||
| To migrate users with social accounts we can simply call the SuperTokens Core's `signInUp` API with the provider Id and the user's third party userId. | ||
|
|
||
| For example: | ||
|
|
||
| If we were importing a user with Google as their provider with their third party userId being `106347997792363870000`, we can run the following curl command to import the user. | ||
|
|
||
| ```bash | ||
| curl --location --request POST '^{coreInfo.uri}/recipe/signinup' \ | ||
| --header 'api-key: ^{coreInfo.key}' \ | ||
| --header 'Content-Type: application/json; charset=utf-8' \ | ||
| --data-raw '{ | ||
| "thirdPartyId": "google", | ||
| "thirdPartyUserId": "106347997792363870000", | ||
| "email": { | ||
| "id": "[email protected]", | ||
| "isVerified": true | ||
| } | ||
| }' | ||
| ``` | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters