Migrating Meteor app to Auth0

Hi,

We have a Meteor app which we wish to migrate to Auth0; we’re looking at the best approach to do this.

There are a few posts on both the Meteor Forum and here that provide some info on this, but I feel the information is not conclusive.

Using vanilla Meteor, passwords are SHA256 hashed and then bcrypted (here’s a nice explanation - Replicating Meteor's Password Implementation) - this hashed, bcrypted pw is stored in the Meteor User db. I understand the Auth0 Bulk Import interface does provide support for bcrypt passwords, so I guess there should be no issue importing these per se.

What’s not clear to me, however, is whether Auth0 supports this hashing function in its standard interface (eg the Universal Login Page) such that a valid comparison can be performed against the record in the db. I see some mention of this in this forum issue

where it explicitly states “(yes, we support SHA256)” in response to q pertaining to Meteor but no further detail is provided…

So, my q is if anyone knows if we can simply import our existing pw’s and everything Will Just Work, or if there are some specific config options we need to set to enable such pw hashing or if it’s something that is not supported.

Thanks in advance for any pointers.

BR,
Seán.

Hi @seanrm, welcome to the community!

You can import password hashes that were created with bcrypt into an Auth0 database; you would just need to provide, with the user’s hash, the information listed here:

However, if Meteor combined two hashing algorithms on top of each other (SHA256 followed by bcrypt) I’m afraid we can’t support that directly. We can support passwords hashed by one or the other, but not combined.

You would need to either use:
A custom database connection with import mode turned on; this could log the users in via a Meteor endpoint and if Meteor reported the login as successful, Auth0 would re-hash the plain text password provided by the user into the Universal Login page form, and store that hash for future authentications.
This is useful for migrating users automatically without needing them to reset their passwords.

Or:
You would need to import the users without their password hashes, and send password reset emails to your users so they could set the initial password for their new Auth0 based account.

2 Likes
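
The import-mode Login script described in the answer above, as an added example that is not part of the original thread and is not Auth0's or Meteor's own code. It builds the payload Meteor's accounts-password login expects (a SHA-256 hex digest of the password) and keeps an endpoint outage distinct from rejected credentials. `makeLogin`, `callMeteorLogin`, `BadCredentials` and the `{ id }` result shape are assumptions; inside Auth0 the returned function would be the script's `login(email, password, callback)`.

```javascript
const crypto = require("crypto");

// Stand-in for the WrongUsernameOrPasswordError global that Auth0 provides
// inside database action scripts (defined here so the example runs alone).
class BadCredentials extends Error {
  constructor(email, message) {
    super(message);
    this.email = email;
  }
}

// Meteor's accounts-password client sends the SHA-256 hex digest of the
// password; the server bcrypt-compares that digest with the stored hash.
function meteorLoginPayload(email, password) {
  const digest = crypto.createHash("sha256").update(password, "utf8").digest("hex");
  return { user: { email }, password: { digest, algorithm: "sha-256" } };
}

// callMeteorLogin(payload, cb) is a HYPOTHETICAL transport: it submits the
// payload to the Meteor app's login method over TLS and calls back with
// (err) on transport failure, (null, null) on rejected credentials, or
// (null, { id }) on success.
function makeLogin(callMeteorLogin) {
  return function login(email, password, callback) {
    callMeteorLogin(meteorLoginPayload(email, password), (err, result) => {
      // An outage must not look like a wrong password.
      if (err) return callback(err);
      if (!result || !result.id) {
        return callback(new BadCredentials(email, "invalid credentials"));
      }
      // Returning a profile lets Auth0 create the user and store its own
      // hash of the password that was just entered (import mode).
      callback(null, { user_id: String(result.id), email });
    });
  };
}
```
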

@sgo - thanks for that - v clear and helpful.

It seems that the custom db connection is the most realistic approach…

1 Like

We are here for you!