Update hashed password import APIs (#381)

Author: shilgapira

README.md

@@ -700,7 +700,7 @@ userReqInvite.SSOAppIDs = []string{"appId1", "appId2"}
 options := &descope.InviteOptions{InviteURL: "https://sub.domain.com"}
 err := descopeClient.Management.User().Invite(context.Background(), "[email protected]", userReqInvite, options)
 
-// batch invite
+// Invite multiple users with InviteBatch
 options := &descope.InviteOptions{InviteURL: "https://sub.domain.com"}
 batchUsers := []*descope.BatchUser{}
 u1 := &descope.BatchUser{}
@@ -717,6 +717,19 @@ u2.Roles = []string{"two"}
 batchUsers = append(batchUsers, u1, u2)
 users, err := descopeClient.Management.User().InviteBatch(context.Background(), batchUsers, options)
 
+// Import users from another service by calling CreateBatch with each user's password hash
+user := &descope.BatchUser{
+    LoginID: "[email protected]",
+    Password: &descope.BatchUserPassword{
+        Hashed: &descope.BatchUserPasswordHashed{
+            Bcrypt: &descope.BatchUserPasswordBcrypt{
+                Hash: "$2a$...",
+            },
+        },
+    },
+}
+users, err := descopeClient.Management.User().CreateBatch(context.Background(), []*descope.BatchUser{user})
+
 // Update will override all fields as is. Use carefully.
 userReqUpdate := &descope.UserRequest{}
 userReqUpdate.Email = "[email protected]"
@@ -762,8 +775,7 @@ if err == nil {
 err := descopeClient.Management.User().LogoutUser(context.Background(), "<login id>")
 
 // Logout given user from all its devices, by user ID
-err := descopeClient.Management.User()LogoutUserByUserID(context.Background(), "<user id>")
-
+err := descopeClient.Management.User().LogoutUserByUserID(context.Background(), "<user id>")
 ```
 
 #### Set or Expire User Password
@@ -832,7 +844,6 @@ err := descopeClient.Management.AccessKey().Delete(context.Background(), "access
 You can manage SSO (SAML or OIDC) settings for a specific tenant.
 
 ```go
-
 // Load all tenant SSO settings
 ssoSettings, err := cc.HC.DescopeClient().Management.SSO().LoadSettings(context.Background(), "tenant-id")
 
@@ -893,6 +904,9 @@ attributeMapping := &descope.AttributeMapping {
     PhoneNumber: "IDP_PHONE",
 }
 err := descopeClient.Management.SSO().ConfigureMapping(context.Background(), tenantID, roleMapping, attributeMapping)
+
+// To delete SSO settings, call the following method
+err := descopeClient.Management.SSO().DeleteSettings(context.Background(), "tenant-id")
 ```
 
 Note: Certificates should have a similar structure to:
@@ -903,9 +917,6 @@ Certifcate contents
 -----END CERTIFICATE-----
 ```
 
-// To delete SSO settings, call the following method
-err := descopeClient.Management.SSO().DeleteSettings(context.Background(), "tenant-id")
-
 ### Manage Password Setting
 
 You can manage password settings for tenants and projects.

descope/internal/mgmt/user.go

@@ -2,7 +2,6 @@ package mgmt
 
 import (
 	"context"
-	"encoding/base64"
 
 	"github.com/descope/go-sdk/descope"
 	"github.com/descope/go-sdk/descope/api"
@@ -61,7 +60,10 @@ func (u *user) create(ctx context.Context, loginID, email, phone, displayName, g
 }
 
 func (u *user) createBatch(ctx context.Context, users []*descope.BatchUser, options *descope.InviteOptions) (*descope.UsersBatchResponse, error) {
-	req := makeCreateUsersBatchRequest(users, options)
+	req, err := makeCreateUsersBatchRequest(users, options)
+	if err != nil {
+		return nil, err
+	}
 	res, err := u.client.DoPostRequest(ctx, api.Routes.ManagementUserCreateBatch(), req, nil, u.conf.ManagementKey)
 	if err != nil {
 		return nil, err
@@ -570,7 +572,7 @@ func makeCreateUserRequest(loginID, email, phone, displayName, givenName, middle
 	return req
 }
 
-func makeCreateUsersBatchRequest(users []*descope.BatchUser, options *descope.InviteOptions) map[string]any {
+func makeCreateUsersBatchRequest(users []*descope.BatchUser, options *descope.InviteOptions) (map[string]any, error) {
 	var usersReq []map[string]any
 	for _, u := range users {
 		user := makeUpdateUserRequest(u.LoginID, u.Email, u.Phone, u.Name, u.GivenName, u.MiddleName, u.FamilyName, u.Picture, u.Roles, u.Tenants, u.CustomAttributes, u.VerifiedEmail, u.VerifiedPhone, u.AdditionalLoginIDs, u.SSOAppIDs)
@@ -579,15 +581,13 @@ func makeCreateUsersBatchRequest(users []*descope.BatchUser, options *descope.In
 				user["password"] = u.Password.Cleartext
 			}
 			if hashed := u.Password.Hashed; hashed != nil {
-				m := map[string]any{
-					"algorithm": hashed.Algorithm,
-					"hash":      base64.RawStdEncoding.EncodeToString(hashed.Hash),
+				b, err := utils.Marshal(hashed)
+				if err != nil {
+					return nil, err
 				}
-				if len(hashed.Salt) > 0 {
-					m["salt"] = base64.RawStdEncoding.EncodeToString(hashed.Salt)
-				}
-				if hashed.Iterations != 0 {
-					m["iterations"] = hashed.Iterations
+				var m map[string]any
+				if err := utils.Unmarshal(b, &m); err != nil {
+					return nil, err
 				}
 				user["hashedPassword"] = m
 			}
@@ -610,7 +610,7 @@ func makeCreateUsersBatchRequest(users []*descope.BatchUser, options *descope.In
 		}
 	}
 
-	return req
+	return req, nil
 }
 
 func makeUpdateUserRequest(loginID, email, phone, displayName, givenName, middleName, familyName, picture string, roles []string, tenants []*descope.AssociatedTenant, customAttributes map[string]any, verifiedEmail *bool, verifiedPhone *bool, additionalLoginIDs []string, ssoAppIDs []string) map[string]any {

descope/internal/mgmt/user_test.go

@@ -129,10 +129,12 @@ func TestUsersInviteBatchSuccess(t *testing.T) {
 	u2.Email = "[email protected]"
 	u2.Roles = []string{"two"}
 	u2.Password = &descope.BatchUserPassword{Hashed: &descope.BatchUserPasswordHashed{
-		Algorithm:  descope.BatchUserPasswordAlgorithmPBKDF2SHA256,
-		Hash:       []byte("1"),
-		Salt:       []byte("2"),
-		Iterations: 100,
+		Pbkdf2: &descope.BatchUserPasswordPbkdf2{
+			Hash:       []byte("1"),
+			Salt:       []byte("2"),
+			Iterations: 100,
+			Type:       "sha256",
+		},
 	}}
 
 	users = append(users, u1, u2)
@@ -170,10 +172,12 @@ func TestUsersInviteBatchSuccess(t *testing.T) {
 		assert.Nil(t, userRes2["customAttributes"])
 		pass2, _ := userRes2["hashedPassword"].(map[string]any)
 		require.NotNil(t, pass2)
-		require.Equal(t, "pbkdf2sha256", pass2["algorithm"])
-		require.Equal(t, "MQ", pass2["hash"])
-		require.Equal(t, "Mg", pass2["salt"])
-		require.EqualValues(t, 100, pass2["iterations"])
+		pbkdf2, _ := pass2["pbkdf2"].(map[string]any)
+		require.NotNil(t, pbkdf2)
+		require.Equal(t, "MQ==", pbkdf2["hash"])
+		require.Equal(t, "Mg==", pbkdf2["salt"])
+		require.EqualValues(t, 100, pbkdf2["iterations"])
+		require.Equal(t, "sha256", pbkdf2["type"])
 		roleNames = userRes2["roleNames"].([]any)
 		require.Len(t, roleNames, 1)
 		require.Equal(t, u2.Roles[0], roleNames[0])

descope/types.go

@@ -381,26 +381,43 @@ type BatchUser struct {
 	UserRequest `json:",inline"`
 }
 
+// Set a cleartext or prehashed password for a new user (only one should be set).
 type BatchUserPassword struct {
 	Cleartext string
 	Hashed    *BatchUserPasswordHashed
 }
 
+// Set the kind of prehashed password for a user (only one should be set).
 type BatchUserPasswordHashed struct {
-	Algorithm  BatchUserPasswordAlgorithm
-	Hash       []byte
-	Salt       []byte
-	Iterations int
+	Bcrypt   *BatchUserPasswordBcrypt   `json:"bcrypt,omitempty"`
+	Firebase *BatchUserPasswordFirebase `json:"firebase,omitempty"`
+	Pbkdf2   *BatchUserPasswordPbkdf2   `json:"pbkdf2,omitempty"`
+	Django   *BatchUserPasswordDjango   `json:"django,omitempty"`
 }
 
-type BatchUserPasswordAlgorithm string
+type BatchUserPasswordBcrypt struct {
+	Hash string `json:"hash"` // the bcrypt hash in plaintext format, for example "$2a$..."
+}
 
-const (
-	BatchUserPasswordAlgorithmBcrypt       BatchUserPasswordAlgorithm = "bcrypt"
-	BatchUserPasswordAlgorithmPBKDF2SHA1   BatchUserPasswordAlgorithm = "pbkdf2sha1"
-	BatchUserPasswordAlgorithmPBKDF2SHA256 BatchUserPasswordAlgorithm = "pbkdf2sha256"
-	BatchUserPasswordAlgorithmPBKDF2SHA512 BatchUserPasswordAlgorithm = "pbkdf2sha512"
-)
+type BatchUserPasswordFirebase struct {
+	Hash          []byte `json:"hash"`          // the hash in raw bytes (base64 strings should be decoded first)
+	Salt          []byte `json:"salt"`          // the salt in raw bytes (base64 strings should be decoded first)
+	SaltSeparator []byte `json:"saltSeparator"` // the salt separator (usually 1 byte long)
+	SignerKey     []byte `json:"signerKey"`     // the signer key (base64 strings should be decoded first)
+	Memory        int    `json:"memory"`        // the memory cost value (usually between 12 to 17)
+	Rounds        int    `json:"rounds"`        // the rounds cost value (usually between 6 to 10)
+}
+
+type BatchUserPasswordPbkdf2 struct {
+	Hash       []byte `json:"hash"`       // the hash in raw bytes (base64 strings should be decoded first)
+	Salt       []byte `json:"salt"`       // the salt in raw bytes (base64 strings should be decoded first)
+	Iterations int    `json:"iterations"` // the iterations cost value (usually in the thousands)
+	Type       string `json:"type"`       // the hash name (sha1, sha256, sha512)
+}
+
+type BatchUserPasswordDjango struct {
+	Hash string `json:"hash"` // the django hash in plaintext format, for example "pbkdf2_sha256$..."
+}
 
 type UserResponse struct {
 	User             `json:",inline"`