How to check if current password is valid in firebase admin sdk?

4

9

I have a firebase powered app. The requirement is to update the account password by typing the currentPassword and the newPassword.

On the server (firebase cloud function + admin sdk) I need to check if the provided currentPassword is valid.

When an account is created for the first time, firebase automatically encrypts the password, and gives me back only the hash.

The problem is - this encryption is done automatically, under the covers.

Without having access to the encryption method, I can't obtain the hash of the currentPassword in order to compare it to the stored hash of the real password, to see if these 2 hashes match.

So how can I check if the currentPassword is valid? How do I get access to the same method firebase-auth uses for encryption?

I couldn't find anything relevant so far. Am I using the wrong approach here? Why is it so hard to find?

Christlike answered 7/1, 2018 at 21:6 Comment(0)
2

I'm not quite sure that you can verify the password with a cloud function. The point is to make sure that hackers would not be able to recover users' passwords even if they somehow hacked into the server; if you can recover the passwords by knowing the hash and salt, why wouldn't the hackers? However, you can do that in your app:

firebase.auth().currentUser.reauthenticateWithCredential(firebase.auth.EmailAuthProvider.credential(firebase.auth().currentUser.email, oldPassword));

Also, just to provide an alternative way for users who want to change their password: just send them a password reset email. This way it's quite safe and they won't have to enter their old password:

firebase.auth().sendPasswordResetEmail(firebase.auth().currentUser.email)
Literatim answered 8/1, 2018 at 4:32 Comment(0)
1

passwordHash and passwordSalt are only available when you retrieve the user information via a call to listUsers(). Therefore they are only useful if you ever migrate user data from Firebase Auth to a different user management system.

Malinin answered 8/1, 2018 at 18:18 Comment(0)
0

For this use-case I needed to implement 2 different approaches.

case 1: when the agent changes its own password. I use browser code as provided by @K.Wu - firebase automatically sends a password reset email to the user.

firebase.auth().sendPasswordResetEmail(firebase.auth().currentUser.email)

case 2: when a high-privilege user (admin / manager) changes the agent's password.

I use server code - the firebase admin sdk. Here the manager doesn't know the currentPassword, and doesn't need to know it, since firebase-admin can change account passwords without needing to send confirmation emails.

Still, what I don't understand is this:

When I create the user for the first time, firebase gives me a userRecord object which has 2 properties: passwordHash and passwordSalt. But since I can't encrypt a given password manually, what is the use of these 2 properties? When are they ever needed?

I considered them to be specifically designed for comparing the hash of a provided password with the passwordHash that is stored in firebase. It seems this is not the case, and I'm still a bit confused.

Anyway, splitting the password update functionality between client and server, based on who performs the action, as explained above, worked like a charm.

note: this setup also allows account creation to be done by an admin / manager.

Christlike answered 8/1, 2018 at 11:18 Comment(1)
Hello @Alon, just in case you still need this: github.com/firebase/scrypt. You can use this to log in on another system in case of migrating auth from firebase. – Ruelas
0

I think you can check against the password hash with scrypt. You need to download the scrypt config from your account and compare. Please check the docs below:

https://firebaseopensource.com/projects/firebase/scrypt/

A util function for scrypt, for hashing and verification, is found here:

https://github.com/xeewi/firebase-scrypt

Note: Only the listUsers() method will return the passwordHash. getUser() and no other function will return the passwordHash values.

Sheelagh answered 25/2, 2020 at 10:20 Comment(0)
