Cannot sign in codingcompetitions.withgoogle.com - google-code

Yes, I have an account on https://codingcompetitions.withgoogle.com/ and I participated in many contests, but whenever I tried to sign in, it keeps me in this status My status, which means I cannot access my account and submit code at all. Can anyone please help me?
To be more detailed, I clicked sign in and pick my account, and enter my password, it says verifying... and then brings me back to the same status.

Related

How to get ID of disabled firebase user (during authentication)?

If I disable a user from console user credentials will not be refreshed in one hour and user will be deauthenticated. Upon trying to log in, user will get the FirebaseException with the ErrorCode AuthError.UserDisabled.
Showing the user that his account is disabled is good, but I also want to show him his firebase account ID (which is a complex string with letters and numbers) for support inquiries. How can I get the user Id to show it to user when the account has been disabled? This is happening in Unity.
As far as I know the UID matching the credentials is not exposed in this error message, so you will have to look it up another way. The best I can think of is using the Admin SDK to find the user by their email address.

Login in flutter without email password

So, I wanna make a flutter app where there will be login for 10-15 people and these people will provide some sort of invitational code or token that other people need to put in textfield and then they can join the room of that person. I will do login for these 10-15 people with email authentication in firebase. So, please tell me how these people can generate invitational code or token for others to join them without any sort of id and pass.
Try a dynamic link with Flutter; after the link opens you can ask the user to enter the code, and if it succeeds, let the user in.

Two accounts made with same email bug - Firebase Auth

I have my firebase authentication set to prevent multiple accounts for the same email, but it doesn't seem to be doing that. See following pictures:
Has anybody experienced this issue before?
Edit: Here are the details for reproducing this bug:
Pretty much the problem boils down to the updateEmail() function.
When a user signs up for my app I want to ensure I have an email for the user so searching for that user is easier. The problem is Facebook authentication doesn't ensure the user has an email for the following two reasons:
The user could have not allowed email permissions.
The user could have created their Facebook account only using a phone number.
Because of this, my login code is somewhat complex but here's a link to my code with comments to explain everything (Note that I'm using custom Facebook/Google buttons which is why I had to manually do some stuff): Login Gist
If you look at the func getFBUserData() and see the comments above it, the bug is happening in the Case 1's first bullet point:
// 1) user's facebook does have email. This is common case
// - in this case, sign them into Firebase
// - could be that they previously didn't have email but now they do, so update Firebase user's email
This is the edge case where for some reason a user first didn't allow email permissions, then changed their minds and allowed them. What's interesting is that the code will still throw the .errorCodeEmailAlreadyInUse error, but the account will show up in the Firebase console as seen in the picture in the SO question and the following which I just did: http://imgur.com/yMjYXgH

How to track the free sign-ups for an online service that requires email verification?

I'm tracking the free trial sign-ups for an online service that requires email verification to complete the sign-up process.
How do I create a goal to track the sign-ups given that email verification is required?
The registration process is as follows:
1. Click on free signup button (goes to "/signup/")
2. Fill out sign-up form, including email address (goes to "/check_your_email/")
3. Click account verification link in email.
4. Arrive at the new account confirmation page. I plan to define this URL ("/confirm/signup/username/hashcode/") as the goal
If the user closes their browser, then opens their browser, and clicks on email verification link, will the goal be tracked properly?
If the user closes their browser it will be considered a new visit when the browser opens up again to complete the sign-up process. This will increase the reported visit counts and you might also have problems with using visit level reports.
There could also be a problem if the user is not using their default browser then opens the link from an email program and their default browser is used.
You should probably set up two goals: one for the /check_your_email/ page and another for the verification page. That way you will be able to see if there's a significant drop-off between the two and work from there.
If you define "/confirm/signup/username/hashcode/" as the Goal, even if the user closes their browser and comes back to this page it will still be recorded as a Goal conversion.
You will have a problem with the conversion funnel: for those that did not confirm during the same visit, it will look like their visits dropped at the /check_your_email/ step, and you should see a similar number of visits coming from (direct) - email is usually recorded as Direct visits.
Also bear in mind to use an appropriate regular expression if the confirmation URL varies with usernames.

Best way of doing code for "Forgotten Password"

net website, I would like to implement forget password. I am using the following steps:
1. Form having input box for login Id and email Id and CAPTCHA
2. When the user enters details and submits, at the backend after validation a new password is generated and replaces the old password in the database.
3. The new password is sent to the user by email.
Please help me whether I am doing right or not?
Is there any other secure mechanism for the same?
[EDIT]
Thanks, I got your reply. Really this is a secure mechanism. But here I have a few doubts:
1. What message should I show to the user when he enters loginId and email address at the forgotten password page?
2. Whether the message would be the same for a valid user and a malicious user?
3. Advantage of using CSRF token? Any help / link
4. When the user clicks on the link then what should I do; because as I guess the user should automatically log in to their account - then after that I have 2 choices: (first) send a new password automatically to the user, (second) a new form will be shown to the user where the user will enter the old password and the new password twice?
Please help?
I can see why you'd want a CAPTCHA, but I'd take a different approach.
1. When a password reset is requested check that a reset has not already been requested for that account within the last X minutes. If a password has already been requested ignore the reset request.
2. Check the IP requesting the password reset. If that IP has requested a password reset in the last Y minutes ignore the request.
3. If the checks in 1 & 2 pass check the account exists. If it doesn't ignore the request.
4. If we've gotten this far generate a one time token, which expires in Z minutes and a password reset URL which encompasses this token. Email this to the registered email address. When the URL is loaded prompt for a new password and reset.
For those who believe that you should tell the user where the email has gone I strongly disagree. This is "information leakage", even if you do limit it to the domain name. For example say I've registered on JeffAtwoodEatsBabies.com as blowdart. If Jeff had requested a password reset for me and you showed the registration domain then he'd see idunno.org. This is my personal domain and thus Jeff would know the blowdart user is, in fact, me. This is a bad bad thing. I should not have to register using hotmail or gmail or whatever in order to protect myself from your code showing an email domain to all and sundry.
In addition you shouldn't be showing error messages at all. No matter what happens, a username is not actually registered, or too many requests have been made or the sky has fallen you should be telling the user that the password reset procedure has started. Informing a user that an account doesn't exist is more information leakage.
One final thing you could do is add a CSRF token to the reset request page, so it cannot be driven from other web sites.
Followup
So to answer your further questions.
1. What message you show is up to you. "Instructions for resetting your password have been emailed to the registered email for this account" is one idea, but really it's down to your audience.
2. Already addressed above.
3. Wikipedia is a good starting point. How you do it depends on your platform and is a complete other question! For ASP.NET you could look at my codeplex project, http://anticsrf.codeplex.com or look at ViewStateUserKey.
4. When the link is clicked I would first validate the token in the URL against the username it's being applied to then I would either allow the user to enter a new password, or generate a new one and email it. You can't prompt for the old one, as the whole point is the user has forgotten it!
There are many ways this has been implemented. As you said, generating a new password and sending it to the registered email address is one method. I wouldn't suggest you go that route though, as my password would be reset every time somebody tried guessing my password.
Instead, the best thing I've seen to date is simply emailing the registered email with a link that will begin a password reset process. You may even let the user know which email address to check by showing a masked version of their email address used in registration:
An email was sent to ********#hotmail.com. Please check your inbox to continue.
Be sure to keep in consideration those of us who may forget which email address we registered with - typically a few security questions are a great way to make that information available.
I've done that recently. When the user enters their username or email address, we generate a unique token and email it to them as part of a link. Upon receipt of that email, they click the link, and are automatically logged in, taken to the my account screen, and prompted to reset their password.
Of course, this relies 100% on the security of the email client, but it's hard to beat from a usability perspective.
You should check the answer to the question: Can anyone provide references for implementing web application self password reset mechanisms properly? from D.W. on security.stackexchange.
It is the most complete answer I found on the subject. I also suggest you read this article: Everything you ever wanted to know about building a secure password reset feature
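
The reset flow described in the first answer above (per-account and per-IP throttling, silently ignoring unknown accounts, a one-time expiring token, and the same reply in every case), as an added Python example that is not code from the thread or from any project it mentions. The `ResetService` class, the in-memory dictionaries, the `outbox` list standing in for the mail sender, the X/Y/Z defaults and the choice to store only a SHA-256 digest of the token are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Same text whether the request was honoured, throttled, or for an unknown account.
GENERIC_REPLY = "If the account exists, reset instructions have been emailed."

class ResetService:
    """Hypothetical in-memory model of the reset flow; not a real library API."""

    def __init__(self, accounts, x_min=15, y_min=5, z_min=30, clock=time.time):
        self.accounts = accounts      # login id -> registered email (constructed data)
        self.x, self.y, self.z = x_min * 60, y_min * 60, z_min * 60
        self.clock = clock
        self.last_by_account = {}     # login id -> time of last issued reset
        self.last_by_ip = {}          # IP -> time of last accepted request
        self.tokens = {}              # login id -> (sha256 hex of token, expiry)
        self.outbox = []              # (email, token) pairs a mailer would send

    def request_reset(self, login_id, ip):
        now = self.clock()
        never = float("-inf")
        # Checks 1 and 2: throttle per account (X minutes) and per IP (Y minutes).
        if now - self.last_by_account.get(login_id, never) < self.x:
            return GENERIC_REPLY
        if now - self.last_by_ip.get(ip, never) < self.y:
            return GENERIC_REPLY
        self.last_by_ip[ip] = now
        # Check 3: unknown accounts are ignored without a distinguishable reply.
        if login_id not in self.accounts:
            return GENERIC_REPLY
        # Step 4: one-time token valid for Z minutes; only its digest is stored.
        self.last_by_account[login_id] = now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[login_id] = (digest, now + self.z)
        self.outbox.append((self.accounts[login_id], token))
        return GENERIC_REPLY

    def redeem(self, login_id, token):
        """Validate the token against the username it was issued for, once."""
        digest, expiry = self.tokens.get(login_id, ("", 0))
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented) or self.clock() > expiry:
            return False
        del self.tokens[login_id]     # single use: a replayed link fails
        return True
```

A `True` from `redeem` is the point at which the application would show the new-password form.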
