This question already has an answer here:
Firebase auth don't allow previous 10 passwords
(1 answer)
Closed 19 days ago.
We are using the firebase's native support for resetting passwords. Now, we have a requirement of preventing use of previously used passwords and for that we are planning to store the hashed password in our DB, but the question is how do we intercept the firebase reset password function, can cloud functions be used in any way for this?
Firebase Authentication doesn't support a feature like this. There is no way to intercept a password reset unless you build your own implementation, which I recommend. Only bonuses for it, you get your own unique design + you have full control of error checking and rules.
If you want to know how you create your own password reset landing page, check out the docs or this question: Firebase - Customize reset password landing page
Related
This question already has answers here:
Is it safe to expose Firebase apiKey to the public?
(10 answers)
Closed 1 year ago.
In my Flutter web app, the credentials to access the Firebase backend are set in index.html and anyone who clicks "view source" can see them.
What's to stop someone from using that to spoof the client and get access to the Firestore database with their own code instead of the client that's meant to access it?
You will always have to leave a way for users to access your database - and thus also giving them some way to locate your database. You should write secure firestore security rules to govern the usage of your database. Users will always be able to access your database through other means than your front end. After all, your front end is just a portal for displaying the data in a user-friendly way. By however adding security rules you can limit the usage of your database to how it is intended.
I am working on a simple app that allows users to search for something using an API and save it to view later.
However, I don't want to integrate authentication in the app. I can, but would rather not as a UX decision. Do you know of a way to generate a device token, that is unique to every device and can be used to store which assets a device has saved in the db?
I am thinking of expo push tokens as a possible solution, but that would require users to accept push notifications - so what happens if a user says no?
Sounds like you could just use react-native-uid to generate a unique id for your device and then store it in AsyncStorage and fetch it from there going forward.
For more inspiration, or perhaps just a more canonical way to do this... read up on suggestions surroundings the recently deprecated constant for installationId here:
https://docs.expo.dev/versions/latest/sdk/constants
I haven't used this before but if you're looking for something bullet proof then this is probably your goal of getting the same concept.
Firebase Anonymous Authentication might be ideal to use in this case. This can be used to create a user in Firebase auth without any credentials and can be useful especially when you are using either of Firebase's databases since you can use security rules with user's UIDs.
However, once the user logs out of the account by any means including but not limited to using sign out option in your app, clearing app data or uninstalling the app, the same account with that UID cannot be recovered. I looked up for AsyncStorage and apparently that gets cleared to if the app is deleted.
This question already has answers here:
Is it acceptable to leave a database (Cloud Firestore) unsecured when no site login is required?
(2 answers)
Closed 3 years ago.
I am working with log-in log-out management, and it turns out that it's quite important to use the FirebaseAuth for all operations. But since only I have the service account key and only I can alter how the app is working, I'm wondering how someone can read or write in my database other than what I've programmatically given to them within the app. Can someone help explaining this to me? I would be really glad.
If your security rules allow access to unauthenticated users, then anyone with an internet connection will be able to read and write the entire contents of your database. It will be especially easy with the Firestore REST API.
A judgement of how "bad" that is for your project is entirely up to you to determine.
I am developing a Flutter App and want to use Firebase Auth for user login. My problem is that I want to first ask for the email, check that the format is valid, and then send the user to a LogIn screen or SignIn screen depending on whether the email already exists on Firebase.
I read this question where it says that the only solution is to perform a signIn with createUserWithEmailAndPassword() method and check the error message, a solution that in the long term is not very reliable.
As flutter is evolving very fast, do you guys know of a better solution to accomplish this?
Thanks in advance!
I think you could also create a cloud function to make that check in the server, that would be an alternative method. The question stated a restriction about making the check within the app.
As regarding making the check using the error message, that was already fixed and now you can check it using the error code. (I updated my answer)
As you are signing up means mostly you will save user's data like profile name or something. While signing up new user save user's email into firestore if it's first time. Then from next time run a query whether email is present in firestore or not, which implies whether user is already authenticated or not (first time or already created account). If no document found with that corresponding email means user is new guy , you can sign in. If document found with corresponding email then login user instead of sign up.
This question already has answers here:
How do I return a list of users if I use the Firebase simple username & password authentication
(7 answers)
Closed 7 years ago.
I am using simple email/password combination to authenticate users in Firebase. Is there a way to expose users' registration details like email or account creation date by the standard REST API or any other library (preferably React.js with ReactFire or Re-base)?
For example, I want to be able to get a list of all registered users or pass a UID to a query and retrieve email address or creation date. I know I can achieve this by storing the needed user details in my custom data store under the user UID for example, but I am looking to access the original data and not my own copy of it. I also understand that exposing such details might not be a recommended practice as it causes a security risk, but I still want to explore the possibility of achieving this.
Firebase does not expose that data through any API. Like you've said, the only option is for you to store that data in your Firebase instance, and then query it there.