I am working on a mobile app, where I already set up the following authentications in firebase:
phone number (OTP)
Google login
Facebook login
Question 1: For users logged in via OTP, I would like to request their email address, and ask them for verifying. I dont need password, because they will still log in with their mobile number, I just want them to verify their chosen email address. How can I do that in firebase? I know its possible to ask for verification with email/password login, but I dont need any passwords. Maybe I shall just add a dummy password in the background?
Question 2: Users logged in via facebook already have an email address that they use to log in. However I want them to verify their email address. As far as i know, email verification in firebase only possible with email/password authentication. How can I do an email verification with facebook authentication? Or lets say user can type in any email address (without password), and I send them a verification email. It is basically the same problem as in 'question 1'
Question 3: Users logged in via facebook / google authentication. How can I verify their phone numbers? I assume I can just simply do an OTP verification and link it to their existing authentication right?
Thank you,
Related
My auth flow:
Firebase sendEmailVerification() needs an already authenticated user to work as the first arg.
My auth flow at the moment works like this.
Signing up the user with email and password signUpWithEmailAndPassword()
Now the firebase auth object contains the currentUser
Sending a verification mail to the just signed up user sendEmailVerification()
Logging him out and redirecting him to /email-verification where he can send the verification mail again.
Problem:
Now the problem. When the user now wants to request to send the email verification again I have three options for what I know.
Store email and password in state before logging him out -> and then logging him in again on sendAgain and logging him out afterward. Would that be a security concern?
Let him logged in the whole time. Which doesn't feel too good as he wouldn't be able to log himself out again as he officially isn't signed in till he verifies his email.
Force him to input his email and password again every time he wants to send the verification mail again, which feels redundant and old school.
If you require that the user verifies their email address in order to sign in, consider using the email link provider of Firebase Authentication.
Let him logged in the whole time. Which doesn't feel too good as he wouldn't be able to log himself out again as he officially isn't signed in till he verifies his email.
This logic may apply to your application, but it is simply not how the email+password provider in Firebase Authentication works. When the user enters the correct credentials, they are signed in to Firebase Authentication. If your app requires them to have verified their email address before they can use it, that's the exact check I'd recommend implementing.
So if you want to continue using the email+password provider, reframe the statement to:
In order to use the app, the user needs to sign in with their credentials and verify their email address.
You can then implement that in these two steps:
Ask them to sign in if they're not signed in already.
Then if the account doesn't have a verified email address, ask them to find the email and click the link - and give them to option to send another verification email.
By default firebase's sending a link to verify the user email, but I want to send a otp with that email. So is there a way to customize that email or send a otp and then once the user entered the correct code on the app get Firebase to mark that user account to email verified?
What you're describing is quite literally what the default Firebase flow does: it send an email with a link that includes a OTP to verify the email address.
You can do a certain amount of customization of the email action handler page that the emails link to. If that is not enough, you will have to implement your own flow, and can then use the Admin SDK in a secure environment to mark the user's email as verified.
This question already has an answer here:
Verify a user's email address before confirming registration, with Flutter and Firebase
(1 answer)
Closed 1 year ago.
Is it Possible? can I send email verification before I create a user with email and password in Firebase authentication using flutter?
I wanted to know this because if I register the entered mail and then if I send email verification, then if the email account is not valid(i.e the email format is correct, but it is not present in google database to send link to email), then it would simply create a record in Firebase authentication which is a loss of storage, so I would like to know.
Thank you
There are two providers for signing in with email to Firebase:
Through Email+password. There is no way to require the user to verify their email address before they can sign in with this provider. You can of course prevent users without a verified email address from using the app, and accessing the data.
Through Email link. Here the user gets an email with a sign-in link, so their email address is implicitly verified as part of signing in.
If you want to require the user to verify their email address before they can sign in, it might be best to have them sign in through an email link.
In addition to #Frank's answer, when a user signs up you can send verification email to them. You can always check if the user has verified their email in your app by checking the isEmailVerified property as well as in security rules.
Talking of database storage, you can run a scheduled cloud function every midnight to delete data of users who have not verified their email.
You can refer to this answer for a detailed explanation on periodically deleting unverified users.
I am creating an app where the user has to signup with an Email and Password. I want firebase to first verify the email if it does exist and it is an email and sends a link to the user to verify the email after this creates the account in firebase. So how can I do it can anyone tell me?
This has been covered quite a few times before, so I'll provide some links below. The bottom line is that the Firebase email+password provider provides no way to require email verification before account creation. The closest it has to that is the email link provider, which sends an email that signs the user into an account (without entering a password).
Some previous questions on the topic:
Verify a user's email address before confirming registration, with Flutter and Firebase
Firebase email verification at SignUp
How to prevent user authentication in Firebase/Vue.js BEFORE email is verified
more...
I already have user that register using email and password.
When the user log out, and then login with google that has the same email, the login success with the same userId from Auth, But the email password auth is disappeared (the envelope icon is gone). It's kind of replaced.
My App for SignIn has 3 buttons:
SignIn with Phone
SignIn with Email n Password
SignIn with Google
Let say I have user A that already sign up with :
email: awesomeA#gmail.com
pass: somepassword
And then the user A is for some reason sign out, then log in again using Google, but with the same email (awesomeA#gmail.com)
In Console Auth, userId A is same as before, but the icon in firebase Auth is only showing google, the icon for email password Auth is gone
NB: Why I use email password as primary auth? Because my app contains payment information. So if the device is being stolen, I want to make it secure using firebase re-authentification system. So as long as the thief doesn't know the password, he cannot use the virtual wallet to buy anything
If you send a verification email to the user with sendEmailVerfification(), and the user confirm it, it will be added to the providers instead of replacing it. Basically having a gmail email just means "verified" as well.
When you use Google login to authenticate with Firebase, you will never have access to the user's password. That is also true for other third-party logins that work with Firebase authentication (Facebook, Twitter).