Firebase confirmPasswordReset() - firebase

Suppose that a user has 3 auth accounts linked together (email/password, gmail and facebook). Does calling confirmPasswordReset() delete the gmail and facebook accounts from the user Auth? In other words, after calling confirmPasswordReset(), is the user only able to sign in with email/password? Is that the default behaviour?
Thanks for any help.

Changing the Email-Password does not delete associated accounts.
confirmPasswordReset (String code, String newPassword)
Changes the user's password to newPassword for the account for which
the code is valid. Code validity can be checked with
verifyPasswordResetCode(String). This use case is only valid for
signed-out users, and behavior is undefined for signed-in users.
Password changes for signed-in users should be made using
FirebaseUser.updatePassword(String).
https://firebase.google.com/docs/reference/android/com/google/firebase/auth/FirebaseAuth#public-taskvoid-confirmpasswordreset-string-code,-string-newpassword

Related

Make sure a user verified their email before signing them in

I'm in the middle of adding firebase email/password sign in inside a React app. Specifically, it's an e-commerce site, and users will be signed in anonymously before they create an account (for things like cart data).
Here's the ideal user flow:
1. User registers by providing an email and password
2. User is not signed in immediately and instead gets a verification email
3. If a user tries signing in before verifying their email, they cannot sign in
4. User then clicks on the verification link and can sign in
I'm having issues with #3 because it appears like the only way to check if an email is verified is by calling:
    const { user } = await firebase
      .auth()
      .signInWithEmailAndPassword(email, password)
    if (user?.emailVerified) {
      // let them enter the dashboard
    }
However, this process signs in the user even if the email is not verified. That destroys the data on the anonymous account. And merging the two accounts isn't possible because the user thinks they are not signed in (hence it could cause UX issues if the accounts are already merged).
Any ideas?
If you're using the email+password provider, there is no way to prevent the user from signing in without a verified email address. You can of course keep them from using your app and accessing data, but you can't keep them from signing in.
If you want to ensure the user can only sign in after their email address has been verified, consider using the email link provider. You can then later allow them to set a password on the same account, either through the Admin SDK, or by creating an email+password account and linking that with the email link account. Also see the documentation on differentiating email/password from email link for some of the nuances here.
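The answer's point that you can keep an unverified user away from data even though you cannot stop the sign-in, as an added example that is not part of the original answer. It assumes `claims` is the decoded ID token returned by the Admin SDK's `verifyIdToken()`; the route names, policy table and sample claims are hypothetical.

```javascript
// Added example: server-side gate on already-verified Firebase ID token claims.
// Assumption: signature and expiry were checked by admin.auth().verifyIdToken();
// this function only decides what the signed-in identity may reach.

const POLICY = {
  // Hypothetical routes: anonymous shoppers may keep a cart, nothing else.
  cart:      { allowAnonymous: true,  requireVerifiedEmail: false },
  dashboard: { allowAnonymous: false, requireVerifiedEmail: true  },
  checkout:  { allowAnonymous: false, requireVerifiedEmail: true  },
};

function authorize(claims, route) {
  const rule = POLICY[route];
  if (!rule) return { allow: false, reason: 'unknown-route' }; // default deny
  if (!claims || typeof claims.uid !== 'string') {
    return { allow: false, reason: 'no-token' };
  }
  const provider = claims.firebase && claims.firebase.sign_in_provider;
  if (provider === 'anonymous') {
    return rule.allowAnonymous
      ? { allow: true, reason: 'anonymous-ok' }
      : { allow: false, reason: 'sign-in-required' };
  }
  // Strict comparison: a missing or non-boolean claim counts as unverified.
  if (rule.requireVerifiedEmail && claims.email_verified !== true) {
    return { allow: false, reason: 'email-not-verified' };
  }
  return { allow: true, reason: 'ok' };
}

// Constructed sample claims (not real tokens).
const SAMPLES = {
  anon:       { uid: 'a1', firebase: { sign_in_provider: 'anonymous' } },
  unverified: { uid: 'u1', email: 'new@example.com', email_verified: false,
                firebase: { sign_in_provider: 'password' } },
  verified:   { uid: 'u2', email: 'ok@example.com', email_verified: true,
                firebase: { sign_in_provider: 'password' } },
};

for (const [name, claims] of Object.entries(SAMPLES)) {
  for (const route of ['cart', 'dashboard']) {
    console.log(name, route, authorize(claims, route));
  }
}
```

The `email_verified` claim reflects the state when the token was minted, so after the user clicks the verification link the client has to refresh its ID token before this check passes.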

Can Firebase users created without a password still sign in?

In a scenario where a new Firebase user is created without a password, could the user sign in using just their email address (passing a null/empty string as the password)? Or does Firebase reject all attempts to authenticate with email + password when no password is specified in the user auth object?
The Firebase Admin SDK docs are clear that password is an optional property for createUser(), but the Password Authentication docs don't appear to specify Firebase's behavior when the user was created without a password. It would also be interesting whether an email link authentication (only) strategy can be enforced by leaving and/or setting a user's password as undefined, but this also doesn't appear to be explicitly called out in the docs.
Presumably Firebase rejects the email/password auth attempts, creating a de facto requirement for email link authentication (supported anecdotally), but any suggested links to Google authored docs would be greatly appreciated!
Firebase Authentication users are associated with one or more providers, and many of those providers don't need the user profile to have an associated password. For example: if you sign into Firebase with your Facebook account, the Firebase Authentication profile will not have an associated password. This applies to most providers, as in most cases the password is stored elsewhere (Facebook, Google, LinkedIn, Microsoft, etc), or ephemeral (email-link, phone auth).

What does this firebase documentation mean?

Convert an anonymous account to a permanent account
When an anonymous user signs up to your app, you might want to allow
them to continue their work with their new account—for example, you
might want to make the items the user added to their shopping cart
before they signed up available in their new account's shopping cart.
To do so, complete the following steps:
When the user signs up, complete the sign-in flow for the user's authentication provider up to, but not including, calling one of the
methods. For example, get the user's Google ID token, Facebook access
token, or email address and password.
Get an for the new authentication provider:
Pass the object to the sign-in user's method:
If the call to succeeds, the user's new account can access the anonymous account's Firebase data.
What does this mean as in what code is actually required (specifically to link an email/password to an anonymous account)? Note the above quoted text is quoted accurately.
I've tried this code but it does not work as expected:
    firebase::auth::Auth* Auth = firebase::auth::Auth::GetAuth(App);
    firebase::auth::User* User = Auth->current_user();
    // Link the credential if the current user is anonymous, otherwise create a new account.
    firebase::Future<firebase::auth::User*> Future =
        User->is_anonymous() ?
            User->LinkWithCredential(firebase::auth::EmailAuthProvider::GetCredential(email, password)) :
            Auth->CreateUserWithEmailAndPassword(email, password);

Is it possible for users to choose any email at the time of password reset in Firebase?

I am using Ionic 3 and Firebase for the backend. In my app I am trying to let users sign up with just a username and password. Well, Firebase by default doesn't provide that option. So I am getting the user's input as a username (for example: 'mike123'), then I add @myapp.com so it looks like an email: 'mike123@myapp.com'. That is all fine, but a problem just came up when users want to reset their passwords. Is it possible to let users type in any valid email address at the time they want to reset their password?
You can change the password of the user by https://firebase.google.com/docs/auth/admin/manage-users#update_a_user. Note that this is in the Firebase Admin SDK, so will require that you run code in a trusted environment, such as a server you control or Cloud Functions.
But faking username+password by faking an email address is non-ideal. I'd consider creating a custom auth provider for your needs.
If the email provided when sending the Reset Password request doesn't exist for any user, then it will fail.
In Android, calling sendPasswordResetEmail with a non-existing email, it would return a:
FirebaseAuthInvalidUserException: There is no user record corresponding to this identifier. The user may have been deleted.
You should ask for a valid email from the user and save their preferred username separately upon the user creation.

Lose password after sign in using Google provider

I have an Android app which uses Firebase authentication with email and password. I recently added the Google provider, so now my users can sign in with their Google account. The problem is the following:
There's an existing user example@gmail.com registered on my app. Later the user signs in with his Google account, and Firebase automatically changes the provider of the account from email to Google. The problem is that the user signs out, tries to log in with his email/password, and gets the message:
The password is invalid or the user does not have a password
I understand why this happens, but users (you know they are users) get frustrated because they can't log in with their email/password.
Is there some way to tell Firebase to keep the user's password, or to know when a user logs in with Google and this conversion happens, in order to notify the user?
Note: My app only allows one account per email.
I found there's a method fetchProvidersForEmail. I assume I can build a flow around that method that checks which providers the user has and lets the user choose whether to keep their old password by asking and linking the account, or just continue.
