I want to unverify users that are verified, everytime they sign out in my app. This is to achieve the behaviour I want for my app using firebase SDK. But, somehow, I can't find any solution (If it's really possible) for that. Can anyone enlighten me? Thanks, BTW! :)
There is no API to set the emailVerified property of the current user profile to false in the client-side SDKs for Firebase Authentication.
What you can do though is modify the user profile by using the Admin SDK and set the property to false there.
Since the Admin SDK can only be used in trusted environments, it won't run in the client-side app, and you'll have to do this by making a custom API that your app can call. If you don't have an existing server where you can run this API, consider using a serverless solution like Cloud Functions or Cloud Run.
Related
I'm developing an android app with firebase as a backend and I heard a word named Admin SDK. I had searched for it and found it is used to manage data.
But I have a doubt that firebase provides a console webpage (console.firebase.google.com) to manage data, but why there is a separate Admin SDK?
Can someOne please explain...
The firebase admin SDK provides a simple and easy way to modify firebase settings and data using API calls.
For example, you might ask: why should you even have a regular SDK to store data? After all, you can store and save data directly from the web interface. It is, however, simply not secure or practical to have users update their own data each time using the console.
Similarly, the admin SDK is just like the regular SDK but with administrator permissions. For example, it allows you to bypass the rules set up using your firestore rules. The Firebase admin SDK is meant to be used on your backend - so you know it is running trusted software. You know that it will act the way you expect it to, unlike code running client-side that can't be trusted.
For example, let's say that you want to be able to delete a user's post if certain conditions are met. The user will make the request to your server, and it will check if the conditions are met, and then delete the post using its admin privilages. Sure you could technically automate this using firestorm rules, but those can be quite cumbersome and might not work in more complicated examples.
You can also even use it to integrate with other applications like connecting your app to a moderation tool or a curse detector that can't or shouldn't run on the client's device.
Is your question is why does Admin SDK exists?
There are several administrative tasks such as deleting users, listing collections and many more which the client cannot and should not be able to do.
Firebase Admin SDK has admin access to your Firebase project's resources.
It does not obey any security rules and can read/write any of your database, storage bucket..
That is why you must use Admin SDK in a server (or cloud function only). Although I feel Firebase Admin SDK is more useful if you use your own servers and authentication method. If you are using a custom server then:
It can be used to generate custom token so you can authenticate users using your own method (maybe legacy auth system) but still use Firebase Authentication to handle the auth tokens thereafter.
If you use your own database (and not any from Firebase), the Admin SDK can verify the ID Token sent by client and get identity of that user. Thereafter it's could be a simple if-else statement for you to decide if the user has access to the request resource or not.
I'm working on a React-Native, Expo and Firebase project. I have built my firebase functions as cloud functions. The login, signup and register are built as a cloud function aswell. I'm using Email and Password to authenticate/signup the user.
I have used the method to store the token on the device and log the user in if it exists. However the token expires after 1h and after that my method does not work.
I have tried to use
firebase.auth().setPersistence(firebase.auth.Auth.Persistence.SESSION)
but that does not seem to work with cloud functions and returns error code: The current environmet does not support the specified persistence type.
What kind of workaround for this problem is there? Building a seperate cloud function that only refreshes the token, and in that case how do i achive that? What pros and cons is there for different solutions? Thankfull for feedback and
thoughts.
According to React Native Firebase's documentation, setPersistence method is not supported in React Native, link is mentioned below.
https://rnfirebase.io/docs/v5.x.x/auth/reference/auth#Unsupported-Methods
You can check this answer if this may help you,
https://stackoverflow.com/a/46143694/11758792
I want to develop an Ionic app for android and ios using firebase backend.
Requirement:
1. I want to use anonymous authentication silently so that user does not have to be worry about login.
2. I just want to display list of some items on the home page using Firestore api.
Question/Problem:
1. How does firebase will get to know that only the my app using the firestore get api.
2. If I am storing api credentials/secrets in my android app and if other user somehow knows these credentials, will that person be able to use api on behalf of my credentials and I will not be able to track the usage.
Top Level:
If someone know my firebase api credentials/secrets, will that person be able to utilize my firebase quota in case I am using firebase anonymous authentication.
Thanks in advance.
The settings you use to initialize the Firebase SDK are not "secrets". It's all very much public information that identifies your app from all the other Firebase apps out there. Every Firebase app has a similar set of public data. Once you publish your app, you should assume that everyone is able to see that data.
This means that anyone can use that data. That's why it's important to use Firebase Authentication along with security rules to make sure that people logged in can only make use of whatever resources you specify. That's the only way to lock down the data in your Firebase project. If you are concerned about security, then you should be thinking about your security rules from the very beginning.
Firebase allows users to change their email client side with
firebase.auth().currentUser.updateEmail("example#example.com")
However, I would like to disable this feature entirely - obviously, I offer no way to access it on my app by default, but if an attacker managed to trick the user into install a Chrome extension or otherwise was able to access client credentials, I would always want it to fail if possible.
Is there anywhere on the Firebase auth console where I can change this functionality or a Cloud function that would stop users from changing their email?
At this moment in time, I do not see anything in the console or otherwise to disable this functionality. As it stands, there are only two Cloud Functions available for Firebase Auth events - user creation and deletion, so that would probably not be applicable to this use case either. The only thing I can think of is to just use the Admin SDK and your own API / backend to facilitate custom authentication for this scenario.
I need to allow my app to fetch general information available in the Database but without making the information accessible elsewhere. In other words, allowing only my app to access some data.
As far as I know, Anonymous login is not an option for me because at a later stage I am login using email and password.
Basically, I am looking for an alternative to Firebase Secret, in order to allow my app to access the data, but not make that data publicly available by making it .read": "true".
In Firebase 2.x the way to do this was using Firebase Secret, but do not know how to achieve the same access without officially login in.
There is a similar question here, but it asks whether or not it is possible rather than alternatives.
Although the Secrets are deprecated now, you can find it under Project settings -> Service accounts -> Database Secrets.
Instead of the Secret, you should use the Firebase Admin in your project.