Is it possible admin of app can see the firebase sms verification code As we are developing an application used by farmers mostly in remote places around globe, There is an issue in login using OTP if it is possible that admin can see the OTP(mostly not receiving OTP due to network issues), we will be login at the other end(admin) and make it possible for the users to use the app.
No, Firebase Authentication doesn't let you see the code. You'll have to build a custom solution for it.
Related
I'm developing a mobile app using Firebase and its email authentication feature. I found that there are some unknown sign up with email with 21cn.com domain even though I'm not publishing the app yet. It seems like these email addresses are related to this website(https://mail.21cn.com/w2/).
Is there a way to prevent these unknown signup from outside or how can I improve the project safety?
I was looking around even in my projects and it is not possible to audit who and/or how added the accounts for Firebase Auth (not even in the Activity logs in the GCP Project associated with your Firebase Project)
So, if you don’t know those accounts, I’d suggest deleting them. Also, if the app is not yet published, maybe someone else (if more users are implied in the project) added those accounts directly to Firebase Auth.
Also you may want to change the password of your account.
In general the security of the Firebase Console is up to you.
I developed an app to test the google login feature using flutter and google authentication. The project is a closed project and only I have access to it. But recently I saw that there was a google sign in from an unknown Email ID. How did the user login without the build of my app? Has my account been hacked? What is going on?
Anyone with knowledge of your project's API Keys can access your Firebase Project using simple CURL Commands.
This is why it's a good idea to add restriction to those API Keys
In case you haven't, go to https://console.cloud.google.com and
Select your project
Click the menu icon at the top left (hamburger icon)
Go to API & Services and then credentials
You can view the APIs for your Google Cloud Project (linked to your Firebase Project) and then set restrictions for the API keys, refresh them or restrict access to specific platforms like Android or iOS.
You can also set restrictions on which components of Firebase the API key is allowed to access. For example, if your project doesn't require the use of Cloud Firestore, you can ensure that the API Key cannot be used to make calls to the Firestore Database
All said and done, I would still recommend that you shoot a mail to the Firebase Support team at https://firebase.google.com/support/troubleshooter/contact
To anyone still wondering about this:
If you provide a native google sign in and the registered
email adresses look like this:
karolynmccorkle.91842#gmail.com
normabrock.69306#gmail.com
guillermogeorge.53163#gmail.com
kylegomez.35423#gmail.com
opalbarrett.09499#gmail.com
they are probably test accounts used to generate Google Plays Pre-Launch reports.
You can read about it in the Play Console Help here.
If your app has a sign-in screen and you want the crawler to test the
sign-in process or the content behind it, you need to provide account
credentials.
Note that you do not need to provide credentials if your
app supports "Sign-in with Google,” which enables the crawler to log
in automatically.
I want to implement the Firebase Invite Feature, where a user can send a link which is unique to his/her friends and whenever the other receiver installs the app using this link my application recognize it and act accordingly.
Now I have searched quite a while about Firebase invite and I came to know that you can send the link only via email and android messages. However, I want the user to send via any other social networking app.
What approach should be followed while implementing this?
Firebase Invites is a UI layer to send dynamic links to other users through email. If you want to send the links with another service, you can create them directly using Firebase Dynamic Links.
I thought after firebase version 3.0.0 phone Auth would be integrated. However, I keep getting the error that firebase.auth().verifyPhoneNumber() is not a function (Node.js). I am currently working with react native, which means I am using the web API. Does anyone know how to proceed from here?
"firebase": "^4.8.0",
EDIT: I am implementing facebook, google and email as sign-in methods. My app however, requires that the users verifies his/ her phone number. All I see in the docs is how to signIn via SMS but no verification.
Thanks in advance!
When you signInWithPhoneNumber, you are essentially verifying a user's phone number. You could sign in with Facebook/Google and then linkWithPhoneNumber/updateWithPhoneNumber to the currentUser. This would update the user's phone number and verify ownership too. Phone number authentication has been supported in Firebase since version 4.x.x. BTW, this doesn't work out of the box for react-native. You would need to use a similar approach to this: Ionic2 authentication firebase
I used firebase.auth.signInWithPopup() from this documentation. However, I am getting this warning on the popup window saying that my app isn't verified yet. See image below.
I don't know where to start from here since as far as I can remember, I can't find anything about this on the firebase auth docs. Any advice?
Google now requires apps be verified when you request certain sensitive data:
https://developers.googleblog.com/2017/07/new-security-protections-to-reduce-risk.html
Firebase is not exempt. Why should it be? Any attacker can create a Firebase account with Google provider enabled and try to phish Google users with it.
Verify your app through this link OAuth consent screen