Why are users prompted "Account recovery requires verified contact information" on every login in my Amplify app? - aws-amplify

I created an Amplify backend using the CLI. I used the manual process to set up the authorization (amplify add auth) and everything is working, except that every time a user logs in they are prompted to verify their e-mail by the Amplify SignUp component.
In the Cognito console I can see that their e-mail has been verified, and the process of sending the code and entering it works as expected. But if the user signs out and signs back in, they receive the prompt again?

I found my answer in the thread of this github issue: https://github.com/aws-amplify/amplify-js/issues/2730#issuecomment-468005207
During the configuration, when I chose the read attributes, I did not select the "Email Verified?" attribute. Since it couldn't be read it came back falsy, and so Amplify's SignUp component prompts the user to verify every time.
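The root cause above is that an attribute the app client is not allowed to read is simply absent from the attribute map, and "absent" is falsy just like "false". The following is an added example (not code from the original post or from Amplify) showing how to keep the two cases apart. It assumes `attributes` is the plain object Amplify exposes as `user.attributes` after `Auth.currentAuthenticatedUser()`; the sample maps are constructed.

```javascript
// Added example, not from the original post or from Amplify.
// Assumed input: the `attributes` object Amplify returns for the signed-in
// user. Cognito sends attribute values as strings ("true"/"false"); some SDK
// paths parse them into booleans, so both forms are accepted.

function parseVerifiedFlag(value) {
  if (value === undefined || value === null) return undefined; // not readable
  if (typeof value === 'boolean') return value;
  return String(value).toLowerCase() === 'true';
}

// Returns 'verified', 'unverified' or 'unreadable'.
function emailVerificationState(attributes) {
  const flag = parseVerifiedFlag(attributes && attributes.email_verified);
  if (flag === undefined) return 'unreadable';
  return flag ? 'verified' : 'unverified';
}

// The naive check that produces the prompt on every login: a missing
// attribute is falsy, so it looks exactly like an unverified address.
function naiveNeedsPrompt(attributes) {
  return !(attributes && attributes.email_verified);
}

// Stricter check: prompt only when Cognito explicitly reports "false".
// An unreadable attribute is a configuration defect (the app client lacks
// read permission on email_verified) and should be surfaced as such, not
// pushed onto the user as a verification step.
function needsPrompt(attributes) {
  return emailVerificationState(attributes) === 'unverified';
}

// Constructed sample attribute maps (hypothetical users).
const verifiedUser = { email: 'a@example.com', email_verified: 'true' };
const unverifiedUser = { email: 'b@example.com', email_verified: 'false' };
const noReadPermission = { email: 'c@example.com' }; // email_verified omitted

for (const u of [verifiedUser, unverifiedUser, noReadPermission]) {
  console.log(u.email, emailVerificationState(u),
    'naive prompt:', naiveNeedsPrompt(u), 'strict prompt:', needsPrompt(u));
}
```

With the read permission missing, the naive check prompts and the strict check does not; the strict check also reports `unreadable`, which is the signal to go back to the Cognito app client settings rather than to the user.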

Related

Weird firebase email verification

I am creating a messenger app. In order to register a new user, what I want is to get the email and password from the user, and before creating the account I want to verify the email provided by the user.
But the problem with Firebase email verification is that you have to create the account/user first; only then can you send the email verification link to the user.
Now this can lead to a major problem: suppose some fake user used my email and created an account but failed to verify the email. He still manages to create an account with my email.
So if later I try to register myself in the app, then Firebase is going to show me "Email already used".
To solve this issue I want to delete the account that was created if the user fails to verify his email just after he tried to register himself.
To do this I created an email verification screen which is pushed as soon as a new user registers with his email and password. Here the app will be waiting for the user to verify his/her email by clicking the link sent by Firebase. I have also provided a cancel verification button, so if the user cancels the verification I just delete the account which was already created. I am also handling the case where the user presses the back key without verifying the email, which will also delete the user account.
Main Problem: Now the last thing I need to handle is if the user force quits the app. In order to handle this I tried to delete the account in the dispose method, and I also used WidgetsBindingObserver. But neither of them works for me.
Please help me to solve this!
The idea of email Link verification was created to solve this problem. Instead of creating an account and then verifying the email after, the account is just directly created from your email. So obviously you must have access to the email to create the account. See https://firebase.flutter.dev/docs/auth/usage/#email-link-authentication for details on how to implement this style of link authentication.
A similar discussion of how to handle quitting the app is occurring here How to execute code before app exit flutter . However abrupt quits from an app whether done by the user or the system are hard to handle by nature.
I wouldn't recommend deleting the account when quitting/closing etc. the app, since it is something legitimate users may do before confirming their email (especially if the email is delayed in being sent for whatever reason). This will cause a lot of frustration.
You could set up a Cloud HTTP Task to trigger the deletion of that account after a certain time (e.g. a few hours) of the account not being registered.
If they do register in time, you can cancel the task before it runs.
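The answer above schedules a per-account deletion with a grace period. The block below is an added example (not code from the original post or from Firebase) of the selection rule such a cleanup needs, written as a periodic sweep rather than a per-account task so the decision logic is a pure function that runs offline. It assumes records in the shape of the Admin SDK's `UserRecord` (`uid`, `emailVerified`, `providerData`, `metadata.creationTime`); the sample records are constructed, and the `listUsers`/`deleteUser` calls in the trailing comment are the assumed wiring, not exercised here.

```javascript
// Added example, not from the original post or from Firebase.
// Assumed record shape: Admin SDK UserRecord fields uid, emailVerified,
// providerData[].providerId and metadata.creationTime (RFC 2822/ISO string).

const HOUR_MS = 60 * 60 * 1000;

// A record is a deletion candidate only if all of the following hold:
//  - its email is not verified
//  - it signed up with email/password only (a Google or Facebook sign-in proves
//    mailbox ownership through the provider and must not be touched)
//  - it is older than the grace period, so a user whose verification mail was
//    delayed, or who just closed the app, still gets a chance to come back
function isStaleUnverified(user, nowMs, graceMs) {
  if (user.emailVerified) return false;
  const providers = (user.providerData || []).map((p) => p.providerId);
  const passwordOnly = providers.length > 0 && providers.every((id) => id === 'password');
  if (!passwordOnly) return false;
  const created = Date.parse(user.metadata && user.metadata.creationTime);
  if (Number.isNaN(created)) return false; // never delete on malformed data
  return nowMs - created > graceMs;
}

// Returns the uids to delete; default grace period is 24 hours.
function selectStaleUnverified(users, nowMs, graceMs = 24 * HOUR_MS) {
  return users.filter((u) => isStaleUnverified(u, nowMs, graceMs)).map((u) => u.uid);
}

// Constructed sample records (hypothetical users).
const NOW = Date.parse('2024-01-02T12:00:00Z');
const sampleUsers = [
  { uid: 'u1', emailVerified: false, providerData: [{ providerId: 'password' }],
    metadata: { creationTime: '2024-01-01T09:00:00Z' } }, // 27 h old, unverified
  { uid: 'u2', emailVerified: false, providerData: [{ providerId: 'password' }],
    metadata: { creationTime: '2024-01-02T11:30:00Z' } }, // 30 min old, still in grace
  { uid: 'u3', emailVerified: true, providerData: [{ providerId: 'password' }],
    metadata: { creationTime: '2023-12-01T00:00:00Z' } }, // verified
  { uid: 'u4', emailVerified: false, providerData: [{ providerId: 'google.com' }],
    metadata: { creationTime: '2023-12-01T00:00:00Z' } }, // social sign-in
];

console.log('would delete:', selectStaleUnverified(sampleUsers, NOW)); // ['u1']

// Assumed wiring inside a scheduled Cloud Function (not run here):
// exports.cleanup = functions.pubsub.schedule('every 60 minutes').onRun(async () => {
//   const { users } = await admin.auth().listUsers(1000);
//   for (const uid of selectStaleUnverified(users, Date.now())) {
//     await admin.auth().deleteUser(uid);
//   }
// });
```

The provider check is the part worth keeping whichever scheduling mechanism you use: an unverified flag on a federated account does not mean the mailbox is unowned, and deleting it would lock a legitimate user out.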

Why is it possible to send a password reset email to external provider with Firebase AUth Api?

I am currently developing an Angular+Ionic app. Everything is working OK, but I have a question about the forgot password workflow: sendPasswordResetEmail -> user clicks link -> user fills form -> user submits form -> password and oobCode sent with the Firebase Auth API, which I am accessing through the AngularFire package.
As I said, everything is working as intended. The only "issue" I see is that Firebase not only sends the password reset email to users that created their account with an email/password but also to users that are using an external provider like Google (sign in with Google). I haven't tested login with Facebook at this point, but it is happening with the Google provider. I just want to make sure whether this is the intended workflow or something may be wrong... a bug or something? before I post an issue on GitHub, because even though the user can "change their password" when using an external provider, it has no effect on their external account (Gmail account), which of course should have no effect.
Sending a password reset email from Firebase allows the user to reset the password on their Firebase Authentication account. It has nothing to do with the password they may have with any social provider associated with that account.

Firebase Auth – State Update on emailVerified

I have ignored the email/password sign up process and the necessary email verification for a long time and only used the very basic functionality to get started and build on top of that. But now I have reached the point where I cannot avoid using a more production-grade email/password sign up process. Currently I am using these Firebase services: Authentication (email/password only), Firestore and Cloud Functions with a react-native application.
When a user has signed up successfully (signed in but without a verified email!) the react native application won't offer functionality until the user has verified his/her email. Right after the sign up the client will send an email with a verification link (through the default Firebase server); the user can verify his/her email by clicking the link.
The issue: How to react suitably to a change of emailVerified, or to any other event which fires if the email got verified?
I have now searched the whole day for a working solution. These are my approaches:
Use your own website to which all verification links are linked (tried this but did not work at my first attempt)
use actionCodeSettings in the email verification link to redirect the user and let the client reload its components
Use Cloud Messaging and inform the client about changes to the email verification status
call a Cloud Function (from an external server) which updates a tmp document in Firestore to which the client subscribed
reload()/loop
I am thankful for all comments, helpful links etc.!
There is a method in the Firebase SDK: isEmailVerified() which tells if the user has verified the email or not.
For react native, I found straightforward documentation: Email Verified. On the launch of the app, you can check if the user has verified the email or not and then make changes accordingly!
Happy Coding!
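The answer above checks the verified flag at launch; the question also lists "reload()/loop" as an option. The block below is an added example (not code from the original post or from Firebase) that does both: a gate function for launch, and a bounded poll that calls `user.reload()` until `emailVerified` flips. It assumes the Firebase web SDK's `User` object, which exposes `reload()` and `emailVerified`; a constructed fake user stands in for it so the code runs offline, and the `sleep` parameter exists only so the delay can be swapped out.

```javascript
// Added example, not from the original post or from Firebase.
// Assumed: a Firebase web SDK User object (reload(), emailVerified). A fake
// user is constructed below so the block runs without Firebase.

// Decide at app launch what to show. 'verify-required' means: signed in, but
// nothing beyond the verification screen should be reachable.
function emailGate(user) {
  if (!user) return 'signed-out';
  return user.emailVerified ? 'open' : 'verify-required';
}

function defaultSleep(ms) {
  return new Promise((resolve) => setTimeout(resolve, ms));
}

// Re-fetch the user record every `intervalMs` until emailVerified is true or
// `maxAttempts` is exhausted. Bounded so a backgrounded screen cannot poll
// forever; the caller can offer a "resend link" or "check again" button after
// it resolves false. The local emailVerified property is stale until reload().
async function waitForEmailVerified(user, { intervalMs = 3000, maxAttempts = 20, sleep = defaultSleep } = {}) {
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    await user.reload();
    if (user.emailVerified) return true;
    await sleep(intervalMs);
  }
  return false;
}

// Constructed fake user: the server-side flag flips after `flipAfter` reloads,
// mimicking the user clicking the link while the app is waiting.
function makeFakeUser(flipAfter) {
  let reloads = 0;
  return {
    emailVerified: false,
    async reload() {
      reloads += 1;
      if (reloads >= flipAfter) this.emailVerified = true;
    },
    get reloadCount() { return reloads; },
  };
}

// Stand-alone demo.
(async () => {
  const u = makeFakeUser(3);
  console.log('at launch:', emailGate(u));
  const ok = await waitForEmailVerified(u, { intervalMs: 10 });
  console.log('after polling:', ok, 'reloads:', u.reloadCount, 'gate:', emailGate(u));
})();
```

Because `emailVerified` is a cached field on the client object, checking it without `reload()` after the user clicked the link returns the old value; that is why each iteration reloads before testing the flag.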

Firebase Auth - After updating the user's email, Firebase Auth logs out the user

I am using Firebase Auth in my app. I update the email like follows:
firebaseAuth.currentUser?.updateEmail(email)
The email is updating 100% (I do a re-auth when necessary as well). My problem is that after the e-mail has changed, the user is logged out of his account and has to log in again.
When I call
val user = firebaseAuth.currentUser
after updating the email the user is null and my app wants you to login again with the new email address.
Is this the correct behaviour? It makes for a really bad user experience having to login again after changing the account email.
I think Firebase is doing this on purpose for security reasons. You could work around this by calling the Firebase login function automatically after changing the user's email.
However, I don't think that this is normal behaviour if you're using the most recent version of Firebase. They explicitly state in their documentation that you need to re-authenticate the user to perform any profile change (if he hasn't signed in recently).
Some security-sensitive actions—such as deleting an account, setting a primary email address, and changing a password—require that the user has recently signed in. If you perform one of these actions, and the user signed in too long ago, the action fails with the FIRAuthErrorCodeCredentialTooOld error.
On my side, this effect only occurs on other devices on which the user has signed in, not on the device on which the edit action was performed.

How to update new API key on current firebase project

For some reason, the API key associated with my Firebase project's database changed. I can still create another API key and update it in the application.
But when users try to reset their password, the link uses the old key and leads to "Your request to reset your password has expired or the link has already been used" (I think I read about this problem somewhere and now I have found the reason).
Is there any way to update the API key for an existing Firebase project?
Thank you
Somehow, my original apiKey was recovered. You can find the original key (which was deleted from console.google.com) associated with the application on the main Firebase page, through
Overview > Project settings > GENERAL
Basically, when users request to recover their password, Firebase sends an email with a recovery link. If you have a look at the link, you will see the API key included in the link is the one that no longer exists.
I recommend you contact Firebase support. I don't have an official way to solve the issue, but here is a quick one I can think of, as follows:
Create a new API key at console.google.com > choose your Firebase project
Create a page with a function that can read URL parameters. Make it receive the Firebase recovery password URL, replace the dead API key with the new one, then redirect you to the new Firebase recovery password URL
Edit the email template by adding the page you created in step 2, with the full Firebase recovery URL as a parameter
To be more accurate, here is an example.
I have my project called "MyFirebaseProj", my domain is "example.com"
I go to console.google.com, choose "MyFirebaseProj", and on the API Manager panel choose Credentials > Credentials. Click on Create credentials > API Key. So I got a new API key called "MyNewLongAPI".
I created a recover-password.html page with this JavaScript function https://codepen.io/hieunc229/pen/mWwVbv (this one will read the Firebase URL, get the oobCode and generate a new URL). Edit the JavaScript so it will redirect the user to the new URL. Upload this one to my host (mydomain.org/recover-password.html)
On Firebase console, Authentication > Email Template > Reset Password. Change the link to something like
<a href='http://example.com/recover-password.html?url=%LINK%'>%LINK%</a>
Then save it
Now when users go to your recover password page, they will be redirected to the Firebase URL with the new API key and it should work
Hope it helps!
If anyone runs into the same issue: I got in touch with the Firebase team and they are investigating it. Currently there isn't a way to fix it.
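The workaround above (a page that takes the Firebase reset link as a `url` parameter, swaps the API key and redirects) needs two things the post does not spell out: the inner link must be parsed without losing its own `&`-separated parameters, and the page must not redirect to arbitrary URLs, or recover-password.html becomes an open redirect. The block below is an added example (not the post's CodePen and not Firebase code) that does both. The host name, key values and the sample link are placeholders I constructed; the `/__/auth/action` path and the `mode`/`oobCode`/`apiKey` parameters are the shape of Firebase's default action link.

```javascript
// Added example, not from the original post or from Firebase.
// Placeholders: the expected host and the new key; real values come from the
// project's own Firebase console.
const EXPECTED_HOST = 'myfirebaseproj.firebaseapp.com'; // <project>.firebaseapp.com
const NEW_API_KEY = 'MyNewLongAPI';                      // placeholder key name from the post

// Rewrite a Firebase password-reset link so it carries the new API key.
// Returns the new URL as a string, or null when the input must not be used:
// the host, scheme and path are pinned so the page can only ever redirect to
// this project's own action handler, and only for a resetPassword action.
function rewriteResetLink(rawLink, newApiKey = NEW_API_KEY, expectedHost = EXPECTED_HOST) {
  let link;
  try {
    link = new URL(rawLink);
  } catch (e) {
    return null; // not a URL at all
  }
  if (link.protocol !== 'https:' || link.hostname !== expectedHost) return null;
  if (link.pathname !== '/__/auth/action') return null;
  const mode = link.searchParams.get('mode');
  const oobCode = link.searchParams.get('oobCode');
  if (mode !== 'resetPassword' || !oobCode) return null;
  link.searchParams.set('apiKey', newApiKey); // oobCode, lang, continueUrl are kept as-is
  return link.toString();
}

// Pull the inner link out of this page's own location. The template inserts
// %LINK% unencoded, so URLSearchParams would cut the inner link at its first
// '&' and drop oobCode; take the raw remainder after '?url=' instead.
function extractInnerLink(locationHref) {
  const marker = '?url=';
  const i = locationHref.indexOf(marker);
  return i < 0 ? null : locationHref.slice(i + marker.length);
}

// Browser entry point (not exercised offline): compute the target and redirect.
function redirectFromPageLocation(locationHref) {
  const inner = extractInnerLink(locationHref);
  const target = inner && rewriteResetLink(inner);
  if (target && typeof window !== 'undefined') window.location.replace(target);
  return target; // null means: show an error instead of redirecting
}

// Constructed sample in the shape of the default Firebase reset link.
const SAMPLE_LINK = 'https://myfirebaseproj.firebaseapp.com/__/auth/action'
  + '?mode=resetPassword&oobCode=CODE123&apiKey=OldKey&lang=en';
const SAMPLE_PAGE_URL = 'https://example.com/recover-password.html?url=' + SAMPLE_LINK;

console.log(rewriteResetLink(SAMPLE_LINK));
console.log(redirectFromPageLocation(SAMPLE_PAGE_URL));
```

Pinning the host and path is what keeps the `?url=` parameter from being abused: a link to any other site, or to the same host with a different action, yields `null` and no redirect happens.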
