A year ago we have deployed an app (created with flutter) in the appstore, it has been downloaded and used frequently. The app simply enhanced the views of the website.
So far, we have been using the basic firebase authentication to store the users email and password :
try {
await firebaseAuth.createUserWithEmailAndPassword(
email: email, password: password);
} on FirebaseAuthException catch (signUpError) {
if (signUpError.code == 'email-already-in-use') {
try {
await firebaseAuth.signInWithEmailAndPassword(
email: email, password: password);
return null;
} on FirebaseAuthException catch (loginError) {
if (loginError.code == 'error-wrong-password')
throw PasswordChangedException();
throw LoginException(errorCode: loginError.code);
}
}
With those email and password, we signed the user in on mentionned website and displayed the data.
(The problem often occured was, that if the user changes the password on the website, our app would not work anymore, because the pw would not match our firebase auth pw.)
However we are now in contact with the website and would now have access to the API via OIDC authentication.
The question is now how we merge firebase authentication and the authentication of the website via OIDC?
In my view, firebase authentication (email/pw), or just the access of firestore, should be dependent on the authentication via OIDC, that if I change the password (via website), the firebase authentication would still work. How can one implement that behaviour?
Related
For a Flutter- Firebase Mobile App , is it possible to have additional checks done (while using Email/Password Auth) like appending the phone's Device ID and have it checked with the Firestore Database to ensure the Email-Device uniqueness (to prevent running same app on multiple devices with same email/password) on Signin.
Current Signin Method (https://firebase.flutter.dev/docs/auth/usage/) only accepts Email+Password and couldn't find a way to append additional user info for authentication.
signInWithEmailAndPassword() method:
try {
UserCredential userCredential = await FirebaseAuth.instance.signInWithEmailAndPassword(
email: "barry.allen#example.com",
password: "SuperSecretPassword!"
);
} on FirebaseAuthException catch (e) {
if (e.code == 'user-not-found') {
print('No user found for that email.');
} else if (e.code == 'wrong-password') {
print('Wrong password provided for that user.');
}
}
Email password authentications requires email and password only for authenticating users. If you need to store any additional data then you would have to store them in either Custom Claims or any database. You can read this information as necessary. However, users can still reverse engineer the application and sign in without that additional check since Firebase requires E-Mail and Password only and it'll still work even without your additional auth extension.
Whenever a user logs in, you can check if any session for that user account exists in database and then perform relevant actions depending on if a session exists or no.
We have an App that uses firebase auth. Now we would like to send the user from the app to our website in order for him to perform some actions.
Is it somehow possible to automatically login the user when he comes from the App? He has already provided his login credentials and we have the auth object from firebase. Can we pass a token or somthing to our website and have the firebase SDK on the site log him automatically?
The common way to do this right now is as follows:
After the user signs in in one website, get the ID token via currentUser.getIdToken()
Post the ID token to your backend to serve the destination website.
On your backend, using Admin SDK, get the ID token, verify it, check the auth_time to make sure it is a recent login to minimize any window of attack. If everything checks out, mint a custom token via admin sdk createCustomToken.
Return the custom token to the website.
On the client side, sign in with custom token: signInWithCustomToken and the same user is now signed in on the website.
I was able to do this a bit easier, without having my own backend server to create a custom token, as long as you are using Google auth. It might work for other providers but here's how I did it with Google auth on Android:
Android:
activity.startActivityForResult(
googleSignInClient.signInIntent,
object : ActivityWithResultListener.OnActivityResultListener {
override fun onActivityResult(resultCode: Int, data: Intent?) {
if (data != null) {
val credential = GoogleAuthProvider.getCredential(account.idToken!!, null)
idToken = account.idToken!!
// Then pass the token to your webview via a JS interface
}
)
Web:
const idTokenFromApp = AndroidBridge.getAuthToken(); // This is the idToken from the Android code above
if (idTokenFromApp) {
// from https://firebase.google.com/docs/auth/web/google-signin
// Build Firebase credential with the Google ID token.
// https://firebase.google.com/docs/reference/js/v8/firebase.auth.GoogleAuthProvider#static-credential
const credential = firebase.auth.GoogleAuthProvider.credential(idTokenFromApp);
// Sign in with credential from the Google user.
firebase.auth.signInWithCredential(credential).catch((error) => {
// Handle Errors here.
const errorCode = error.code;
const errorMessage = error.message;
logError(`Error logging in: ${errorCode} ${errorMessage} token: ${idTokenFromApp}`, error);
});
}
I want my users can login using many different provider but they will get same result if they use only one email address. For example, in stackoverflow I can login by Facebook, Google ... but I still can keep my profile as well as my posts ...
In Firebase Web, for example if my user created an account with email/password provider, his email="ex#gmail.com" password="123456". This account has uid="account1" and I use this uid as a key to store additional information about him in Firebase Database.
Once day, he choose login by Google provider and Facebook provider (still ex#gmail.com), I test with 2 cases in auth setting:
"Prevent creation of multiple accounts with the same email address": new Google login will override old "account1" and I can not create new Facebook account with "ex#gmail.com" due to error: "An account already exists with the same email address". Which both I don't want to happend
"Allow creation of multiple accounts with the same email address": with this option I can create many account with same email address but they have diffrent uid and I don't know how to link these uid to "account1"? I also can't get email (email = null) after login by Google and Facebook.
So can firebase help me do the thing that I love in many App (login by many different ways but same result)?
This is supported by Firebase Auth through the "Prevent creation of multiple accounts with the same email address" setting. However, Google is a special case as it is a verified provider and will overwrite unverified accounts with the same email. For example, if an email/password account is created and not verified and then a user signs in with Google with the same email, the old password is overridden and unlinked but the same user (same uid) is returned.
For other cases, this is how it is handled.
Let's say you sign in with Email/Password using an email/password with account user#example.com. A user then tries to sign in with a Facebook provider using the same email. The Auth backend will throw an error and linking will be required. After that is done, a user can sign in with either accounts.
Here is an example:
var existingEmail = null;
var pendingCred = null;
var facebookProvider = new firebase.auth.FacebookAuthProvider();
firebase.auth().signInWithPopup(facebookProvider)
.then(function(result) {
// Successful sign-in.
});
.catch(function(error) {
// Account exists with different credential. To recover both accounts
// have to be linked but the user must prove ownership of the original
// account.
if (error.code == 'auth/account-exists-with-different-credential') {
existingEmail = error.email;
pendingCred = error.credential;
// Lookup existing account’s provider ID.
return firebase.auth().fetchProvidersForEmail(error.email)
.then(function(providers) {
if (providers.indexOf(firebase.auth.EmailAuthProvider.PROVIDER_ID) != -1) {
// Password account already exists with the same email.
// Ask user to provide password associated with that account.
var password = window.prompt('Please provide the password for ' + existingEmail);
return firebase.auth().signInWithEmailAndPassword(existingEmail, password);
} else if (providers.indexOf(firebase.auth.GoogleAuthProvider.PROVIDER_ID) != -1) {
var googProvider = new firebase.auth.GoogleAuthProvider();
// Sign in user to Google with same account.
provider.setCustomParameters({'login_hint': existingEmail});
return firebase.auth().signInWithPopup(googProvider).then(function(result) {
return result.user;
});
} else {
...
}
})
.then(function(user) {
// Existing email/password or Google user signed in.
// Link Facebook OAuth credential to existing account.
return user.linkWithCredential(pendingCred);
});
}
throw error;
});
The above code by #bojeil is correct Except it misses out one line.
var existingEmail = null;
var pendingCred = null;
**var facebookprovider = new firebase.auth.FacebookAuthProvider();**
firebase.auth().signInWithPopup(facebookProvider)
you have to initialize facebookprovider before passing it as an argument.
I am currently working with ionic2 and firebase technology. How can I verify if the gmail account with which the user is signing in to my app really exist.
You can send your users a verification email and have them verify their email address.
var user = firebase.auth().currentUser;
user.sendEmailVerification().then(function() {
// Email sent.
}, function(error) {
// An error happened.
});
https://firebase.google.com/docs/auth/web/manage-users#send_a_user_a_verification_email
I am authenticating using email/password like so:
firebase.auth().createUserWithEmailAndPassword(email, password).catch(function(error) {
// Handle Errors here.
});
And listening to auth here:
firebase.auth().onAuthStateChanged(function(user) {
if (user) {
// User is signed in.
console.log(user);
} else {
// No user is signed in.
console.log("Not signed in");
}
});
Which works fine. On examining the user object that auth returns, the uid is a random string, is there a way to set this uid when I create the account? For example, uid="someUserName"?
Thanks
Firebase Authentication is not like a database where you can add properties and such. It handles UID's and such for you. What you can do, is in your Firebase Database add a users directory and store additional info there (such as a username) with the UID as the key.
Here's an example:
If you're going to use this often, it's probably a good idea to go into your database rules and add an index on this username: