so I wanted to keep a user logged in after they reload the app. I did that by using
Async Storage, What I did was if a user's id is present in the Async Storage, I would consider them logged in. The drawback was I couldn't use the Firebase auth because it wont consider the user logged in. I know that it's a bad idea to store passwords in Async Storage so i stored the uid. Is there any way I could log in they user with just their uid so if i use firebase.currentUser it won't show null.
I am using firebase v9 and react native
I think you are using the web version of firebase. You have to consider using the react-native-firebase library which handles this behavior automatically for free.
And the answer to your question. No, you can't log the user in using his uid.
Related
I use Flutter and Firebase, just ask myself how to allow users to add items to cart when they're not logged in yet and keep the cart when they logging in, anyone have an idea for this ?
On Firebase you'd typically start the user off with an anonymous authentication account. With that sort of account, Firebase generates a user ID (UID) for the user, without them having to enter any credentials. You then associate the cart/items with the UID, and then when you/they are ready to identify themselves, you can sign them in with another provider, and link that to the anonymous account.
I've provided links to the documentation for Android developers above, but the same functionality is available in the FlutterFire libraries too. For example, anonymous sign-in on Flutter is as simple as:
UserCredential userCredential = await FirebaseAuth.instance.signInAnonymously();
you can store this data in a separate database SQL lite as an example
In my Flutter management application, I would like to disconnect a user other than the one I am logged in with.
I use Firebase as my database, and use email and a password to log in. I don't use a token
I know that in order to disconnect the user I am currently logged in with, it has to be done like this:
FirebaseAuth.instance.signOut();
I can't figure out how to disconnect another user.
In the Firebase client-side SDKs, you can only sign out the currently signed in user. There is no way to sign out a user on another device.
If you want to add user management functionality to your client-side application, you'll want to use a combination of the client-side SDK and a server-side Admin SDK to build this functionality:
Use the Admin SDK in a trusted environment (such as a server you control, or Cloud Functions) to implement the user management functionality.
Create an endpoint that clients can call that exposes this functionality, for example as a callable Cloud Function.
In that endpoint be sure to check whether the user is authorized, for example by checking their ID token to see if it has a certain UID or custom claim.
Call the custom endpoint from your client-side code.
While preparing my web app for production I am noticing that Firebase saves a lot of users's data once they sign up/register to my app and these data is save on localStorage.
What is my concern is auto generated uid, I don't want users to be able to know their own uid and I don't want that piece of data to be saved on localStorage.
So I have two questions, should I concern about this ? since I do not have so much experience with authentication in general and I am afraid someone could do something...
Is there any way to remove the localStorage and firebase auth to work correctly ?
Cheers
Do not rely on uid to identify an authenticated user. You should only use the ID token JWT for current user, by calling currentUser.getIdToken() and if you are using your own backend server, verify the ID token using the Firebase Admin SDKs by calling verifyIdToken. Learn more about ID tokens: https://firebase.google.com/docs/auth/admin/verify-id-tokens
No , Because firebase auth is part of authentication with server database. if your trying to do like this then your application will not be able to signup or login.
I have an Ionic application using Firebase so I opted to use Angularfire. Currently running Angularfire4. In my application I store the uid and I want to get email related with that uid. I use the email/password login provided by firebase. How can I translate the uid to an email?
The only method found is when using nodejs.
The only data that is exposed in the client-side Authentication SDKs is the profile of the currently authenticated user.
There is no way to look up user data for a UID with the Firebase Authentication client-side SDKs. While admittedly convenient, it would make leaking user-data way too easy.
The only way to look up user data by UID is using the Admin SDK that you found. The idea is that you run those in a trusted environment (e.g. a server you control, or Cloud Functions) and selectively expose the user data that your app needs.
I am using Firebase Web for a SaaS solution. My purpose is to have access to users' email at any time, either for sending notifications or triggering alerts from the backend.
For security reasons, Firebase auth does not allow to list users' email or to fetch emails based on user IDs. As a consequence, I keep a copy of the email into a specific collection in the Firebase database when a user account is created. The copy is made by a Cloud function that is triggered on user creation (following guidelines: https://firebase.google.com/docs/auth/extend-with-functions).
Thanks to the copy available in the Firebase database, I can access users' email. However, my issue is when a user changes his email.
Firebase auth provides the updateEmail function that returns a promise. I use this last to update the email in Firebase auth. Then, when the promise resolves I update the user email in the Firebase database. However, this has a major drawback: all the logic is performed on the client side and since both operations are not performed in a transaction if the client refreshes or closes his browser (or assume it crashes), then it is possible that Firebase auth is updated but not the Firebase database, thus leading to an inconsistent state.
I looked at the documentation, expecting the possibility to trigger a Cloud function when user auth information is updated. Unfortunately, I cannot find such a feature.
Another solution I thought about is to update the database from the Web client. Then, this last triggers a Cloud function that updates Firebase auth with the admin SDK. This last solution works but bypasses the check performed by updateEmail that ensures the new email is not used by another account. Also, the account hijacking protection performed by updateEmail is evicted, which is really bad from a security point of view.
Any idea to solve this problem properly is welcome.
Here are a couple of options:
When calling updateEmail, update the email in your database first before calling updateEmail. THowever, if an error occurs, you need to catch it and undo that change in your db.
When a user wants to updateEmail, send their id token and new email to your server or firebase function http endpoint. There you verify the ID token with the admin SDK, then use the client SDK require('firebase'), using the uid from the ID token, admin.auth().createCustomToken(uid), then using client SDK, firebase.auth().signInWithCustomToken(customToken). You can then call user.updateEmail(newEmail) on the backend and save the email.
Always save the uid only and just use Admin SDK admin.auth().getUser(uid) to look up the user and get their email. This guarantees you get the user's latest email as you will not be able to catch the email revocation if the user chooses to do so.
No need to save anything. Use the CLI SDK to download all your users and their emails. Check https://firebase.google.com/docs/cli/auth#authexport
This is also better as you will always be able to get the latest email per user even if they revoke the email change.