Firebase resetting password without verifying the account - firebase

Is there a way for a user to reset his firebase password without actually verifying the account when resetting the password?
Initially when an account is created the "verified" in the userinfo is set to false, once the account is created we receive an email with the verify account url.
However, when the user "forgets his password", the password reset mail is send to the user and when he actually resets the password, the firebase userinfo "verified" is set to true.

E-Mail verification just confirms that the email belongs to that person by generally sending a link or so. Now if a user can access the link to reset password then they definitely own that email (unless someone else has access to their device).
If that's a strict requirement to not set emailVerified to true on verifying email then you'll have to implement your own logic using Firebase Admin SDK which would run on a Cloud function or custom server.

Related

What is the best practice for firebase resending sendEmailVerification()?

My auth flow:
Firebase sendEmailVerification() needs an already authenticated user to work as the first arg.
My auth flow at the moment works like this.
Signing up the user with email and password signUpWithEmailAndPassword()
Now the firebase auth object contains the currentUser
Sending a verification mail to the just signed up user sendEmailVerification()
Logging him out and redirecting him to /email-verification where he can send the verification mail again.
Problem:
Now the problem. When the user now wants to request to send the email verification again I have three options for what I know.
Store email and password in state before logging him out -> and then logging him in again on sendAgain and logging him out afterward. Would that be a security concern?
Let him logged in the whole time. Which doesn't feel too good as he wouldn't be able to log himself out again as he officially isn't signed in till he verifies his email.
Force him to input his email and password again every time he wants to send the verification mail again, which feels redundant and old school.
If you require that the user verifies their email address in order to sign in, consider using the email link provider of Firebase Authentication.
Let him logged in the whole time. Which doesn't feel too good as he wouldn't be able to log himself out again as he officially isn't signed in till he verifies his email.
This logic may apply to your application, but it is simply not how the email+password provider in Firebase Authentication works. When the user enters the correct credentials, they are signed in to Firebase Authentication. If your app requires them to have verified their email address before they can use it, that's the exact check I'd recommend implementing.
So if you want to continue using the email+password provider, reframe the statement to:
In order to use the app, the user needs to sign in with their credentials and verify their email address.
You can then implement that in these two steps:
Ask them to sign in if they're not signed in already.
Then if the account doesn't have a verified email address, ask them to find the email and click the link - and give them to option to send another verification email.

Firebase authentication without email

Currently, I am trying to develop a web portal where I want to allow specific users to enter in the site. This means I want to use specific username and password to enter my side without using any email address. How it is possible? I see that for custom login I have to use an authentication server and it is allowed in the Functions tab in Firebase. But I have to purchase it. Is there any workaround available to create my custom login without an email.?
Firebase Authentication has no username-password authentication. The best you can do is whenever user enters the user name you can append #yourapp-com to make the format like an email and use it with the password.
Use the same method when user tries to login, when they enter their username, append with that domain and use signInWithEmailAndPassword method. So technically you are using email and password (but the email cannot receive emails) but your users enter username and password only.
That was the easy work around but you can also store usernames and passwords in database. However make sure you properly hash the password in the database. You can use cloud functions to authenticate user. The auth flow would be like:
User enters username and password
A cloud function is triggered which then verifies the username and password
If the password matches, use the Admin SDK to generate a Custom Token and send it back to client
Use the signInWithCustomToken method and log the user in with that token.

Firebase recover password transforms account type

we are building an angular 5 app with Firebase.
We allow users to login with email+password or google account and we don't allow to have multiple accounts related to the same email address.
We built a form to allow users to ask for a Password Reset Email if they forgot their email password credentials and works perfectly if the user has an email+password account.
The problem arises when the reset email is asked for a google account. We'd expect for firebase to throw an error, not allowing to send the email, but the email is sent and if the user proceeds resetting the email the account is transformed from google type to an email+password.
Is there a way to prevent this behaviour ?
There is no way to prevent this. When a user resets their password, they are making a conscious decision to do so. Firebase is providing a way to recover an email account, in case it was hijacked. In the process all providers are unlinked and a password is set on the account.
You have a way to check if the email is associated with google provider or not. Checkout the fetchSignInMethodsForEmail and fetchProvidersForEmail APIs. These APIs would return the array of sign in methods or providers associated with an email.

is it possible for users to choose any email at the time of password reset in frebase?

I am using ionic 3 and firebase for the backend.In my app I am trying to let users sign up with just username and password. Well firebase by default doesn't provide that option. So I am getting user's input as username (for example: 'mike123') then i add #myapp.com. so it looks like an email: 'mike123#myapp.com'. That is all fine, but a problem just came up when user's want to reset their passwords. Is it possible to let users type in any valid email address at the time they want to reset their password?.
You can change the password of the user by https://firebase.google.com/docs/auth/admin/manage-users#update_a_user. Note that this is in the Firebase Admin SDK, so will require that you run code in a trusted environment, such as a server you control or Cloud Functions.
But faking username+password by faking an email address is non-ideal. I'd consider creating a custom auth provider for your needs.
If the email provided when sending the Reset Password request doesn't exist for any user, then it will fail.
In Android, calling sendPasswordResetEmail with a non-existing email, it would return a:
FirebaseAuthInvalidUserException: There is no user record corresponding to this identifier. The user may have been deleted.
You should ask for a valid email from the user and save their preferred username separately upon the user creation.

Forms Authentication - How to verify username and pwd of inactive user?

I'm using forms authentication for an app that allows users to register but not active. We will send out an activation code via snail mail (long story) and the user can return with that info and activate their account.
I want to create a page where the user can come back and enter their username, password and generated key to activate the account. The key I have stored in another table and I plan to generate it. I'm having trouble verifying the username and password with an inactive account. I've tried Membership.ValidateUser(username,password) and it fails but if I activate the account, it works.
Ideas on how to check this?
Activate the account first.
If you are sending them the activation code in an email, have a anonymous access page which receives the activation code from the email (perhaps via querystring), activates the account, and redirects them to a login page with forms authentication activated (assuming the username and password are already created).
If the access code is invalid and fails, you can optionally deactivate the account.
I would not set IsActive = false. That is for disabling an account, preventing any type of login. Instead, I do not see a problem leaving them with the ability to login. I would use a Membership Role to specify when a user is verified. I.e. "Verified".
If they have not activated their account and attempt to login, you simply check to see if they have the Verified role. If not, redirect them to a page of "You account is not yet activated. Please wait for snail mail". Or a "Please enter your verification code below." message.
When they do finally enter the proper verification code from snail mail, you simply add them to the Verified role.
This gives you the control of allowing them to login and "check" the status of their account. And, resolves your IsActive issue.

Resources