Note: I'm on the Blaze Plan
I have a Firebase Auth user who just set up a paid account, and they're receiving a RESET_PASSWORD_EXCEED_LIMIT, yet my other paid accounts aren't. How do I reset this user's password? I'm not sure what the individual reset limit is; I couldn't find it in the docs.
I have 110 users, which I've gained over 48 hours.
Failed Solution: I re-created the account, but even though the new account was able to generate password reset emails, the link in them didn't actually work, leading me to believe it's a bug. The user had to create a new account with a new email.
From Firebase Support
An OOB link is the link generated for the reset password email; it contains an oobcode, which is a one-time code used to identify and verify a request. Saying this, each user is permitted to use a certain amount of links, then if he exceeds the internal quota, the error message “RESET_PASSWORD_EXCEED_LIMIT” will appear.
To reset the quota, you just need to click the link and reset the password. This workaround is not good for a real user, but if you are testing it can help you to reset the quota. The real workaround for a real user would be to wait for a period of time until the OOB links naturally expire.
To avoid hitting this quota, I recommend that you add a validation in your UI of the number of retries that the user can request a password-reset email. For example, setting a restriction of four requests maximum in ten minutes would avoid triggering our alerting system. This is not the exact quota, but I am giving you a good limit that you can set in your application.
Related
I use Scrypted to allow viewing Nest cameras in HomeKit. When I go through the process of giving Scrypted permission to access my camera information, that token seems to expire after a week (approximately). I haven't seen any setting anywhere that allows me to change this. Is there some hidden option somewhere that can allow this permission to not expire?
I finally found the expiration page, but I don't see how to remove the 7-day limit. It offers to raise the daily token limit, but not to remove expiration.
Per https://developers.google.com/identity/protocols/oauth2#expiration, this is because your OAuth client ID is unverified. You'll need to go through the OAuth client verification process to get longer-lived tokens.
I'm using Firebase Authentication, specifically the FirebaseUI library. Users can also sign in via Email, Google, Facebook, or Twitter.
Firebase Authentication does not support adding custom fields such as wallet balance, profile settings, etc. (this strikes me as being a very unfortunate thing), so I decided to create a table for users in MySQL, and it contains default fields that Firebase already supports plus custom fields.
Now let's suppose the user is trying to sign in. If the user signed in successfully, then I will create a second connection with the server to check whether the user does not exist yet, and after that add the user to the table.
Sometimes the second connection will fail for some reason. In this situation, I want to sign out directly and never let the user continue to use the app as a logged-in user.
The Questions
Are there factors that can lead to a failing sign-out? If yes, please tell me what the factors are so I can handle them.
Can the user sign out even if the network is not available?
What is the estimated time it may take to sign out? Milliseconds or seconds?
Can the user sign out even if the network is not available?
What is the estimated time it may take to sign out? Milliseconds or seconds?
When you sign the user out from Firebase, all it does is remove the tokens that it keeps for that user. This means that the signing out is both instantaneous, and can be done when there is no network connection.
We are using Google's Calendar API, and it's working fine; we have achieved almost every requirement.
But we are stuck at the point below:
How do we generate a new "Refresh Token" once it's revoked or expired?
I also need more information on when a "Refresh Token" expires and how I would know the lifetime of this refresh token, so I can automatically create a new one before it expires.
Any answer is highly appreciated.
You may want to check this related SO post: a refresh token doesn't expire unless the user revokes it. Until it does, your app must catch this issue and then ask the user for permission in order to avoid encountering such a problem. Here is the link for the documentation of Google:
Save refresh tokens in secure long-term storage and continue to use them as long as they remain valid. Limits apply to the number of refresh tokens that are issued per client-user combination, and per user across all clients, and these limits are different. If your application requests enough refresh tokens to go over one of the limits, older refresh tokens stop working.
If you continue reading until "Token expiration":
You must write your code to anticipate the possibility that a granted refresh token might no longer work. A refresh token might stop working for one of these reasons:
The user has revoked your app's access.
The refresh token has not been used for six months.
The user changed passwords and the refresh token contains Gmail scopes.
The user account has exceeded a maximum number of granted (live) refresh tokens.
Hope this clarifies your concern.
I have been looking and playing with Firebase and I found it really interesting.
So far I have tried some simple authentication and security policy settings, but now I have a problem which does not seem to be covered in the documentation, and I couldn't find anything on Google or here.
The problem is that I cannot find a way to limit the number of concurrent logins per email/password.
I would like to have an option where paid customers can only log in from 1 IP at a time. In other words, I don't want people to be able to purchase an account and then share it with friends and family, and then all connect to the system at the same time using the same credentials.
Thank you in advance.
You will control access by writing to a path in Firebase whenever a user logs in. Then you can check that path to ensure only one user exists at a time:
write a value to a path each time a user logs in (e.g. logged_in_users/$user_id)
use onDisconnect() to delete that value when the user disconnects
check that path for a value on an additional login attempt
show an error if the value exists, or allow login if not
This takes care of the UX portion. To secure it against exploits, you will take advantage of Firebase's comprehensive security rules:
generate your own authentication tokens using the custom login strategy
include the IP address as part of the data inside the token
reject login attempts if logged_in_users/$user_id is set to a different IP address
write security rules to prevent read/write from other IPs
Assuming you've generated tokens containing an IP address, your security rules could look something like the following:
".read": "root.child('logged_in_users/'+auth.uid).val() === auth.ip_address"
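A fuller rules file built around the answer's single `.read` line, added here as an example that is not from the answer or from Firebase's own docs. It assumes the custom token carries an `ip_address` claim, which current Realtime Database rules expose as `auth.token.ip_address` (the answer's `auth.ip_address` is the older form), and a hypothetical `private/$user_id` subtree as the data being protected:

```json
{
  "rules": {
    "logged_in_users": {
      "$user_id": {
        // Only the account owner may see or change its own session marker.
        ".read": "auth != null && auth.uid === $user_id",
        // Claim the slot when it is free or already held by this IP; delete it
        // (the onDisconnect step) only from the IP that holds it. A second login
        // from a different IP fails this rule, which is the "reject" step above.
        ".write": "auth != null && auth.uid === $user_id && (!data.exists() || data.val() === auth.token.ip_address) && (!newData.exists() || newData.val() === auth.token.ip_address)"
      }
    },
    "private": {
      "$user_id": {
        // Hypothetical protected data: owner only, and only from the IP that
        // is recorded as the active session.
        ".read": "auth != null && auth.uid === $user_id && root.child('logged_in_users/' + $user_id).val() === auth.token.ip_address",
        ".write": "auth != null && auth.uid === $user_id && root.child('logged_in_users/' + $user_id).val() === auth.token.ip_address"
      }
    }
  }
}
```

If the holder's onDisconnect never fires (crashed client, dropped network), the stale IP blocks the user's next login from anywhere else until it is cleared, so pair the marker with a server-side expiry.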
I have designed a login page for one of our websites, where I have used the following resources:
Login Name and Password labels and textboxes
Combo box for multilingual support
Submit button.
Now, to make this page more secure, I am planning to use the following extra points:
CAPTCHA / reCAPTCHA
Number of retries: block after 3 unsuccessful login attempts.
I have seen these extra things by visiting other sites. I would like to know:
Do these extra points make any difference for security?
How should we implement the number of retries? When should we unblock the user account again?
What is the right approach?
You could use ASP.NET's login control and the default SQL membership provider. If you do this, implementing the number of retries before a user is locked out is as easy as setting a config value.
Take a look at MSDN here, and scroll down to "Using the SQLMemberShipProvider" section.
Look at the NoBot control from the AjaxControlToolkit (http://www.asp.net/AJAX/AjaxControlToolkit/Samples/NoBot/NoBot.aspx). That provides some "bot protection" without the user needing to decipher a captcha.
General - Require a strong password and limit the login tries per user (not per IP/cookie). If you add a five-minute lock-down for a user name after three fails, a brute force attack would take more years than your site will live (dictionary attacks are not possible since you require strong passwords)*.
Protect your users - In your form, don't post the password in clear text; post a hashed version, e.g.
md5([your domain] + [password])
The reason you add your domain is to protect the hash of the password from the server owner (you), so if your user DB gets hacked the hashed passwords you stored are useless, even if your users use the same password on multiple sites. If you'd like a stronger hash, you could look at some SHA version. Make a JS script that replaces the password with the hashed one before sending. Remember to have this hash calculated on the registration page too; never let the password be sent from the browser in clear text. You don't want to know it!
See http://en.wikipedia.org/wiki/Cross-site_request_forgery; also have your server sign the cookie values to make cookie forgery harder.
Encryption - Either use TLS/SSL or get an RSA script and encrypt your form data with your server's public key.
Man-in-the-middle - The hardest threat to guard against. I guess that HTTPS is the easiest way, but a trusted certificate costs money. If you self-sign, users today don't bother to look at whether it's the right cert or not; this requires too much from the users. Buy a cert or hope you don't have a man-in-the-middle.
I would never use reCAPTCHA for login, since a lock-down of the user name is more effective and less disturbing for a user. Though reCAPTCHA is good for account registration, so you don't end up having a lot of scripted accounts.
Limiting login tries per username could be used to block a user from logging in. Brute force attacks are still possible since they can attack a lot of usernames and not only one, thus keeping the attack under the per-username limit. But for a site with few (less than 10,000?) user accounts you should be quite safe.
If you are updating an existing site that has had security issues, captcha can't hurt. If it is a new site, is it public or for internal use? You can always add this later if you run into issues. If there are sensitive materials, you'll get more mileage out of enforcing strong passwords from users (though this can be annoying to them) than you'll get out of captcha (also annoying).
Several options here. You can record the IP address on each attempted login and record failed attempts. The 3rd fail from the same IP inside of 15 minutes blocks further attempts (every attempt fails with a locked-account message). Additional attempts reset the 15-minute "timer." Really, there is no timer, but with each attempted login the log is checked to see whether it has been locked within the last 15 minutes.
The login attempt log can be stored in many ways, often a database table. There may be value in keeping a record of every login (in case there is ever a breach), or maybe you only want failed logins. Optionally, you could remove failed logins from the log when the user successfully logs in. You could have a database routine that cleans up the table from time to time of failed-login records that have exceeded the waiting period (15 minutes, or whatever).
Obviously, 15 minutes is arbitrary; this can be 1 minute or 24 hours, or until the user calls your customer support line to get it reset.
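The check-on-each-attempt policy this answer describes, written out as an added example (not code from the answer): an in-memory attempt log keyed by IP or username, with the answer's 3 failures and 15-minute window as defaults, attempts during a lockout extending it, and a success clearing the key. `LoginAttemptLog` and its method names are my own.

```javascript
const WINDOW_MS = 15 * 60 * 1000; // the answer's 15-minute waiting period
const MAX_FAILS = 3;              // 3rd failure inside the window locks

class LoginAttemptLog {
  constructor(windowMs = WINDOW_MS, maxFails = MAX_FAILS) {
    this.windowMs = windowMs;
    this.maxFails = maxFails;
    this.entries = new Map(); // key -> { fails: [timestamps], lockedUntil }
  }

  // No timer: lock state is derived from the log on each check.
  isLocked(key, now = Date.now()) {
    const e = this.entries.get(key);
    return !!e && e.lockedUntil > now;
  }

  // Outcome of one attempt: "locked" (refused regardless of the password,
  // and the wait is extended), "failed" (wrong password, counted), or "ok".
  attempt(key, passwordOk, now = Date.now()) {
    const e = this.entries.get(key) || { fails: [], lockedUntil: 0 };
    if (e.lockedUntil > now) {
      e.lockedUntil = now + this.windowMs; // attempts reset the "timer"
      this.entries.set(key, e);
      return "locked";
    }
    if (passwordOk) {
      this.entries.delete(key); // the optional cleanup on success
      return "ok";
    }
    e.fails = e.fails.filter((t) => now - t < this.windowMs); // expired fails drop out
    e.fails.push(now);
    if (e.fails.length >= this.maxFails) {
      e.lockedUntil = now + this.windowMs;
      e.fails = [];
    }
    this.entries.set(key, e);
    return e.lockedUntil > now ? "locked" : "failed";
  }

  // The periodic clean-up routine the answer suggests.
  purge(now = Date.now()) {
    for (const [k, e] of this.entries) {
      e.fails = e.fails.filter((t) => now - t < this.windowMs);
      if (e.fails.length === 0 && e.lockedUntil <= now) this.entries.delete(k);
    }
  }
}
```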