I'm making an iOS app where users sign in using email and password. When they enter both (email, password), I want Firebase to send a verification code (not a link) to verify the user before they enter the app, for security purposes. It is something like phoneAuth, but I want it to be an email instead. Does Firebase have this ability?
Nope, this is not something that is built into Firebase Authentication's email+password provider.
The simplest way I can think of getting close to this is using the Admin SDK to generate an email verification link, parse the oobCode/actionCode out of that, and then in the client call applyActionCode to verify the email address (iOS API).
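The parsing step from this answer, as an added example that is not part of the original post. The sample link in the test is constructed, and the unwrapping of a nested "link" parameter is an assumption about how a wrapped link carries the action URL; extractActionCode is a hypothetical helper name.

```javascript
// Added example: pull the action code out of a link returned by the Admin SDK's
// generateEmailVerificationLink(), before handing it to applyActionCode on the client.
// The oobCode is a bearer secret: keep it out of logs and analytics.
function extractActionCode(link, expectedMode = 'verifyEmail') {
  let url = new URL(link);
  // Assumption: a wrapped link (for example a dynamic link) carries the real
  // action URL in a "link" query parameter. Unwrap a bounded number of times.
  for (let i = 0; i < 3 && !url.searchParams.has('oobCode'); i++) {
    const inner = url.searchParams.get('link');
    if (!inner) break;
    url = new URL(inner);
  }
  if (url.protocol !== 'https:') {
    throw new Error('action link must use https');
  }
  const mode = url.searchParams.get('mode');
  const oobCode = url.searchParams.get('oobCode');
  // Refuse codes minted for another action (e.g. resetPassword) so a code is
  // only ever applied for the purpose it was generated for.
  if (mode !== expectedMode) {
    throw new Error(`unexpected action mode: ${mode}`);
  }
  if (!oobCode) {
    throw new Error('link carries no oobCode');
  }
  return oobCode;
}
```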
Related
My auth flow:
Firebase sendEmailVerification() needs an already authenticated user to work as the first arg.
My auth flow at the moment works like this.
1. Signing up the user with email and password: signUpWithEmailAndPassword()
2. Now the Firebase auth object contains the currentUser
3. Sending a verification mail to the just signed-up user: sendEmailVerification()
4. Logging him out and redirecting him to /email-verification, where he can send the verification mail again.
Problem:
Now the problem. When the user wants to request that the verification email be sent again, I have three options as far as I know.
1. Store email and password in state before logging him out -> and then log him in again on sendAgain and log him out afterward. Would that be a security concern?
2. Leave him logged in the whole time. Which doesn't feel too good, as he wouldn't be able to log himself out again, as he officially isn't signed in till he verifies his email.
3. Force him to input his email and password again every time he wants to send the verification mail again, which feels redundant and old school.
If you require that the user verifies their email address in order to sign in, consider using the email link provider of Firebase Authentication.
"Leave him logged in the whole time. Which doesn't feel too good, as he wouldn't be able to log himself out again, as he officially isn't signed in till he verifies his email."
This logic may apply to your application, but it is simply not how the email+password provider in Firebase Authentication works. When the user enters the correct credentials, they are signed in to Firebase Authentication. If your app requires them to have verified their email address before they can use it, that's the exact check I'd recommend implementing.
So if you want to continue using the email+password provider, reframe the statement to:
In order to use the app, the user needs to sign in with their credentials and verify their email address.
You can then implement that in these two steps:
1. Ask them to sign in if they're not signed in already.
2. Then if the account doesn't have a verified email address, ask them to find the email and click the link - and give them the option to send another verification email.
By default Firebase sends a link to verify the user's email, but I want to send an OTP with that email. So is there a way to customize that email, or send an OTP and then, once the user has entered the correct code in the app, get Firebase to mark that user account as email verified?
What you're describing is quite literally what the default Firebase flow does: it sends an email with a link that includes an OTP to verify the email address.
You can do a certain amount of customization of the email action handler page that the emails link to. If that is not enough, you will have to implement your own flow, and can then use the Admin SDK in a secure environment to mark the user's email as verified.
I have ignored the email/password sign-up process and the necessary email verification for a long time and only used the very basic functionality to get started and build on top of that. But now I have reached the point where I cannot avoid using a more production-grade email/password sign-up process. Currently I am using these Firebase services: Authentication (email/password only), Firestore and Cloud Functions with a react-native application.
When a user has signed up successfully (signed in but without a verified email!) the react native application won't offer functionality until the user has verified his/her email. Right after the sign-up the client will send an email with a verification link (through the default Firebase server); the user can verify his/her email by clicking the link.
The issue: How to react suitably to a change of emailVerified or any other event which fires if the email got verified?
I have now searched the whole day for a working solution. These are my approaches:
- Use your own website to which all verification links are linked (tried this but did not work at my first attempt)
- Use actionCodeSettings in the email verification link to redirect the user and let the client reload its components
- Use Cloud Messaging and inform the client about changes to the email verification status
- Call a Cloud Function (from an external server) which updates a tmp document in Firestore to which the client subscribed
- reload()/loop
I am thankful for all comments, helpful links etc.!
There is a method in the Firebase SDK: isEmailVerified() which tells if the user has verified the email or not.
For react native, I found straightforward documentation: Email Verified. On the launch of the app, you can check if the user has verified the email or not and then make changes accordingly!
Happy Coding!
I don't want to authenticate the user via their phone number; I have already done that using their email ID and password. I just want to confirm that they are entering a valid phone number by sending them an OTP and verifying it. All the solutions that I have looked up go on to straight up authenticate the user. I am using Firestore as my database.
Firebase allows you to link multiple authentication methods. You can find more details at https://firebase.google.com/docs/auth/web/account-linking
So, once the user is authenticated with email/password, initiate phone number authentication. When you get the AuthCredential, link it to the current Firebase user as mentioned in the above link.
Another solution would be to use an external SMS gateway like Twilio and do phone number verification on your own, which isn't required for your use case. In case you still want to try this, there is a free SMS gateway (which uses your own mobile number to send SMS) at https://www.sg.yagnyam.in/.
Firebase Auth has a method to send a verification email so the user can reset his/her password. This link redirects the user to a website where the new password will be written and saved.
Is there a way to reset a user's password using Flutter and Firebase in-app? I mean, could I send a verification code through SMS or email that would then be typed into the app, and the user would choose a new password all inside the app?
Thank you!
To be able to change a user's password directly through the API, the user will have to enter their current password in order to be able to update it.
If you use the Admin SDK however you can implement whatever flow you want, and update the password at the end of the flow. But of course in that case it is up to you to ensure you do it securely.
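The custom flow that this answer, and the earlier answer on marking an email as verified through the Admin SDK, both leave to your own backend needs a code that is short-lived, single-use and attempt-limited. An added example (not from the original posts) of that server-side part in Node.js; createCodeStore and its in-memory Map are hypothetical, and the Admin SDK call is shown only as a comment.

```javascript
const crypto = require('node:crypto');

// Hypothetical in-memory store; a real backend would persist these records
// server-side (never on the client) and rate-limit issue() per account.
function createCodeStore({ ttlMs = 10 * 60 * 1000, maxAttempts = 5, now = Date.now } = {}) {
  const records = new Map(); // key: `${uid}:${purpose}`
  const digest = (salt, code) =>
    crypto.createHmac('sha256', salt).update(code).digest();

  return {
    // Returns the 6-digit code to deliver by email or SMS; only its HMAC is kept.
    issue(uid, purpose) {
      const code = crypto.randomInt(0, 1000000).toString().padStart(6, '0');
      const salt = crypto.randomBytes(16);
      records.set(`${uid}:${purpose}`, {
        salt, hash: digest(salt, code), expires: now() + ttlMs, attempts: 0,
      });
      return code;
    },
    // Returns 'ok', 'invalid', 'expired', 'locked' or 'unknown'.
    redeem(uid, purpose, code) {
      const key = `${uid}:${purpose}`;
      const rec = records.get(key);
      if (!rec) return 'unknown';
      if (now() > rec.expires) { records.delete(key); return 'expired'; }
      if (rec.attempts >= maxAttempts) return 'locked'; // stop online guessing
      rec.attempts += 1;
      // Both buffers are 32-byte HMAC outputs, so the comparison is constant-time.
      const match = crypto.timingSafeEqual(rec.hash, digest(rec.salt, String(code)));
      if (!match) return 'invalid';
      records.delete(key); // single use
      return 'ok';
    },
  };
}

// Only on 'ok' would the trusted backend call the Admin SDK, for example
// getAuth().updateUser(uid, { emailVerified: true }) for email verification or
// getAuth().updateUser(uid, { password: newPassword }) for a password reset.
```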
You can do so by using custom email handlers along with dynamic links to open them in your app. This might require a custom domain to do so. Once the user visits your application on the custom route/page, you can then use the applyActionCode method to process the email action. Check out my answer here for a detailed explanation on processing the email actions:
How to build a custom Email action handler in Flutter for Firebase Authentication