How can I make a function in which password is changing when a user is not logged in? - firebase

onChangePasswordPress = () => {
  var user = firebase.auth().currentUser; // null when nobody is signed in
  user.updatePassword(this.state.newPassword).then(function () {
    console.log('Password is changed');
  }).catch(function (error) {
    console.log(error.message);
  });
};
It says currentUser in the 2nd line, which means only a user who is logged in can change his/her password. So how can we change the password of a user when the user is not logged in to his/her account? How do I make a function for changing a password when a user is not logged in to his/her account in React Native?

For a user to be able to update their password, they need to have recently signed in. This is a security requirement, as allowing changing a password without being signed in would be a huge security risk.
If the user forgot their password, you can send them a password reset email. This email contains a link they then click that allows them to set a new password.
If you want to allow an application admin to change a user's password, you can build that using the Admin SDK. But to prevent the security risk outlined before, this can only be done from a trusted environment, such as your development machine, a server you control, or Cloud Functions.

Related

Make sure a user verified their email before signing them in

I'm in the middle of adding firebase email/password sign in inside a React app. Specifically, it's an e-commerce site, and users will be signed in anonymously before they create an account (for things like cart data).
Here's the ideal user flow:
1. User registers by providing an email and password
2. User is not signed in immediately and instead gets a verification email
3. If a user tries signing in before verifying their email, they cannot sign in
4. User then clicks on the verification link and can sign in
I'm having issues with #3 because it appears like the only way to check if an email is verified is by calling:
const { user } = await firebase
  .auth()
  .signInWithEmailAndPassword(email, password);
if (user?.emailVerified) {
  // let them enter the dashboard
}
However, this process signs in the user even if the email is not verified. That destroys the data on the anonymous account. And merging the two accounts isn't possible because the user thinks they are not signed in (hence it could cause UX issues if the accounts are already merged).
Any ideas?
If you're using the email+password provider, there is no way to prevent the user from signing in without a verified email address. You can of course keep them from using your app and accessing data, but you can't keep them from signing in.
If you want to ensure the user can only sign in after their email address has been verified, consider using the email link provider. You can then later allow them to set a password on the same account, either through the Admin SDK, or by creating an email+password account and linking that with the email link account. Also see the documentation on differentiating email/password from email link for some of the nuances here.

I don't want to Re-authenticate a user if he change password for his account in firebase email password authentication

As per the Firebase documentation, changing a password requires that the user has recently signed in.
But in my case the user has signed in with the same login credentials on multiple devices (e.g. 50), and when he resets the password for his account the user gets logged out from all devices.
I don't want them to be logged out from all devices; is there any way to achieve this?
There is no way to configure what you want in Firebase's built in email+password provider. You could build your own provider that works the way you describe, but I'd recommend against it.
The main reason for changing the password of an account is to counter the risk that the account/password was compromised. If you allow the user to change the password on one device, but to continue using the account on other devices without entering the new password, a malicious user can continue to use the compromised credentials on those other devices.

Change Firebase password in Ionic without Authenticating

I want to change a user's password without authenticating the user, and I want to do this with Ionic.
Currently, this is what I have:
const user = firebase.auth().currentUser;
const credentials = firebase.auth.EmailAuthProvider.credential(user.email, this._password);
user.reauthenticateWithCredential(credentials);
The problem is that I want to change the user's password without authenticating the user, and that's something I cannot do with firebase.auth().currentUser. The latter won't work if we are dealing with multiple users.
Firebase provides only one way to reset the password without authorization, i.e. a password reset by email.
You can send a password reset email to a user with the sendPasswordResetEmail method. For example:
var auth = firebase.auth();
var emailAddress = "user@example.com";
auth.sendPasswordResetEmail(emailAddress).then(function () {
  // Email sent.
}).catch(function (error) {
  // An error happened.
});
You can also customize email template format. Hope this helps.
It is not possible in the client-side JavaScript SDK to change a user's password without authenticating that user. If it existed it could be called by any malicious user of your app, which would be a pretty massive security risk.
The only way to change a user's password without knowing/specifying their current credentials is through the Firebase Admin SDK. This Admin SDK is made to be run in a trusted environment (such as your development machine, a server you control, or Cloud Functions), and thus can't be abused by users of your app.
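The Admin SDK route described in this answer and in the answer to the first question, as an added example (not code from any of the answers): a server-side password change in the shape of a Firebase Callable Cloud Function. The Admin SDK client is injected as `authClient` so the logic can run offline against a fake; in production you would pass `admin.auth()`. Assumptions constructed for this example: admins carry a custom claim `admin: true`, the request payload is `{ uid, newPassword }`, and the password policy requires at least 12 characters.

```javascript
// Added example, not from the answers above. Assumes (constructed): a custom claim
// `admin: true` on administrators, a payload { uid, newPassword }, and a 12-character
// minimum. updateUser() and revokeRefreshTokens() are real firebase-admin Auth methods.

const MIN_PASSWORD_LENGTH = 12;

// Authorization and input validation, kept pure so it can be unit-tested.
// Returns null when the call may proceed, otherwise { code, message } using
// the same code vocabulary as functions.https.HttpsError.
function authorizePasswordChange(context, data) {
  if (!context || !context.auth) {
    return { code: 'unauthenticated', message: 'Caller must be signed in' };
  }
  if (context.auth.token.admin !== true) {
    return { code: 'permission-denied', message: 'Caller lacks the admin claim' };
  }
  if (typeof data.uid !== 'string' || data.uid.length === 0 || data.uid.length > 128) {
    return { code: 'invalid-argument', message: 'uid must be a non-empty string' };
  }
  if (typeof data.newPassword !== 'string' || data.newPassword.length < MIN_PASSWORD_LENGTH) {
    return { code: 'invalid-argument', message: `newPassword needs ${MIN_PASSWORD_LENGTH}+ characters` };
  }
  return null;
}

// Builds the callable handler. authClient must provide updateUser(uid, props) and
// revokeRefreshTokens(uid), as admin.auth() does.
function makeSetPasswordHandler(authClient, log = console) {
  return async function setUserPassword(data, context) {
    const denial = authorizePasswordChange(context, data || {});
    if (denial) {
      const caller = context && context.auth ? context.auth.uid : 'anonymous';
      log.warn(`password change refused (${denial.code}) caller=${caller}`);
      return { ok: false, ...denial };
    }
    await authClient.updateUser(data.uid, { password: data.newPassword });
    // A password is usually changed because the old one may be compromised, so
    // also invalidate every existing session of that account (see the answer on
    // multiple devices above): all devices must sign in again with the new password.
    await authClient.revokeRefreshTokens(data.uid);
    log.info(`password changed for uid=${data.uid} by admin=${context.auth.uid}`);
    return { ok: true };
  };
}

// Deployment wiring, only in a trusted environment such as Cloud Functions:
// exports.setUserPassword = functions.https.onCall(makeSetPasswordHandler(admin.auth()));
```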

is it possible for users to choose any email at the time of password reset in firebase?

I am using Ionic 3 and Firebase for the backend. In my app I am trying to let users sign up with just a username and password. Well, Firebase by default doesn't provide that option. So I am getting the user's input as a username (for example: 'mike123') and then I add @myapp.com, so it looks like an email: 'mike123@myapp.com'. That is all fine, but a problem just came up when users want to reset their passwords. Is it possible to let users type in any valid email address at the time they want to reset their password?
You can change the password of the user by https://firebase.google.com/docs/auth/admin/manage-users#update_a_user. Note that this is in the Firebase Admin SDK, so will require that you run code in a trusted environment, such as a server you control or Cloud Functions.
But faking username+password by faking an email address is non-ideal. I'd consider creating a custom auth provider for your needs.
If the email provided when sending the Reset Password request doesn't exist for any user, then it will fail.
In Android, calling sendPasswordResetEmail with a non-existing email would return a:
FirebaseAuthInvalidUserException: There is no user record corresponding to this identifier. The user may have been deleted.
You should ask for a valid email from the user and save their preferred username separately upon the user creation.

Meteor account enrollment

I'm looking for a way to customize logins to allow for an administrator to provide a user with an account and a one-time-use temporary password (via email), that enables the user to log into a site (the user can't create an account on their own).
The first time the user logs in, they are instructed to change the temporary password given by the administrator.
I have accounts-ui and accounts-password working, but the user can create a new account at will.
If it matters, I plan to use Autoform and Iron Router for this.
I searched the Meteor docs for "enroll", but the information is sparse IMO. Is there a fully working example somewhere to help me get started?
To disable the usual way of creating an account, use Accounts.config:
forbidClientAccountCreation Boolean: Calls to createUser from the client will be rejected. In addition, if you are using accounts-ui, the "Create account" link will not be available.
Then, instead of having a temporary password, I think you should create the account without password and then use Accounts.sendEnrollmentEmail to send the user an email to choose one.
To create an account without a password on the server and still let the user pick their own password, call createUser with the email option and then call Accounts.sendEnrollmentEmail. This will send the user an email with a link to set their initial password.
So, something like that:
Accounts.config({ forbidClientAccountCreation: true });

Meteor.methods({
  adminCreateAccount: function (accountAttributes) {
    // Only an admin may create accounts; the user picks a password via the enrollment link.
    if (Meteor.user() && Meteor.user().role == "admin") {
      var accountId = Accounts.createUser({
        'username': accountAttributes.username,
        'email': accountAttributes.emailAddress
      });
      Accounts.sendEnrollmentEmail(accountId);
    }
  }
});
What you can do is:
1. let the admin create the user (Accounts.createUser)
2. add a marker (e.g. user.profile.changedInitialPwd) which will be set when the user changed his pwd
3. use some verification logic to make sure the user has changed his password before he is allowed to sign in
E.g.
Accounts.validateLoginAttempt(function (attempt) {
  if (attempt.user && !attempt.user.profile.changedInitialPwd) {
    console.log('Initial password not changed');
    return false; // the login is aborted
  }
  return true;
});