In a scenario where a new Firebase user is created without a password, could the user sign in using just their email address (passing a null/empty string as the password)? Or does Firebase reject all attempts to authenticate with email + password when no password is specified in the user auth object?
The Firebase Admin SDK docs are clear that password is an optional property for createUser(), but the Password Authentication docs don't appear to specify Firebase's behavior when the user was created without a password. It would also be interesting whether an email link authentication (only) strategy can be enforced by leaving and/or setting a user's password as undefined, but this also doesn't appear to be explicitly called out in the docs.
Presumably Firebase rejects the email/password auth attempts, creating a de facto requirement for email link authentication (supported anecdotally), but any suggested links to Google authored docs would be greatly appreciated!
Firebase Authentication users are associated with one or more providers, and many of those providers don't need the user profile to have an associated password. For example: if you sign into Firebase with your Facebook account, the Firebase Authentication profile will not have an associated password. This applies to most providers, as in most cases the password is stored elsewhere (Facebook, Google, LinkedIn, Microsoft, etc), or ephemeral (email-link, phone auth).
Related
I have a firebase project for which I have created a firebase firestore database. I use firebase auth for signing users in.
I want all documents in reference with a specific user to have their id equal to the users uid.
At first, I set the document id to the FirebaseAuth.FirebaseUser.uid
The problem with that is that the FirebaseUser.uid can change under certain circumstances (E.g. the user changes his Google account password)
Is there a persistent uid I can use to refer to a specific user no matter the authentication provider ? If not, what would be best practice ?
Normally, for a given user in Firebase Auth, the user unique ID (the uid generated by the Auth service) will never change.
For example, you can, with the Admin SDK, change the email of a user without changing its uid, see this doc.
You can also have several identity providers for the same account, with the same uid, see here:
You can sign in users to your apps using several methods: email
address and password, federated identity providers, and your custom
auth system. You can associate more than one sign-in method with a
user: for example, a user can sign in to the same account using an
email address and a password, or using Google Sign-In
Note that changing the password of an identity provider account (e.g. "changing the Google account password" as you mentioned) has no impact at all on the uid or on the other user account elements (actually the identity provider password is not stored in Firebase Auth).
So, in conclusion, using the uid generated by the Auth service is the best solution for your requirement.
I am using the Firebase authentication functionality. I am using Facebook, Google, Twitter and email and password as providers. The default functionality is to use a single email by authentication.
If I authenticate with an account with Facebook, Twitter or Google and then try to enter but using email and password to do it, it shows me a warning where it says that I already use another authentication method and it allows me to do it with the previous one.
If I authenticate with email and password and then try to authenticate with Google, Twitter or Facebook these authentication methods overlap, that is, take both and in the Firebase console I can see that they are both.
Now, if I authenticate with email and password, Facebook (I think) or Twitter and then try to authenticate with Google, it deletes the previous authentication methods. That is, if with the first authentication methods I had id1 after authenticating with Google, the entry with id1 is deleted and one is created with id2.
This generates a problem in my application because it is a way to lose the user's registry previously created with id1.
I'm not sure if this is the expected behavior but I do not think so. Obviously whenever I refer to doing a 'new authentication' with another method I make sure to use the same email.
It sounds like you are looking for account-linking. This is possible in Firebase-authentication. Users are identified by their Firebase Userid and you can link multiple authentication providers to a userid.
Try to check this documentation. I think this is what you are looking for: https://firebase.google.com/docs/auth/web/account-linking
I hope it helps.
The Google provider overwriting the existing providers is due to Google emails being verified as Google owns these email addresses.
To work around this, you will need to verify the email after the user signs up by sending an email verification. This guarantees that Google sign-in will not unlink the providers as the email is considered to be verified. So if a user signs up with Facebook (using a Google email), verify the email so next time the user signs in with the same Google email, the Facebook provider would remain on the user.
In my app, if a user registers using email and password, but later tries to log in or register using a Google account that shares that email, the account gets converted to a Google account and the user can no longer sign in with their email and password. I've configured the project with One account per email address setting on.
Is there any way of preventing this?
This is the expected behavior as Google accounts are verified: Firebase Overwrites Signin with Google Account
There are 2 ways around this:
1. Verify emails of password users. Google provider will be added to the account without unlinking the password if the user is verified.
2. You will need to switch to "multiple accounts per email", but this means 2 accounts will be created here, one email/password and another for Google.
I recommend the first approach. Firebase Auth does this for security reasons. Any person can claim an email. Unless the ownership is verified, the password must be unlinked to prevent the impersonator from gaining access to the account.
we are building an angular 5 app with Firebase.
We allow users to login with email+password or google account and we don't allow to have multiple accounts related to the same email address.
We built a form to allow users to ask for a Password Reset Email if they forgot their email password credentials and works perfectly if the user has an email+password account.
The problem arises when the reset email is asked for a google account. We'd expect for firebase to throw an error, not allowing to send the email, but the email is sent and if the user proceeds resetting the email the account is transformed from google type to an email+password.
Is there a way to prevent this behaviour ?
There is no way to prevent this. When a user resets their password, they are making a conscious decision to do so. Firebase is providing a way to recover an email account, in case it was hijacked. In the process all providers are unlinked and a password is set on the account.
You have a way to check if the email is associated with google provider or not. Checkout the fetchSignInMethodsForEmail and fetchProvidersForEmail APIs. These APIs would return the array of sign in methods or providers associated with an email.
I have an Android app with use Firebase authentication using email and password. Recently added Google provider now my users can sign in wih his Google account, the problem is the following
There's an existing user example#gmail.com registered on my app, later the user sign in with his Google account Firebase automatically change the provider of the account from email to Google, the problem the user sign out and try to login with his email/password and got a message
The password is invalid or the user does not have a password
I understand why happens, but users (you know they are users) get frustrated because can't login with his email/password
There's some way to tell Firebase to keep the user password or when a user login with Google and this convertion happens in order to notify to user
Note My app only allow one account per email
I found there's a method fetchProvidersForEmail I asume I can build a flow over that method that check which provider have the user and allow the user chose if want to keep if old password by asking and linking account or just continue