Firestore permissions inconsistent when user registers - firebase

I have Firebase auth set up with email & password, and after the user creates an account, I create a document for the user in Firestore.
It usually works, but sometimes (maybe 10%) the user is created in Auth but not in firestore, with the error code:
FirebaseError: [code=permission-denied]: Missing or insufficient permissions
function registerUser (name, email, password){
firebase.auth().createUserWithEmailAndPassword(email, password).then(function() {
// Registration successful, create firestore document
db.collection("users").doc(email).set({
name: name,
email: email,
level: maxProblemSet,
premium: false
})
.then(function() {
//Success
window.location.replace(myUrl);
}).catch(function(error){
//Registered with auth but not stored in database
alert(error);
});
}).catch(function(error) {
// Handle Auth Errors here.
alert(error);
});
}
My security rules for the users collection look like this:
match /users/{user} {
allow read, write: if request.auth.token.email == user;
}

Is it possible that you are logged in as a different user?
One possible way to debug this is by running the following in the Javascript console in myURL to verify the user identity as seen by Firebase:
firebase.auth().currentUser
If this works as expected, you could try to print the doc in the console to see if the doc is now visible:
db.collection("users").doc(email).get().then(function(doc) { console.log(doc.data()); })

Related

How to export Firebase Auth users, including providerUserInfo for Sign In with Apple users

I want to export all the users inside of Firebase Auth because I want to migrate away from Firebase. I can get the export of the users just fine with the command:
firebase auth:export users.json --format=json --project [my-project]
However, for all of the users that use Sign In with Apple the providerUserInfo is an empty array, so there is currently no way at all to import them into my own database and keep them as functional accounts that can actually login via SIWA again.
When I look at the auth user by adding an onAuthStateChanged listener and logging the auth user to the console, then providerData.uid is Apple's user id, the exact ID that I need to copy to my new database:
onAuthStateChanged(auth, authUser => {
if (authUser) {
const uid = authUser.providerData[0].uid;
if (authUser.providerData[0].providerId === "apple.com") {
console.log(`Apple ID: ${uid}`);
} else {
console.log(`Email address: ${uid}`);
}
}
});
So the value is definitely stored in Firebase Auth, and it's this value that I need to be able to export for all users.
So my question is: how can I fetch the providerUserInfo for such users? Would the accounts:lookup REST endpoint help? Sadly I can't really figure out how that endpoint is supposed to work, what the idToken you need to send is supposed to be.
I found a way to export all the users, including Apple's internal user id, by using the admin SDK:
const fs = require("fs");
const admin = require("firebase-admin");
admin.initializeApp();
const records = {};
function handleUser(userRecord) {
records[userRecord.uid] = userRecord;
}
const listAllUsers = nextPageToken => {
// List batch of users, 1000 at a time.
return admin
.auth()
.listUsers(1000, nextPageToken)
.then(listUsersResult => {
listUsersResult.users.forEach(userRecord => {
handleUser(userRecord);
});
if (listUsersResult.pageToken) {
// List next batch of users.
return listAllUsers(listUsersResult.pageToken);
}
})
.catch(error => {
console.log("Error listing users:", error);
});
};
// Start listing users from the beginning, 1000 at a time.
listAllUsers().then(() => {
const data = JSON.stringify(records);
fs.writeFile("users.json", data, err => {
console.log("JSON data is saved.");
});
});
ProviderUserInfo includes the following data:
{
displayName?: string,
email: string,
phoneNumber?: string,
photoURL?: string,
providerId: string,
uid: string
}
For SIWA (Sign In with Apple) users, their information is anonymized and you must gain explicit consent from the user to be able to collect their personal information. If you had such information you would use updateProfile() to attach it to their user ID at the top of their UserRecord. If there were a ProviderUserInfo entry for Apple, it would consist of:
{
displayName: null, // SIWA does not provide a display name
email: string, // an anonymized email, same as User.email
phoneNumber: null, // SIWA does not provide a phone number
photoURL: null, // SIWA does not provide profile images ​
​ providerId: string, // "apple"
​ uid: string // same as User.localId
}
As the available data is found elsewhere, it is pointless to include in the response and is omitted.
Transferring SIWA users is not a straightforward process. You must follow the steps outlined in the Transferring apps and users to new teams documentation. In short, you use a "Transfer ID Token" with a freshly signed in user's account details, to ask Apple's auth service "Did this user ever sign in for this old client ID?". The returned response will then either say "Yes, their ID with the old client ID was X" or "No, this is a new user". Based on that you migrate their old data across to your new database and authentication ID.
Importantly, after 60 days, you can no longer transfer users from the old service to the new one.

Firebase and VueJS: How to handle users that login with Google and don't register in my app? User profile management

I have an app with a LOGIN page and a REGISTER page. Both pages have a "Sign in with Google" button, as well as a regular login and password input form for those that don't want to sign in with Google. I am also using FireStore to create user profile documents for registered users. When the user also logs in, the app will query the user's profile for use throughout the app. This all works fine.
I noticed that a google user does not need to "register"...he can still click the login button and it will "sign him up" automatically because that's how Google Auth Provider works. However, since he did not "register", he does not yet have a profile. In this case, I had to write some logic so a profile would be created for a Google user. Although this logic works, I just wonder if this is the best way to do this. Are there best practices for handling Google/Social logins for people skipping the traditional "registering" pages? I know most people would probably head to the register page and register, but there will undoubtedly be some people that will skip that and go start to the LOGIN page and sign in via Google that way.
Here's how I'm handling the login page with Google login button:
login.vue
async logInWithGoogle() {
try {
const provider = new this.$fireAuthObj.GoogleAuthProvider()
const userCredentials = await this.$fireAuth.signInWithRedirect(
provider
) ....
Then in my Store (in my case, Vuex state management pattern), I have the following actions:
store.js
First, this onAuthStateChanged observer will notice the new user state and do the following code:
async onAuthStateChangedAction({ commit, dispatch }, { authUser }) {
if (authUser) {
console.log('user committing from onAuthStateChangedAction...')
commit('SET_CURRENT_USER', authUser)
console.log(
'fetchUserProfile action dispatching from onAuthStateChangedAction...'
)
await dispatch('fetchUserProfile', authUser)
} else {
dispatch('logOutUser')
}
}
That onAuthStateChanged observer will fetch the user's profile (and this is the logic I am concerned with...not sure if this is an ideal way to handle user's logging in via Google for first time and bypassing registration:
async fetchUserProfile({ commit }, user) {
try {
const docRef = this.$fireStore.collection('users').doc(user.uid)
const profile = await docRef.get()
if (profile.exists) {
commit('SET_USER_PROFILE', await profile.data())
console.log(
'user profile EXISTS and set from fetchUserProfile action'
)
} else {
console.log('profile does not exist! Creating...')
await docRef.set({
displayName: user.displayName,
email: user.email,
uid: user.uid,
photoUrl: user.photoURL,
providerId: user.providerData[0].providerId,
createdAt: this.$fireStoreObj.FieldValue.serverTimestamp()
})
const p = await docRef.get()
commit('SET_USER_PROFILE', await p.data())
console.log('user profile set')
}
} catch (error) {
console.log('can not fetch profile', error)
}
},
Thanks for any tips or assurances that I am on the right (or wrong) path on handling this. Thank you!
Why not create an empty document with the user's uid and prompt them to "complete their profile"? Until they do so, force redirect them back to the profile page indefinitely.

create user with self-specified uid

I am using flutter with firebase to manage my users, and in this link, it says you can specify the uid during user creation: https://firebase.google.com/docs/auth/admin/manage-users#create_a_user
My question: What's the equivalent in dart/ flutter? I understand firebase auto-generates one for you, but in my use case I need to be able to specify mine.
For flutter, I am only aware of createUserWithEmailAndPassword method but it does not have a 'uid' argument.
FirebaseAuth.instance.createUserWithEmailAndPassword(email: null, password: null)
In the link above, however, they provided an example (node.js) with such methods.
admin.auth().createUser({
uid: 'some-uid',
email: 'user#example.com',
phoneNumber: '+11234567890'
})
.then(function(userRecord) {
// See the UserRecord reference doc for the contents of userRecord.
console.log('Successfully created new user:', userRecord.uid);
})
.catch(function(error) {
console.log('Error creating new user:', error);
});
You can fully control the creation of Firebase Authentication users by implementing a custom provider. But as you can probably imagine, this is a sensitive operation, so the code requires that you have full administrative access to the Firebase project. For that reason, you can't run this type of operation in your Flutter app, but must run it on a trusted environment, such as your development machine, a server you control, or Cloud Functions.
Typically this means:
you'll gather the user's credentials in your Flutter app
send them (securely) to a custom endpoint on the server
and there validate the the user credentials are correct
and use the Admin SDK to create a token for the user
that you then send back securely to the Flutter app
There is no such option for any of the Firebase the client SDKs on any platform (Android, iOS, web, Flutter, etc).
Firebase Admin is a server SDK, and trusts that the code calling its methods is privileged and running in a secure and trusted environment. This is considered to be safe for inventing UIDs. The client SDKs are run on user devices, which is considered untrusted and could be compromised. In that case, the Firebase Auth product has to come up with an appropriate UID for the user.
Use the firebase cloud functions
const functions = require("firebase-functions");
const admin = require("firebase-admin");
admin.initializeApp();
exports.createUser1 = functions.https.onCall(async (data, _context) => {
try {
const user = await admin.auth().createUser({
uid: data.uid,
phoneNumber: data.phoneNumber,
disabled: false,
}); return {response: user};
} catch (error) {
throw new functions.https.HttpsError("failed to create a user");
}
});
then request from flutter app
{
"data":
{
"uid": "12345678",
"phoneNumber": "+905378227777",
"disabled": false
}
}

signInWithEmailAndPassword: getting auth/user-token-expired [duplicate]

I am using Firebase authentication in my iOS app. Is there any way in Firebase when user login my app with Firebase then logout that user all other devices(sessions)? Can I do that with Firebase admin SDK?
When i had this issue i resolved it with cloud functions
Please visit this link for more details https://firebase.google.com/docs/auth/admin/manage-sessions#revoke_refresh_tokens
Do the following;
Set up web server with firebase cloud functions (if none exists)
use the admin sdk(thats the only way this method would work) - [Visit this link] (
(https://firebase.google.com/docs/admin/setup#initialize_the_sdk).
Create an api that receives the uid and revokes current sessions as specified in the first link above
admin.auth().revokeRefreshTokens(uid)
.then(() => {
return admin.auth().getUser(uid);
})
.then((userRecord) => {
return new Date(userRecord.tokensValidAfterTime).getTime() / 1000;
})
.then((timestamp) => {
//return valid response to ios app to continue the user's login process
});
Voila users logged out. I hope this gives insight into resolving the issue
Firebase doesn't provide such feature. You need to manage it yourself.
Here is the Firebase Doc and they haven't mentioned anything related to single user sign in.
Here is what you can do for this-
Take one token in User node (Where you save user's other data) in Firebase database and regenerate it every time you logged in into application, Match this token with already logged in user's token (Which is saved locally) in appDidBecomeActive and appDidFinishLaunching or possibly each time you perform any operation with Firebase or may be in some fixed time interval. If tokens are different logged out the user manually and take user to authenticate screen.
What i have done is:
Created collection in firestore called "activeSessions".User email as an id for object and "activeID" field for holding most recent session id.
in sign in page code:
Generating id for a user session every time user is logging in.
Add this id to localstorage(should be cleaned everytime before adding).
Replace "activeID" by generated id in collection "activeSessions" with current user email.
function addToActiveSession() {
var sesID = gen();
var db = firebase.firestore();
localStorage.setItem('userID', sesID);
db.collection("activeSessions").doc(firebase.auth().currentUser.email).set({
activeID: sesID
}).catch(function (error) {
console.error("Error writing document: ", error);
});
}
function gen() {
var buf = new Uint8Array(1);
window.crypto.getRandomValues(buf);
return buf[0];
}
function signin(){
firebase.auth().signInWithEmailAndPassword(email, password).then(function (user) {
localStorage.clear();
addToActiveSession();
}
}), function (error) {
// Handle Errors here.
var errorCode = error.code;
var errorMessage = error.message;
if (errorCode === 'auth/wrong-password') {
alert('wrong pass');
} else {
alert(errorMessage);
}
console.log(error);
};
}
Then i am checking on each page if the id session in local storage is the same as "activeID" in firestore,if not then log out.
function checkSession(){
var db = firebase.firestore();
var docRef = db.collection("activeSessions").doc(firebase.auth().currentUser.email);
docRef.get().then(function (doc) {
alert(doc.data().activeID);
alert(localStorage.getItem('userID'));
if (doc.data().activeID != localStorage.getItem('userID')) {
alert("bie bie");
firebase.auth().signOut().then(() => {
window.location.href = "signin.html";
}).catch((error) => {
// An error happened.
});
window.location.href = "accountone.html";
} else{alert("vse ok");}
}).catch(function (error) {
console.log("Error getting document:", error);
});
}
PS: window has to be refreshed to log inactive session out.

Cloud Functions for Firebase auth.user API has empty displayName property

I have an Android app using Firebase with database, authentication and cloud functions modules. When a user creates a profile through the app and sets a user full name, the value of
FirebaseUser user = FirebaseAuth.getInstance().getCurrentUser();
if (user != null) {
// user signed in
String displayName = user.getDisplayName();
// do whatever with displayName...
} else {
// ....
}
is pretty much as expected - whatever the user put in.
I also have a cloud function, which creates a database record for the new user:
const functions = require('firebase-functions');
const admin = require('firebase-admin');
admin.initializeApp(functions.config().firebase);
exports.createUserRecord = functions.auth.user().onCreate(function(event) {
const user = event.data;
const userName = user.displayName || 'Anonymous';
const userSignedUp = (new Date()).toJSON();
console.log('A new user signed up: ', user.uid, userName, userSignedUp);
return admin.database().ref('users').push({
name: `${userName}`,
email: `${user.email}`,
ref: `${user.uid}`,
signup: `${userSignedUp}`
});
});
This works mostly OK, except that both the log entry, and the resulting record in the database list Anonymous as the name value.
Can anyone please tell me where I am going wrong with this? Thanks.
Best regards,
~Todor
UPDATE:
Forgot to mention, the user is created with the email/password provider.
In FirebaseUI, creation of a user via email/password is done in two steps: the user is created using the address and password, then the user profile is update with the entered username. This can be seen in the FirebaseUI RegisterEmailFragment.
At this time, Cloud Functions offers only a trigger for user creation, the one you are using, functions.auth.user().onCreate(). There is no trigger for user profile update. Your trigger fires when the user is created. The event data contains the user profile as it exists at that moment, before it has been updated with the user name.
You will need to use some other means to obtain the user name. One option is to use a database event to trigger a function that would retrieve the user data after the profile is updated:
admin.auth().getUser(uid)
.then(function(userRecord) {
// See the UserRecord reference doc for the contents of userRecord.
console.log("Successfully fetched user data:", userRecord.toJSON());
})
.catch(function(error) {
console.log("Error fetching user data:", error);
});

Resources