Is there a way to send a verification email to a custom email id (say to an admin) instead of the user's email id using Firebase Auth? - firebase

I am using flutter for this project. My goal is to send a verification email to the admin once the user has registered his/her account. The profile will be registered once the admin verifies it through email.
I am aware that we can send a verification email to the user itself to verify the email id by using Firebase Auth. I was wondering whether there is a way to change the receiver's address from the user to an admin's email id (custom email id). If not, is there any other way to perform this task?
Thank you in advance for the help.
I am using Cloud Firestore as a database service.

You can use Cloud Functions to know when a user was created or deleted.
But if you want to get an email only after the email was confirmed, then you would have to do it inside your app, triggering some logic that sends you a message from inside your app once you detect the email is verified.

You can't change the destination of the verification email. It will always go to the email address that was used at the time of signup.
If your goal is to prevent the user from doing anything with some backend resource until after an admin authorizes them, what you can do is use custom claims to add a flag to the account that can be checked by security rules or your backend endpoint. The presence of that flag can be used to tell if an admin has authorized them. You will have to build out some amount of backend infrastructure to make all that work.

As far as I remember there are Firebase Authentication triggers that you can use to listen to new user creations. You need to set up a Firebase function that listens for user creation events.
const functions = require('firebase-functions');
// the export name is arbitrary
exports.notifyAdmin = functions.auth.user().onCreate((user) => {
  // send email to admin
});
Another step that you can take is to disable the newly created account and also send email to the user as well telling him that his account is disabled until admin approves it. You can achieve this using Firebase Admin SDK. And maybe create another cloud function that admin activates to enable the account back. So maybe something like this:
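const functions = require('firebase-functions');
const admin = require('firebase-admin');
admin.initializeApp();
// the export name is arbitrary
exports.onUserCreated = functions.auth.user().onCreate(async (user) => {
  // disable this account
  await admin.auth().updateUser(user.uid, { disabled: true });
  // send user email to let him know that his account is disabled until approval
  // send email to admin to ask for his approval for the account
});
// another cloud function, called by the admin, that enables the user account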
This may not be the best solution but it will work.
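The approval step described in the answers above, sketched as an added example that is not part of the original posts: the "enable" function must check who is calling it, and the backend must check the claim on each request. `auth` stands in for `admin.auth()`; the claim names `admin` and `approved` and the helper names are assumptions.

```javascript
// Added example. `auth` stands in for admin.auth() from the Firebase Admin SDK.
// The claim names `admin` and `approved` are assumptions, not Firebase built-ins.

// Backend gate: takes the payload returned by verifyIdToken().
// An ID token minted at sign-up stays valid until it expires even after the
// account is disabled, so the endpoint checks the claim itself.
function canAccess(decodedToken) {
  return Boolean(decodedToken) &&
    decodedToken.email_verified === true &&
    decodedToken.approved === true;
}

// Body of the "enable" function the admin calls. `caller` is the decoded ID
// token of whoever invoked it; without this check any signed-in user could
// approve themselves.
async function approveUser(auth, caller, uid) {
  if (!caller || caller.admin !== true) {
    throw new Error('permission-denied');
  }
  if (typeof uid !== 'string' || uid.length === 0) {
    throw new Error('invalid-argument');
  }
  const user = await auth.getUser(uid);
  // setCustomUserClaims replaces the whole claims object, so merge first.
  const claims = { ...(user.customClaims || {}), approved: true };
  // Set the claim before re-enabling, so the account is never usable without it.
  await auth.setCustomUserClaims(uid, claims);
  await auth.updateUser(uid, { disabled: false });
  return claims;
}

// Constructed in-memory stand-in for admin.auth(), so the flow runs offline.
function fakeAuth(users) {
  return {
    async getUser(uid) {
      if (!users[uid]) throw new Error('auth/user-not-found');
      return users[uid];
    },
    async setCustomUserClaims(uid, claims) { users[uid].customClaims = claims; },
    async updateUser(uid, props) { return Object.assign(users[uid], props); },
  };
}
```

The user's client has to refresh its ID token after approval before the new claim shows up in it.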

Related

Firebase Authentication Provider for a User changed automatically to E-Mail. How to change back?

In a Firebase project, I have activated multiple sign-in methods (e-mail, Google, and Microsoft), which all work fine. I also have it activated to only allow one account per e-mail address.
The problem arises when a user successfully signs in via Google or Microsoft, then signs out and then signs in via e-mail, using the same e-mail address as before using Google or Microsoft. Then his account type changes to e-Mail and it seems like a no way back.
Is there a way to change user account types from e-mail back to Microsoft or Google?
Your code must have different functions written for different sign-ins. When the user first logs in, store his login method on Firestore. You can get this from the sign-in function triggered or simply by the button the user clicked. Then during each login add a check that if the user exists and the user's current sign-in method is not the same as the one stored on Firestore, notify the user to use the correct one.
Or you can let the user signin using whatever they please but ultimately in your code, the function which is triggered will tell you the current signin method and you'd have the first/previous method stored. So you can do stuff accordingly.
What you are writing in the question seems not to be how it works. When you sign in using the Google provider, your email is verified automatically, and if you try to sign in using the same email, authentication will throw an error that an account with that email already exists.
If you created the first account using email and password and didn't verify your email address, then if you sign in using the Google provider with the same email address, the email and password provider will be gone because it was not verified, and you won't be able to log in using email and password unless you set up a new password for this email.
If the email was verified and you sign in using the Google provider with the same email address, this provider will be added to the providers array and you will be able to log in using email and password and the Google provider.
To add multiple providers to your account you can use the linkWithPopup() function, for example if you created the account with a different email address and want to be able to log in to this account with a provider that has a different email address.

Let user know when email verified

When the user wants to update the email, I'm using verifyBeforeUpdateEmail to verify before updating it.
await FirebaseAuth.instance.currentUser.verifyBeforeUpdateEmail(
email,
ActionCodeSettings(
androidInstallApp: true,
androidPackageName: 'com.example',
iOSBundleId: 'com.example',
handleCodeInApp: true,
url: 'https://example.page.link/emailVerify',
));
Can I let the user know if the email has been verified and updated? I've tried dynamic_links but it does not pick up the email verification.
The verifyBeforeUpdateEmail() method sends a verification email to a new email address. So the user needs to execute an action in order to verify the email (click on the link provided in the email). So normally the user will know he/she has verified the new email.
If you want to add an extra mechanism to "let the user know if the email has been verified and updated" you could adopt one of the following approaches:
#1 Implement a custom email action handler
As explained in the doc, "by default, user management emails link to the default action handler, which is a web page hosted at a URL in your project's Firebase Hosting domain. You can instead create and host a custom email action handler to do custom processing and to integrate the email action handler with your website".
This way, you could implement any business logic in parallel with the email verification, like sending a confirmation email or updating a flag, etc.
#2 Use a Cloud Function
There is no Authentication Cloud Functions trigger in response to the verification of an email, unfortunately. We can only trigger a Cloud Function upon the creation and deletion of Firebase user accounts. But you could implement a scheduled Cloud Function which checks if the email has been verified.

Ionic Authentication

I have a use case where I need to signup incoming customers in following way
The customer visits the site.
If the customer is new, then he will register himself on the site with email and phone number.
After this, the admin will send the email with OTP to that customer.
Once the customer has received the OTP, he can signin to the system and set new password.
I am using Firebase as backend for this and Ionic in the frontend.
I am confused as to how should I go for implementing this?
I was thinking of storing new users in real-time database and once the admin has confirmed then trigger a function to send OTP via mail.
Any suggestions on this?
I'm hoping you're using Angular.
Use Firebase Auth
Set default route to login screen
When customer enters check the firebase auth state if authenticated proceed to home screen
Note: firebase.auth().onAuthStateChanged((user) => {}) can recognize user if previously logged in.
If not authenticated, show the login and register screens.
Use Firebase Auth, as it has a parameter called "verified" set to false by default.
When the admin verifies, set verified to true and trigger a Cloud Function to send the OTP.

Is there a way to reset password with Firebase Auth INSIDE a flutter app?

Firebase Auth has a method to send a verification email so the user can reset his/her password. This link redirects the user to a website where the new password will be written and saved.
Is there a way to reset a user's password using flutter and firebase inapp? I mean, could I send a verification code through SMS or email that would be then typed into the app and the user would choose a new password all inside the app?
Thank you!
To be able to change a user's password directly through the API, the user will have to enter their current password in order to be able to update it.
If you use the Admin SDK however you can implement whatever flow you want, and update the password at the end of the flow. But of course in that case it is up to you to ensure you do it securely.
You can do so by using custom email handlers along with dynamic links to open them in your app. This might require a custom domain to do so. Once the user visits your application on the custom route/page, you can then use the applyActionCode method to process the email action. Check out my answer here for a detailed explanation on processing the email actions:
How to build a custom Email action handler in Flutter for Firebase Authentication

When do I verify the email before creating a subscription with stripe?

I know stripe doesn't have anything to do with verifying emails.
I have a form on my website where I collect a new user's email, password and cc info.
As of now I do not verify the user's email. I simply create the user in my system and create the stripe user and subscription after I get the card token with stripe.js.
I want to verify the email address, but I am not sure at what point in the process to do it. I don't think it makes sense to charge the customer and start the subscription and then verify the email address.
Should I wait and start the stripe subscription when the customer verifies the email address? It seems like this is one of the most common scenarios online. Is there a best practice for this scenario?
Again, I am not asking technically how to verify the email address (I use firebase auth), I just want to know when I should and how it should fit into my onboarding flow.
After Firebase Auth account creation, you can check if emailVerified is true. If not, send an email verification and pass a continueUrl to continue the subscription process, instructing the user to check their email to continue the subscription process. This is a common process for many subscriptions that require email verification.
You can learn more about passing continueUrl via email verifications:
https://firebase.google.com/docs/auth/web/passing-state-in-email-actions
You can build your own custom landing page where you continue the subscription using the following instructions: https://firebase.google.com/docs/auth/custom-email-handler
Make sure you check email_verified in the idToken after ID token verification to confirm verification, server side.
