Context:
I am developing an iOS app with sign-in with apple. This features gives users the ability to hide their emails and use an anonymous email to register. In order to be able to send information to these email addresses apple requires you to register both your emails and domain from which emails will be sent.
I followed these 2 guides to register and verify the domain:
https://sarunw.com/posts/sign-in-with-apple-2/
https://help.apple.com/developer-account/#/devf822fb8fc
Important to note:
In properly follow the directions I needed to make the .well-known folder myself
Domain is publicly accessible
I did make sure I added v=spf1 include:_spf.google.com ~all to my DNS records
I already have a Let's Encrypt SSL cert
Enviornment:
Wordpress running on AWS Lightsail
Problem
When I click the verify button, I am given a 1 line error message:
Verification failed for domain
I am not sure how to proceed with verifying my domain.
Troubleshooting steps I have taken:
Instead of verifying example.com, verify www.example.com incase it is being redirected
Move apple-developer-domain-association.txt to the root directory instead of /.well-known
Verify using Safari instead of Chrome
Download new verification file
Email Apple support (They just sent the same guide I found in their dev docs)
Checked to make sure I had a supported TLS 1.2 cipher using SSL Labs (I do have 1, do I need all?)
Response in Network Inspect Tool:
{
"responseId":"XXX",
"resultCode":13004,
"resultString":"Verification failed for domain",
"userString":"Verification failed for domain",
"creationTimestamp":"2020-01-23T21:48:37Z",
"protocolVersion":"QH65B2",
"userLocale":"en_US",
"requestUrl":"https://developer.apple.com/services-account/QH65B2/account/ios/identifiers/verifyDomain",
"httpCode":200
}
Related
I am new to firebase and I am trying to handle firebase user authentication in React.js. I did manage to create users with email and passwords. But, now I would like to send the user an Email link to reset their password.
My code currently look like this.
// This line of code belongs to the top
import { auth } from '../firebaseConfig'
//This part goes under the React component
<p onClick={async () => {
try{
await sendPasswordResetEmail(auth, // My Email Id)
alert('Password reset link has been sent to your email')
}
catch(err){
alert(err)
}
}}
>Forgot your Password ?</p>
However, I do not get any error messages and I do get the alert message that says "Password reset link has been sent to your email." Unfortunately, I didn't receive any email. Note that I have given my own email id as the parameter for testing purposes.
firebaser here
Did you check your spam folder? We recently see a lot of the emails from Firebase Authentication ending up in the user's spam folder or being marked as spam in a system along the way. This is being tracked in this status message on the Firebase dashboard and in public issue #253291461.
To reduce the chances of the messages getting marked as spam, consider taking more control of the email delivery yourself.
As a first step, consider using a custom domain with your project. Email that comes from a custom domain has less chance of being marked as span.
As a second step, consider setting up your own SMTP server.) for delivering the email, so that the emails are not being delivered from Firebase's shared infrastructure anymore.
While these steps are more involved, they typically will drastically reduce the cases where the messages from Firebase Authentication are marked as spam.
Full Guide Based on Frank's Answer
Firstly create a new email account you can use to relay the Firebase emails through the SMTP server with. I personally chose Gmail, but I tested with Outlook and it also works.
You can now find an SMTP server host that will work for your scenario. If you're sending less than 1000 emails per month you can find free and reliable hosts. I chose SMTP2GO's free option.
Now you've found the SMTP host, add the email address you've chosen as a single sender email (note that if you do own a domain, you can alternatively use that to send emails).
Note that you will have to verify the email, usually by your host sending a link to the email's inbox. Make sure to check spam.
Once verified, navigate to where you host allows you to add SMTP Users and add a new user. This will allocate an SMTP username and password.
Navigate to the Firebase console, and choose the Authentication option from the sidebar (within the Build product category).
Go to Templates → SMTP Settings and enter the details of your SMTP server. The username and password fields are to be filled with the SMTP user login you created in the step above.
It is better to use TLS, but I believe SSL should work too but it is untested.
Click save, and you're all set up - but there may still be steps to perform depending on your email provider.
Provider Specific Steps
If the emails are being sent to an account managed by Google you will have no issues with your emails being quarantined by anti-spam policies and it will work immediately.
If you are using Outlook, you will have a different problem on your hands. Outlook's built in defender will most likely have auto-quarantined your email under multiple policies - that bit is important.
These policies are likely to be both spam and phish policies. If you unblock one of them, the other will catch it and re-quarantine.
Unblock both policies for the email address, and test. You can see the status of quarantined messages in Microsoft 365 Defender app under Review → Quarantine. Please note that you will need to be an administrator to add global allow policies to your email accounts.
If this still doesn't work it is likely that your company has an additional external filter (as mine did), and you will have to add the IP's manually to the Tenant Allow/Block Lists spoofed senders tab.
The problem: None of the emails sent trough any of the 8 Wordpress installations on the VPS trough contact form are being received by gmail. Please help, I'm a begginer. Didn't found simple tutorial online that works. But here is what happens:
Tried to host my own VPS server (Debian9)
Made virtual hosts and added 8 domain names
Connected them all to Cloudflare (to increase speed)
Added free Zoho accounts to the DNS records MX/SPF (to have mails like mymail#mysite.com)
v=spf1 include:zoho.com ~all and _domainkey
Installed Postfix, configured it with the idea that I'll be able to send from Wordpress contact forms and password reset emails
Wrote to my VPS provider. He says:
Since you are sending emails from www-data#servername.cloud the SPF check fails, because we do not allow sending emails with our domain.
EMAIL ERROR LOG:
Aug 6 02:30:44 2n5z postfix/smtp[1050]: C739381595: to=<somemeail#gmail.com>, relay=gmail-smtp-in.l.google.com[2a00:1450:4010:c08::1a]:25, delay=0.42, delays=0/0.01/0.08/0.33, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:4010:c08::1a] said: 550-5.7.26 This message does not have authentication information or fails to 550-5.7.26 pass authentication checks. To best protect our users from spam, the 550-5.7.26 message has been blocked. Please visit 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information. z2si1913276ljj.406 - gsmtp (in reply to end of DATA command))
Full log here: https://pastebin.com/6wwepVrM
Otherwise it says it's spam.
I have just today realised that the authorisation emails sent from my perfectly legitimate Firebase backend are being flagged as malicious by Microsoft Outlook's "Advanced Threat Protection"
There is no reason for this other than perhaps it was flagged during development due to me sending myself repeated confirmation emails in order to test the functionality.
This warning does not show up in regular hotmail/outlook accounts, but I am an Office 365 subscriber so it appears as though I am lucky enough to get this "advanced" protection which protects me from my own completely non-malicious website.
Should I contact Microsoft or Firebase for a solution?
Thanks a lot!
Update: I contacted Firebase support and received the following:
My name is XXXX from Firebase Support, thank you for reaching out to us, problems on Microsoft services such as this “Advanced Threat Protection” is not in my area or expertise, I would suggest to open a ticket with Microsoft for this issue, I see that there is already a topic on Stack Overflow, please be sure to check other Firebase community channels as well.
I understand that this isn't Google's problem to solve, but it would seem any Firebase app using email verification is going to run into trouble with Microsoft email systems. Which is a lot of corporate and government systems...
Any suggestions on how to get some attention paid to this from either Google or Microsoft?
Cause
This error is caused by having inconsistent domains in the email. By default, user management emails link to the default action handler, which is a web page hosted at a URL in your project's Firebase Hosting domain ([project].firebaseapp.com), rather than the the same domain you may be sending emails from (veritification#yourdomain.com).
Solution
Make this “action link” go directly to your website. This will solve the outlook warning, and also make it less likely you'll end up in spam filters in general. On your website, you have 2 options for how to handle the actual validation.
Both solutions below require your domain to be authorized.
This can be done under Authentication -> Sign-In Providers -> Authorized Domains
Option 1 - Use Custom Email Action Handlers (Hard option)
You can setup a custom email action handler so that these actions take place directly on your website, rather than on the firebase hosted page. This is a more integrated experience.
This can handle
Resetting passwords
Revoking email address changes—when users change
their accounts' primary email addresses, Firebase sends an email to
their old addresses that allow them to undo the change
Verifying email addresses
1. Create your custom email handler page
custom email action handler page - firebase docs
2. Update Email Template In Firebase
This can be done under Authentication -> Templates -> Email Address Verification -> Customize Action URL
Option 2 - Just Redirect (Easy option)
Link the email back to a page on your website, that will immediately perform a javascript redirect to the [project].firebaseapp.com authentication page, carrying through the URL parameters required to perform necessary verifications and changes.
For Example
action url for email template: https://www.yourdomain.com/account-action (firebase will attach the appropriate params to the url automatically)
Javascript redirect on your website goes to ”https://project-name.firebaseapp.com/__/auth/action?” + params
I recommend ensuring you implement the continueUrl in your verification email delivery so that the user can easily get back to your website.
If you're using Firebase hosting, and you're serving from their built-in your-project.web.app address, then you can simply use the other built-in, your-project.firebaseapp.com, as your site address instead -- no configuration needed.
The .web.app address is a bit sexier, but the various action emails are actually sent from the .firebaseapp.com, and Outlook is suspicious of the mismatch. Having users originate from the .firebaseapp.com address solves the issue.
I opened a GitHub issue about this: https://github.com/firebase/firebase-js-sdk/issues/5021][1]
I'm using Firebase Authentication for my web app, and customizing the redirect domain for Firebase Authentication's Google Sign-In feature so that Google's authentication page will
show Continue to: https://auth.mydomain.com,
instead of Continue to: https://my-app-12345.firebaseapp.com.
So I did four steps according to instructions on Firebase's documentation:
(1) Create a CNAME record for auth.mydomain.com that points to my-app-12345.firebaseapp.com
(2) Add auth.mydomain.com to the list of authorized domains in the Firebase console
(3) In the Google OAuth setup page, whitelist the URL of the redirect page which is https://auth.mydomain.com/__/auth/handler
(4) Edit my app's JavaScript code which initializes Firebase library:
var config = {
...
// from 'authDomain: my-app-12345.firebaseapp.com,'
authDomain: 'auth.mydomain.com',
...
};
After that, however, when my app invokes firebase.auth().signInWithRedirect(provider) method, web browser will show privacy warning like the following:
Your connection is not private
Attackers might be trying to steal your information from auth.mydomain.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID
...
This server could not prove that it is auth.mydomain.com; its security certificate is from firebaseapp.com. This may be caused by a misconfiguration or an attacker intercepting your connection.
Proceed to auth.mydomain.com (unsafe)
And certificate information is as follows:
firebaseapp.com
Issued by: Google Internet Authority G3
Expires: Tuesday, 13 November 2018
This certificate is valid.
Details
Subject Name
Country: US
State/Province: California
Locality: Mountain View
Organization: Google Inc
Common Name: firebaseapp.com
And below is URI:
https://auth.mydomain.com/__/auth/handler?apiKey=apiKey&appName=%5BDEFAULT%5D&authType=signInViaRedirect&providerId=google.com&scopes=profile&redirectUrl=https%3A%2F%2Fwww.mydomain.com%2Flogin&v=5.0.4
Why does customizing the redirect domain for Google Sign-In prompt NET::ERR_CERT_COMMON_NAME_INVALID warning, and how should I do to avoid the warning message from prompting, e.g. adding Subject Alternative Names into the certificate, using auth.mydomain.com's own certificate?
By the way, in the above warning page, if Proceed to auth.mydomain.com (unsafe) is clicked, authentication will work as expected.
Because auth.mydomain.com points to my-app-12345.firebaseapp.com via CNAME record, host of firebaseapp.com should provision SSL certificate for auth.mydomain.com. It has to be done in Firebase Hosting page even if my-app-12345 is not using Firebase Hosting. Here is step-by-step method for doing that based on Firebase's documentation:
In Firebase project my-app-12345's console, click Hosting on the side menu.
When Set up hosting pop-up appears, click Continue. Then click Finish.
In Hosting page, click Connect domain.
When Connect domain pop-up appears, enter auth.mydomain.com. Then click 'Redirect auth.mydomain.com to an existing website' checkbox. Then enter my-app-12345.firebaseapp.com. Then click Continue.
When 'Add the TXT records below to your DNS provider to verify you own mydomain.com' pop-up appears, follow the instruction. And click Verify. (Verifying may take some minutes). Then click Finish.
Now auth.mydomain.com will be appeared in domain section with Pending status. It will soon be changed to Connected. And after some time, the NET::ERR_CERT_COMMON_NAME_INVALID warning issue will be gone.
P.S. With help of Firebase technical support team, I have got the answer to my own question.
just to clarify, as of Jan 6th 2020, the method above (using 'Redirect' within Firebase Hosting) doesn't work anymore.
Following something written in https://levelup.gitconnected.com/how-to-connect-a-domain-to-your-firebase-project-cd47373bad79 - we can see for Authentication, we need to use "Custom Domains" and not "Redirect"
This is because if redirection is used, the SSL signed between the exit and entry points of the custom domain and Google's authentication servers will fail the handshake.
In other words:
If you are setting it up for the first time:
In Firebase project my-app-12345's console, click Hosting on the side menu.
When Set up hosting pop-up appears, click Continue. Then click Finish.
In Hosting page, click Connect domain.
When Connect domain pop-up appears, enter auth.mydomain.com. Then do not tick 'Redirect auth.mydomain.com to an existing website' checkbox. Then enter my-app-12345.firebaseapp.com. Then click Continue.
If you've already setup a Redirect domain, and you cannot get it to work - you can simply edit the entry, and change to a "Custom" type.
Wait 10 ~ 30 minutes once that has changed to have this function properly.
I have an ASP.NET MVC5 site that uses forms authentication, but is also using client certificates for an added layer of security by setting:
<security>
<access sslFlags="SslNegotiateCert" />
</security>
The client certificate is optional because it isn't required until the user actually attempts to log into the site. When the user attempts to log in, the site will validate the Thumbnail, Issuer, and compare the Subject to the user attempting to log in (there will be a different certificate per user).The problem is that every time a user comes to the site they are prompted to provide a client certificate when they first enter the site, which may cause issues if:
they accidentally select the wrong certificate
want to log off & log back in with a different user (not re-prompted for a cert)
Is there a way to silently\automatically detect a client certificate based on the log-in provided rather than having the user select a certificate on first entering the site?
EDIT: Adding more specific example of Actual\Desired behavior
Actual Behavior:
User opens up Chrome and goes to http://www.example.com
Chrome pop-up asks user what client certificate they want to use
User chooses "user3 (www.example.com)"
User sees unauthenticated home page view & clicks the "Log In" button
User enters Username: "user2" and Password: "****"
Site validates that ClientCertificate.Subject == Username (fails because certificate is for "user3")
Desired Behavior:
User opens up Chrome and goes to http://www.example.com
User sees unauthenticated home page view & clicks the "Log In" button
User enters Username: "user2" and Password: "****"
Browser does something to silently detect if client has certificate "user2 (www.example.com)" with little to no user interaction
Question: Is the "Desired Behavior" possible in some way? (header? javascript? browser plug-in?)
By default, and due to security issues, there is no way to select a certificate for the user at all when he is visiting a website.
The user can configure their browser to use a specific certificate for a website by default if he wants, but that's a different thing.
For the second part, the certificate is used to secure the connection between the browser (client) and the server, so if you want to use another certificate you should entirely finish the connection between the browser and the server, unfortunately you would need to close the browser and open it again for that to happen in most cases. Or by cleaning the certificate cache, but that needs to be done manually by the user in his browser.
You can find a very good explanation about how certificates and SSL works here:
https://security.stackexchange.com/questions/20803/how-does-ssl-work
I am not aware of a way to do this within a single application. One way to do it is to create two asp.net-mvc applications. The second site would be a sub-directory application with the SslNegotiateCert in the sub-directory's web.config and contain all the secure methods/logins etc.