FirebaseUI has the option of authenticating a user silently via AuthUI.getInstance().silentSignIn(). My issue is that I need to sign in specific users silently, and with FirebaseUI it doesn't always work as expected. There seems to be some kind of a caching mechanism which decides which user will get signed in, and I as a developer don't have that much control over it as I'd like. Specially when signing in Email/Password accounts.
Firebase Auth on the other hand has those very clear methods like FirebaseAuth.getInstance().signInWithEmailAndPassword(strEmail, strPassword) or FirebaseAuth.getInstance().signInWithCredential(GoogleAuthProvider.getCredential(account.getIdToken(), null)) (after using .startActivityForResult(Auth.GoogleSignInApi.getSignInIntent(m_gacGoogleApiClient), RC_GOOGLE_SIGN_IN))
Is it possible to safely use those Firebase Auth methods directly instead of AuthUI.getInstance().silentSignIn(), or or will this cause problem because the underlying system of AuthUI may then not be in sync with the state of Firebase/FirebaseUI?
Because if that is not possible, I will be forced to ditch FirebaseUI entirely. I like the initial sign-up procedure of FirebaseUI a lot, it makes many things easier, but the silent sign-in is very important to me.
The FirebaseUI Authentication components don't keep their own state. So mixing AuthUI methods with regular Firebase Authentication methods should not create problems with mixed state.
If you experience any problems, please report in an issue here, on on the Github repo of FirebaseUI for your platform.
Related
Client Framework: Vuejs
Backend DB: Firebase Firestore
Auth system: Firebase Auth
__________________________
I'm building a Vue application that uses Firebase Auth. In the past, most developers created custom form that collects user info (name, email, password, phone #, and etc.) using HTML Input field to gather Email and password, and then, from the client side we could perform TWO important actions in one sequence to give a single step to user.
USE Auth SDK to Call firebase auth method to create new user by passing email and password to the method as parameters.
Upon completion of this action, we then grab the UID that is returned by Firebase, and using Firestore SDK, we then make the next call to create a NEW User in DB, using the name,email, Phone # and the UID.
This flow works great which provides a smooth one step User Flow and we can provide proper error message and navigation.
Then came along and Firebase Team offered FirebaseUI to use as replacement to our custom form and sequence. The FirebaseUI has some strange behaviors related to how to "Sign up" new user and also lacks flexibility and a modern look for form entry.
Based on my understanding, the main reason Google wants us to use it:
A) It provides a more secure way to collect email and password and send it to Firebase Auth.
B) It provides easy way to use multiple providers.
My question is, Is it really unsecured to build our own form as I explained earlier and not bother with Firebase UI, when I'm only using email/password auth and passing it via HTTPS?
Please clarify, is it safe just build my own custom form or SHOULD I use FirebaseUI?
FirebaseUI doesn't really offer anything special in terms of security. Use it if you like the way it works. If it doesn't work the way you want, fork the source code and make it work the way you want. If you want something completely different, feel free to implement it yourself.
The point of FirebaseUI isn't to ensure security. It's to be convenient. You are ultimately responsible for security, so be sure to audit any code you use in order to ensure it meets your needs.
I'm working on a React-Native, Expo and Firebase project. I have built my firebase functions as cloud functions. The login, signup and register are built as a cloud function aswell. I'm using Email and Password to authenticate/signup the user.
I have used the method to store the token on the device and log the user in if it exists. However the token expires after 1h and after that my method does not work.
I have tried to use
firebase.auth().setPersistence(firebase.auth.Auth.Persistence.SESSION)
but that does not seem to work with cloud functions and returns error code: The current environmet does not support the specified persistence type.
What kind of workaround for this problem is there? Building a seperate cloud function that only refreshes the token, and in that case how do i achive that? What pros and cons is there for different solutions? Thankfull for feedback and
thoughts.
According to React Native Firebase's documentation, setPersistence method is not supported in React Native, link is mentioned below.
https://rnfirebase.io/docs/v5.x.x/auth/reference/auth#Unsupported-Methods
You can check this answer if this may help you,
https://stackoverflow.com/a/46143694/11758792
Firebase allows users to change their email client side with
firebase.auth().currentUser.updateEmail("example#example.com")
However, I would like to disable this feature entirely - obviously, I offer no way to access it on my app by default, but if an attacker managed to trick the user into install a Chrome extension or otherwise was able to access client credentials, I would always want it to fail if possible.
Is there anywhere on the Firebase auth console where I can change this functionality or a Cloud function that would stop users from changing their email?
At this moment in time, I do not see anything in the console or otherwise to disable this functionality. As it stands, there are only two Cloud Functions available for Firebase Auth events - user creation and deletion, so that would probably not be applicable to this use case either. The only thing I can think of is to just use the Admin SDK and your own API / backend to facilitate custom authentication for this scenario.
Is there a way to keep all the data local, and sync it online with firebase when the user decide to login in to the app?
I know about the offline capabilities of firebase, but I don't think they are meant for this use case.
Typically you'd use an anonymous login for that situation. The data will be synchronized with the Firebase server in that case, but the user doesn't have to sign in yet. For more information, see the documentation on anonymous auth.
I'm aware that using Twitter/Facebook Firebase authentication with React Native throws an error since obviously that's not the right env to open up a new auth window. Also, Email/Password auth should also fail since it's reliant upon LocalStorage which React Native doesn't support. Is the best way to implement any sort of Firebase authentication in React Native to create a Swift/ObjC bridge then really just use the Swift/ObjC Firebase auth library? If so, does anyone have any examples of doing this?
Update: As of Firebase 3.x, Firebase Authentication will correctly persist users in React Native apps.
Ahh, I didn't realize that React Native didn't polyfill localstorage. So if I understand your question right, email/password auth with Firebase works fine in React Native, except it is not persisted across app starts, so the user has to log in every time.
One possible solution would be to manually persist the auth token yourself. Something like:
Call authWithPassword(...) as usual.
In the onComplete handler, retrieve authData.authToken and store it locally (e.g. using AsyncStorage).
On next app start, retrieve the auth token from storage and call authWithCustomToken(authToken, ...).
We'll look into making Firebase do this automatically, but it's a bit tricky to do this without affecting other consumers of Firebase besides react. I've added this to our internal bug database though and we'll see what we can come up with. We'll update this answer when we have a solution. Thanks!