Firebase Auth has a method to send a verification email so the user can reset his/her password. This link redirects the user to a website where the new password will be written and saved.
Is there a way to reset a user's password using flutter and firebase inapp? I mean, could I send a verification code through SMS or email that would be then typed into the app and the user would choose a new password all inside the app?
Thank you!
To be able to change a user's password directly through the API, the user will have to enter their current password in order to be able to update it.
If you use the Admin SDK however you can implement whatever flow you want, and update the password at the end of the flow. But of course in that case it is up to you to ensure you do it securely.
You can do so by using custom email handlers along with dynamic links to open them in your app. This might require a custom domain to do so. Once the user visits your application on the custom route/page, you can then use applyActionCode method to process the email action. Checkout my answer here for a detailed explanation on processing the email actions:
How to build a custom Email action handler in Flutter for Firebase Authentication
Related
I would like to customize the email template (using the Trigger Email extension templates) to send verification links to users.
I understand it is not possible to change the template from the Firebase console as it prevents spam.
I am aware of the ability to customize action email handlers (The page that the user lands on when the link in verification email is clicked), as well as the ability to update the auth user's emailVerified property manually.
Is there also a way to generate the verification link that firebase would have used? One with the following properties:
mode
oobCode
apiKey
continueUrl
lang
My ideal solution is to send a custom template to the user upon registration with the generated verification link. Direct users to a custom handler page, and use the applyActionCode() function as shown in The Docs to verify the email (I hope this implicitly updates the emailVerified property on the Auth.User record.)
I have achieved this by creating the user and generating the link on the backend with the admin SDK.
So your frontend would call a callable function or bespoke API endpoint for instance for the registration instead of using the SDK directly.
The callable would go about this:
Creating the user in Auth: auth.createUser()
Creating the user in your DB (Firestore, Mongo etc.)
Assigning custom claims if required: auth.setCustomUserClaims
Building the link for signin: auth.generateSignInWithEmailLink()
Sending the email to an email transactional API
You will need an ESP e.g Sendgrid, MailChimp, MailGun etc. for the last step. There you will have all the freedom to build your own templates.
Please note that the generateSignInWithEmailLink will take care of verifying an email address and signing-in. It could therefore be used for login and registration.
Cheers
In a Firebase project, I have activated multiple sign-in methods (e-mail, Google, and Microsoft), which all work fine. I also have it activated to only allow one account per e-mail address.
The problem arises when a user successfully signs in via Google or Microsoft, then signs out and then signs in via e-mail, using the same e-mail address as before using Google or Microsoft. Then his account type changes to e-Mail and it seems like a no way back.
Is there a way to change user account types from e-mail back to Microsoft or Google?
Your code must have different functions written for different signin's. When the user first logs in, store his login method on firestore. You can get this from the signin function triggered or simply by the button user clicked. Then during each login add a check that if user exists and user's current signin method is not the same as the one stored on firestore, notify the user to use the correct one.
Or you can let the user signin using whatever they please but ultimately in your code, the function which is triggered will tell you the current signin method and you'd have the first/previous method stored. So you can do stuff accordingly.
What you are writing in question seams not how it works. When you sign in using Google provider your email is verified automatly and if you try to sign in using same email authentication will throw error that account with that email allredy exists.
If you created first account using email and password and didn't verify your email addres then if you sign in using google provider with same email address in it, email and password provider will gone because of was not verified and you wont be able to login using email end password unless you will setup a new password for this email.
If email was verified and you sign in using google provider with same email address. This provider will be added to providers array and you will be able to login using email and password and google provider.
To add multiple providers to your accaunt you can use linkWithPopup() function. If you created accound with diferent email address and want to be able to log in on this account with provider who has diferent email address for example.
I am working on an application in which I want the user to reset the password using FirebaseAuth but I do not want the user to reset the password on the template provided by the Firebase. Instead I want to send the user in my application to reset the password.
Is there any way of implementing that?
You can do so by using custom email handlers along with dynamic links to open them in your app. This might require a custom domain to do so. Once the user visits your application on the custom route/page, you can then use applyActionCode method to process the email action. Checkout my answer here for a detailed explanation on processing the email actions:
How to build a custom Email action handler in Flutter for Firebase Authentication
I am currently developing an angular+ionic app. Everything is working ok but I got a question with the forgot password workflow: sendPasswordRestEmail -> user clicks link -> user fill form -> user submit form -> password and oobCode send with the firebase auth api, which I am accessing through angular fire package.
As I said everything is working as intended. The only "issue" I see is that firebase not only sends password reset email to user that created their account with an email/password but also users that are using an external provider like Google ( sign in with google). I havent test login with Facebook at this point but it is happening with google provider. I just want to make sure if this is the intended workflow or something may be wrong... a bug or something? before I post an issue on github, because even though the user can "change its password" when using an external provider, it is having no effect on their external account(gmail account) which of course should have no effect.
Sending a password reset email from Firebase allows the user to reset the password on their Firebase Authentication account. It has nothing to do with the password they may have with any social provider associated with that account.
I am using flutter for this project. My goal is to send a verification email to the admin once the user has registered his/her account. The profile will be registered once the admin verifies it through email.
I am aware that we can send a verification email to the user itself to verify the email id by using Firebase Auth. I was wondering whether there is a way to change the reciever's address from the user to an admin's email id(custom email id). If no then is there any other way to perform this task ?
Thank you in advance for the help.
I am using Cloud Firestore as a database service.
You can use Cloud Functions to know when a user was created or deleted.
But if you want to get an email only after the email was confirmed, then you would have to do it inside your app, triggering some logic that sends you a message from inside your app once you detect the email is verified.
You can't change the destination of the verification email. It will always go to the email address that was used at the time of signup.
If your goal is to prevent the user from doing anything with some backend resource until after an admin authorizes them, what you can do is use custom claims to add a flag to the account that can be checked by security rules or your backend endpoint. The presence of that flag can be used to tell if an admin has authorized them. You will have to build out some amount of backend infrastructure to make all that work.
As far as I remember there are Firebase Authentication triggers that you can use to listen to new user creations. You need to setup a Firebase function that listens for user creation events.
functions.auth.user().onCreate((user) => {
//send email to admin
}
Another step that you can take is to disable the newly created account and also send email to the user as well telling him that his account is disabled until admin approves it. You can achieve this using Firebase Admin SDK. And maybe create another cloud function that admin activates to enable the account back. So maybe something like this:
functions.auth.user().onCreate((user) => {
// disable this account
// send user email to let him know that his account is disabled until approval
// send email to admin to ask for his approval for the account
}
() {// another cloud function that enables the user account called by admin}
This may not be the best solution but it will work.