Here's my question. To access our web app, the users must be invited.
Each user belongs to a Company. The first person in that company is the admin, who can invite other users. They'll get an email link to sign up.
Now the next phase, how do we add the newly signed up user to the existing company? My initial hunch would be to use Dynamic Links, but I'm a little lost.
Related
I have a list of people with all their personal information (name, first name, date of birth, email, etc.). I created an account for each of these people in my database. I'm using Firebase.
Since I already have all my user's info, I don't want them to type it again when signing up to my website.
So I created a system using a custom token for authentication. I send them as a parameter of an URL to every one of my users.
When the user clicks on the link for the first time: he gets redirected to the signup page with all the fields pre-filled (name, date of birth, email, etc) except for the password. He types the password he wants and gets signed up.
When the user clicks on the link every other time: he gets redirected to the login page. A simple email + password interface with the email field already pre-filled. He types his password and gets logged in.
This is working great BUT I'm wondering: is this bad practice to do so?
Is this insecure to let anyone who gets the email create an account in the name of my user? Should I assume that someone, other than my user, may have total access to my user email account? Should I be prepared for this eventuality?
Since I already have all my user's info, I don't want them to type it again when signing up to my website.
If you already have the user's information, and you are allowed to process it, then it's a good practice to not let the user do something that it's already done.
is this bad practice to do so?
Not at all. That seems to me like a practice that is present almost everywhere. If you want to edit the profile data, you always have the existing data already pre-filled. The user has just to verify it or change it if needed.
Is this insecure to let anyone who gets the email create an account in the name of my user?
That sounds not like the best option if someone else can use that URL and create an account on behalf of the user. Most likely you should consider letting the user create the account only if it can validate the data through an SMS, or any other service that is specific to that user in particular.
Should I assume that someone, other than my user, may have total access to my user email account? Should I be prepared for this eventuality?
Yes indeed. You should always prepare for that. Never trust the users. There's not a perfect world out there.
I'm currently building a POS/Store admin app, when a user gets into my app, the Owner of the store will then be asked to login only once for setup purpose (e.g. a new machine), the app will then display a list of staffsName that has already been added by this owner, and then everytime a staff wants to start a new transaction, he/she will only need to click on his/her name, then enter his/her 4-digit pincode to 'login' and process the transaction.
How do i go about achieving this?
I was thinking of using firebase auth for the 'login' of the staff, but then when i log in using the staff credential, I will lose access to the uid of the owner, which is needed to access the owner's store data such as his/her products.
i'm also thinking of using firestore to store the 4digit pincode, but then i'm also concerned about security
There are multiple ways you can approach this, one where you utilize the email login by simply appending a fake domain to the username to create a valid email domain. This user account could be the designated 'user' in question, or utilize credentials inside custom claims or hidden in a database that allows the client or server (depending on your preference) to then log in as the user.
Moreover if you want the manager to login once you can add Authentication State Persistence to specify whether a signed in user should be indefinitely persisted until explicit sing out, page reload etc.
Another approach requires the user also to have a valid auth that is not an email password and you link your pin auth to that main account with Firebase Auth Linking per the documentation: https://firebase.google.com/docs/auth/web/account-linking.
This does however require that the user be registered from an auth provider such as Google, Twitter, Apple, etc. then the user will have to activate this link by logging in for authentication purposes. This can in theory be automatically generated and processed without the user knowing.
It is a long way around it since this is essentially a custom solution but it does create the flow you are looking for without having to use a custom auth provider.
So I'm making this app for pharmacists and their patients. Pharmacists can manage their patient's data through the app - and most importantly sign up their patients to the app.
The ideal flow goes like this - at an appointment, pharmacist gets patient's email address. Pharmacists can then create a user account, either setting a password right then for the patient, or sending an email letting the user set one up.
Is there anyway for one user to create an account for another user within firebase?
Cheers
As long as its at a manageable rate as you could hit quota limitations.
The pharmacist can create a new password account with the email provided and some random password and then trigger the reset password flow. This will send a reset password link to the user.
You can then build a custom landing page for resetting the password where the user would take control and finish setting up their account.
Check the docs on building custom email action landing pages:
https://firebase.google.com/docs/auth/custom-email-handler
I've created a system where a user can sign up for my application, start a paying subscription & then has access to my app.
I need to create another system that allows the user to invite their team members but in such a way that if the original account's subscription ends, I can also deny the invited users access to the app.
I'm not sure how to do this.
Effectively, the interaction flow would be as follows:
User signs up -> Pays for app -> Enters dashboard -> Inputs team member email -> team member receives email -> team member follows link -> creates password -> enters dashboard in new user account that's linked to original
So if the original subscription ends I can also deny the user access to the app.
I hope this makes sense & appreciate any tips on how to do this.
A common pattern for this is to include a invitedBy key in the users collection. When the first member invites other team members, set the invitedBy key in the invited members to the _id of the inviting member. In your code that expires the subscription of the first member, do:
Meteor.users.find({ invitedBy: userId })
and then take the appropriate actions to cancel/suspend their subscriptions or ask them to pay up.
The key is to include a reference to the inviting user in the signup link that is sent to the invitees. In my app I manage this with a separate Invitations collection that contains the inviting user's _id along with a token that is used in the url.
ASP.Net C# and FaceBook Connect.
I'm using Facebook connect on my site. If a new user connects through FB i create an account for them and all is fine. What i would also like to do is check to see if they already have a registered account.
So if someone connects that has not logged in but has an account i would like to be able to locate the account in my application a link it. I hoping this could be done via the email address?
Any ideas
Thanks
Richard
UPDATE: You need Connect.registerUsers:
This method is used to create an
association between an existing user
account on your site and that user's
Facebook account, provided the user
has not connected accounts before.
This method takes an array of account
data, including a required email_hash
and optional account data. For each
connected account, if the user exists,
the information is added to the set of
the user's connected accounts. If the
user has already authorized the site,
the connected account is added in the
confirmed state. If the user has not
yet authorized the site, the connected
account is added in the pending state.
If the user deactivates their external
user account, then call
connect.unregisterUsers. To get the
number of friends a user has in the
pending state, use
connect.getUnconnectedFriendsCount.
If that doesn't resolve your question, this question is not a duplicate of yours, but the answers might give you a way forward:
How do we register users — Facebook Connect users logging in the first time — when we cannot get an email address from facebook?