How do I Check if an email address is real or fake in flutter - firebase

I use createUserWithEmailAndPassword(string, string) in Flutter, but I noticed that if the user uses a fake email address, like making up some random Gmail or Yahoo account that doesn't exist, the user is still registered. Is there a solution to this,
or some logic that checks if the email account is real, so I can use the result in an if/else statement to create the account?

If you are looking for a solution that doesn't involve blocking the user experience, you'll be disappointed. We could come up with a new solution for checking whether an email exists or not, but this doesn't guarantee you anything. The user may use an existing email that doesn't belong to him/her.
The best you can do is send a verification email to your user, which is supported by Firebase. However, the user experience is going to be blocked until the user verifies the email.
Update
Check here how to send the user the verification email and here how to see if the email has been verified.

Related

What is the best practice for firebase resending sendEmailVerification()?

My auth flow:
Firebase sendEmailVerification() needs an already authenticated user to work as the first arg.
My auth flow at the moment works like this.
1. Signing up the user with email and password: signUpWithEmailAndPassword()
2. Now the Firebase auth object contains the currentUser
3. Sending a verification mail to the just signed-up user: sendEmailVerification()
4. Logging him out and redirecting him to /email-verification, where he can send the verification mail again.
Problem:
Now the problem. When the user wants to request the email verification again, I have three options, as far as I know.
1. Store email and password in state before logging him out -> then log him in again on sendAgain and log him out afterward. Would that be a security concern?
2. Leave him logged in the whole time, which doesn't feel too good, as he wouldn't be able to log himself out again since he officially isn't signed in till he verifies his email.
3. Force him to input his email and password again every time he wants to send the verification mail again, which feels redundant and old school.
If you require that the user verifies their email address in order to sign in, consider using the email link provider of Firebase Authentication.
Leave him logged in the whole time, which doesn't feel too good, as he wouldn't be able to log himself out again since he officially isn't signed in till he verifies his email.
This logic may apply to your application, but it is simply not how the email+password provider in Firebase Authentication works. When the user enters the correct credentials, they are signed in to Firebase Authentication. If your app requires them to have verified their email address before they can use it, that's the exact check I'd recommend implementing.
So if you want to continue using the email+password provider, reframe the statement to:
In order to use the app, the user needs to sign in with their credentials and verify their email address.
You can then implement that in these two steps:
Ask them to sign in if they're not signed in already.
Then, if the account doesn't have a verified email address, ask them to find the email and click the link - and give them the option to send another verification email.

Set password and verify email in one step

Lots of questions about email verification here on SO, but none seem to cover my scenario.
We would like to add users ourselves after an intake meeting. Our representative has a form to enter some details like company name, VAT number, contact data (which contains an email field), ... This data is saved in Firestore.
After this, an email is sent to the supplied email address which contains a link that takes the user to a form where his/her email address is displayed with a password and a password confirmation input field. When submitting this field, the user is created.
But now the user receives an email asking to confirm their email address. I assume, for security and privacy reasons, there's no way I can set the user's email address as verified.
I've looked at customizing the verification email, but that doesn't seem to solve my problem.
Creating the user with a random password after the intake meeting also doesn't seem to be a solution, as the user still has to verify and then reset the password in 2 steps. Or can I somehow redirect after the email verification to the 'set password' page? That would be an acceptable solution.
Is there any way to achieve the desired flow described above?
As a general workflow, you could achieve this using a Cloud Function along with either database system. You can also make use of App Check to further secure this process.
Representative adds base user information in their portal. Store the data securely in the database of your choice.
Send the user an invite email containing a short-lived verification token linked with the email added by the representative (this could be generated and fired off using an onCreate Cloud Function once the invitee's data is added to the database). This token should follow some standard like JWT so you can deserialize the contained email address or be exchangeable for the underlying email address.
When user clicks/copies the link to their browser, present them with an input form asking for the desired email and password. Note: the email field should be editable! The rep may have used an email the new user doesn't want to use with your platform.
If the token is still valid and not consumed, continue with the next steps.
If the token has expired and not consumed, send another email to reconfirm their email and restart this step.
If the token is already consumed, show an error and don't continue.
Submit the email, password and emailed token to your backend via a Callable Cloud Function.
Sign the user in using the authentication token returned by the function on success. Show an error otherwise.
In the callable function for creating the user:
Confirm the request comes from your app (if using App Check)
Confirm the validity of the emailed token
Pull the data the representative entered from the database linked with the emailed token's original email address.
Using that data, the updated email, the new password, and emailVerified=true, call the createUser API.
Using the User ID from the returned UserRecord, create the user's profile data in the database and also create a Custom Authentication Token.
Once their data has been created and the token generated, return the authentication token as the result of the request.

When do I verify the email before creating a subscription with stripe?

I know stripe doesn't have anything to do with verifying emails.
I have a form on my website where I collect a new user's email, password and cc info.
As of now I do not verify the user's email. I simply create the user in my system and create the Stripe customer and subscription after I get the card token with stripe.js.
I want to verify the email address, but I am not sure at what point in the process to do it. I don't think it makes sense to charge the customer and start the subscription and then verify the email address.
Should I wait and start the Stripe subscription when the customer verifies the email address? It seems like this is one of the most common scenarios online. Is there a best practice for this scenario?
Again, I am not asking technically how to verify the email address (I use firebase auth), I just want to know when I should and how it should fit into my onboarding flow.
You can, after Firebase Auth account creation, check if emailVerified is true. If not, send an email verification and pass a continueUrl to continue the subscription process, instructing the user to check their email to continue the subscription process. This is a common process for many subscriptions that require email verification.
You can learn more about passing continueUrl via email verifications:
https://firebase.google.com/docs/auth/web/passing-state-in-email-actions
You can build your own custom landing page where you continue the subscription using the following instructions: https://firebase.google.com/docs/auth/custom-email-handler
Make sure you check email_verified in the idToken after ID token verification to confirm verification, server side.

Firebase Facebook auth: email verified always false

As said in the title, no matter how I try the Facebook login, the emailVerified field is always false. Is this by design? I've read through the whole firebase docs by now, can't seem to find any information regarding this. Just to be sure: I've tried with 4 different verified accounts, the result is always the same. Any idea what could cause this kind of behavior?
The reason why Google provider emails are verified and Facebook emails are not is because Google is considered a trusted provider (you can create an email account using Google). Let's take another example. If you set up an email with Yahoo, you will get an email myself@yahoo.com. If you sign in using Yahoo OAuth 2.0, you know for sure that user is verified, since Yahoo is the actual owner and issuer of that email address. However, you could also use that same email to create a Facebook account or some other account like GitHub or Twitter and verify using your phone number or some other means. In that case, if you sign in using Facebook, the email is not verified (Facebook does not own or manage that email address). Normally, if you wish to verify the email in that case, you have to send the email verification (experimental at the moment and only available in web and iOS, but should eventually come to Android).
The solution I provide would probably be useless to the OP since it was asked last year but hope it helps someone else. While I agree with bojeil's answer, it's somewhat annoying for real users to verify their Facebook email address when signing in with Facebook.
I encountered this problem on Android today and applied a workaround, since the isEmailVerified() if condition always threw false and returned the user back to the login page. Here's the workaround, extracted from my code:
    FirebaseUser mUser = mAuth.getCurrentUser();
    // Facebook-backed accounts never report a verified email (see above), so the
    // verification gate is skipped for them; every other provider is checked normally.
    if (!mUser.getProviders().get(0).equals("facebook.com")) {
        if (mUser.isEmailVerified()) {
            // Verified: launch MainActivity as a fresh task so the login screen
            // is cleared from the back stack.
            Intent mainIntent = new Intent(getActivity(), MainActivity.class);
            mainIntent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TOP);
            mainIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            mainIntent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK);
            startActivity(mainIntent);
        } else {
            // Not verified yet: stay on the login screen and tell the user why.
            Snackbar.make(getView().findViewById(R.id.loginLayout),
                    "Please verify your account!", Snackbar.LENGTH_LONG).show();
        }
    } else {
        // Facebook provider: go straight to MainActivity, same flags as above.
        Intent mainIntent = new Intent(getActivity(), MainActivity.class);
        mainIntent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TOP);
        mainIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        mainIntent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK);
        startActivity(mainIntent);
    }
The first if statement checks if the user is signing in with Facebook; if yes, the user is taken to the MainActivity. If not, the isEmailVerified() method is invoked normally for email/password users, and for Google sign-in users isEmailVerified() always returns true.
Firebase provides a process for "verifying" an email address -- but NOT for all platforms yet. This feature is not available for Android ... in fact, one cannot even query whether an eMail has been verified using Android code (even if you used a web or server code to perform the verification).
The "expected" process would normally be:
1. Authenticate a user's email (using any of the providers)
2. Call the Firebase function to send an eMail for verification
3. Respond to a verification link by setting verified
4. Check, using the client, to see if the eMail has been verified (could be days for the user to handle)
5. Until the eMail is verified, disallow appropriate functions in your code (e.g. linking different authenticated providers)
If you use an Android client currently, you cannot instigate step 2.

Web service to check existence of email?

I have my little web application, with simple registration strategy - provide email and password and you are done.
Recently bots started to attack my application, registering a big number of users from non-existent emails using the same passwords.
I want to prevent that. My idea is to extend login verification, but check the existence of the email address. Do you know any web services (preferably WCF) that could do that?
This is definitely not the way to solve this problem. Try one of these
Allow user to enter only username and send auto-generated password to their email.
Send a verification link to the user email and approve him/her only after verification
This has been discussed on How to check if an email address exists without sending an email? Basically, there are ways to verify email addresses, but in practice none of them is reliable. However, you can still check via SMTP, and if the server denies the existence of the expected user, send him an email with a verification link anyway. This does not prevent spammers from setting up fake servers that acknowledge the existence of any user, or from using other people's email addresses, but it's probably the closest you can get to your initial requirement of having no verification email.
I would recommend you to update your registration form. Try to use something tricky for bots. For example, post the form via AJAX with JSON object wrapper.
Try a service like: http://elasticemail.com/
You can use the API to check if the email was delivered. There is also a 'bounce list' you can check.
