Auth Email limits password reset in Firebase Free account - firebase

I'm setting up a new application using Angular with Firebase. I'm using only the Auth system. But, as stated in the Firebase docs, only 150 emails/day can be sent for password reset.
https://firebase.google.com/docs/auth/limits#email_limits
I have two questions:
1) If a user spams the recover password button (which uses the function sendPasswordResetEmail()), does it consume this email limit? If yes, how can I prevent that?
(Doc: https://firebase.google.com/docs/reference/js/firebase.auth.Auth.html#sendpasswordresetemail )
2) Do the SMTP parameters (own server or other mail service) from the Firebase project settings use the email limits?

The 150 emails per day limit for password resets applies to emails sent through Google's mail servers. If requests are identified as spam and the email doesn't get sent, they don't count. If spam requests are not identified and the email is sent, it does get counted. If you're running into spam problems and hit this (or other limits) because of that, reach out to Firebase support for personalized help in troubleshooting.
The limit is on emails sent through Google's mail servers; if you use your own mail server, the limit doesn't apply.

Related

vulnerability security - Firebase Auth shouldn't return if an account exists or not when signing in [duplicate]

On a website using firebase that contains auth I'm implementing a "forgot password" feature.
The return status of sendPasswordResetEmail() is 400 if the user supplies an email that doesn't have an account associated with it. It returns 200 if the email does have an account.
That means that an attacker can keep guessing emails until they get a 200. Then they know of a valid email. Then they can start guessing passwords for it.
Is there a way to get sendPasswordResetEmail() to always return 200? I'd like the only response, whether a good or bad email is entered, to be "Check your email for a reset link". If the email is invalid then Firebase should quietly not send an email.
Or is there some other mechanism that would increase security?
firebaser here
API calls from client-side SDKs to Firebase Authentication are rate-limited to reduce the risk of such dictionary attacks. We also just launched new configuration options that allow you to enable email enumeration protection, for example by always returning INVALID_LOGIN_CREDENTIALS regardless of the type of error.
If you suspect your project is actively seeing such an attack, reach out to Firebase support so they can investigate and adjust quota if needed.
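An added example (not code from either question or from Firebase) covering both threads above: a client-side "forgot password" handler that shows one fixed message whether or not the address has an account, and that enforces a per-address cooldown so a user hammering the button does not trigger duplicate sends against the daily reset-email quota. The sender is injected so the logic runs without the SDK; in a real app you would pass `(email) => sendPasswordResetEmail(auth, email)`. The cooldown length and the `example.com` addresses are assumptions. Note that this only hides the outcome in your own UI; a caller using the REST API directly still sees the raw error, so the server-side email enumeration protection mentioned in the answer is what actually closes the gap.

```javascript
// Uniform message: the same text for "sent", "no such account" and "bad address".
const GENERIC_MESSAGE =
  'If an account exists for that address, a reset link has been sent. Check your inbox and spam folder.';
const COOLDOWN_MS = 60 * 1000; // assumed: at most one reset request per address per minute

// sendReset(email) -> Promise; resolves on success, rejects with an error carrying
// a Firebase-style `code` (e.g. 'auth/user-not-found') on failure.
function createResetHandler(sendReset, { now = () => Date.now(), cooldownMs = COOLDOWN_MS } = {}) {
  const lastAttempt = new Map(); // normalized email -> timestamp of last backend call

  return async function requestReset(rawEmail) {
    const email = String(rawEmail || '').trim().toLowerCase();
    if (!email) {
      return { ok: false, message: 'Please enter your email address.' };
    }

    const previous = lastAttempt.get(email);
    if (previous !== undefined && now() - previous < cooldownMs) {
      // Inside the cooldown: answer locally, do not call the backend again,
      // so repeated clicks send no extra email and consume no extra quota.
      return { ok: true, message: GENERIC_MESSAGE, throttled: true };
    }
    lastAttempt.set(email, now());

    try {
      await sendReset(email);
      return { ok: true, message: GENERIC_MESSAGE };
    } catch (err) {
      const code = err && err.code;
      // Unknown account or malformed address: same message as a successful send,
      // so the UI itself does not reveal whether the address is registered.
      if (code === 'auth/user-not-found' || code === 'auth/invalid-email') {
        return { ok: true, message: GENERIC_MESSAGE };
      }
      // Backend rate limit hit: tell the user to wait, without leaking anything else.
      if (code === 'auth/too-many-requests') {
        return { ok: false, message: 'Too many attempts. Please try again later.' };
      }
      return { ok: false, message: 'Something went wrong. Please try again.' };
    }
  };
}
```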

Firebase reset password not sending link to email in Firebase Console [duplicate]

I am new to firebase and I am trying to handle firebase user authentication in React.js. I did manage to create users with email and passwords. But, now I would like to send the user an Email link to reset their password.
My code currently looks like this.
// These lines belong at the top of the file
import { auth } from '../firebaseConfig'
import { sendPasswordResetEmail } from 'firebase/auth'
// This part goes under the React component
<p onClick={async () => {
  try {
    // 'MY_EMAIL_ID' is a placeholder for my own email address, used for testing
    await sendPasswordResetEmail(auth, 'MY_EMAIL_ID')
    alert('Password reset link has been sent to your email')
  } catch (err) {
    alert(err)
  }
}}
>Forgot your Password ?</p>
However, I do not get any error messages and I do get the alert message that says "Password reset link has been sent to your email." Unfortunately, I didn't receive any email. Note that I have given my own email id as the parameter for testing purposes.
firebaser here
Did you check your spam folder? We have recently seen a lot of the emails from Firebase Authentication ending up in the user's spam folder or being marked as spam by a system along the way. This is being tracked in this status message on the Firebase dashboard and in public issue #253291461.
To reduce the chances of the messages getting marked as spam, consider taking more control of the email delivery yourself.
As a first step, consider using a custom domain with your project. Email that comes from a custom domain has less chance of being marked as spam.
As a second step, consider setting up your own SMTP server for delivering the email, so that the emails are no longer delivered from Firebase's shared infrastructure.
While these steps are more involved, they typically will drastically reduce the cases where the messages from Firebase Authentication are marked as spam.
Full Guide Based on Frank's Answer
Firstly create a new email account you can use to relay the Firebase emails through the SMTP server with. I personally chose Gmail, but I tested with Outlook and it also works.
You can now find an SMTP server host that will work for your scenario. If you're sending less than 1000 emails per month you can find free and reliable hosts. I chose SMTP2GO's free option.
Now you've found the SMTP host, add the email address you've chosen as a single sender email (note that if you do own a domain, you can alternatively use that to send emails).
Note that you will have to verify the email, usually by your host sending a link to the email's inbox. Make sure to check spam.
Once verified, navigate to where your host allows you to add SMTP users and add a new user. This will allocate an SMTP username and password.
Navigate to the Firebase console, and choose the Authentication option from the sidebar (within the Build product category).
Go to Templates → SMTP Settings and enter the details of your SMTP server. The username and password fields are to be filled with the SMTP user login you created in the step above.
It is better to use TLS; I believe SSL should work too, but it is untested.
Click save, and you're all set up - but there may still be steps to perform depending on your email provider.
Provider Specific Steps
If the emails are being sent to an account managed by Google you will have no issues with your emails being quarantined by anti-spam policies and it will work immediately.
If you are using Outlook, you will have a different problem on your hands. Outlook's built-in Defender will most likely have auto-quarantined your email under multiple policies - that bit is important.
These policies are likely to be both spam and phish policies. If you unblock one of them, the other will catch it and re-quarantine.
Unblock both policies for the email address, and test. You can see the status of quarantined messages in Microsoft 365 Defender app under Review → Quarantine. Please note that you will need to be an administrator to add global allow policies to your email accounts.
If this still doesn't work, it is likely that your company has an additional external filter (as mine did), and you will have to add the IPs manually to the spoofed senders tab of the Tenant Allow/Block Lists.

Firebase Authentication - users not receiving verification emails

I have built an app that uses email & password authentication from Firebase, to enable users to log in, as per the Firebase documentation. The app itself uses Flutter as the coding language. I also have email verification enabled, to prevent spam accounts.
When a user adds their email address and password and clicks 'submit', they're given a notification telling them to check their emails for the verification link, which they must do before being allowed to log in.
The problem I am having is that users do not receive the verification email, so cannot log in. I've come across similar questions on this forum, where the answers have centred around checking spam/junk folders. I have asked the users to do this but they still have not received the email.
I've also tried using my own SMTP server, which is one from which I know I can send emails. Even with this, the users do not receive their verification email. This makes me think the emails aren't being generated/sent, as opposed to them being sent and not being received.
Can anyone suggest why this might be the case? Why is it that users are not receiving the verification email and what can I do to correct this?
If you don't use a custom domain, emails sometimes go to the spam folder.

Configure Firebase max requests from client (FirebaseTooManyRequestsException)

I use Firebase Auth with Phone in my application. This kind of auth sends an SMS to the user with a code to be entered.
I wonder if there is a way to configure how many SMS messages can be sent to a particular user in a given time period.
I know that there is FirebaseTooManyRequestsException which means that the server handles such situations, but I want to limit the user by my own rules.
See phone_number_sign-in_limits. If you want to change the limit, you should contact support.

Email Goes to junk in Hotmail

Email is sent using Amazon Simple Email Service from my website. When an email is sent to any Yahoo or Gmail address, it is delivered to the Inbox; but when it is sent to Hotmail, it is delivered to Junk.
Why does only Hotmail treat my email as junk?
When an external user sends email messages to an Outlook.com account, SmartScreen® filter technology evaluates the content of the messages and assigns each message a rating based on the probability that it is a junk email. This rating is stored as a message property called a spam confidence level (SCL) within the message itself. The SCL rating stays with the message as it is sent to other anti-spam protection layers within Outlook.com. Rules inside Outlook.com are set to handle email messages with various SCL ratings. If a message has an SCL rating lower than a certain threshold, it is considered to be spam, and a rule then deletes the message rather than sending it to the user's junk email folder. If the message has a higher SCL rating than the threshold, the email is delivered to the user's junk email folder rather than to the inbox.
https://mail.live.com/mail/junkemail.aspx
Not all anti-spam systems depend only on 3rd party blacklists. Major email service providers build their own reputation tables in addition to using major 3rd party blacklists like Spamhaus, Barracuda etc. In your case, you are using Amazon SES to send mails.
I myself have found enormous amounts of marketing mail coming from Amazon SES. If the reputation of your email service provider is bad in Hotmail, then it may raise the suspicion level of your mail regardless of your email service provider's reputation at other blacklist providers. In addition to this, if your subject or body content contains some suspicious words, then your mail will end up in the junk folder.
Most emails sent from third party applications such as Wordpress, Joomla, or Amazon get diverted to junk and sometimes they fail and get stuck behind a security layer. I know for a fact with Wordpress Contact Form 7, this is the case many times.
After so many years and finally attending a seminar for this particular issue, I finally was able to solve this problem specifically for Hotmail (Outlook.com).
Before you do anything, ensure your SMTP settings in your web config file (ASP.NET) are written correctly, or in the case of plugins (WordPress) make sure the fields are filled in correctly. This means ensuring these are the settings you are using for Outlook:
From: your email ("asdf@outlook.com")
From Name: "Your name or company name"
Host: smtp.live.com
Type of Encryption: TLS
SMTP Port: 587
SMTP Authentication: Yes
Username: Same you use to login (usually the complete email address)
Password: Enough said there
IMPORTANT - Send a test email even if it fails. The point is to trigger an activity in Outlook and have them flag it as an unauthorized connection.
Now, to the fix:
Go to Outlook.com
Login
go to Account Settings
Choose Security & Privacy
Click on "See my recent activity"
The most recent activity should be the fail attempt. Authorize it as a trusted connection.
Done!
Re-test and you shall see your emails showing in the inbox as an authorized connection. Doing these steps let Outlook know that your emails from Amazon are legitimate connections and not Amazon trying to spam your account with solicitations etc.
Mostly it is an email-service-provider-specific thing, but you can do the checks below:
Ensure valid sender email address
Try not to use keywords like gift, prize etc., which are typically associated with spam.
Try using https://litmus.com, which may help with this and with rendering the email in different email clients.
