When using Firebase's Email & Password setting it seems like there are no security constraints on the password.
For example I could create the following user:
firebaseRef.createUser(
{
email: "john.doe#example.org",
password: "j"
});
I'd like to at least set a minimum password length. Does firebase provide a way to do this?
A FirebaseAuthWeakPasswordException is thrown when using a weak password (less than 6 chars) to create a new account or to update an existing account's password. Use getReason() to get a message with the reason the validation failed that you can display to your users.
See https://firebase.google.com/docs/reference/android/com/google/firebase/auth/FirebaseAuthWeakPasswordException for more details.
There is currently no way to configure a minimum password length or strength for Firebase email+password Authentication.
You could build such a restriction into your app, but tech-savvy users can bypass that by calling the API. Or you could introduce a "isPasswordApproved" flag that only a server-side process can set, and then validate the password strength there. But neither of these sound very appealing.
I would argue that implementing front-end validation here should be enough (at least in a big portion of applications).
If the purpose of this validation is to protect the user himself, then there is no harm in allowing a user to hack your app and set the password to password, go to a forum and post the credentials, and jump out of a window.
The problem is with the Reset Password form that Firebase sends. It would be nice to use it and not have to build this out as well.
Related
I'm working on a project where I'm using the authentification of firebase to use the forgot password thing. However, I have a collection users that I use as well and need the password field to be updated in the collection as well.
Any solutions please ? I can't seem to find a way to get password from authentification.
There is (very intentionally) no way to get a user's password from Firebase, and wanting to do so typically indicates an anti-pattern in your implementation.
If you already verify the user's credentials elsewhere, you shouldn't use Firebase to do the same (but for example mint a custom token based on the external credentials). If you use Firebase to verify the user's password, you shouldn't repeat that in your code (although you can for example decode the user's ID token to determine their identity).
I have a firebase powered app. The requirement is to update the account password by typing the currentPassword and the newPassword.
On the server (firebase cloud function + admin sdk) i need to check if the provided currentPassword is valid.
When an account is created for the first time, firebase automatically encrypts the password, and gives me back only the hash.
The problem is - this encryption is done automatically, under the covers.
Without having access to the encryption method, i can't obtain the hash of the currentPassword in order to compare it to the stored hash of the real password.. to see if this 2 hashes match.
So how can i check if the currentPassword is valid? How to get access to the same method firebase-auth uses for encryption?
I coudn't find anything relevant so far. am I using the wrong approach here? Why is it so hard to find it ?
I'm not quite sure that you can verify the password with cloud function, the point is to make sure that hackers would not be able to recover users' passwords even if they somehow hacked into the server, if you can recover the passwords by knowing the hash and salt, why wouldn't them hackers? However, you can do that in your app:
firebase.auth().currentUser.reauthenticateWithCredential(firebase.auth.EmailAuthProvider.credential(firebase.auth().currentUser.email, oldPassword);
Also, just to provide an alternative way for users who want to change their password, just send them a reset password email, this way, it's quite safe and they won't have to enter their old password:
firebase.auth().sendPasswordResetEmail(firebase.auth().currentUser.email)
passwordHash and passwordSalt are only available when you retrieve the user information via a call to listUsers(). Therefore they are only useful if you ever migrate user data from Firebase Auth to a different user management system.
For this use-case i needed to implemented 2 different approaches.
case 1: when the agent changes it's own password.
I use browser code as provided by #K.Wu - firebase automatically sends a password reset email to the user.
firebase.auth().sendPasswordResetEmail(firebase.auth().currentUser.email)
case 2: when a high privilege user: admin / manager changes the agent password
I use server code - firebase admin sdk. Here the manager doesn't know the currentPassword, and doesn't need to know since the firebase-admin can change account passwords without needing to send confirmation emails.
Still, What i don't uninterested is this:
When i create the user for the first time, firebase gives me a userRecord object which has 2 properties: passwordHash, and passwordSalt. But since i can't encrypt a given password manually, then what is the use of this 2 properties? When are they ever needed?
I considered them being specifically designed for when you compare the hash of a provided password - with this passwordHash that is stored in firebase. Seems this is not the case, and I'm still confused a bit.
Anyway splitting the password update functionality between client and server, based on who performs the action, as explained above - worked like a charm.
note: also this setup allows for the account creation to be done by admin / manager.
I think you can check against the password hash with scrypt. You need to download the scrypt config from account and compare. Please check the below docs
https://firebaseopensource.com/projects/firebase/scrypt/
Util function for scrypt if found here for hashing and verification
https://github.com/xeewi/firebase-scrypt
Note: Only listUsers() method will return the passwordHash. getUser() or no other function will return the passwordHash values.
I have a web app, using ASP.NET Identity 3.0, in which I create the users (instead of users registering themselves). I send a confirmation email to validate their email accounts. The idea is that they come in through the URL and, since they don't have a password set yet, they will set an initial password and validate their email in one fell swoop (I'm trying to kill two birds with one stone as elegantly as possible).
The problem is that I shouldn't confirm the email with UserManager.ConfirmEmail() if the password they entered isn't a valid password as per the complexity policy because this will expire the token. The only way I know to check if a password complies is to actually try to set it with UserManager.AddPassword() but I shouldn't try to change it unless I know the email confirmation token is valid.
How can I check if a password will be compliant without setting it? Or how can I check if a token is valid without expiring it?
ASP.NET Identity 3.0 does provide a password validator that you could use to check if a password is valid before taking other steps.
Here is where you can find the actual code.
Here is where you can find some unit tests that will give you an idea of how to use the password validator.
The general usage looks like this:
var validator = new PasswordValidator<User>();
var result = await validator.ValidateAsync(UserManager, null, passwordToValidate);
if (result.Failed) // Failed Validation
if (result.Succeeded) // Passed Validation
The 2nd parameter to ValidateAsync is the User instance, but that may not be applicable in your situation, so it is null here.
I hope this helps you out.
I wanted to create a discussion about the best way to handle a situation such as when you can have users that login with Gmail, Facebook or simple email and yet they have a password change.
Should we allow a password change outside of the simple email authentication?
I think this is why we have fetchProvidersForEmail() method in Firebase 3. It creates a problem when a password is changed when a user's initial provider was based on Facebook authentication.
The Firebase 3.x documentation is a bit nebulous in terms of best practices.
When using Firebase's Email & Password setting it seems like there are no security constraints on the password.
For example I could create the following user:
firebaseRef.createUser(
{
email: "john.doe#example.org",
password: "j"
});
I'd like to at least set a minimum password length. Does firebase provide a way to do this?
A FirebaseAuthWeakPasswordException is thrown when using a weak password (less than 6 chars) to create a new account or to update an existing account's password. Use getReason() to get a message with the reason the validation failed that you can display to your users.
See https://firebase.google.com/docs/reference/android/com/google/firebase/auth/FirebaseAuthWeakPasswordException for more details.
There is currently no way to configure a minimum password length or strength for Firebase email+password Authentication.
You could build such a restriction into your app, but tech-savvy users can bypass that by calling the API. Or you could introduce a "isPasswordApproved" flag that only a server-side process can set, and then validate the password strength there. But neither of these sound very appealing.
I would argue that implementing front-end validation here should be enough (at least in a big portion of applications).
If the purpose of this validation is to protect the user himself, then there is no harm in allowing a user to hack your app and set the password to password, go to a forum and post the credentials, and jump out of a window.
The problem is with the Reset Password form that Firebase sends. It would be nice to use it and not have to build this out as well.