I'm working on an enterprise application in which administrators create new users (there is no sign-up form). I am using Firebase Auth, which is great in many ways, but I've come across a problem for my use case. When you use firebase.auth().createUserWithEmailAndPassword(email, password), the user thereby created is automatically signed in. This obviously won't work when an admin is creating the user accounts. Is there any way to avoid this behavior? Thanks.
This is a good use case for the Firebase Admin SDKs. Instead of creating the user client-side, you create the user in a managed environment, like a server or Cloud Functions. You have the client make a call to your endpoint when you want to add a new user. This codelab shows how to incorporate custom claims using the Firebase Admin Auth SDK. This is a little different from what you're exactly looking for, but it can get you started in the right direction.
Related
Client Framework: Vuejs
Backend DB: Firebase Firestore
Auth system: Firebase Auth
__________________________
I'm building a Vue application that uses Firebase Auth. In the past, most developers created custom form that collects user info (name, email, password, phone #, and etc.) using HTML Input field to gather Email and password, and then, from the client side we could perform TWO important actions in one sequence to give a single step to user.
USE Auth SDK to Call firebase auth method to create new user by passing email and password to the method as parameters.
Upon completion of this action, we then grab the UID that is returned by Firebase, and using Firestore SDK, we then make the next call to create a NEW User in DB, using the name,email, Phone # and the UID.
This flow works great which provides a smooth one step User Flow and we can provide proper error message and navigation.
Then came along and Firebase Team offered FirebaseUI to use as replacement to our custom form and sequence. The FirebaseUI has some strange behaviors related to how to "Sign up" new user and also lacks flexibility and a modern look for form entry.
Based on my understanding, the main reason Google wants us to use it:
A) It provides a more secure way to collect email and password and send it to Firebase Auth.
B) It provides easy way to use multiple providers.
My question is, Is it really unsecured to build our own form as I explained earlier and not bother with Firebase UI, when I'm only using email/password auth and passing it via HTTPS?
Please clarify, is it safe just build my own custom form or SHOULD I use FirebaseUI?
FirebaseUI doesn't really offer anything special in terms of security. Use it if you like the way it works. If it doesn't work the way you want, fork the source code and make it work the way you want. If you want something completely different, feel free to implement it yourself.
The point of FirebaseUI isn't to ensure security. It's to be convenient. You are ultimately responsible for security, so be sure to audit any code you use in order to ensure it meets your needs.
I'm making a little Snapchat clone, and a part of this app I'm trying to build is the ability to add a friend and start a conversation with them. I'm using Firebase to manage my users and I'm a little stuck now trying to figure out what works and why I'm getting problems trying to use some methods or functions.
What I want is this simple line of code to work:
var userByEmail = await _admin.app().auth().getUserByEmail("b#gmail.com");
print(userByEmail.toString());
However this has been giving my some problems, most recently, the following error message:
Unhandled Exception: FirebaseAuthError(auth/invalid-credential): Must initialize app with a cert credential or set your Firebase project ID as the GOOGLE_CLOUD_PROJECT environment variable to call verifyIdToken().
Getting to this point made me want to first ask a question about FirebaseAdmin and Auth before continuing and potentially screwing up my app settings.
Is there a simple way to do what I'm trying to do?
I have a Firebase.instance.initializeApp() in my Main function, do I only ever call that once or should I start initilizeApp in the initState of each Stateful Widget where needed?
What does this error message actually mean?
You are trying to use the Firebase Admin SDK in your Flutter code, which is not possible. The Admin SDKs give full administrative access to your Firebase project, which would be a serious security concern if you allow that in your Flutter app.
If you want to allow certain administrative functionality in your application, you will have to make that functionality available yourself. For example, to look up a user by their email address, there are two common approaches:
Store the minimal information about each user in a cloud-accessible database (such as Firebase's Realtime Database or Cloud Firestore) when each user registers with your app, and then look it up from there.
Wrap the getUserByEmail from the Admin SDK in a custom API that you make for yourself, on a server you control or in Cloud Functions. In that API you validate that the user making the call is authorized to do so, then call Firebase through the API you were trying to use, and return the minimal result back to the caller.
Both of these are feasible and can work to solve a variety of use-cases. But if you've never built backend code before, you might find the first approach easier to get started with.
Also see:
How to get Firebase UID knowing email user?
Flutter get User Data from Firebase
The right way to do what you want is using Firebase auth, authenticating your user and using a collection to store and retrieve users information. That auth information provided by firebase should only be used for authentication and security purposes.
The Firebase admin must have a user logged in to work properly, but its purpose is to provide a more administration environment and should not be used inside a clients app, unless its an admin app.
With all that said, lets go for the rescue:
Authenticate your user (using firebase auth);
After auth, save all the user information you want to share with other user inside its own collection (you will need to create one);
When an authenticated user (this is important) 'request any other users data, you query for the data in the previous created collection.
I am trying to make a Flutter app where the user can sign in into multiple accounts (different email IDs) and can switch between them from the UserAccounsDrawerHeader. For example, in Gmail app, users can switch between multiple Gmail accounts. Is this possible using Firebase Auth for Flutter?
In the default scenario, Firebase Auth generally does not support allowing a user to be signed in with multiple accounts at the same time. If you want to add support, what you will have to do is use initailizeApp() to initialize a new App instance - one for each user account, and sign in the user to each one of them. You will then have to pass that app instance around to the other Firebase APIs to use that account for authenticated access (for example, Firestore queries).
To be honest, it's not clear to me from the provided APIs how to do that last part. but perhaps Firestore.getInstance(app) might do it.
In any event, it is not trivial to implement. There is not a simple configuration or trick that will allow multiple simultaneous sign-ins. Usually apps just make the user sign out, then in again with another account.
I have an application in Vue JS, and as a back end I have firebase, both for the Auth (email and password) and for the database (cloud firestore)
The problem is that I do not know how to do a user administration for an administrator user, where he can create or disable users (I am not interested in modifying information or checking emails, I am interested in creating users and deleting or disabling them from An option within my app.
The problem is that I can't find a way to do it from a Front End, I only see things with back ends in node, Java and go, but since I don't have a back as such that I have done (I already indicated that I only use firebase as back and Vue as front) I don't know how to make this page.
If you could help me or give me an idea / guide on how to do it, I would appreciate it.
You can use Google Cloud Functions to handle the backend as admin-auth is not directly possible on the frontend.
When an JWT auth token is return check if the user is an admin with custom claims. you can create a separate list and add emails of the admins there in your RTDB or Firestore and then redirect to the admin page.
I want my users to sign in with multiple accounts (Not linking multiple providers)
like gmail, it allows you to use multiple signed in accounts at the same time
you can check all inboxes for all accounts at the same time
e.g. I am a User and I want to use two accounts
john#example.com & john21#example.com
I want both emails signed in (there are two auth tokens in this case)
I have searched about it in Firebase docs, I couldn't find anything
Is this possible in Firebase Auth?
From one project, no i don't think you can have two users signed in.
You can create another Firebase project and add your app there (you'll be able to add your sha-1 on either one). You can then look up their approach to using two Firebase projects in one app.
You'll be able to sign in with two users in this way if there are two projects to sign in with. You'll have to manage your users across both the databases on your own i.e same user will have to have an account with same credentials made in both the projects.
It's complicated but it can be done. I use anonymous sign in from two separate projects simultaneously in my app, both users are the same... Just their projects are different.
I was thinking about this issue, reading through the documentation and found that you can re-authenticate a user by credential. So maybe you can do it this way:
when a new user wants to sign in you take his info as AuthCredential object like this:
AuthCredential credential = EmailAuthProvider.getCredential("user#example.com", "password1234");
//there is also GoogleAuthProvider, FacebookAuthProvider...
then to actually signing him in you use signInWithCredential(AuthCredential) :
FirebaseUser user = FirebaseAuth.getInstance().signInWithCredential(credential);
Now you need to save the credential object and the user object somewhere safe.
If you want to add new user you do the same and save the new objects.
After that whenever in your app you want to switch between the users you get that user's object and call reauthenticate(AuthCredential) method:
myFirstUserObject.reauthenticate(myFirstUserCredential);
I didn't really test this, you think it could work? I don't know exactly how to save the objects and if there is a safe way to implement it without exposing each user's credential?
Multiple simultaneous logins in the same project is not supported with Firebase Auth.
You could possibly have multiple logins between multiple projects if you manually initialize the Firebase SDK with the settings for the other projects.