In my Firebase application users can remove their accounts. I want to do the same thing which Google do when you're trying to remove your account: ask the user's password once more.
Is it possible to invoke this dialog using Firebase Auth API? Or in some other way?
You can ask the user to reauthenticate. This is actually common practice for certain sensitive operations like deleting a Firebase user, updating a password or email. You would reauthenticate and check the auth_time in the new ID token is recent.
So to reauthenticate with email/password in JS:
firebase.auth().currentUser.reauthenticateWithCredential(firebase.auth.EmailAuthProvider.credential(email, password))...
If you want to reauthenticate with a Google provider:
var customParams = {login_hint: firebase.auth().currentUser.email, prompt: 'consent'};
firebase.auth().currentUser.reauthenticateWithPopup(new firebase.auth.GoogleAuthProvider().setCustomParameters(customParams))...
Related
background of this question
I'm using firebase auth for user authentication on my app.
I realized that firebase doesn't have a log of user information changes, so I can't answer user questions about it.
So, I'm planning to move the feature of changing user account info (like email, display name, and password) from using the client-side firebase auth library to using server-side firebase auth SDK for the purpose of taking logs of these changes to use for user support. Also, I'd like to make logout a user who changes account info.
I've looked for the appropriate API on the document firebase.google.com/go/v4/auth and found UpdateUser function. The struct UserToUpdate which is a parameter of UpdateUser can set a new email address, new password and new display name, but I can't find to set the parameter to make a user logout.
my question
Is there a way to log out a specific user by firebase auth go SDK?
Firebase Authentication's client-side sign-in is based on ID tokens, which are valid until their built-in expiration (by default: an hour after they are minted). Since no server keeps a list of all the ID tokens it has minted, there is no way to mark a token as invalid on such a list either.
The common approach to revoke access for a user is to:
Revoke the refresh token, so that they can no longer mint new ID tokens with it.
Add the ID token(s) of the user to a self-managed list of revoked ID tokens.
Detect the presence of an ID token in this list from your server-side code and security rules.
Optionally detect the refresh token revocation on the client
Instead of logging the user out, you can also force-refresh their ID token/profile on the client to get the latest information from the server.
I use Flutter and Firebase, just ask myself how to allow users to add items to cart when they're not logged in yet and keep the cart when they logging in, anyone have an idea for this ?
On Firebase you'd typically start the user off with an anonymous authentication account. With that sort of account, Firebase generates a user ID (UID) for the user, without them having to enter any credentials. You then associate the cart/items with the UID, and then when you/they are ready to identify themselves, you can sign them in with another provider, and link that to the anonymous account.
I've provided links to the documentation for Android developers above, but the same functionality is available in the FlutterFire libraries too. For example, anonymous sign-in on Flutter is as simple as:
UserCredential userCredential = await FirebaseAuth.instance.signInAnonymously();
you can store this data in a separate database SQL lite as an example
On sign in using firebase's Google OAuth provider, it automatically creates an account for the user if one does not exist. Is there a way to not create an account and return an error on sign in?
(https://firebase.google.com/docs/auth/web/google-signin)
When you call the sign-in method, it will create an account for the user if it does not exist.
If you want to check if an account exists or not, you would have to perform the "Login with Google" OAuth flow yourself (without the Firebase SDK) and then use a Cloud function to check if a user with the email exists (you might also have to maintain a list of users (their emails) in Firestore). If not, then you can create a new account with the access token you received.
I want to provide a way that users can change their sign in method in my App using Firebase Auth.
For example, if previously a user signed up using Email and Password, then he/she wants to switch to Facebook or Google Sign in method. Then how do I do this without changing the user's UID ?
Probably something like:
firebase.auth()
.signInWithEmailAndPassword('you#domain.com', 'password')
.then((userCredential) {
userCredential.user.updateSignInMethod(method: facebook)
.then((userData) => loginWithFacebookProcedure());
})
Is it possible? If yes, how to do that ?
Thanks
There is no direct ability to "switch" authentication providers with Firebase Authentication. Once an account signs up with a provider (such as email/password), that option will always be available to the user of that account.
What you can do instead is link additional providers to an existing account, which will allow the user to authenticate using any of the providers linked to that account. Until you unlink them.
So, if you really want to "switch", you will actually have to link to another provider, then unlink the old provider. But that seems like a waste of effort when you can simply retain all of the linked providers for the user to choose from.
I have an Android app with use Firebase authentication using email and password. Recently added Google provider now my users can sign in wih his Google account, the problem is the following
There's an existing user example#gmail.com registered on my app, later the user sign in with his Google account Firebase automatically change the provider of the account from email to Google, the problem the user sign out and try to login with his email/password and got a message
The password is invalid or the user does not have a password
I understand why happens, but users (you know they are users) get frustrated because can't login with his email/password
There's some way to tell Firebase to keep the user password or when a user login with Google and this convertion happens in order to notify to user
Note My app only allow one account per email
I found there's a method fetchProvidersForEmail I asume I can build a flow over that method that check which provider have the user and allow the user chose if want to keep if old password by asking and linking account or just continue