Why would Firebase validation emails not come through TO MY OWN DOMAIN? - firebase

I use Firebase Auth for my solutions.
I get validated users every day - it's working.
I just tried to create two new accounts, using dummy email addresses from my own domain (the domain set up to send Firebase validation emails) and I do not receive messages.
That is, I do not receive the typical validation email.
I manually sent a password reset from the Firebase console to both new accounts; one email showed up.
I'm guessing this is a config issue on my hosted server / domain...but I don't know where to start looking.
Again, there is no issue with validation emails going out successfully - just not to the domain used to send those emails!

Related

Firebase reset password not sending link to email in Firebase Console [duplicate]

I am new to firebase and I am trying to handle firebase user authentication in React.js. I did manage to create users with email and passwords. But, now I would like to send the user an Email link to reset their password.
My code currently looks like this.
// These lines of code belong at the top
import { sendPasswordResetEmail } from 'firebase/auth'
import { auth } from '../firebaseConfig'
// This part goes under the React component
<p onClick={async () => {
    try {
        // 'MY_EMAIL_ID' stands in for my email id
        await sendPasswordResetEmail(auth, 'MY_EMAIL_ID')
        alert('Password reset link has been sent to your email')
    }
    catch (err) {
        alert(err)
    }
}}
>Forgot your Password ?</p>
However, I do not get any error messages and I do get the alert message that says "Password reset link has been sent to your email." Unfortunately, I didn't receive any email. Note that I have given my own email id as the parameter for testing purposes.
firebaser here
Did you check your spam folder? We have recently seen a lot of the emails from Firebase Authentication ending up in the user's spam folder or being marked as spam in a system along the way. This is being tracked in this status message on the Firebase dashboard and in public issue #253291461.
To reduce the chances of the messages getting marked as spam, consider taking more control of the email delivery yourself.
As a first step, consider using a custom domain with your project. Email that comes from a custom domain has less chance of being marked as spam.
As a second step, consider setting up your own SMTP server for delivering the email, so that the emails are not being delivered from Firebase's shared infrastructure anymore.
While these steps are more involved, they typically will drastically reduce the cases where the messages from Firebase Authentication are marked as spam.
Full Guide Based on Frank's Answer
Firstly, create a new email account you can use to relay the Firebase emails through the SMTP server with. I personally chose Gmail, but I tested with Outlook and it also works.
You can now find an SMTP server host that will work for your scenario. If you're sending less than 1000 emails per month you can find free and reliable hosts. I chose SMTP2GO's free option.
Now you've found the SMTP host, add the email address you've chosen as a single sender email (note that if you do own a domain, you can alternatively use that to send emails).
Note that you will have to verify the email, usually by your host sending a link to the email's inbox. Make sure to check spam.
Once verified, navigate to where your host allows you to add SMTP Users and add a new user. This will allocate an SMTP username and password.
Navigate to the Firebase console, and choose the Authentication option from the sidebar (within the Build product category).
Go to Templates → SMTP Settings and enter the details of your SMTP server. The username and password fields are to be filled with the SMTP user login you created in the step above.
It is better to use TLS, but I believe SSL should work too but it is untested.
Click save, and you're all set up - but there may still be steps to perform depending on your email provider.
Provider Specific Steps
If the emails are being sent to an account managed by Google you will have no issues with your emails being quarantined by anti-spam policies and it will work immediately.
If you are using Outlook, you will have a different problem on your hands. Outlook's built-in defender will most likely have auto-quarantined your email under multiple policies - that bit is important.
These policies are likely to be both spam and phish policies. If you unblock one of them, the other will catch it and re-quarantine.
Unblock both policies for the email address, and test. You can see the status of quarantined messages in Microsoft 365 Defender app under Review → Quarantine. Please note that you will need to be an administrator to add global allow policies to your email accounts.
If this still doesn't work, it is likely that your company has an additional external filter (as mine did), and you will have to add the IPs manually to the Tenant Allow/Block Lists spoofed senders tab.

Is there any way to send a one-time code in firebase to the users email

I have read the functions docs and the authentication codes on the firebase website, but I have no clue if it will be secure or not. I've read the whole of this doc: https://firebase.google.com/docs/auth/custom-email-handler
They seem to do all the verification on the website, but I can't find the verifyPasswordResetCode(actionCode) function in the node.js doc, so what way would you go around this?
Basically, if the user forgets their password/needs to verify their email I want the user to go to my website (I've already configured the custom action URL that is sent when the user requests to reset their email to go to 'mywebsite.com/auth/action/.../'). I know that my front end (iOS App) needs to verify the code and then in my functions (that's hosted on my website) I need to reset their password, but how would I securely transfer information from the email to my app, to my website with the function to reset their password with the action code? Or can I do it all on my website instead of where they input their new password on the website? I'm guessing using dynamic links?
Thanks,
Nathan
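Added example (not part of the original question and not Firebase's own code): a handler page at the custom action URL receives the action code as query parameters (`mode`, `oobCode`, `continueUrl`, `lang`, as described in the linked custom-email-handler doc), so the first step is to validate those parameters before passing the code on. `parseActionLink`, the allowed host list and the length/character check on `oobCode` are assumptions made for this sketch.

```javascript
// Added example: validate a Firebase Auth email action link before using it.
// parseActionLink and ALLOWED_CONTINUE_HOSTS are hypothetical names.
const ALLOWED_MODES = new Set(['resetPassword', 'recoverEmail', 'verifyEmail']);
const ALLOWED_CONTINUE_HOSTS = new Set(['mywebsite.com', 'www.mywebsite.com']);

function parseActionLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { ok: false, reason: 'not a URL' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'link must be https' };

  const mode = url.searchParams.get('mode');
  if (!ALLOWED_MODES.has(mode)) return { ok: false, reason: 'unknown mode' };

  // The code is opaque and one-time; Firebase decides whether it is valid.
  // Assumption: printable ASCII, bounded length. Reject anything else early.
  const oobCode = url.searchParams.get('oobCode');
  if (!oobCode || !/^[\x21-\x7e]{1,1024}$/.test(oobCode)) {
    return { ok: false, reason: 'bad oobCode' };
  }

  // continueUrl arrives from the link, so treat it as untrusted input:
  // only redirect to https URLs on hosts we own, otherwise drop it.
  let continueUrl = null;
  const rawContinue = url.searchParams.get('continueUrl');
  if (rawContinue) {
    try {
      const target = new URL(rawContinue);
      if (target.protocol === 'https:' && ALLOWED_CONTINUE_HOSTS.has(target.hostname)) {
        continueUrl = target.href;
      }
    } catch { /* unparsable continueUrl is ignored */ }
  }
  return { ok: true, mode, oobCode, continueUrl, lang: url.searchParams.get('lang') || 'en' };
}

// Constructed sample link, as it would appear in the reset email.
const sample = 'https://mywebsite.com/auth/action?mode=resetPassword' +
  '&oobCode=ABC123-xyz&continueUrl=https%3A%2F%2Fmywebsite.com%2Fdone&lang=de';
console.log(parseActionLink(sample));
```

With `mode` equal to `resetPassword`, the page would then hand `oobCode` to the client SDK's `verifyPasswordResetCode(auth, oobCode)` and, once the user has typed a new password, `confirmPasswordReset(auth, oobCode, newPassword)`; the code never needs to be stored or logged in between.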

Firebase Authentication: Emails sent but not received on special email addresses such as *@gmx.at

I am using Firebase Authentication in my Ionic App. Some users have reported to not receive the verification email which is sent after a user signs up, or when the resendVerificationEmail is triggered.
This works fine for email providers like @gmail.com or @live.de, but for those other users with special providers like @gmx.at it's not working. The emails are sent successfully according to firebase but they are never received.
Possibly the emails get filtered?
Has anyone else run into this problem? The message template cannot be modified, but would using a custom SMTP server possibly help?
The problem is solved by using my own private SMTP server for sending the Authentication emails.
I am using a hosting service for my domain that comes with email service so I am using that one. Using other services such as Mailgun or Mailjet etc. might also solve the problem.
You can set up your custom SMTP server right in the firebase console under Authentication/Templates.
I had the same problem with other email providers (orange.fr, sfr.fr, free.fr ...). After deeper analysis, it appeared that it is the domain address inside the (generated) link that is detected as SPAM by email providers (maybe everything that sounds like *.firebaseapp.com)
https://your-subdomain.firebaseapp.com/__/auth/action...
I changed it to a custom one of mine (through Authentication->templates->"Customize action URL" (bottom right)):
https://www.my-custom-domain.com/__/auth/action
and no more problem!
Some doc (note on blue background):
https://firebase.google.com/docs/auth/custom-email-handler?hl=en&authuser=0#link_to_your_custom_handler_in_your_email_templates

Verifying Email in Meteor Application

I am trying to send a verification email to users upon registration. I'm using Accounts.createUser to add users to the database and that works fine without any email verification system. Then, when I try implementing email verification by using Accounts.sendVerificationEmail, it does not send any email. I have set MAIL_URL and I'm using Mailgun. When I try sending an email within terminal, it sends as expected. I have tried using the process provided here: https://themeteorchef.com/snippets/sign-up-with-email-verification/ where the method is server-side and then I use Meteor.call to call that method but that isn't sending the verification email. I have also tried implementing Accounts.onCreateUser() and calling Accounts.sendVerificationEmail(user._id) from within but that is also not sending the email.
In my server code I have the following in the startup function: Accounts.config({sendVerificationEmail: true, forbidClientAccountCreation: false}); I've also noticed that when I add in any kind of email verification code server-side, createUser fails and tells me the username is not defined but works 100% as expected without any email verification.
Here are some links to various sources I have been trying to use in order to get this working:
verify email using accounts.ui package
https://themeteorchef.com/snippets/sign-up-with-email-verification/
Meteor 1.3 verify email when creating user
I've also been using the Meteor docs but I can't seem to get it working. I also have installed related packages (email, accounts, accounts-ui). Any help is appreciated!
Thank you to @PankajJatav for asking me to read through the server console more carefully! The problem for me was that I am using Mailgun as my SMTP service. I was using the default sandbox domain when trying to implement my email verification system but the sandbox domain is only for testing purposes. In order to actually get emails sent, I had to go to Mailgun and add in the recipients as an authorized recipient. If you set up Mailgun with your own domain right from the start, this shouldn't be an issue.
Once again, thank you to @PankajJatav

How to provide the Write Access in Firebase without giving Read Access?

I am having a strange situation in my app where unauthorised users can send me messages, whereas there will be only one user who can have read access to those messages.
I am using $bindto to write to the database (with my Google account logged in and Google authentication enabled) and reading it through the email/password authentication method.
I want the user to be able to send the message without any authentication process.
Is this possible?
There is no way we can stop an unauthenticated user from getting the data from the firebase database. In the situation that I faced, I was worried that if a user downloaded the JS file he could get access to all my database. But there is a catch:
Since you whitelist your IP/domain name, no one other than that domain can get access. So, even if they download your file they will not be able to get access, as the request will not be from an authenticated IP/domain name.
The other way is using the anonymous authentication method so that you can anyhow authenticate the user, and by that you can at least have a trail of who is working on or modifying your data (IP tracking access log is also useful).
