I'm using Firebase Auth (web API) and am looking for a way to check the validity of a user's email / password combination for account removal.
Ideally a call like Firebase.isValidCredentials(email, password)
Problem context:
In my app, when a user requests to remove his/her account, I want to prompt to re-enter their password as confirmation. If correct, the account should be removed along with all other associated data (living under different Firebase nodes).
While the credentials check is done by Firebase.removeUser(), that also removes the auth:ed account with it, which breaks my ability to remove user data (as I've set Firebase Security to require active auth for manipulating user data nodes).
Appreciate guidance here, and if there's a Firebase recipe for removing user accounts along with user data.
Firebase.authWithPassword(email, password) can be used to confirm credentials of already authenticated users, in addition to signing in non-authenticated users.
(thanks Kato for the advice!)
Related
background of this question
I'm using firebase auth for user authentication on my app.
I realized that firebase doesn't have a log of user information changes, so I can't answer user questions about it.
So, I'm planning to move the feature of changing user account info (like email, display name, and password) from using the client-side firebase auth library to using server-side firebase auth SDK for the purpose of taking logs of these changes to use for user support. Also, I'd like to make logout a user who changes account info.
I've looked for the appropriate API on the document firebase.google.com/go/v4/auth and found UpdateUser function. The struct UserToUpdate which is a parameter of UpdateUser can set a new email address, new password and new display name, but I can't find to set the parameter to make a user logout.
my question
Is there a way to log out a specific user by firebase auth go SDK?
Firebase Authentication's client-side sign-in is based on ID tokens, which are valid until their built-in expiration (by default: an hour after they are minted). Since no server keeps a list of all the ID tokens it has minted, there is no way to mark a token as invalid on such a list either.
The common approach to revoke access for a user is to:
Revoke the refresh token, so that they can no longer mint new ID tokens with it.
Add the ID token(s) of the user to a self-managed list of revoked ID tokens.
Detect the presence of an ID token in this list from your server-side code and security rules.
Optionally detect the refresh token revocation on the client
Instead of logging the user out, you can also force-refresh their ID token/profile on the client to get the latest information from the server.
I wanted to create website where I have separate Sign In and Sign Up form. I also want to have Google authentication with Firebase.
I've implemented it like this both on sign in and sign up page:
await FIREBASE_AUTH.signInWithPopup(googleAuthProvider);
But this code will always create new user.
What I would like to do is to block creating new user on sign in page, only log them in if user already exists (e.g. as I require terms of use consent on sign up page, but I don't want to require it on sign up page - it would be quite weird)
There is no way in Firebase Authentication to prevent users from signing up, while still allowing them to sign in if they're already created. The reason for this is that Firebase Authentication merely focuses on allowing users to authenticate themselves, so to prove who they are by providing credentials. What they can then do in your app is known as authorization, and is up to you to implement in your front-end application code, back-end application code, and server-side security rules.
For example, if you use one of Firebase's databases (Cloud Firestore or Realtime Database), you'll typically maintain a list of approved user's in that list (either their email or their UID). Then before granting the user access to specific screens in your app or data in your database, you check if the users exists in that list. If not, you don't grant access to the screen or data.
I don't see an issue here, when a user uses google auth when they already have an account it will create a new account with their in some cases new data he might have changed in his google account.
In case your users hold other data in your database I'm pretty sure there's a google auth API for that issue.
I want to provide a way that users can change their sign in method in my App using Firebase Auth.
For example, if previously a user signed up using Email and Password, then he/she wants to switch to Facebook or Google Sign in method. Then how do I do this without changing the user's UID ?
Probably something like:
firebase.auth()
.signInWithEmailAndPassword('you#domain.com', 'password')
.then((userCredential) {
userCredential.user.updateSignInMethod(method: facebook)
.then((userData) => loginWithFacebookProcedure());
})
Is it possible? If yes, how to do that ?
Thanks
There is no direct ability to "switch" authentication providers with Firebase Authentication. Once an account signs up with a provider (such as email/password), that option will always be available to the user of that account.
What you can do instead is link additional providers to an existing account, which will allow the user to authenticate using any of the providers linked to that account. Until you unlink them.
So, if you really want to "switch", you will actually have to link to another provider, then unlink the old provider. But that seems like a waste of effort when you can simply retain all of the linked providers for the user to choose from.
When reauthenticating a Firebase user via the Google provider for a protected action (password reset, email change, acct deletion, etc), I notice that it creates an account if one doesn't already exist.
The problem this creates is that if a person is signed into multiple Google accounts on their machine and they select the wrong account at re-auth, Firebase will create an account and sign the user in under that account.
This could be particularly problematic at account deletion. The user expects to remove an account only to end up adding another. Also, things like TOS/privacy policy acceptance would then have to be moved to the sign in flow which means users would have to create an account, verify email, and sign in before being presented with terms and policies.
Is there any way to prevent a provider pop-up from creating an account and just return an error if the account chosen for reauth does not match the currently selected account? I thought about implementing this manually but the problem is that once the user signs in, the old token is removed from storage. Even if you store the initial email address and compare it to the address selected for reauth, you can't give the user the option to try again because they've already been unauthenticated from the original account and your only option is to sign them out entirely. This just makes for a tricky elevated auth flow.
I am using Firebase's auth feature and sometimes I see empty users in the console. This brings issues to some users because instead of logging into their main account (and using their UID to fetch their user data in a users reference), log into that empty account with a UID which is not theirs.
Not sure exactly how that can happen, but it seems like this could be a bug on Firebase's side, because a successful Auth should have at least 1 provider...
Any ideas about such issue and how I could fix it from my side if possible?
Ps.: Is that how "signInAnonymously" would create anonymous accounts?
This is an intended behavior when you authenticate with Firebase anonymously.
signInAnonymously() method signs in the user anonymously without requiring any credential and creates a new account in your Firebase Authentication system, except in the case where there was already an anonymous user signed in into the app.
See FirebaseAuth.signInAnonymously class reference for more details.