I know how to remove registered users manually via web interface (which is also answered by this question). This can be done without providing user's password.
Is there a way to remove a user automatically without their password? I have only found removeUser API call which requires user's password.
It would help to simplify deployment for testing/stage environments.
There is no API to programmatically access the email/password users in Firebase.
For development purposes, you can delete them through the Login & Auth tab of your app's dashboard.
Related
I am making an admin tool page to allow admins to change users email for when they change or set their account to deactivate so they can not access the site anymore. Everything I have looked at seems to be using 'CurrentUser' but this will not work due to the fact they will be logged in as themselves which is marked as Admin level so they have access to the tool. So is there any way to change a users email for authentication without logging in as them?
If the Firebase Authentication client-side SDKs had an API that allowed you to change the email address of anyone but yourself that'd be a major security risk.
This is the reason an API to update any user by their UID only exists in the Admin SDK, which can only be run on a trusted environment as it requires full administrative access to your project.
If you want to expose this functionality to specific users of your app, you'll have to wrap the relevant call of the Admin SDK into a custom endpoint that you then call from the app. Just make sure to check that the user is authorized, before changing some other user's account.
I am using Firebase Auth to authenticate users using the Email/Password Method. Sometimes I detect spam users that create a lot of accounts from one IP address. I want to block them to protect my app.
I know that there is a method called "Disable User Account" in Firebase Console. I want to use it in my project.
I searched in Stack Overflow as well as the Firebase Docs and found that this only can be done in Admin SDK but I want to use it in the Firebase Web JS SDK. So is there a method to do that like user.DisableAccount?
There is no method to disable a specific user's account in the client-side Firebase SDKs, as that would be a security risk.
But if you look at the documentation for updating a user with the Admin SDK, you'll see there is a property disabled that you can set to true.
From that moment in, that user won't be able to sign in or refresh their ID token. Their existing ID token is still valid though, and by default, that means it may take up to an hour for them to get signed out of your app. If that interval is a concern for your use case, have a look at the documentation on managing user sessions, specifically the section on detecting ID token revocation. While more work, this allows you more granular control of the expiration of the token.
This image shows the Authentication for my Firebase Database Security: Authentication
I only allow Email/Password Sign-in method, everything else is disabled.
I don't allow my users to sign in manually.
My Android app logs in via code and it uses just one set of Email/Password:
My question is how come I am still getting this warning: Warning
I've followed thru the enter link description here but this sample uses Google sign-in method. And all the other samples or discussion I've read use the same method. Has anyone here tried Email/Password Sign-in Method? Thanks!
That authentication and the firebase realtime database are different things. Your authentication method doesn't control who has access to that database.
This means that anyone who has access to the keys, will be able to access your db. So if your client app (Android / ios / web app) access the database directly, your users will be able to do that too.
To secure it you need to use specific read/write rules. Your best explanation will be from their documentation which can be found here https://firebase.google.com/docs/database/security
I'm currently developing a web app using firebase authentication to make sure only authorized users can access the backend (e.g. firestore).
However, I don't really care about differentiating users but just want a single password based login/authentication. Meaning users come to the site, enter the password they know and then they get access to the protected data (e.g. from firestore). No need to create a own account.
However, I don't think firebase auth supports something like that.
What would likely work is just using .htaccess to protect the page and then provide users with anonymous accounts once they can access the app/page.
However, the browser popup caused by this is not nice enough for my purpose, I would prefer a nicely styled password form in the actual browser window.
What I could try is creating one account and sharing the password for that with all users (and set the email in the background). However, I'm not sure whether this works fine (e.g. multiple users being logged in at the same time on the same account).
Am I missing a simple option to implement such a single password based login shared between users?
Or is it e.g. possible to send a password to cloud functions, check it there and return an access token for an anonymous account from there to the user?
You can just create a single Firebase Auth email/password account and share the credentials with everyone. As long as you trust that each user will not share them with anyone else, and you trust that they will not maliciously overwrite each others' data, it should be fine.
CONTEXT:
In firebase settings, there's a permissions tab. This shows the users/emails that are associated with accounts that have admin access to the firebase project and console.
I could have sworn I once saw a document describing a method or some way of checking if a user account in firebase auth is also an administrator of the firebase project.
I seriously can't tell if it was in a dream (yes I dream code) or if I actually saw it. I often work late nights and fall asleep in front of my computer.
Question: Is there any way to tell if a user is also an administrator of the firebase app?
IE the user email matches an email that’s listed in the IAM/access management section of firebase as an 'owner' role?
Im currently writing an admin panel for my app, so such a feature would be very useful.
If such a thing does not exist, can anyone suggest an alternative way to manage and authorise users that are capable of logging into the admin dashboard to have control over the app? I already understand custom claims so I will use them if no better solution is suggested.
Well, using only the FirebaseAuth through your app, I don't think you can (as far as my knowledge goes). But you can easily implement the Admin SDK to manage your Custom Claims. Basically, you can use the Admin SDK and find out which "role" you want to access.
Referencing Firebase
Custom claims can contain sensitive data, therefore they should only
be set from a privileged server environment by the Firebase Admin SDK.
and
Custom claims can only be retrieved through the user's ID token.
Access to these claims may be necessary to modify the client UI based
on the user's role or access level. However, backend access should
always be enforced through the ID token after validating it and
parsing its claims. Custom claims should not be sent directly to the
backend, as they can't be trusted outside of the token.
Once the latest claims have propagated to a user's ID token, you can
get them by retrieving the ID token.
Therefore, you'll only need the FirebaseAuth implemented on your app's (client), but will need an extra implementation using a server.
Please see the Firebase use cases, they'll probably fit your needs, and you can pick the one that is "easier" for you.
It turns out it can't do what I wanted in the first place because it's only available on certain triggers.
Here it is: context.authType
https://firebase.google.com/docs/reference/functions/functions.EventContext#.authType
The level of permissions for a user. Valid values are:
ADMIN Developer user or user authenticated via a service account. USER
Known user. UNAUTHENTICATED Unauthenticated action null For event
types that do not provide user information (all except Realtime
Database).
Although it would be great if we could get this information on callable functions and firebase triggers because it would help further secure hosted backend admin apps for customer service or developers, who have high-level access to admin functions. This variable seems to not be available on callable functions but is available on newUser trigger - which is strange, because how can user signup ever be authenticated anyway?