Can an admin delete users from a firebase application? - firebase

On my application users are provisioned and delete by the admin. The documentation states that auth.removeUser requires an ID and password. Of course the admin user doesn't know its users passwords. Is there a way for the admin user to get permission to delete users?

Note that Firebase Simple Login is a separate service built on top of Firebase Authentication, intended to simplify authenticating users and generating Firebase Auth. Tokens for use in Security Rules.
All that said, if you log in to Firebase Forge (at https://<your-firebase>.firebaseio.com) and select the Auth tab, you can add or remove email / password users under the Email & Password button.

Related

Firebase authenication only for one user

I made a website and setup up a firebase signup for it. But I don't want users to signup with their emails. As the Website should be only accessed by a specific email and password which I would provide. How can I setup this functionality. Can someone explain the process.
Create the email/password account manually in the Firebase console
Give the account information to the user
Code the account password to the user, and code a way for them to sign in with the Firebase Auth SDK.

Authenticate only "admin" users registered with Firebase Auth

I have an app that lets users sign in via email and password. The app has a feed with posts that need to be moderated. I have an admin react website that lets the moderators remove or keep posts. Right now any user can login and see the content, however I wanna make the login only available for admin users. I made my account "admin" using Admin SDK of Firebase.
I was thinking to make a Cloud Function which verifies whether the email is an admin and return true or false accordingly. Then authenticate the user normally using Firebase Auth. Is this secure enough?
If you've set a custom claim marking the user as an application administrator, you can check in your client-side code for the presence of that claim. You can then use the result of that to show the correct UI.
On the server/in the database security rules, you'll also want to check the presence of this admin claim before allow the user to access/modify the moderator data.
Note that none of these prevents the users from authenticating. Authentication in Firebase is nothing more than entering your credentials to prove that you are you. Granting access to resources based on who you are, known as authorization, is up to the application, hence including it in your client-side code, and server-side code or security rules.

Can Firebase users created without a password still sign in?

In a scenario where a new Firebase user is created without a password, could the user sign in using just their email address (passing a null/empty string as the password)? Or does Firebase reject all attempts to authenticate with email + password when no password is specified in the user auth object?
The Firebase Admin SDK docs are clear that password is an optional property for createUser(), but the Password Authentication docs don't appear to specify Firebase's behavior when the user was created without a password. It would also be interesting whether an email link authentication (only) strategy can be enforced by leaving and/or setting a user's password as undefined, but this also doesn't appear to be explicitly called out in the docs.
Presumably Firebase rejects the email/password auth attempts, creating a de facto requirement for email link authentication (supported anecdotally), but any suggested links to Google authored docs would be greatly appreciated!
Firebase Authentication users are associated with one or more providers, and many of those providers don't need the user profile to have an associated password. For example: if you sign into Firebase with your Facebook account, the Firebase Authentication profile will not have an associated password. This applies to most providers, as in most cases the password is stored elsewhere (Facebook, Google, LinkedIn, Microsoft, etc), or ephemeral (email-link, phone auth).

How to change firebase password from admin section

I want to change user password form admin. Users are login with firebase email and password option. Admin is also login with firebase. How can change the user password with web api?
There is no way to change another user's password with the client SDK.
Firebase Authentication doesn't have any concept of an admin user. That means that it can't grant special privileges to a user that you consider an admin.
There is however an Admin SDK, that runs with administrative privileges, and has the option to change the password (and other profile data) of any user in the project. This SDK is meant to be used on a so-called trusted environment, such as your development machine, a server you control, or Cloud Functions.
You could wrap the Admin SDK in an API endpoint that you can call from your web client code. Just be sure to check in the custom function whether the user is authorized to change the password.

Lose password after sign in using Google provider

I have an Android app with use Firebase authentication using email and password. Recently added Google provider now my users can sign in wih his Google account, the problem is the following
There's an existing user example#gmail.com registered on my app, later the user sign in with his Google account Firebase automatically change the provider of the account from email to Google, the problem the user sign out and try to login with his email/password and got a message
The password is invalid or the user does not have a password
I understand why happens, but users (you know they are users) get frustrated because can't login with his email/password
There's some way to tell Firebase to keep the user password or when a user login with Google and this convertion happens in order to notify to user
Note My app only allow one account per email
I found there's a method fetchProvidersForEmail I asume I can build a flow over that method that check which provider have the user and allow the user chose if want to keep if old password by asking and linking account or just continue

Resources