I'm using server-side generated firebase's oob codes (like email verification and password reset) for implementing an organization/member pattern within my application.
I want to be able, as an organization owner, to invite members, who will receive an email containing a link so they can sign-up for the first time for my application, getting its email verified and performing a first-time-sign-in password reset.
My problem is, the oob codes have too little validity time for my use, and my invited members are getting "action code has expired" errors 99% of the time.
I want to know if there is a way to increase the expiration time for the oob codes, avoiding me having to reengineer the whole auth stack. Also, any suggestion for better ways to achieve this would be very welcome. =)
Thank you in advance!
Related
A hacker was able to create users in my client side based firebase site, I was restricting account creating by some sign up conditions on user's signup form data, I think he just injected signup code,
I immediately disabled authentication and removed the malicious accounts
If I used firebase cloud functions, will this hack still be able to create accounts, since firebase configuration was available to any client
are there any other actions ?
Update 4-9-2022
as temporary solution until using cloud functions, I made use of
making conditions using
https://firebase.google.com/docs/database/security/rules-conditions
if a user was created bypassing my logic I will make rules to disallow him from accessing certain paths
If you didn't do this already. You could fix this by adding some email verifier functionality. Or maybe try adding a captcha
Also check out: https://firebase.google.com/docs/auth/web/email-link-auth
Blocking the user by IP-address is pretty useless, so I can't really come up with another solution.
One question that you could ask yourself is, What is the reason they are doing this? If it is nothing too serious you could just accept and delete all those accounts after the "hacker" stopped making accounts.
This is just a general question on how Email verification can commonly be carried out in a secure way in web apps (I am targeting nodejs based frameworks, but I don't want any framework specific code, just the steps). I can't seem to find any general guides on the best practices for email verification, so asking here :)
What I have in mind is the following
When a user signs up, create a random token and store it in a DB table along with a field token_created_at that tells when the token is created. Then send a verification mail with that token and the user id.
When the user clicks on the link, the route get's the token and the id. We can then lookup the table to verify the token for that id. If when the route is clicked is already past the token_created_at field, we simply say they need to generate a new verification URL. If it matches, the account is verified.
This is what I have in mind ? Is this a right approach for email verification ?
Thanks in advance ! :)
I'm using react-native and firebase for my login/signup system.
I want to add the feature that when you signup with a mail and password you receive first a mail that you need to confirm before you can use that account for logging in.
I searched for documentation about it but i couldnt find anything that really fits to the feature.
This have been covered quite a few times before, so I recommend searching for previous answers. For example: https://stackoverflow.com/search?q=%5Bfirebase-authentication%5D+verified+before+sign+in
But nowadays I'd probably use an email link to sign in to Firebase, since that automatically ensures the email account exists.
I didn't work a lot with firebase but iirc there was a way to return a token when signing up and sending it when signing in later.
There is also a way that doesn't involve tokens which is to add a boolean to your DB and send an email with a certain randomly generated id. When the user clicks on the link in the email, you could then send that key to the backend and set the boolean to true.
This approach works as I personally tried it before but it needs effort to make.
I am working on my first Paypal site. I have a form on the site that the customer fills out with custom information. I want to take that information the user fills out and have it send a message to my email along with the payment confirmation that Paypal sends. Any Idea on how to do this? I'm using Angular and Ajax for the front-end and php for the email service. Thanks
What you want is Instant Payment Notification (IPN). It will automatically POST data about any transaction that hits your PayPal account (ie. sales, refunds, disputes, etc.) to a URL that you specify so that you can receive that data and process it accordingly.
Within your IPN script you can update your database, generate email notifications, hit 3rd party web services, etc.
It's a very powerful tool for automating lots of post-transaction processing tasks.
While demanding a custom email to you as the payment receiver, what you didn't mention is the business needs behind it, or put it in other words, what you are planning to do with the custom email.
(I think this topic could turn into a big essay... My conclusion is I'd recommend IPN or EC with IPN. But below is what was on my mind when I got the conclusion.)
The emails to receiver can be used as a primitive way to notify sellers about payments they received or other transaction events. However this requires either a person's manual work to check the emails, or a program to parse the emails and get info out of the emails. Manual work is error prone and once your business grows bigger the number of emails will be overwhelming. A program to parse the emails costs a lot to develop, is unreliable because emails by nature may be delayed (applies to the manual way above too), and as PayPal doesn't consider emails as the preferred way of notification, sellers shouldn't either - maybe the content / format may change. PayPal provides a few better ways, I'll mention later.
Thus, if you want to start small, checking your emails manually could work for a while, until it becomes overwhelming. Unfortunately this email from PayPal isn't customizable.
So here are the ways I know, starting from manual to automated:
Downloaded transaction log from your PayPal profile. This works best if you don't have to check transactions very often. If you only check transactions daily, weekly or even monthly, this works. My nonsense thinking is, it would work if someone really wants to check transactions every minute... but this is really funny.
Transaction detail report. This works only if you have a business account. It's generated daily and you have to download through sFTP. It's mainly used for end-of-day transaction checking. This can also be automated.
Instant payment notification (IPN). Sent automatically once a payment is made or transaction status changes. You need a script at an accessible URL to listen to this notification, and this script should process the IPN once it arrives, for example updating your order status. https://developer.paypal.com/webapps/developer/docs/classic/ipn/integration-guide/IPNIntro/
EC with IPN. If you use Express Checkout (EC) to receive payments, EC returns transaction status immediately with the response of your API call. But, you still need IPN because there are cases which are not triggered by API calls. This is a big topic so please check below page: https://developer.paypal.com/webapps/developer/docs/classic/products/express-checkout/
For other products, similar to #3 and #4 above.
All points above can be explained in a loooong article, or many loooong articles. I'm just too lazy to explain them here.
So conclusion again, do try #3 IPN or #4 EC with IPN.
And, all those ways above may be very confusing for people who just came into this topic. If you write down your business needs instead of demanding the email, people may be able to help in a more specific way.
I have a site with a tool on it. The tool is an HTML form that clients will save a local PDF after filing out. The form works. PayPal can be integrated for payment.
All of the code is run on the client side via javascript. I do NOT want to store any data or credentials on my server.
What I don't understand is how to protect this particular HTML file until someone has paid for it. I was hoping for maybe a randomized string for the file name that lasts 48 hours or something. Just not sure what to search for at this point.
The site backend is node.js and using Foundation CSS if that helps.
Thanks in advance.
If you use a unique/random filename as you mentioned, and have it expire after x amount of time, that will obfuscate, but not protect/secure. Obfuscation is probably more than enough for your needs, but not something that we should be providing as an official StackOverflow answer... so I continue.
It roughly sounds like you have one of those, excuse my wording here, "cheap self-help/how-to/etc pdf for sale that should really be free and probably is somewhere" type of websites. I am sure your product is fantastic and is of the utmost quality, but if you know the sites i'm referring to, and my assumptions are correct, the information below should be helpful.
As far as I understand your needs, you want a version of business logic similar to this:
User fills out form on your site
User gets redirected to paypal, or is "called to action" with a paypal button.
User pays or doesn't pay
User downloads/accesses file only if they paid.
There are a few options you can do:
If every user is getting the same file, the below methods should be similar, but simpler
Ensure you set the CUSTOM value for whatever PayPal payment method you're using to the unique ID you created for the user, and an email address if you can collect that from them. Then use PayPal's IPN to wait until a payment has been received. This IPN notification will have the CUSTOM value for the payment, which is unique per user per payment per file, and you just email them the appropriate file.
Use PayPal's Encrypted Website Payments API to create a secure button (pass BUTTONCODE=ENCRYPTED) using node.js. Secure buttons do not expose the form variables, so the client would never have access to the RETURNURL which is where your secret file is at, so there is no way they can attempt to download it. If they did find some way to decrypt the button, it would have taken them much longer than your 48 hour expiration. Either way, I doubt (no offense intended) users would be this interested in your product.
There are more ways to do this without storing user credentials on your server, but no way to do this without storing some type of data (see: code) on your server.