Is there a way to verify a signed up email? - javascript

I'm using react-native and firebase for my login/signup system.
I want to add the feature that when you signup with a mail and password you receive first a mail that you need to confirm before you can use that account for logging in.
I searched for documentation about it but I couldn't find anything that really fits the feature.

This has been covered quite a few times before, so I recommend searching for previous answers. For example: https://stackoverflow.com/search?q=%5Bfirebase-authentication%5D+verified+before+sign+in
But nowadays I'd probably use an email link to sign in to Firebase, since that automatically ensures the email account exists.

I didn't work a lot with firebase but iirc there was a way to return a token when signing up and sending it when signing in later.
There is also a way that doesn't involve tokens which is to add a boolean to your DB and send an email with a certain randomly generated id. When the user clicks on the link in the email, you could then send that key to the backend and set the boolean to true.
This approach works, as I personally tried it before, but it needs effort to make.

Related

Preventing hacker from creating users on firebase client side code

A hacker was able to create users in my client-side based Firebase site. I was restricting account creation by some sign-up conditions on the user's sign-up form data; I think he just injected sign-up code.
I immediately disabled authentication and removed the malicious accounts.
If I used Firebase Cloud Functions, would this hack still be able to create accounts, since the Firebase configuration was available to any client?
Are there any other actions?
Update 4-9-2022
As a temporary solution until I use Cloud Functions, I made use of conditions using
https://firebase.google.com/docs/database/security/rules-conditions
If a user was created bypassing my logic, I will make rules to disallow him from accessing certain paths.
If you didn't do this already, you could fix this by adding some email verifier functionality. Or maybe try adding a captcha.
Also check out: https://firebase.google.com/docs/auth/web/email-link-auth
Blocking the user by IP-address is pretty useless, so I can't really come up with another solution.
One question that you could ask yourself is, What is the reason they are doing this? If it is nothing too serious you could just accept and delete all those accounts after the "hacker" stopped making accounts.

Email verification theory - Looking for general guides

This is just a general question on how email verification can commonly be carried out in a secure way in web apps (I am targeting Node.js based frameworks, but I don't want any framework-specific code, just the steps). I can't seem to find any general guides on the best practices for email verification, so asking here :)
What I have in mind is the following
When a user signs up, create a random token and store it in a DB table along with a field token_created_at that tells when the token is created. Then send a verification mail with that token and the user id.
When the user clicks on the link, the route gets the token and the id. We can then look up the table to verify the token for that id. If the time when the route is clicked is already past the token_created_at field, we simply say they need to generate a new verification URL. If it matches, the account is verified.
This is what I have in mind. Is this a right approach for email verification?
Thanks in advance! :)

How to create a user verification hash/token?

So basically I have a registration endpoint in my Express app. I am trying to make it so that users have to verify their email prior to their account being activated (the account is deactivated by default). I have everything set up; the only thing that is confusing me is how to create a hash that I can send as part of a link that a user clicks to verify their account. I have thought of using JWT and just creating a token and sending that along, however this seems a bit overkill. So my question is, is using JWT for this purpose a solid solution or is there a better alternative? If so, what is that alternative?
Thank you!
This question can lead to opinionated answers and I will try to give you one.
If all you want to do is verify email, then JWT seems like overkill to me. Just create a hash using the nanoid or shortid package from npm, or using the standard Node.js crypto module.
Save the hash to DB record of the user, send out the link as in
https://my.server.com/whatever-path-you choose/${your-generated-hash}
This should be handled by the server where the endpoint:
looks up and verifies the user by the hash
enables the account
burns the hash (i.e. delete the hash from DB)
redirects to the page of your liking, most probably login page.
My 2 cents.
Do a token that includes the user id and a secret value to make it more safe, but don't push your code online, to hide this secret.
Also then put it as a cookie.
Another way without JWT is using res.locals.

How to disable a user from firebase?

In the Firebase API
https://firebase.google.com/docs/auth/web/manage-users
we can delete users, but how could we prevent users from simply registering again? In the GUI for Firebase we have the option to disable users; how could we do this in the program, for example if we are building an admin panel that checks posts for a listing site that have been reported, and we want to disable the creator or the reporter for spamming as part of the available actions.
Thanks.
I develop in React if that changes the answer.
To prevent the user from re-registering, you should disable the account instead of deleting it. This will prevent the user from signing in again, and from refreshing their ID token. If you want to do this programmatically, have a look at updating a user with the Admin SDKs. For example, in Node.js it'd be:
admin.auth().updateUser(uid, { disabled: true })
Keep in mind however that even after disabling the account, their existing ID token will remain valid until it expires (typically within an hour), and cannot be revoked. If you want to prevent them from posting in the meantime, you'll also want to keep a list of blacklisted/blocked UIDs somewhere, and check against that list before allowing them to write/access the data.
You will not be able to programmatically disable a user from the frontend of your app. You will need a backend, and use the Firebase Admin SDK to update the user account to become disabled. The API is updateUser.
Well they can always register again (in case the website is public/ not invite-only), with completely different credentials.
You can do a matching of the new data and existing blocked users, and if it matches above a threshold, flag them.
And you can improve your reporting, the faster you detect a user who should be blocked, the better.
Can't say I'm super familiar with Firebase but I'll try and help (can't hurt).
Have you tried to blacklist the IP of the user in question?
Hope I helped :)
Have a good day!

Remove a user from firebase

I am trying to remove a user programmatically from my Firebase. The method removeUser takes 2 arguments, email and password. Now email is not hard to find out since this is stored in the auth variable, plus I am adding it in my database when a user is created. However, how am I supposed to find out the password from the user?
When I create a user I do add the generated md5_hash information with this user in my database. However, I can not convert this value back to the real password.
I also obviously do not want to store the real password in the database since this is just asking for problems.
So I'm wondering, is there anything overly obvious I am missing here on how to remove a user programmatically from the database, with his password? (Why do I actually even need his password to remove him?)
EDIT: To clarify, I am only allowing an admin to delete users, so he has a list of every user that has been created in my firebase. Having a user delete his own user account is still not so easy since (I presume) the firebase hashing algorithm is not public, so there's no way for me to check if he did input the correct password.
Firebase Simple Login is a service built on-top of Firebase Custom Login, and provides useful primitives for authenticating users via common means.
By design, Firebase Simple Login does not give you access to the users' passwords programmatically, as it only increases the risk that they are not handled or stored securely. Today, the only two methods that can be used to remove an email / password hash mapping are either via the client API using the email and password, or via the admin panel at https://<YOUR-FIREBASE>.firebaseio.com.
Keep in mind that when using email / password login, Firebase Simple Login simply creates a new mapping between an email address and a password hash, but does not store any information in your Firebase. Also note that there is no way to "blacklist" a user id, so if you remove the mapping, the user could re-create it.
If you want to ban / block users, a better approach would be to create a new list in Firebase of your "blacklisted" users, and then use security rules to check whether the user is in that list (i.e. the user is blocked if root.child('blocked-users').hasChild(auth.uid)).
