I'm working on a web application which uses React and Firebase as backend.
This application shows a list of users and, for each user, I wanna know if his email has been verified.
So,
How can I check if an user's email (given an email address) has been verified ?
I already tried to do som :
firebase.auth().getUserByEmail(email).then((info)=>{
console.log("sucessfully fetched info:" +info);
})
.catch(()=>console.log("error")
But I got error, something like 'getUserByEmail is not a function'
Firebase Auth does not provide any APIs for a user to get any other user's profile data. That would be a security problem - profile data is private in Firebase Auth.
What you'll have to do is write some code that updates a database with the information you want, and have your clients query that database instead. How this happens in practice is entirely up to you. Each user account is probably going to have to update the database with its own email verification status.
Related
We are using Firebase on our project and we want only users who recieved an email invitation to be able to access register page and create a profile afterwards.
Can you do that using firebase?
There is nothing built into Firebase Authentication to allow only users you've invited to sign up. When the email+password provider is enabled, anyone can call the API and register.
What you can do though is have a list of the invited email addresses in an online database somewhere (such as Firebase's Realtime Database of Firestore) and check against that list whether a user is authorized after they have signed in.
For an example of how to limit access to the database to specific users, have a look at:
for Realtime Database: How do I lock down Firebase Database to any user from a specific (email) domain?
for Firestore: Restrict Firestore gmail sign in to specific domain
I want to maintain an account disabled until it passes the email verification.
Problem is, as a user registers itself via createUserWithEmailAndPassword, the newly created account is ready to be used.
The only way I can avoid authentication is to check email verification flag via js in client app and deny login, but I don't want to rely on client controls, I'd prefer that firebase itselfs deny the authentication until email is verified.
Is there a way to accomplish this?
You can (and should) also check if the email is verified in the back-end, either:
in security rules, if you're using Firestore, Realtime Database, or Storage
in your own backend code, using a Firebase Admin SDK
When you do this, the client-side check is nothing more than a way to show the correct UI for the current state ("hey there, your email isn't verified yet. Check your inbox, or click here to resend the email"). It's the server-side check that controls access to the data, which is precisely how you want it to be.
This has been covered quite regularly before, so also see:
the Firebase documentation on implementing role-based access control on Firestore
How do I lock down Firebase Database to any user from a specific (email) domain? (for Realtime Database)
Only let pre-verified users log into Firebase
I allow my users to modify their displayName by an input field and I would like the Firebase to validate it, avoiding bad characters like html code or similar. Firebase has a built-in input validation tool for email address, does it have for displayName also?
Create a HTTPS Callable Cloud Function trigger that can be called from your application and updates the user's info. Then keep and update the user profile in the realtime database to take advantage of the database rules to ensure the data is validated.
If the display name for example didn't meet the criteria, the database update operation would return permission denied with an error code of 1.
A successful write operation to the realtime database would mean a valid display name at which point you could go ahead with updating the user's info via the Firebase Admin SDK.
I am using the Facebook login as an authentication for my PhoneGap application - once a user logs in, their data is retrieved from my database to display information. I am not using the SDK for any other purpose.
I have the Facebook auto login working fine - it retrieves an authResponse and my Facebook information. Since the access token changes with each login, what can I use to store locally and in my database to authenticate the user on my server for future logins?
Here is a flow that I think could work...
User sees logs in screen and enters Facebook credentials
Facebook securely validates and returns user information & access token
The app uses localStorage to store user email and access token
For future autologin, the localStorage values are used as email/password
I feel like this cannot be the correct answer, however.
I figured out a solution - I was confused about storing passwords on my database to fetch user information. Rather, these are the correct steps:
Use Facebook SDK to handle the login and retrieve the authResponse
Update the user table in my database with the temporary access token and retrieve user's information
For every POST or GET the user wishes to perform, I will match the FB.getLoginStatus() results from the database's access token (the check will be done server side)
If the tokens match, perform requests. Otherwise, force the user to login again.
I am integrating FB Login in my website. For this purpose I am using Javascript SDK. Here are the steps which I am trying to follow.
User clicks on FB Login option, user is shown with POP UP by FB to enter his credentials.
FB sends response which includes accessToken, expire time etc.
After this user will see registration form dedicated to my website filled with email and other basic entries. He has to just choose some username and then click on signup.
As soon as user clicks on signup his details will be stored into DB, his username will be kept in session and he is signed in now.
User logs-out. Now, user again clicks on FB Login, if there is email already present in DB I am making the user log into my website by putting his username in session.
Here, are my questions now.
Shall I also store Access Token for the user in my DB in step 3? If yes then what will be the best encryption medium to send it to server-side?
Also, is there a need to store access token in cookie/session?
If answer to my Q1 is yes then will I be able to use the access token stored in DB to validate user if he uses FB Login again?
As far as I know once access token expires Javascript SDK will generate new access token. So, if user logs in after a long time then this validation might not be applicable.
Shall I also store Access Token for the user in my DB in step 3? If yes then what will be the best encryption medium to send it to server-side?
No, if you are not planning to do any automated tasks for the user with your server. In this case you'd need to change the access token to a long-lived token, but that's another thread.
Also, is there a need to store access token in cookie/session?
No, Facebook's JS SDK does all the access token handling for you.
If answer to my Q1 is yes then will I be able to use the access token stored in DB to validate user if he uses FB Login again?
No. You can save the Facebook User ID to your database, which is more constant than the email. Email can change, user id does not. So you should compare the user ID.
And just as a side-note:
Facebook also has a server-side login flow that should be used to authenticate the user. If you just use JS SDK to authenticate the user, it would be relatively easy to log in as any user imaginable from the client.