In my project I need to link an existing email account whithout the user signed in.
I have the user's email, so I'm trying this code:
firebase.auth().getUserByEmail(useremail);
on the client side.
But it gives me the firebase.auth(...).getUserByEmail is not a function error.
Does anyone know how to get the user by email address on the client side so I can link the accounts, the existing one and the providers?
Thanks in advance.
Using sdk 17.4.5
For web clients, firebase.auth() returns an Auth object. As you can see from the API documentation, there is no getUserByEmail method. on it. You're probably looking at the API documentation for Auth from the Firebase Admin SDK, which does not work on web clients. It only works on backends running nodejs.
If you want to use getUserByEmail, you'll need to run it on a backend, and invoke that from your web client.
You should know that linking user accounts does actually require the use of this method. You link accounts after the user has signed in to both of them.
Related
This is what I am trying to accomplish: I have a static website hosted with Firebase Hosting and it has a Google Forms Form. Upon clicking the submit button, I want to also send the user an email confirming that we received the form. I have written a Firebase function using an HTTP endpoint. However, that endpoint is exposed to the public. Is there any way I can protect this function? I know that we can do an auth verification with a logged-in user but I don't need the visitor to create an account to submit the form.
Thank you!
HTTP triggers deployed by the Firebase CLI are always accessible to anyone with an internet connection. The only access control is provided by Google Cloud to restrict access by IAM, which is not going to be helpful to you here.
What you should do instead is protect the endpoint to be accessible only by users signed in with Firebase Authentication. There are plenty of examples of this.
How to protect firebase Cloud Function HTTP endpoint to allow only Firebase authenticated users?
Callable functions also make it easy to check if the end user is authenticated at the time of the call.
Another possibility might be, to use req.headers["x-forwarded-for"] in order to compare the request's source IP address. It's not exactly a domain-check, because TCP/IP does not know about the DNS, but it still could be combined with a reverse lookup (or simply a list of IP address/es). It depends on the scenario (what the function actually does), because this would also work while not being authenticated. It is from where vs. who ...be aware the another Firebase hosting on the same IP address could not be told apart, but it would rule out direct access from the client-side .
I am trying to use a 6 digit code to log-in a user.
The code is available for 20 seconds and is unique to every user.
Briefly explained:
User is already logged in on a mobile app
User press the button "Get Unique Code"
Then, user enter the code on a WebPage on his PC
If the code is correct, show data for that user
What am I asking is if there is way to properly authenticate the user who introduces that code correctly given that I have the userID and all the informations about the user?
I can try and "fake log-in" (display all the information for that user when the code is correct) but there are some issues with this and I would like to avoid it.
I am using Firebase Authentication and Firebase Firestore. JavaScript is used for Web.
You can implement any authentication scheme you want by creating a custom provider for Firebase Authentication.
See Authenticate with Firebase in JavaScript Using a Custom Authentication System and Creating Custom Tokens with the Admin SDK.
In this flow you:
Sign in the users yourself.
Create a custom token for those users in a trusted environment, such as a server you control, or Cloud Functions.
Pass that custom token to Firebase Authentication, which can then use it to identify the user, and secure access to Firestore, Storage, and Realtime Database.
I've a requirement to integrate Auth0 in our project (Reactjs/Hapijs/MySQL). I checked the documentation and they have many examples and that is great, however, I can't find any related to how exactly do I use my existing user database.
In my application I have users and those users can have one or more projects. With the authorization that we currently use, a user logs in, I check what projects does he own and send it to the React application.
I am missing a document that explains me how to use Auth0 and still be able to check in my database what projects user owns.
My idea on how that should work (I might be wrong):
User sends username and password to our server
Our server makes request to Auth0 (with provided credentials)
Auth0 replies back to our server with some token
We look in users table in our database and try to verify the existence of that user
If it is a match then we simply look (as we already do) for user projects.
Is this how it is supposed to work?
There are a few options available for scenarios where you want to integrate Auth0 with applications that already have existing user databases. You can either:
continue to use your existing store
progressively migrate your users from your custom store to the Auth0 store
You don't mention it explicitly, but judging from your expected flow it seems you would be wanting to implement the first option. There is specific documentation that you can follow that explain how you can setup your custom database connection, see Authenticate Users with Username and Password using a Custom Database. It mentions MySQL, but others database servers are supported and there are many templates that will allow you to quickly setup things.
When you complete this the final flow will be the following:
Using either Auth0 authentication libraries (Lock) or your custom UI you'll ask the user for their credentials
Either Lock or your custom UI submits the credentials to Auth0 authentication API
Auth0 authentication API validates the credentials by calling scripts that execute against your custom database (these scripts were provided by you when you configured the database connection)
If the credentials are valid the Authentication API will return a token to the calling application that will have user information and proves the users is who he say he is.
The scripts you need to provide are the following, but only one is mandatory:
Login script (executed each time a user attempts to login) (mandatory)
Create user script
Verify email script
Change password script
Delete user script
The optional scripts are only required when you want to provide the associated functionality through Auth0 libraries, if only need the login to work then you can skip them. The login script, in the case of a valid user, is also where you return the profile information of the user, for example, you could in theory include their owned projects in the user profile.
I find the documentation provided by microsoft confusing(Link).
How can I for example get an authentication token and where can I download the javascript libraries? I couldn't find any information on this.
Basically I want to know how to get the calendar of an user in my javascript webapp.
I did try sending an request to
"https://outlook.office365.com/api/v1.0/me/calendarview?startDateTime="+begin+"&endDateTime="+end"
This shows me an authentication popup but after submitting the correct username/mail and password, it doesn't do anything. There is no response back.
To get an access token, you need to use the OAuth2 Authorization Code Grant flow. https://dev.outlook.com/RestGettingStarted walks through the process. Basically you need to register your app to get a client ID and secret, then use those to go through the process.
I would like to access a user's Outlook emails with my javascript app.
Google makes this very easy using Oauth and it's restful Gmail API.
I have tried researching similar options for Outlook, but I can't seem to find a good way to authenticate a user with Oauth 2.0, then access their message inbox.
Are there any Microsoft technology experts that can point me to some resources to get started here?
I am restricted to using only client-side code as this is for a phonegap mobile application. I would like to continue using oauth-io but I realize that may not be an option.
I was having a hard time tracking down the process for getting the emails as well. Anyway, first things first, you'd need to register your app for OAuth here. This page describes some more details on the registration and also how to access the needed API.
Although you can do the calls via Javascript, there are some security issues because you'd eventually need to send your client secret. It might be safer to do some parts in the server side.
First step is getting the user to login and retrieving the access token.
https://login.live.com/oauth20_authorize.srf?client_id=[CLIENT_ID]&scope=wl.imap wl.offline_access&response_type=code&redirect_uri=[REDIRECT_URI]
On the server side, exchange the access code for an access token:
https://login.live.com/oauth20_token.srf?client_id=[CLIENT_ID]&client_secret=[CLIENT_SECRET]&code=[ACCES_CODE]&grant_type=authorization_code&redirect_uri=[REDIRECT_URI]
Get user's email and other account info (Python sample codes):
https://apis.live.net/v5.0/me?access_token=[AUTH_TOKEN]
Retrieve emails via IMAP using the email address from emails>preferences in previous reply (see more details here). It would look something like this in Python:
import imaplib
mail = imaplib.IMAP4_SSL('imap-mail.outlook.com')
username = [username]
access_token = [access_token]
auth_string = 'user=%s\1auth=Bearer %s\1\1' % (username, access_token)
mail.authenticate('XOAUTH2', lambda x: auth_string)
mail.list()
You can look at existing IMAP libraries to retrieve the actual emails from there. Here's one for python.