In the firebase API
https://firebase.google.com/docs/auth/web/manage-users
we can delete users, but how could we prevent users from simply registering again, in the GUI for firebase we have the option to disable users , how could we do this in the program, for example if we are building a admin panel that checks posts for a listing site that have been reported, and we want to disable the creator or the reporter for spamming as part of availiable actions.
Thanks.
I develop in react if that changes the answer.
To prevent the user from re-registering, you should disable account instead of deleting it. This will prevent the user from signing in again, and from refreshing their ID token. If you want to do this programmatically, have a look at updating a user with the Admin SDKs. For example, in Node.js it'd be:
admin.auth().updateUser(uid, { disabled: true })
Keep in mind however that even after disabling the account, their existing ID token will remain valid until it expires (typically within an hour), and cannot be revoked. If you want to prevent them from posting in the meantime, you'll also want to keep a list of blacklisted/blocked UIDs somewhere, and check against that list before allowing them to write/access the data.
You will not be able to programmatically disable a user from the frontend of your app. You will need a backend, and use the Firebase Admin SDK to update the user account to become disabled. The API is updateUser.
Well they can always register again (in case the website is public/ not invite-only), with completely different credentials.
You can do a matching of the new data and existing blocked users, and if it matches above a threshold, flag them.
And you can improve your reporting, the faster you detect a user who should be blocked, the better.
Can't say I'm super familiar with Firebase but ill try and help (can't hurt).
Have you tried to blacklist the IP of the user in question?
Hope I helped :)
Have a good day!
Related
A hacker was able to create users in my client side based firebase site, I was restricting account creating by some sign up conditions on user's signup form data, I think he just injected signup code,
I immediately disabled authentication and removed the malicious accounts
If I used firebase cloud functions, will this hack still be able to create accounts, since firebase configuration was available to any client
are there any other actions ?
Update 4-9-2022
as temporary solution until using cloud functions, I made use of
making conditions using
https://firebase.google.com/docs/database/security/rules-conditions
if a user was created bypassing my logic I will make rules to disallow him from accessing certain paths
If you didn't do this already. You could fix this by adding some email verifier functionality. Or maybe try adding a captcha
Also check out: https://firebase.google.com/docs/auth/web/email-link-auth
Blocking the user by IP-address is pretty useless, so I can't really come up with another solution.
One question that you could ask yourself is, What is the reason they are doing this? If it is nothing too serious you could just accept and delete all those accounts after the "hacker" stopped making accounts.
I'm using react-native and firebase for my login/signup system.
I want to add the feature that when you signup with a mail and password you receive first a mail that you need to confirm before you can use that account for logging in.
I searched for documentation about it but i couldnt find anything that really fits to the feature.
This have been covered quite a few times before, so I recommend searching for previous answers. For example: https://stackoverflow.com/search?q=%5Bfirebase-authentication%5D+verified+before+sign+in
But nowadays I'd probably use an email link to sign in to Firebase, since that automatically ensures the email account exists.
I didn't work a lot with firebase but iirc there was a way to return a token when signing up and sending it when signing in later.
There is also a way that doesn't involve tokens which is to add a boolean to your DB and send an email with a certain randomly generated id. When the user clicks on the link in the email, you could then send that key to the backend and set the boolean to true.
This approach works as I personally tried it before but it needs effort to make.
Is it anyhow possible to check from a website with paypal js client lib and API's whether a user/customer has already payed for a digital downloadable good?
Is it possible to check whether the user has a valid subscription (which is payed)?
Is it possible to allow a purchase only once and paypal redirects the user back with a notice he already has purchased it?
What I like to achieve:
If the user has already payed for a document/subscription, he should not need to
pay a second time but rather directly get the download. My idea, if
the user previously payed for it, I'd like to replace the paypal pay
button with a download button.
The whole check should happen from the Website and not
server-to-server communication.
Download must no be secured if not payed. I do know this may NOT be secure and the user may be able to download the document without paying. That is okay, because this is a test whether the user is willing to pay for something and implementation should be as simple as possible for now.
I lack to find the functionality within the PayPal API's. I found the list payments, but for me this seems more like a server to server API or?
How do you know who the "user" is when they visit your site? Are you proposing having them log in to your site with their PayPal account? (Connect with PayPal integration?). That would be very unusual, and unsuitable for people who paid with PayPal as a guest.
So what you are proposing is somewhere between impractical and not possible.
Instead, you need to authenticate the user yourself -- provide them with a username/password to login, for example, or a unique link, though be warned such links could be shared. Then, once authenticated, check your own database as to whether they paid/subscribed or not. You need to maintain your own records.
Expecting a payment processing service to somehow do any of this for you is a misplaced expectation.
Typical implementations are to send an email with the download link, or to use a digital product delivery service such as for example e-junkie
I am new to Javascript and have been using a global boolean hasAccessPermissions that retrieves data from an API to store if the user has admin privileges or not.
And with this data, I am showing some elements of the screen only to admin users. However, I've been told that it is a security breach, since the non-admin user has access to this code and can see and alter what he sees by editing my boolean locally.
How can I hide UI elements based on user access privileges in JS 'the correct way' ?
Answering my own question, since it's been a while without an answer.
You don't. Everything that runs in JS can be viewed and modified by the user, you would need to handle user permissions on the server-side.
I am curious about submitting a form data internally.
Here is an example.
I want to register an account for a website. The website will give a form to register which upon submitting will create an account for me.
But I don't want to go to that site. Instead I'll give a form in my style and collect the same information. Upon submit, I want to create the account automatically. Automatically in the sense, I'll submit the form internally.
The reason why I need this feature is, I don't want my users to create a separate account in another website also. I mean it should save user's time in creating account only. Rest of the things will be taken care by me.
Please let me know if anyone had tried this and had success.
I know it is very difficult for existing accounts and some internal errors. But I also need to track them.
Please let know if this is possible or not.
An Example
There is site called othersite.com which has a form for creating / registering users.
I will a similar form to the user on mysite.com. But upon submit the form information is sent to both mysite.com and othersite.com. Both sites create accounts parallelly with a single form submission.
Unless you are working with AJAX requests and CORS enabled sites, which I assume is not the case, client side technologies ( browser/javascript ) will not help you much to do that.
You have to ask yourself what are the options to integrate with the second site in order to automatically create the account. Following some common patterns used these days:
REST API: You have an url where you can use HTTP to talk to and ask to create the account. Many social networks and other popular services usually expose it. Facebook API
Database: Although it is less recommended you could just insert a new record into the account table if you own and have access to the database used by the second site.
Client Libraries: Some sites provide client libraries so that you can use them together with your project code base. Eg: Twitter Libraries