I want to allow users to sign in/up via GitHub and via email/password using firebase.
In the server side, I implemented using the firebase_admin SDK, the email/password like it:
user = auth.create_user(
uid=submission["id"], // customized id
email=submission["email"],
password=submission["pass"],
display_name=submission["name"] + " " + submission["lastName"])
It worked fine, but I want to get the same result when signing up via GitHub. That is, I want to be able to set my own uid. Notice that I want the code being mostly on the server side. And I want the user to click on the same button to either sign in or sign up.
I actually managed to authenticate the user with a custom uid from the server side using the next code taken from the firebase documentation:
provider_data=[ # user with Google provider
auth.UserProvider(
uid='google-uid',
...
But I don't understand how to sign in once the authentication is over. Is the sign in code should be in the client side?
Signing in always happens on the client, and never on the server. All you can do with the Firebase Admin SDK is create, delete, and modify accounts. The end user must provide credentials for that account when signing in to the client app.
Related
I am developing a web-app that uses Firebase (web client JavaScript). For authentication, I am trying to implement sendSignInLinkToEmail to sign in a user. But, I’m facing an issue.
Suppose the user is trying to login on his desktop and uses his phone for verification, I want to redirect him to the dashboard on the desktop after verification. How can I do this?
Ref: https://firebase.google.com/docs/auth/web/email-link-auth
const actionCodeSettings = { url: 'dashboardURL', handleCodeInApp: true }
This redirects to the dashboardURL on the phone (device used for verification), but I want to redirect on the desktop (device that initiated the login flow).
Firebase Authentication does not natively support this. You'll be logged in on the device where you open the link. You'll have to build this functionality yourself and a simpler approach would be to use Cloud Functions and Realtime Database.
The flow would be like:
User clicks on "send link" and is redirected to a page that listens for updates in realtime database at a key (randomly generated session ID depending on your requirements).
When a logs in on another device, call a Cloud Function that generates a custom token for signing in and then emit it the first device via realtime database.
Log the user in with signInWithCustomToken().
This is just a simplified version of a system that might use websockets, session Ids and additional factors for security. You can also use Firebase Anonymous authentication to ensure only that user can this token using security rules.
I want to maintain an account disabled until it passes the email verification.
Problem is, as a user registers itself via createUserWithEmailAndPassword, the newly created account is ready to be used.
The only way I can avoid authentication is to check email verification flag via js in client app and deny login, but I don't want to rely on client controls, I'd prefer that firebase itselfs deny the authentication until email is verified.
Is there a way to accomplish this?
You can (and should) also check if the email is verified in the back-end, either:
in security rules, if you're using Firestore, Realtime Database, or Storage
in your own backend code, using a Firebase Admin SDK
When you do this, the client-side check is nothing more than a way to show the correct UI for the current state ("hey there, your email isn't verified yet. Check your inbox, or click here to resend the email"). It's the server-side check that controls access to the data, which is precisely how you want it to be.
This has been covered quite regularly before, so also see:
the Firebase documentation on implementing role-based access control on Firestore
How do I lock down Firebase Database to any user from a specific (email) domain? (for Realtime Database)
Only let pre-verified users log into Firebase
In my project I need to link an existing email account whithout the user signed in.
I have the user's email, so I'm trying this code:
firebase.auth().getUserByEmail(useremail);
on the client side.
But it gives me the firebase.auth(...).getUserByEmail is not a function error.
Does anyone know how to get the user by email address on the client side so I can link the accounts, the existing one and the providers?
Thanks in advance.
Using sdk 17.4.5
For web clients, firebase.auth() returns an Auth object. As you can see from the API documentation, there is no getUserByEmail method. on it. You're probably looking at the API documentation for Auth from the Firebase Admin SDK, which does not work on web clients. It only works on backends running nodejs.
If you want to use getUserByEmail, you'll need to run it on a backend, and invoke that from your web client.
You should know that linking user accounts does actually require the use of this method. You link accounts after the user has signed in to both of them.
I am trying to use a 6 digit code to log-in a user.
The code is available for 20 seconds and is unique to every user.
Briefly explained:
User is already logged in on a mobile app
User press the button "Get Unique Code"
Then, user enter the code on a WebPage on his PC
If the code is correct, show data for that user
What am I asking is if there is way to properly authenticate the user who introduces that code correctly given that I have the userID and all the informations about the user?
I can try and "fake log-in" (display all the information for that user when the code is correct) but there are some issues with this and I would like to avoid it.
I am using Firebase Authentication and Firebase Firestore. JavaScript is used for Web.
You can implement any authentication scheme you want by creating a custom provider for Firebase Authentication.
See Authenticate with Firebase in JavaScript Using a Custom Authentication System and Creating Custom Tokens with the Admin SDK.
In this flow you:
Sign in the users yourself.
Create a custom token for those users in a trusted environment, such as a server you control, or Cloud Functions.
Pass that custom token to Firebase Authentication, which can then use it to identify the user, and secure access to Firestore, Storage, and Realtime Database.
I am using the Facebook login as an authentication for my PhoneGap application - once a user logs in, their data is retrieved from my database to display information. I am not using the SDK for any other purpose.
I have the Facebook auto login working fine - it retrieves an authResponse and my Facebook information. Since the access token changes with each login, what can I use to store locally and in my database to authenticate the user on my server for future logins?
Here is a flow that I think could work...
User sees logs in screen and enters Facebook credentials
Facebook securely validates and returns user information & access token
The app uses localStorage to store user email and access token
For future autologin, the localStorage values are used as email/password
I feel like this cannot be the correct answer, however.
I figured out a solution - I was confused about storing passwords on my database to fetch user information. Rather, these are the correct steps:
Use Facebook SDK to handle the login and retrieve the authResponse
Update the user table in my database with the temporary access token and retrieve user's information
For every POST or GET the user wishes to perform, I will match the FB.getLoginStatus() results from the database's access token (the check will be done server side)
If the tokens match, perform requests. Otherwise, force the user to login again.