I allow my users to modify their displayName by an input field and I would like the Firebase to validate it, avoiding bad characters like html code or similar. Firebase has a built-in input validation tool for email address, does it have for displayName also?
Create a HTTPS Callable Cloud Function trigger that can be called from your application and updates the user's info. Then keep and update the user profile in the realtime database to take advantage of the database rules to ensure the data is validated.
If the display name for example didn't meet the criteria, the database update operation would return permission denied with an error code of 1.
A successful write operation to the realtime database would mean a valid display name at which point you could go ahead with updating the user's info via the Firebase Admin SDK.
Related
I'm working on a web application which uses React and Firebase as backend.
This application shows a list of users and, for each user, I wanna know if his email has been verified.
So,
How can I check if an user's email (given an email address) has been verified ?
I already tried to do som :
firebase.auth().getUserByEmail(email).then((info)=>{
console.log("sucessfully fetched info:" +info);
})
.catch(()=>console.log("error")
But I got error, something like 'getUserByEmail is not a function'
Firebase Auth does not provide any APIs for a user to get any other user's profile data. That would be a security problem - profile data is private in Firebase Auth.
What you'll have to do is write some code that updates a database with the information you want, and have your clients query that database instead. How this happens in practice is entirely up to you. Each user account is probably going to have to update the database with its own email verification status.
I want to maintain an account disabled until it passes the email verification.
Problem is, as a user registers itself via createUserWithEmailAndPassword, the newly created account is ready to be used.
The only way I can avoid authentication is to check email verification flag via js in client app and deny login, but I don't want to rely on client controls, I'd prefer that firebase itselfs deny the authentication until email is verified.
Is there a way to accomplish this?
You can (and should) also check if the email is verified in the back-end, either:
in security rules, if you're using Firestore, Realtime Database, or Storage
in your own backend code, using a Firebase Admin SDK
When you do this, the client-side check is nothing more than a way to show the correct UI for the current state ("hey there, your email isn't verified yet. Check your inbox, or click here to resend the email"). It's the server-side check that controls access to the data, which is precisely how you want it to be.
This has been covered quite regularly before, so also see:
the Firebase documentation on implementing role-based access control on Firestore
How do I lock down Firebase Database to any user from a specific (email) domain? (for Realtime Database)
Only let pre-verified users log into Firebase
I'm currently developing an authentication system with Firebase. I'd like my system to accept email/password, Google and Facebook as sign-up and sign-in methods.
So far, so good. Everything works good when the user signs up with each method separately. The problem begins when a user wants to sign up with another method and I need to link the new method to same account that was previously registered by the same user using another method.
My examples will mention only the email/password and Google methods.
Note: my Firebase auth system is set to accept only 1 account per email.
Example1 (works fine):
User register for the first time with Google
Perfect! I get his details and write it to the Firestore using the userID created by the auth system.
User tries to register again, now using his email/password (the same email from his 1st register with Google)
I get an error saying that the email is in use, I let the user know that he already registered with Google and I ask him to sign-in again with Google
Then, once he's signed in with Google, I let him create a password inside his account page.
I'll take that password and link it to his pre-existing account (which he is currently signed in) that was made when he first signed up with Google.
Great! Now I have a user that can login with either Google or his password.
Example 2 (the problem):
User registers for the first time using his email/password. Note that his email is one from Google (gmail).
Perfect! I get his details and write it to Firestore using the userID created by the auth system.
User tries to register again, now using Google sign-in method (with the same email).
Apparently everything works OK and the user signs in just fine.
But the fact is that, without any warnings, Firebase authentication has discarded his email/password method and replaced it with only the Google sign-in method.
Google Group - Firebase Talk - About this issue
From the link above and some other related questions here on StackOverflow, I understood that this behavior is like this because of security issues, and that is why Google has a "higher precedence" over other auth providers, since you can really trust those users and their emails.
But to remove a password that a user has created seems wrong to me. Not to mention doing it without any warnings.
And also, this seems to be in conflict with the following Firebase help page:
Firebase Help - Allow multiple accounts with the same email address
From the help page linked above:
You can configure whether users can create multiple accounts that use
the same email address, but are linked to different sign-in methods.
For example, if you don't allow multiple accounts with the same email
address, a user cannot create a new account that signs in using a
Google Account with the email address ex#gmail.com if there already is
an account that signs in using the email address ex#gmail.com and a
password.
From the excerpt above, what I understand is that I shouldn't be able to create the account using Google, if I have created it previously using a email/password combination. But that is not what happens, as per Example 2. Very strange!
Now the real question:
Since I'll not be able to change Firebase behavior, I'm thinking about changing my Firebase auth system to allow multiple accounts per email and handle all my users data in Firestore using their email as the primary key (instead of using the userID of the Firebase auth system), since every combination of email/sign-in method will be considered a different account in the Firebase auth system and therefore each one will have a different userID.
Ex:
johndoe#gmail.com / password = UserID X
johndoe#gmail.com / Google sign-in = UserID Y
johndoe#gmail.com / Facebook sign-in = UserID Z
All of the accounts above will store and access data in the Firestore using the johndoe#gmail.com as the "primary-key" (collection).
But since I'm early in my development, this seems a bit "hacky" I might bring some complications in the future.
What do you recommend? The main goal here is to let my users sign-up and sign-in using any method that they want to. All of the methods should allow them to access their data in my application (that will be in Firestore).
I refuse to silently delete a user's password that they previously created just to let them sign-up and in with Google.
Any other ideas or comments?
Sorry for the long question, but I think it illustrated the problem well.
One option is to enforce password users to verify their email address right after they sign up. In the example #2, Firebase will keep the account's existing password if the email address has been verified e.g. by sending a verification link to the email address and the user has clicked the link.
I have to update a document from the settings menu of my web app. I'm using cloud firestore as my db service. When updating the document, I want to send those data with the verification password so that it will be re verifing the user before updating. This cannot be done in the front end because of the security reasons. Is there any way of doing it?
First of all you need to understand what you want to do?
If you need to deal with updating some document by current user (in our case user should be authenticated), so you can use Firestore Security rules. In short firestore rules help you to restrict access to your database: you can do check if user is authenticated or not, validate data before write and more. All these checks are being done on the server side, so you need not worry about your webapp. For more read official docs.
On the other hand you can use firebase cloud functions and manually send http request with Authorization header. To perform this action you need token from firebase. You can generate it by calling method on your currentUser. For more read this doc.
Edit: If you want re-verify with password you can signIn user with password again and do next operation
I am trying to remove a user programatically from my firebase. The method removeuser takes 2 arguments, email and password. Now email is not hard to find out since this is stored in the auth variable + I am adding it in my database when a user is created. However, how am I supposed to find out the password from the user?
When I create a user I do add the generated md5_hash information with this user in my database. However, I can not convert this value back to the real password.
I also obviously do not want to store the real password in the database since this is just asking for problems.
So I'm wondering, is there anything overly obvious I am missing here on how to remove a user programatically from the database, with his password? (Why do I actually even need his password to remove him?)
EDIT: To clarify, I am only allowing an admin to delete users, so he has a list of every user that has been created in my firebase. Having a user delete his own user account is still not so easy since (I presume) the firebase hashing algorithm is not public, so there's no way for me to check if he did input the correct password.
Firebase Simple Login is a service built on-top of Firebase Custom Login, and provides useful primitives for authenticating users via common means.
By design, Firebase Simple Login does not give you access to the users' passwords programmatically, as it only increases the risk that they are not handled or stored securely. Today, the only two methods that can be used to remove an email / password hash mapping is either via the client API using the email and password, or via the admin panel at https://<YOUR-FIREBASE>.firebaseio.com.
Keep in mind that when using email / password login, Firebase Simple Login simply creates a new mapping between an email address and a password hash, but does not store any information in your Firebase. Also note that there is no way to "blacklist" a user id, so if you remove the mapping, the user could re-create it.
If you want to ban / block users, a better approach would be to create a new list in Firebase of your "blacklisted" users, and then use security rules to ensure that that user is in the list (i.e. user is blocked if root.child('blocked-users').hasChild(auth.uid)).