Allowing specific actions for non signed-up users in firebase - javascript

I am starting a little learning project that would involve the following scenario:
User enters the page. There is a counter on the page which is connected to a real-time database on Firebase. He/she presses the button, the counter goes up, and the database is updated, but this user is not allowed to increase the counter anymore, even when the app is closed and he/she opens it in a couple of days.
The question is: is it possible to achieve something like this without explicitly logging the user in? So that on subsequent sessions the prohibition persists based on IP address or something. Maybe it could be achieved with local storage?
Thanks for any responses and ideas!

What you're describing requires that you can identify the app instance: the specific installation of your app on a certain device. For Firebase the easiest way to do this is using Firebase's anonymous authentication. This creates a unique identifier for the app instance, without requiring the user to enter any credentials.

Related

How to write firestore rules for one to one chat app?

I made a one to one chat app for a website using firebase and firestore. Now I want to write the firebase firestore rules for the same. The app works this way ...first if the user is sandeyshc#gmail.com then the user gets the chatids and friends gmails...then the user checks in the messages tab with chatids and get all the chat related details. Now I want to implement firestore rules for this app. How to implement it?
The best way to solve that is to use a combination of firestore rules and cloud functions.
First of all both users should have the same chat stored on different locations.
With the firestore rules you should restrict for each user to only change his own chat and only to be able to write his own messages in that chat.
When he writes his own message a cloud function should be triggered that sends a push notification to the other user and also writes that message to the chat of the other user by using admin rights in the cloud function.
That way both users have the same chat in different locations. You could do it also by giving them access to a single chat but consider in future the use case that one user can delete chats or messages. You probably don't want that one user can delete the messages from the other one.
Also one important note: avoid saving users under their email. You should always store them under the Application Auth User Uid. Emails can have chars that are not supported as database keys and you can run into other bugs in future by using the email.
Here is an example of an open source chat app made in React and Firebase. It uses the realtime database but you can easily reuse the concept. You can see there how the functions are written and how to use it on the frontend.

How to disable a user from firebase?

In the firebase API
https://firebase.google.com/docs/auth/web/manage-users
we can delete users, but how could we prevent users from simply registering again? In the GUI for Firebase we have the option to disable users; how could we do this in the program, for example if we are building an admin panel that checks posts for a listing site that have been reported, and we want to disable the creator or the reporter for spamming as part of the available actions?
Thanks.
I develop in react if that changes the answer.
To prevent the user from re-registering, you should disable the account instead of deleting it. This will prevent the user from signing in again, and from refreshing their ID token. If you want to do this programmatically, have a look at updating a user with the Admin SDKs. For example, in Node.js it'd be:
admin.auth().updateUser(uid, { disabled: true })
Keep in mind however that even after disabling the account, their existing ID token will remain valid until it expires (typically within an hour), and cannot be revoked. If you want to prevent them from posting in the meantime, you'll also want to keep a list of blacklisted/blocked UIDs somewhere, and check against that list before allowing them to write/access the data.
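The check described above, as an added example (not code from the original answer or from Firebase): a disabled account's existing ID token stays valid until it expires, so the backend consults a blocklist before accepting a write. `BlockList`, `authorizeWrite` and the sample claims are hypothetical, and `claims` is assumed to be an ID token the backend has already verified.

```javascript
// Added example: models the server-side check. All names are hypothetical;
// `claims` stands for the payload of an ID token already verified by the backend.
const TOKEN_LIFETIME_S = 3600; // assumption: the one-hour lifetime the answer mentions

class BlockList {
  constructor() {
    this.blockedAt = new Map(); // uid -> epoch seconds when the account was disabled
  }

  block(uid, now) {
    this.blockedAt.set(uid, now);
  }

  isBlocked(uid) {
    return this.blockedAt.has(uid);
  }

  // A disabled account cannot refresh its token, so once one full token
  // lifetime has passed since the disable, no valid token can remain and the
  // entry is no longer needed. Returns the uids that were dropped.
  prune(now) {
    const dropped = [];
    for (const [uid, at] of this.blockedAt) {
      if (now - at > TOKEN_LIFETIME_S) {
        this.blockedAt.delete(uid);
        dropped.push(uid);
      }
    }
    return dropped;
  }
}

// Decide whether a write may proceed. Fails closed on malformed claims.
function authorizeWrite(claims, blockList, now) {
  if (!claims || typeof claims.uid !== 'string' || !Number.isFinite(claims.exp)) {
    return { allowed: false, reason: 'unauthenticated' };
  }
  if (claims.exp <= now) return { allowed: false, reason: 'token-expired' };
  if (blockList.isBlocked(claims.uid)) return { allowed: false, reason: 'blocked' };
  return { allowed: true, reason: 'ok' };
}

// Constructed timeline: token issued at t=1000, account disabled at t=1600.
const list = new BlockList();
const spammer = { uid: 'uid-spammer', iat: 1000, exp: 1000 + TOKEN_LIFETIME_S };
list.block(spammer.uid, 1600);
console.log(authorizeWrite(spammer, list, 1700)); // denied although the token is still valid
```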
You will not be able to programmatically disable a user from the frontend of your app. You will need a backend, and use the Firebase Admin SDK to update the user account to become disabled. The API is updateUser.
Well they can always register again (in case the website is public/ not invite-only), with completely different credentials.
You can do a matching of the new data and existing blocked users, and if it matches above a threshold, flag them.
And you can improve your reporting, the faster you detect a user who should be blocked, the better.
Can't say I'm super familiar with Firebase but I'll try and help (can't hurt).
Have you tried to blacklist the IP of the user in question?
Hope I helped :)
Have a good day!

Admin, Teacher and Student, if a student is not logged out and you open a new tab trying to access admin you will bypass login

I have created a project that has admin, teacher and student. They all have login forms and redirect to different pages based on who logged in, thus I have 3 folders: student folder, admin folder and teacher folder. After each one logs in, the page will take them to the appropriate pages in their folders, but without destroying the session it redirects the user to the contents of admin pages. Personally I think it is because I put
session_start();
if(!isset($_SESSION["username"])){
    header("location:index.php?action=login");
    exit; // stop here so the rest of the page is not sent after the redirect
}
to each page. Please help: what can I add to make sure that each individual user can access what they are required to access?
You have at least 2 issues here:
You assume that opening a new tab should not share the session with other tabs. I don't remember the details on PHP sessions. But, afaik, the state is stored on the server, and it uses some magic such as cookies to figure out what is the session that you are using. Problem is that two different tabs will hardly start a new session. In fact, the only possibility I see is if the session id is passed along with each request as a url or a header - then you can pick the correct session... which is pretty seldom used because use cases where such approach is needed are limited. (tbh, running 2 different sessions in 2 tabs is not a very real scenario). If you really want to run separate sessions on the same machine, you can try to run several incognito windows.
The second, more important issue is the logic behind your application. The possibility of going to any page once you have passed a login for any of the users means that the ritual of providing 3 logins into your system is totally useless, since there are no internal checks on whether the user has rights to go to one or another page. The proper thing to do is, once you are logged in, to store the role (student, teacher, admin) as a session parameter. Then, on each page you should verify not only that the user name is set, but that the stored role matches the role definition needed to view this particular page. If the role does not match, then you should handle it appropriately. You may log the user out, or display an access error message and provide a link to redirect to an allowed page.

Firebase auth - getting a token to persist user password login

My Ionic 3 mobile app I'm currently building allows login with Firebase using both Email/Password and Facebook providers.
Everything's working great - but when the user logs in, in order to have a 'remember me' function that prevents them having to log in every time the app is closed (closing the app fully, or the system kills it), I need to be able to get some sort of token, store it, then use it later to take them straight past the authentication screen.
I've managed this already, but currently I'm storing their email and password, and I know this is a horrible thing to do. (I'm using Ionic Storage).
Is there a way to get a token that represents a user, and can be used to re-authenticate them?
I know about custom token logins, but they can only be created in NodeJS using the admin SDK - is there any solution I can run directly on the phone?
Thanks.

Session ID is duplicated, swapping the user details

I have built an e-commerce website using express.js. The authentication method used is passport.js. We store the cookie with all the information we need in redis.
Everything was fine until we started driving more traffic.
Now the problem
When user A comes to the site, logs in and makes a purchase, every day or two 2-3 customer details are wrong.
User A comes to the site and makes a purchase. The email and address of user A sometimes become the email and address of user B.
We cannot easily replicate this as this happens only once in 50 purchases, or sometimes twice in 50 purchases.
So I had to call all my contacts and check what is the wrong thing we have done. And curiously one guy replied to me that he also has the same issue. He is saying it is a problem with passport.js, and he wrote a custom authentication method to remove passport and till now he has not faced any issue. He also uses exactly my setup: NODE-EXPRESS-REDIS.
I am quoting his words here
Whenever a user logs in from one computer, open the site in another computer then refresh the page, You can see the logged in details of the first user in second computer, and this issue is not frequent but it comes once in a while
