I am trying to remove a user programatically from my firebase. The method removeuser takes 2 arguments, email and password. Now email is not hard to find out since this is stored in the auth variable + I am adding it in my database when a user is created. However, how am I supposed to find out the password from the user?
When I create a user I do add the generated md5_hash information with this user in my database. However, I can not convert this value back to the real password.
I also obviously do not want to store the real password in the database since this is just asking for problems.
So I'm wondering, is there anything overly obvious I am missing here on how to remove a user programatically from the database, with his password? (Why do I actually even need his password to remove him?)
EDIT: To clarify, I am only allowing an admin to delete users, so he has a list of every user that has been created in my firebase. Having a user delete his own user account is still not so easy since (I presume) the firebase hashing algorithm is not public, so there's no way for me to check if he did input the correct password.
Firebase Simple Login is a service built on-top of Firebase Custom Login, and provides useful primitives for authenticating users via common means.
By design, Firebase Simple Login does not give you access to the users' passwords programmatically, as it only increases the risk that they are not handled or stored securely. Today, the only two methods that can be used to remove an email / password hash mapping is either via the client API using the email and password, or via the admin panel at https://<YOUR-FIREBASE>.firebaseio.com.
Keep in mind that when using email / password login, Firebase Simple Login simply creates a new mapping between an email address and a password hash, but does not store any information in your Firebase. Also note that there is no way to "blacklist" a user id, so if you remove the mapping, the user could re-create it.
If you want to ban / block users, a better approach would be to create a new list in Firebase of your "blacklisted" users, and then use security rules to ensure that that user is in the list (i.e. user is blocked if root.child('blocked-users').hasChild(auth.uid)).
Related
I am creating a "masquerade" admin log in system where admins can log into different user's accounts.
I am using a passport/express authentication system. I am trying to figure out a way to sign into another user's account while they are signed in as an admin.
My current strategy is to modify the req.user object and switch the password and username on the user object, then forward the modified user object to the login function in order to sign in as a different user. Is this possible or should I find a different way about this?
Thank you!
I assume you are using express-session.When you are serializing user, what happens is that express-session put your user info into your session.You can change the info that you re putting in your session. You might add something like "currentAccount" if the user is admin. If admin changes to a user account, you may also create a new session with a new account or you might looking for a cookie/session manupilation library and change info in the current session. With deserializing, you can reach session info in your req.session.passport and your currentAccount info will be also in req.session.passport
I'm currently developing an authentication system with Firebase. I'd like my system to accept email/password, Google and Facebook as sign-up and sign-in methods.
So far, so good. Everything works good when the user signs up with each method separately. The problem begins when a user wants to sign up with another method and I need to link the new method to same account that was previously registered by the same user using another method.
My examples will mention only the email/password and Google methods.
Note: my Firebase auth system is set to accept only 1 account per email.
Example1 (works fine):
User register for the first time with Google
Perfect! I get his details and write it to the Firestore using the userID created by the auth system.
User tries to register again, now using his email/password (the same email from his 1st register with Google)
I get an error saying that the email is in use, I let the user know that he already registered with Google and I ask him to sign-in again with Google
Then, once he's signed in with Google, I let him create a password inside his account page.
I'll take that password and link it to his pre-existing account (which he is currently signed in) that was made when he first signed up with Google.
Great! Now I have a user that can login with either Google or his password.
Example 2 (the problem):
User registers for the first time using his email/password. Note that his email is one from Google (gmail).
Perfect! I get his details and write it to Firestore using the userID created by the auth system.
User tries to register again, now using Google sign-in method (with the same email).
Apparently everything works OK and the user signs in just fine.
But the fact is that, without any warnings, Firebase authentication has discarded his email/password method and replaced it with only the Google sign-in method.
Google Group - Firebase Talk - About this issue
From the link above and some other related questions here on StackOverflow, I understood that this behavior is like this because of security issues, and that is why Google has a "higher precedence" over other auth providers, since you can really trust those users and their emails.
But to remove a password that a user has created seems wrong to me. Not to mention doing it without any warnings.
And also, this seems to be in conflict with the following Firebase help page:
Firebase Help - Allow multiple accounts with the same email address
From the help page linked above:
You can configure whether users can create multiple accounts that use
the same email address, but are linked to different sign-in methods.
For example, if you don't allow multiple accounts with the same email
address, a user cannot create a new account that signs in using a
Google Account with the email address ex#gmail.com if there already is
an account that signs in using the email address ex#gmail.com and a
password.
From the excerpt above, what I understand is that I shouldn't be able to create the account using Google, if I have created it previously using a email/password combination. But that is not what happens, as per Example 2. Very strange!
Now the real question:
Since I'll not be able to change Firebase behavior, I'm thinking about changing my Firebase auth system to allow multiple accounts per email and handle all my users data in Firestore using their email as the primary key (instead of using the userID of the Firebase auth system), since every combination of email/sign-in method will be considered a different account in the Firebase auth system and therefore each one will have a different userID.
Ex:
johndoe#gmail.com / password = UserID X
johndoe#gmail.com / Google sign-in = UserID Y
johndoe#gmail.com / Facebook sign-in = UserID Z
All of the accounts above will store and access data in the Firestore using the johndoe#gmail.com as the "primary-key" (collection).
But since I'm early in my development, this seems a bit "hacky" I might bring some complications in the future.
What do you recommend? The main goal here is to let my users sign-up and sign-in using any method that they want to. All of the methods should allow them to access their data in my application (that will be in Firestore).
I refuse to silently delete a user's password that they previously created just to let them sign-up and in with Google.
Any other ideas or comments?
Sorry for the long question, but I think it illustrated the problem well.
One option is to enforce password users to verify their email address right after they sign up. In the example #2, Firebase will keep the account's existing password if the email address has been verified e.g. by sending a verification link to the email address and the user has clicked the link.
I am creating a login for my chrome extension where I am going to be using the firebase email and password.
I am going to be putting the create User firebase code on my website and when someone can enter in there email and the script will create a random set of digits and set that as the password. It will then email that password to the user and the user uses the email he entered and the random digit password he received via email to login.
My question is If a user signs up and then logs in with his email and password. Whats to stop him from giving that email and password to his friend and he also logs in. I want to control the amount of users I allow within my chrome extension and only want the person who logged in to use the chrome extension (I want so the login can only be used once) Is this possible for firebase or not?
Also If anyone knows a simpler method than that I described above with sending the email please let me know becuase to do that above I have to create something that sends an email and creates the password.
I would also like to know if firebase has something where I can set a date on a user and after that date passes the user is logged out and has to register again.
But my main question is that if a user where to register if he has the ability to share the login with his friend or if only he can use it.
I really appreciate your reply and help on my issue in advance Thanks A lot.
You'll likely have to do this from the server side (e.g. in a Cloud Function).
One option would be to use the session management features in the auth admin SDK: https://firebase.google.com/docs/auth/admin/manage-sessions - if you report back from the extension with the logged in user, you can revoke access for users who are seen in too many places at the same time. This limit might not be 1 - you may want to allow your users to log in on multiple machines at once.
For even more control, look at the option for managing your own session cookie: https://firebase.google.com/docs/auth/admin/manage-cookies - this allows you to set your own expiry and control the logged in state more granularly.
I am just developing a Web-Add-In for Outlook 2016. I would like to save username and password, so the user does not need to fill in this data every time.
How can you realize this in a secure way with JavaScript? Code Snippets are welcome.
I would like to separate your question into two as follow ...
I would like to save username, so the user does not need to fill in this data every time.
There is very convenient object in Office.js API: RoamingSettings. The settings created by using the methods of the RoamingSettings object are saved per add-in and per user. That is, they are available only to the add-in that created them, and only from the user's mail box in which they are saved. Basically username is the perfect candidate to be stored in this object.
I would like to save password, so the user does not need to fill in this data every time.
The RoamingSettings object should not be used for the passwords, tokens and other authentication data. Documentation clearly stated the following ...
While the Outlook Add-in API limits access to these settings to only the add-in that created them, these settings should not be considered secure storage. They can be accessed by Exchange Web Services or Extended MAPI. They should not be used to store sensitive information such as user credentials or security tokens.
As the common sense, storing user password into insecure store is bad idea. Even storing hash of the password is not that great as JavaScript code is very exposed to the client and user password may be subject to dictionary attack as you will not be able to hide your salting / peppering with JS. The user should authorize to your service (add-in) every time. Bottom line: DO NOT store the user password insecurely in the mailbox.
I want to add a new data to firebase authentication which has data like displayname, phone number, image. But i want to add more such gender, birthday and more. is it possible to add new?
There is no way to add arbitrary additional data to Firebase Authentication user profiles. If you want that, consider using the Firebase Realtime Database (or Cloud Firestore) for storing the additional information.
This approach has been covered in quite a few questions in the past, so I'll link you to those:
Firebase: setting additional user properties
Add extra User Information with firebase
How do I link each user to their data in Firebase?
Swift & Firebase - How to store more user data other than email and password?
Store additional information during registration with Firebase in Android
How to add additional information to firebase.auth()
Since a few weeks ago you can add small bits of information to the Firebase Authentication user profile. While this might sound like what you need, it is explicitly not meant for storing user metadata such as you need. Instead this is intended for storing so-called claims: properties about the user that you then access in the security rules. See the documentation for setting custom claims.
I had the same problem when introducing user roles for authorization in my React with Firebase application. Somehow I wanted to be able to pass a roles property to the authenticated user, but found myself again in Firebase's restrictive framework of doing it their way.
I found a way around it by (1) managing users myself in the Firebase database and (2) merging the authenticated user with the database user when the application loads. Then I am able to add additional user properties (e.g. roles) to my database user, because it will be merged with the authenticated user anyway.
If you are interested in this approach, checkout this tutorial.