On my Firebase App: Any user can delete my Firebase App by just executing 'firebase.app().delete'. How do I prevent that from happening?
I tried to block the script by going to Firebase > Authentication > Settings > User Actions > Unchecking "Enable Delete". That did not work.
I tried to splice out the .delete in the firebase.app() by executing 'firebase.app().remove('delete')' but it still does not work.
None of them work. How do I fix this? My Firebase version is 8.6.0.
The firebase.app().delete() just deletes the instance of the Firebase client, and that essentially means none of the related Firebase services will work unless the user refreshes the page. This has nothing to do with Firebase Authentication and does not delete the user's account.
If you are trying to prevent the user from deleting their account by running firebase.auth().currentUser?.delete(), then you can uncheck Enable delete from Authentication settings.
I am working on an application using Firebase and Node as Back-End.
My app has admin access and I want to create temporary access to users' accounts.
I also wanted to have a history of all the logins on a user's account with information such as web browser, localisation, etc. for security purposes.
My idea is to create a one-time-use temporary auth token for a user and give it to the auth function from Firebase.
But I want to stay connected as an Admin still, so I thought about an iFrame inside the main window.
I am having trouble finding information on the web, and wanted to know if you had any leads or better ideas/ways to do it.
Thanks in advance,
Firebase Authentication on its own does not provide a log of user sign-in actions, but with the new, optional Firebase Authentication with Identity upgrade you get User activity and audit logging. From the feature overview:
User activity and audit logging
Monitor and log administrative access and end-user activity.
When you upgrade your project, you automatically enable admin activity audit logs in Cloud Logging. You can also enable user activity logging on the Authentication Settings page of the Firebase console.
To learn how to view and analyze your logs, see the Cloud Logging documentation.
Creating a custom token for the user you want to impersonate and then using that to sign in should work. If you want to sign in with two different users, you can create two instances of FirebaseApp, and sign in to the auth member for each user.
I just realized I built a web app around a bug.
I use firebase authentication to log in the user. Then I use the user-uid from firebase to find the user with the id in mongodb. The connection between firebase and mongodb works, but when I close the browser, use a different browser or connect to the local server via phone, the user is still logged in. So one user logs in and every client which is connected to the server is logged in with the same data unless someone presses "Logout" or the server gets restarted.
I tried to set a persistence with firebase.auth().setPersistence(firebase.auth.Auth.Persistence.SESSION) but then I get the error Error: The current environment does not support the specified persistence type.
Why does the server save the logged-in user, and how can I fix that? :(
For people who landed on this by search engines:
I solved this by recoding the login system to a cookie based authentication.
You can use the tutorial by firebase:
https://firebase.google.com/docs/auth/admin/manage-cookies
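The symptom in the question and the cookie-based fix in the answer, side by side, as an added example that is not code from the post or from Firebase. It assumes the cause is a single sign-in state held in the server process (the question does not show its code); the class names, uid and TTL are constructed for illustration, and no Firebase SDK is involved.

```javascript
const crypto = require('node:crypto');

// Buggy pattern (assumed cause): ONE signed-in user for the whole process,
// so every browser or phone that reaches the server sees the same login.
class SharedAuthServer {
  constructor() { this.currentUser = null; }
  login(uid) { this.currentUser = uid; return {}; } // no cookie is issued
  whoAmI(_cookies) { return this.currentUser; }     // ignores who is asking
  logout() { this.currentUser = null; }
}

// Cookie-based pattern: each client holds its own unguessable session id.
class CookieSessionServer {
  constructor(ttlMs = 60 * 60 * 1000) {
    this.sessions = new Map(); // sessionId -> { uid, expiresAt }
    this.ttlMs = ttlMs;
  }
  login(uid, now = Date.now()) {
    const sid = crypto.randomBytes(32).toString('hex');
    this.sessions.set(sid, { uid, expiresAt: now + this.ttlMs });
    // In a real response this goes out as Set-Cookie with HttpOnly; Secure; SameSite.
    return { session: sid };
  }
  whoAmI(cookies, now = Date.now()) {
    const entry = this.sessions.get(cookies.session);
    if (!entry) return null;                 // no cookie or unknown id
    if (entry.expiresAt <= now) {            // expired: drop and reject
      this.sessions.delete(cookies.session);
      return null;
    }
    return entry.uid;
  }
  logout(cookies) { this.sessions.delete(cookies.session); }
}

function demoSharedVsCookie() {
  const shared = new SharedAuthServer();
  shared.login('alice-uid');                 // constructed uid, laptop logs in
  const perClient = new CookieSessionServer();
  const laptopCookies = perClient.login('alice-uid');
  return {
    phoneSeesOnShared: shared.whoAmI({}),    // phone sent no cookie at all
    phoneSeesOnCookie: perClient.whoAmI({}),
    laptopSeesOnCookie: perClient.whoAmI(laptopCookies),
  };
}
```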
My goal is to log out a user from the web app if the user is logged in from another browser.
Example: If the user is logged in on Chrome and now the user is trying to log in on Firefox, then the user should be logged out from Chrome.
Is there a solution to remove only that particular token from Firebase?
I have already used revokeRefreshTokens method to revoke the tokens. But that won't work because this method will remove all the tokens. Which means also the token in mobile app. So if the user logs into a browser then the user will be logged out from the app. The below code is the one I used
admin.auth().revokeRefreshTokens(uid);
Is there a solution to remove a single user token from Firebase? Thanks in advance.
You have to manage the session. PassportJS has such functions. See this post:
Express.js + Passport.js : How to restrict multiple login by the same user?
Since you are trying to do that with Firebase, here try this:
How to prevent simultaneous logins of the same user with Firebase?
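One way to manage the session yourself so that a new browser login displaces only the previous browser session and leaves the mobile app alone, which revokeRefreshTokens(uid) cannot do. This is an added example, not code from the post or from the linked answers; SessionRegistry, the platform labels and the uid are hypothetical, and verifying the Firebase ID token before signIn is assumed to happen elsewhere.

```javascript
const crypto = require('node:crypto');

class SessionRegistry {
  constructor() {
    this.active = new Map(); // key(uid, platform) -> the one valid session id
  }
  static key(uid, platform) {
    return JSON.stringify([uid, platform]); // unambiguous even if uid contains ':'
  }
  // Call only after the user's ID token has been verified server-side (not shown).
  signIn(uid, platform) {
    const sessionId = crypto.randomBytes(16).toString('hex');
    // Overwrites the previous session for this uid on THIS platform only.
    this.active.set(SessionRegistry.key(uid, platform), sessionId);
    return { uid, platform, sessionId }; // store in the client's session cookie
  }
  // Check on every authenticated request; a displaced session fails here.
  isCurrent(session) {
    const expected = this.active.get(SessionRegistry.key(session.uid, session.platform));
    if (!expected || typeof session.sessionId !== 'string') return false;
    const a = Buffer.from(expected);
    const b = Buffer.from(session.sessionId);
    return a.length === b.length && crypto.timingSafeEqual(a, b);
  }
  // A stale session must not be able to sign out the one that replaced it.
  signOut(session) {
    if (!this.isCurrent(session)) return false;
    return this.active.delete(SessionRegistry.key(session.uid, session.platform));
  }
}

function demoSingleWebSession() {
  const reg = new SessionRegistry();
  const mobile = reg.signIn('uid-123', 'mobile'); // constructed uid
  const chrome = reg.signIn('uid-123', 'web');
  const firefox = reg.signIn('uid-123', 'web');   // displaces chrome only
  const staleSignOut = reg.signOut(chrome);       // ignored: chrome is no longer current
  return {
    chrome: reg.isCurrent(chrome),
    firefox: reg.isCurrent(firefox),
    mobile: reg.isCurrent(mobile),
    staleSignOut,
  };
}
```

The registry lives in memory here; with more than one server process it has to sit in a shared store.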
SOLVED
I am trying to put authentication on Firebase. I finished my code, and, when I tried it, it says:
The given sign-in provider is disabled for this Firebase project. Enable it in the Firebase console, under the sign-in method tab of the Auth section.
I tried to search on YouTube and Google. But I didn't find anything.
The message is telling you exactly what to do, go to the firebase console of your project and turn the corresponding auth methods on. If you are only trying to use Gmail (Google) login, then just enable Google in the sign-in methods inside the Authentication tab, like this:
Also, make sure that you only put the sign-in options that you need and have turned on inside the signInOptions parameter. If Google is the only one you want, then just put firebase.auth.GoogleAuthProvider.PROVIDER_ID and remove everything else.
The issue is telling you that you are trying to use the Firebase auth service but you have not enabled it in Firebase, so please visit the Firebase console of your project and enable it. It may be phone, Gmail, email/password or anything else; just enable it, like this image added below:
I've been looking through the Google Sign-In guides and it says to use the signOut function (https://developers.google.com/identity/sign-in/web/sign-in) for its self-described purpose. I understand that it doesn't sign you out of Google (that would be frustrating), but I don't understand what it actually does. Does it switch some "logged in" variable from true to false? If so, how do I check it? The reference doesn't provide much detail: https://developers.google.com/identity/sign-in/web/reference#googleauthsignout
The way Google Sign-In for Websites works is that users coming back to your website will be automatically signed-in with no prompt or action necessary.
When using signOut() this doesn't happen and the user will have to sign in again. Signing out doesn't revoke any permissions though, but only removes any currentUser information from the current session.
When the user then decides to sign-in again they will be logged in right away without a new permission prompt.
To disconnect a user completely and revoke all permissions/tokens there's the extra disconnect() method.
One thing to note is that the signOut functionality only works if you have deployed your website to some hosting. So if you are testing on localhost you won't see the expected behavior. Not sure why that is the case, but I have encountered this problem in the past, but signOut worked as expected as soon as the website was deployed.
To keep your website updated with the current sign-in state you should be listening to isSignedIn and/or currentUser changes, that will also trigger when the user signs out: https://developers.google.com/identity/sign-in/web/listeners