I just realized I built a web app around a bug.
I use firebase authentication to login the user. Then I use the user-uid from firebase to find the user with the id in mongodb. The connection between firebase and mongodb work but when I close the browser, use a differnt browser or connect to the localserver via phone the user is still logged in. So one user loggs in and every client which is connected to the server is loggd in with the same data unless someone presses "Logout" or the server gets restarted.
I tried to set a persistence with firebase.auth().setPersistence(firebase.auth.Auth.Persistence.SESSION) but then I get the error Error: The current environment does not support the specified persistence type.
Why does the server saves the loggd in user, how can I fix that? :(
For people who landed on this by search engines:
I solved this by recoding the login system to a cookie based authentication.
You can use the tutorial by firebase:
https://firebase.google.com/docs/auth/admin/manage-cookies
Related
I am working on an application using Firebase and Node as Back-End.
My app has an admin access and I want to create temporary access to users accounts.
I also wanted to have a history of all the logins on users account with infos such as web browser, localisation etc... for security purposes.
My idea is to create a one time use temporary auth token for an user and give it to the auth function from Firebase.
But I want to stay connected as an Admin still, so I thought about an iFrame inside the main window.
I am having trouble finding infos on the web, wanted to know if you had any leads or better ideas/way to do it.
Thanks in advance,
Firebase Authentication on its own does not provide a log of user sign-in actions, but with the new, optional Firebase Authentication with Identity upgrade you get User activity and audit logging. From the feature overview:
User activity and audit logging
Monitor and log administrative access and end-user activity.
When you upgrade your project, you automatically enable admin activity audit logs in Cloud Logging. You can also enable user activity logging on the Authentication Settings page of the Firebase console.
To learn how to view and analyze your logs, see the Cloud Logging documentation.
Creating a custom token for the user you want to impersonate and then using that to sign in should work. If you want to sign in with two different users, you can create two instance of FirebaseApp, and sign in to the auth member for each user.
I'm a newbie in React Native and struggling in handling the state of authentication in my app.
I'm using Redux and haven't persisted the authentication state to silently log user in yet. I've added Firebase authentication
Basically what I want is when a user signs in, he will be signed out by the app when that same account signs in in a different device.
Or at least, can we disable the activity of the old user ?
Can anyone please guide me stages and requirements in order to achieve this ?
Thanks in advance!
You can not automatically signout the other/old user but check the authentication token while calling any API by the old user.
While you are logging in from a new device just generates an authentication token on firebase. And from the very next pass that token through header while calling any API.
This is the logic.
My goal is to logout a user from the web app in the user is logged in another browser.
Example: If the user is logged in chrome and now the user is trying to log in firefox then the user should be logged out from chrome.
Is there a solution to remove only that particular token from firebase
I have already used revokeRefreshTokens method to revoke the tokens. But that won't work because this method will remove all the tokens. Which means also the token in mobile app. So if the user logs into a browser then the user will be logged out from the app. The below code is the one I used
admin.auth().revokeRefreshTokens(uid);
Is there a solution to remove a user token alone from firebase. Thanks in advance.
You have to manage the session. PassportJS have such functions. See this post:
Express.js + Passport.js : How to restrict multiple login by the same user?
Since you are trying to do that with Firebase, here try this:
How to prevent simultaneous logins of the same user with Firebase?
Am trying to make an app that runs both online and offline but i want my user to be authenticated or to be logged in once. So after the initial login i want them not to be able to see the login form again, i want to show them a new part of the app. They should be only to see the login form only when they decide to logout. My problem is that it would have been easier for me to do this if they are always online but they might be offline too so i just need them to login once and next time they boot up the app they wont see the login form again rather they would see something else.
There is no authentication offline. Authentication is made so that the server-side makes sure it is used by a given identity because you can never trust the client-side. If there is no server-side, there is no authentication process.
If you just want to let the user use your application, even though he is online, why don't you store a local copy of the user profile within the local storage after a successful authentication? (with only non critical data of course).
This way, your application can rely on its memory to fetch the user profile and not the server while it is offline.
You could save an kind of "userIsAuthenticated"-Flag to local storage (see https://facebook.github.io/react-native/docs/asyncstorage.html).
Based on this flag you could decide which screen the user see on startup.
But be aware, it could drive your Users crazy, if they have allways to relogin, if the network-connection (maybe cause of bad 3g/4g) was Interrupted.
You also give a notice if a user is offline, that they have to be online to use this app.
BTW: To request if a user has Network-Connection you can use: http://facebook.github.io/react-native/releases/0.48/docs/netinfo.html#netinfo.
Don't forget to set permissions in AndroidManifest.xml to be allowed to use the request.
I have a self-hosted parse server (https://github.com/ParsePlatform/parse-server), I have some cloud code on my parse server to register the user because i'm using a custom authentification method. (has described here: http://blog.parse.com/announcements/bring-your-own-login/).
The flow works that way:
Start custom login process on client (ios)
Call a custom "registerUser" function in my cloud code to finish auth process
In the cloud code :
Validate my user (part of my custom authentification)
Sign in the user to parse (if it does not exists)
Login the user to parse
Send the login session token back to the client
Back in my client, "become" the user with the session token
My problem
I have a valid Session object for my user, which match the session token returned to the client. BUT, the installationID of the session does not match the Installation object of my user.
This is a problem because when I try to send a push notification to a specific user, I find the session, but can't find any installation corresponding to that session.
The installationID from the session comes from the cloud code, or parse server itself instead of coming from the user device.
Hypothesis
Either I am missing a step in the cloud code to associate the session (and thus user session token) to the user installation.
Or maybe there is a bug with the installationID in the session which does not correspond to any Installation in my database. I think this installationID comes from the parse server because it changes everytime I restart the server and become the session is created from the cloud code (login is done from the cloud code).
Can someone understand the problem and have a fix or a workaround for that ?
Thanks