Firebase auth verification - javascript

I have a sign up form where a user is required to type their email and password. Firebase won't let you create a user if their email and password don't meet certain conditions, namely, it should be a valid email and a password should be strong enough. On top of that validation I have that of my own. What I would like to do actually is somehow inform the user about those validation errors thrown by Firebase.
Problem: I can show the firebase errors only after the submit button is clicked.
It would be nice if it were possible to do this before a form submit. That's to say, if a number of symbols typed by a user in the password field is less than 6 the user should be notified about that.
So I think it would make sense to listen to what a user types and when they stop, make a request to some endpoint that returns an error object if the values entered don't meet the criteria. The responsibility of this request is to validate the fields and that's it.
Is it possible to make such a request in Firebase? From what I know it's impossible but I'd like to make sure, perhaps there're some nice workarounds or something.

This is something you're going to have to code up on your own. The Firebase SDK isn't going to make this any easier for you. I suggest being prepared to handle rejected promises from the call to createUserWithEmailAndPassword in order to determine if there's a problem with what the user entered, and prompt the user accordingly.

Related

Extract Respondent Email from Google Forms Responses using Google Apps Script

I'm using Google Apps Scripts to handle response data from a Google Form, and the form asks the users to prove a username at the start of the form. The usernames have been provided to them earlier.
I'm now trying to match the given username to the email ID that was used to respond to the form (setLimitOneResponsePerUser() has been set to true, thus all users have to be signed in to respond), using values in a spreadsheet.
But I can't seem to get a value from Response.getRespondentEmail() (returns blank) unless I have Form.setCollectEmail() set to true, which I'm trying to avoid, as that means they'll have to manually enter the email ID's every time.
Is there a way to extract the email ID that was used to create a response?
NOTE: I cannot use the event object as the script does not run on a ResponseTrigger, rather it runs daily at a given time, and iterates through all the submitted responses for that form.
Answering my own question, in case others check this thread out.
So it turns out there currently isn't a way to auto-collect email address using Google Scripts unless either:
Form.setCollectEmail() is set to true, in which case the respondent has to manually enter in an email ID each time (and can be faked, because it won't be cross-checked with the actual account used to sign in)
OR
The script runs on a Form ResponseTrigger, in which case the associated email ID will be part of the Event object e. But this method cannot be used for analysing responses at a later stage.
Unfortunate that this hasn't been implemented in Google Apps Script yet, but let's see what happens in the future.
Hope this is helpful to anyone else who stumbles upon this thread.

How to execute a function in my javascript when someone opens console log in my page?

So basically my req is to hide 2 fields username and password in a form from viewing it in console log. So what i am planning to do is to listen to event console log and when it executes i remove the values from username and password.
How can i do it? i am also using jquery in my page.
Thanks
You can't do that, and you shouldn't try. Never expose sensitive data like passwords like this.
No you cannot hide these data, because javascript is client-side.
Despite of the advises you received, Facebook uses this system and expose in browser username and password by accessing https://www.facebook.com/login.php?login_attempt=1&lwv=110 when you try to connect, along with all inputs from your form. This procedure is often used before submitting for different reasons: verify email if it is not duplicate, how many login attempts were...
As long as you have SSL connection the only user that can see username, email or password in console is the one who enters these sensitive data in the form so it is not a threat.

How do password managers know when I've logged in successfully?

So you know how you are presented with a login screen and then, you fill it out, and then the browser loads the next page? At this point, somehow the password manager bar pops up for LastPass, 1Password, or some other extension, asking if you want to save the password. How do they know you've just logged in successfully??
Forms are sometimes submitted and other times the js intercepts the form submit and sends AJAX.
The response comes back and may set a new cookie, but sometimes the existing session cookie continues to be used (allows session fixation attacks but some implementations do that).
A new location is loaded or reloaded but sometimes the javascript reloads a portion of the document instead
But somehow these password managers DETECT that I've logged into a site successfully! How? Is it because I entered something in a password field, and then some form was submitted or some network request was sent? But how do they know it was successful?
Anyone familiar with these password managers able to give some useful info?
The reason I ask is that I want to develop an extension that detects when you've logged in and somehow tries to extract your user id from the service. It is for the purposes of sharing your user id with friends automatically, and letting them know (with your permission) what sites you are using a lot.
Any hints on techniques to extract the logged-in user's id on the service would also be helpful.
They aren't actually aware of a successful login in most cases. They are aware that a form with a password field was submitted, and the response was a 200OK. This may still be a page displaying an error message.
As for extracting user IDs, I'm pretty sure you mean profile pages or something similar. That will have to be done on a site by site basis as sites will have their own APIs and route structures.
As someone already answered this question, I will agree with him.
They aren't actually aware of a successful login in most cases. They are
aware that a form with a password field was submitted, and the response
was a 200OK. This may still be a page displaying an error message.
Since browsers watch for the request having a password field in it and the response status, But still you can fool the browsers easily. To get to know about the logged in userid you definitely need backend support / api. It depends on the authentication frameworks used in the back-end. But you can get the form fields easily, but extracting / finding userid from the form fields is a quiet difficult task, In most cases, form will be having only two fields there you can manage to get the userid. But in some cases like banking sites they will send few dummy fields fool such tools, Also many fields will be encrypted in the client itself to protect man in the middle attacks. In some cases userid is different from email, So its difficult task.
They only detect if the form was submitted, and it a code 200 (OK) was returned. They don't necessarily know if you were logged in, but this method works on most websites. They might also detect if a new page was loaded afterwards, since a failed login doesn't usually redirect the user. I have, however, had a prompt to save an incorrect password before.
They can detect your current tab. and each HTML element of that page.
May we they have list of login page case to detect keywords like
login,username,forgot password. and check all keyword to identify this is login page.
They just ready page and even they can read your password (yes) .
If you made request from that page & response will be 200ok it means your password is correct.
Whenever to request to server with username and password the server checks these two entry into their database and the server will found your data it will return response code 200 and using AJAX success call back script will catch the response code and will show successful message.
and also return some sort of information you can store into localStorage of browser or into cookie for further use.
I have created a couple of pages static HTML and form: So when form is submitted it goes to second page.
Let's test
<form action="test1.html">
<input type="text" />
<input type="password" />
<input type="submit" />
</form>
</body>
Chrome don't bothered anything happened. While firefox has given a popup to save password even when form is submitted to an error page.
So firefox only looks for a form submitted with a password field and asks for save password popup box.
If want to create an extension which can check wheather user is successfully logged-in and then you want to ask for password remember popup. For that you have to check for server response. I couldn't create a dynamic page to to proof read it with browser example.

How to find or create a questionnaire with the function of the prohibition on the same answer?

I need help.
We need to find a questionnaire in which the answer to the question (for example, telephone number) may not be the same for two users.
For Example:
Enter a phone number:
First the user enters a phone number: 123456789
And completes the survey.
The second user starts to question and answers the same phone number 123456789.
He receives an error message or a request to enter a different answer.
Or is there any easy implementation of this problem using php or javascript.
Maybe it is possible to implement with surveymonkey api.
I would be glad of any help or advice.
Google forms writes to a spreadsheet database, allows regular expression fields and attached scripts. Set the field to mach your required format, then validate the response with a script.
Your requirement is persistent storage. You will either require a database, such as MySQL, and use PHP to access it, or a third party application such as SurveyMonkey. However, I can't tell you the limitations of SurveyMonkey, you will have to check their documentation.
I realize that this late and this thread is limited but for others looking for same answer. Here is how I did exactly the same thing for one of my coworkers using Examinare Framework and Examinare Survey Tool.
First, create a html form that sends the phone number to a form.
Inside that PHP file call Examinare PHP Wrapper and check if a recipient has this phone number on their recipient profile.
https://developer.examinare.com/apidocs/listrecipientsbygroup/
A tip: And loop through it the results.
If the recipient not exist, create the recipient. Make sure you add a fake or real email to prevent getting an error.
https://developer.examinare.com/apidocs/addrecipient/
Mark the recipient as a active in the survey.
https://developer.examinare.com/apidocs/markrecipientstosurvey/
Redirect to the survey.
If you want the recipient to return to a certain path then add redirect_url variable to the url with a valid url.
Hope it helps you and future seakers.

What is the best approach for confirming html form fields?

A lot of times you get a form where you need to enter an email address (or other form field) twice in order to confirm that you typed it correctly the first time. Some forms disable the copy and paste action (via javascript) in the browser to force the user to type the email address again.
Personally I find this highly annoying. What are your thoughts? Are there other options?
If you really want to check the email address you could implement a confirm email address function, which sends an email to the provided email address. The email could contain a link which allows the user to confirm his/her email address.
For obscured fields like password fields, it is always best to implement a double entry input field in case the user made a typo.
I find it highly annoying as well since, in many cases, the initial entry was done from an autofill that I know is correct.
Please note that this should be a community wiki!
I think it depends on the site, if its something like a commerce site, I'd support disabling the copy and paste because if the address is typed in wrong it can cause pains for both the site and the customer. It's easier for everyone to just inconvenience the customer for 2 seconds during the process instead of having to deal with it later.
I personally disagree with disabling the copy and paste thing. If the user enters the wrong email twice and identically (worst case scenario) it's his fault really.
You should just believe the user. If he mistypes the address, live with it.
First of all, if you confirm registration by sending an email, on the “Now wait for an email and click a confirmation link there” screen you can still show the address to which an email was sent. It can be followed by a link “Oops, mistypes my email address” letting you to correct yourself.
Second, if you use email for notifications, user will not get them, and, curious, he will go to his/her profile settings to check the notification parameters. You just have to make sure that “E-mail” input is next to “Get notifications” checkbox.

Categories