What is on Firebase the query to get users email if they signed up using social login?
I'm using javascript, i know how to access database etc. but i'm not personally saving users email address, firebase does that automatically.
There is no client-side API to get a listing of users, as that would make it very easy to leak information about your users.
If you want to expose this information, you have two common options:
Store the information you want to expose in a database (such as the Firebase Realtime Database, or Cloud Firestore), and then access that from the app.
Create an endpoint (for example through Cloud Functions) that uses the Admin SDK to return a list of users.
Neither is pertinently better in all situations, although I believe the first one is a lot more commonly used.
Also see:
How do I return a list of users if I use the Firebase simple username & password authentication (back from before Firebase had an Admin SDK that contains functionality to list users)
Retrieving a list of users who have registered using Firebase Auth (more recent, and mentions the Admin SDK in an answer by one of its authors)
How can I list all users using firebase admin sdk
Related
I am working on an application using Firebase and Node as Back-End.
My app has an admin access and I want to create temporary access to users accounts.
I also wanted to have a history of all the logins on users account with infos such as web browser, localisation etc... for security purposes.
My idea is to create a one time use temporary auth token for an user and give it to the auth function from Firebase.
But I want to stay connected as an Admin still, so I thought about an iFrame inside the main window.
I am having trouble finding infos on the web, wanted to know if you had any leads or better ideas/way to do it.
Thanks in advance,
Firebase Authentication on its own does not provide a log of user sign-in actions, but with the new, optional Firebase Authentication with Identity upgrade you get User activity and audit logging. From the feature overview:
User activity and audit logging
Monitor and log administrative access and end-user activity.
When you upgrade your project, you automatically enable admin activity audit logs in Cloud Logging. You can also enable user activity logging on the Authentication Settings page of the Firebase console.
To learn how to view and analyze your logs, see the Cloud Logging documentation.
Creating a custom token for the user you want to impersonate and then using that to sign in should work. If you want to sign in with two different users, you can create two instance of FirebaseApp, and sign in to the auth member for each user.
On my website, I have two portals for login. Portal A is login for learners. Portal B is login for teachers.
Both learners' and teachers' accounts are located in the same Firebase project, in another words, both types of accounts are located in the same authentication space. Both portals use the same simple login code:
firebase.auth().signInWithEmailAndPassword(user_email, user_password).catch(function(error) {})
Currently, the learners can login at both portals, and same for the teachers. What I am trying to do is to prevent the teachers to login at the learners' portal and vice versa. I am not sure how to implement this. I have made a setCustomUserClaim to give an identity to the two types of accounts on the authentication token. But I can only grab the auth token once the user is logged in, not before I think. Also, I have a Firestore collection that stores all the info of the users including their identity. But each user's document is named with their corresponding UID. The latter can be grabbed once they login in as well. Any idea on how to implement this?
Firebase Authentication has no built-in way to distinguish between these two types of users. It simply authenticates the credentials that a user enters, and ensure that they're correct. If certain users can only access a certain application or certain data, this is information that will have to come from you.
The above is important to realize, so I'll repeat it: Firebase Authentication allows all users to authenticate as long as they provide the right credentials. It has no way to block access to authentication based on application-specific information, such as your user-type. This type of authorization logic is part of your application, both in code and (if you use a Firebase Database) of your server-side security rules.
A common way to implement your scenario is to add the information about the types of users to a database (such as Firebase's Realtime Database, or Cloud Firestore). In this data you could for example store the email addresses of all teachers.
Now with this information, your code can then determine whether the person who signed in to the site is a teacher or not. If they're a teacher signing in to the student web site, you can redirect them, and vice versa.
We have a web app that caters to a small set of users that are guaranteed to have an account on Office 365.
To save them from remembering one more password, and to use Microsoft's infrastructure for OAuth, we decided to allow them to login using their Outlook credentials.
It is a react app, we are using the msal library and we have successfully been able to receive the accessToken from Microsoft. (Thus, authenticating the user's identity.)
What I am not confused about now is what I should do with that token:
I need to have my own User database. What information should I store in it? Should I store the access_token as well?
How do I verify the user's identity on my backend server?
Basically, what is the ideal way of managing this kind of a scenario? Wherein a third party authenticator is used (and solely) used to confirm the identity of the user and get the name, profile image and other things only.
Any references to existing workflows or an explanation of the steps involved will be highly appreciated.
I am building a admin panel for a android app in javascript and php in which i created a users table with Firebase Authentication UID so every user key is UID but in this user table i am not inserting Auth Identifier. now in my admin panel how can i retrieve Auth Identifier (Phone Number) using UID(user Key)
An alternative to storing the data in the database (as Qasim answered) is to use the Firebase Admin SDK to look up the user's profile by its UID.
The Firebase Admin SDK runs with administrative privileges, and thus can perform certain sensitive operations that the regular client-side SDKs are not allowed to do. As such, it is meant to be only run in trusted environments, such as your development machine, a server that you control, or Cloud Functions for Firebase. With these last two you could create your own API, that your admin panel then calls. Just be sure to secure the API, because otherwise you're leaking user information.
You can only get the firebase authenticated User info from the current session/user, and if you need to query for it later then you need to save it in your own datastore.
For more details, see this https://www.firebase.com/docs/web/guide/user-auth.html#section-storing
I am writing administative function which allows system admin to create new accounts.Since system admin is already authenticated to system after registering users to firebase with createUserWithEmailAndPassword() function i get auth error.
How do i handle this kind of situation ?
The regular Firebase JavaScript/Web SDK only allows users to create their own account. There is no way to create an account for another user.
For such tasks you'd typically use the Firebase Admin SDK, which you'd run in a trusted environment (such as on a server you control or in Cloud Functions). Creating a user is a simple API call there.