I used firebase realtime database as backend of an online registration app for tech fest in my college.But I only enabled custom email and password authentication.But i found some users created account anonymously and it seems they were not able to sign as i restricted login only after email verification.But still how is it possible even after i made sure to disable anonymous authentication.
Related
I'm trying to allow users to sign up to a Firebase website using only their email and phone number. At a later time, I would like to send them their auto-generated password via email. Is this possible to do with Firebase Auth or Realtime Database?
Sure thing. You'll have to create the account through the Admin SDK, so in a trusted environment like your dev machine, a server you control, or Cloud Functions. There you call createUser(...) with the email the user entered, the a temporary password that you made up.
You could do the same client-side, but in that case the password would be determined from the client too, which wouldn't be secure.
On my website, I have two portals for login. Portal A is login for learners. Portal B is login for teachers.
Both learners' and teachers' accounts are located in the same Firebase project, in another words, both types of accounts are located in the same authentication space. Both portals use the same simple login code:
firebase.auth().signInWithEmailAndPassword(user_email, user_password).catch(function(error) {})
Currently, the learners can login at both portals, and same for the teachers. What I am trying to do is to prevent the teachers to login at the learners' portal and vice versa. I am not sure how to implement this. I have made a setCustomUserClaim to give an identity to the two types of accounts on the authentication token. But I can only grab the auth token once the user is logged in, not before I think. Also, I have a Firestore collection that stores all the info of the users including their identity. But each user's document is named with their corresponding UID. The latter can be grabbed once they login in as well. Any idea on how to implement this?
Firebase Authentication has no built-in way to distinguish between these two types of users. It simply authenticates the credentials that a user enters, and ensure that they're correct. If certain users can only access a certain application or certain data, this is information that will have to come from you.
The above is important to realize, so I'll repeat it: Firebase Authentication allows all users to authenticate as long as they provide the right credentials. It has no way to block access to authentication based on application-specific information, such as your user-type. This type of authorization logic is part of your application, both in code and (if you use a Firebase Database) of your server-side security rules.
A common way to implement your scenario is to add the information about the types of users to a database (such as Firebase's Realtime Database, or Cloud Firestore). In this data you could for example store the email addresses of all teachers.
Now with this information, your code can then determine whether the person who signed in to the site is a teacher or not. If they're a teacher signing in to the student web site, you can redirect them, and vice versa.
I am working on a college app in which only the administrator has the right to create user accounts. On successful User Account creation, the user gets an email with his user email and password as plain text.
I am already familiar with the email verification and password reset mail in firebase but I am not allowed to do that.
I already looked at answer to this question: Send User Password via Email with Firebase but it is very less helpful as the answer provided is complicated to understand.
So all I want is the password to be sent via email whenever a user is created.
PS: I am working with Web Interface (JavaScript). How do I do that? It would be even nice if I get help with some code chunks included.
You can achieve this using firebase cloud functions following the steps below
Setup Admin SDK following the documentation https://firebase.google.com/docs/admin/setup
Add a Firebase Authentication Listener https://firebase.google.com/docs/functions/auth-events
You can send mail with sendgrid See this article
If you want to really get familiar with cloud functions you can start here
I'm not gonna post a bunch of code, unless I have to. It's mostly pasted straight from Firebase.google.com. I got every authentication method working fine but Github oAuth is all kinds of screwed up. So after a while I decided to go from Firebase v3.0 to 3.1. No fix.
The redirect page does pop up but I can't use my regular Github credentials - the Github account used to create the developer app (even though I log out of Github in my other web tab. My authAction() catch says:
An account already exists with the same email address but different
sign-in credentials. Sign in using a provider associated with this
email address.
So, I created a second dummy Github account and I now can log in using that. However upon logging in, user.email and user.displayName come back null.
Another strange thing: When logged out of every app, I log in to my Firebase app via Github oAuth and then open a new tab and navigate to Github, I'm already logged in! Presumably, somehow my token is shared between websites? Google, Facebook, Twitter, Anon, and Email/Pwd all work fine.
Anyone have this Github oAuth issue too or is it just me?...
When you get the error:
An account already exists with the same email address but different sign-in credentials. Sign in using a provider associated with this email address.
It means you already signed in using the same email with a different provider. You can sign in to the same provider and then link the github account to that current user. You can call firebase.auth(().currentUser.link(githubCred) or firebase.auth(().currentUser.linkWithPopup/Redirect(githubProvider)
As for Github not providing your email and name, you could have your github account settings set to not disclose your email and info. Typically you have to ask for the user:email oauth scope if you are using signInWithPopup/signInWithRedirect but that is currently not working with Firebase. The team is working on a fix.
Regarding your third issue, I am not sure I understand this correctly. When you sign in to Firebase using Github or any other provider, you will need to login to that provider before consenting to that app's permissions. If you navigate to that provider's site, it is normal to be logged in. If you try to sign in with Firebase using github on a different app, you would still be logged in to github but you would be asked to consent to that app's new permissions.
I want users to be able to register on my mobile (web based) app and login using their Facebook account. Is this possible using the JavaScript API?
The user can login using Facebook, and the userID and auth code of that user can be sent to my server to create the account, but I see a security flaw because then anyone could then log in as anyone by sending a userID and their own auth code. So can user accounts not be done with the JavaScript API and only with a server side API?
All Facebook requests are also signed with a secret key that belongs to the app you've registered to handle Facebook sign-ups on your website, so you can use that to verify it comes from Facebook and not someone else.
This is also outlined in the registration documentation
Strictly speaking, it is not possible for the Facebook SDKs to explicitly create a new user. However, when you implement a 'Login with Facebook' button (see here for JS and here for PHP), Facebook's OAuth dialog appears, which will prompt the user to log in (if they are not already) or to sign up with Facebook, thereby creating a new account, albeit not under your control.