AWS amplify (cognito) - change phone number during signup and verification - flutter

I have the "happy path" of signing up a user implemented using Flutter & AWS Amplify. I have made the user to verify their account using their phone numbers so that the verification code is sent to the phone and the signup process is completed.
I realised that, during testing, one could easily make a mistake. So I want the user to be able to go back and change the phone number so that the verification code is sent to the correct one. However, using Amplify, you cannot change the details if the user is not signed in, and the user cannot be signed in unless their account is "confirmed". Of course, their account cannot be "confirmed" if they don't receive the verification code and with the wrong phone number due to their mistake, they will never receive the verification code...
Has anyone faced the same problem and could help me with how to solve this, please?
I read that you could use Lambda functions to "auto-confirm" the account without any verification, which means they can sign in, which would allow me to change their phone number if they have entered a wrong phone number. But I am not sure if this is the easiest way to do it.

Related

How to verify phone number using OTP without Authentication in Flutter

How to implement phone number verification in Flutter. In my app the user is signed in via email; after the sign-in process I need to add the phone number and verify it via OTP. I tried Firebase, but its phone number verification is added with the authentication flow.
I don't want to include the authentication flow, I just need to verify the number. How to implement this?
Please someone help me on this.
It is not possible to implement phone number verification without using Firebase Authentication as phone number verification is a feature within the Firebase Authentication system.

Appwrite phonenumber password login

I am new to app development but wanted to start with Flutter and Appwrite. I want to build an app with Appwrite and Flutter. This app should have a restricted area where only registered users should have access.
I want to use a modified email/password authentication, with a phone number instead of the email.
I know how I can create a user with a phone number and confirm this number using the send secret. But I could not find anything to get a session with only phone number and password.
Is my desired behavior even possible with Appwrite or am I just missing something?
Thank you in advance for your help!
Unfortunately, phone and password authentication is not supported. You can hack a workaround for this by using the email and password where the email is <phone number>#fakedomain.com.
What's your reason for not using Appwrite's Phone Auth system?

Firebase: Standard User Registration/Activation Workflow

I need to implement a standard user registration/activation workflow with Firebase. There doesn't seem to be an obvious way to implement this. When I say "standard", I mean how most email/password accounts work - not necessarily specific to Firebase. I'm sure you're familiar with this. This is the workflow:
User enters their username/password on a form with some validation and submits details
The back-end creates the user record in the database, but the account remains deactivated (i.e. user cannot authenticate - the activated flag is set to false)
The back-end sends an email to the user with a link to activate the account
The user clicks the link in their email which triggers activation. This is probably a Web API of some description.
At this point, the user record's activated flag ticks over to true, and the user can now authenticate
The link probably also has a deep link that opens the app or navigates to a web page
The user can now log into the app
How do I configure Firebase to do all this?
Currently, the app allows the user to register. I am using the FlutterFire SDK. I call createUserWithEmailAndPassword, which successfully creates the user in Firebase. But the user is already activated. The user should have a state of "disabled" in Firebase until the account becomes activated. I can't find any settings to default the user to disabled when the account is first created.
I also managed to get Firebase to send out an activation email by calling sendSignInLinkToEmail, but this call is really designed for email authentication, not email activation. Opening the link should activate the account, but I have not figured out how to do this. This documentation makes it sound like it is possible. Perhaps the FlutterFire SDK is missing this? I don't want to allow people to log in without a password. I only want to use this call to send out an email.
What am I missing here? Is this non-standard behavior for Firebase? If so, why? If the user is allowed to use an app with an email address that is not activated, they can impersonate someone else. We need to confirm at least that they are custodians of the email address that they are claiming to have.
Do other Firebase people just not worry about this?
Lastly, I know I can achieve this by creating a collection for users in Firebase and putting an "activated" flag there. But, if I do that, I've got to write a cloud function that accepts the link and then updates the user in the collection based on the received link. But I thought this would be automatic in Firebase. If Firebase doesn't have this built-in, I have to put all the security over the top to stop users from authenticating when they have not yet activated their account.
This is a pretty valid concern. I suppose the way around this is to check whether the signed-in user is verified whenever the app is launched. The User object that is returned from Firebase Auth has an emailVerified flag. Check this page for more details.
Using this flag you can choose to show a different screen or pop-up that has a button to send a verification link to the registered email address. Until the user verifies this address, you can limit access to some of the app's screens if you want.
Please note that I have not checked if this emailVerified flag is true for sign ups using Federated login providers like Google Sign-in and Apple Sign In. You might want to check that out.

REST API. Should I double-check phone verification code when sign up

I have a REST API with the following path for a user to register:
1. send verification code (/phone-code) -> 2. verify code (/verify) -> 3. enter personal information and register (/sign-up).
On the second step I mark the phone as validated if the entered code is correct, and on the third step I check if the phone is marked as validated. But imagine one person verifies the phone and another (let's say a hacker) tries to skip the first 2 steps and triggers /sign-up with the first person's phone. As the phone is already validated, the hacker registers successfully.
So the question is how to make /sign-up safe? One idea that comes to my mind is to double-check the code on the second and the third steps. But that comes with the cost of increasing the lifetime of the validation code, which is not very safe. Could you advise me something better?
Use some kind of session system on your service that uses cookies. When you sign up and verify, you remember the phone number and whether it was verified in the session.
You shouldn't have to ask for the phone number again, because the phone number should be known and in the session.
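Added example (not from the original answer) of the session-bound flow described above: the phone number and its verified flag live only in the caller's own session, so /sign-up never takes a phone from the request body and a second session cannot reuse someone else's verified number. The in-memory dicts and the `_sms_outbox` name are constructed stand-ins for a cookie-backed session store and the SMS gateway.

```python
import secrets
import time
from typing import Optional

CODE_TTL_SECONDS = 300   # a verification code is only accepted for 5 minutes
_sessions = {}           # constructed in-memory session store: session id -> state
_sms_outbox = {}         # constructed stand-in for the SMS provider: phone -> code sent


def new_session() -> str:
    """Issue an opaque session id; a real service would set it as an HttpOnly cookie."""
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = {"phone": None, "code": None, "expires": 0.0, "verified": False}
    return sid


def phone_code(sid: str, phone: str) -> None:
    """Step 1 (/phone-code): bind the phone to THIS session and send it a fresh code."""
    s = _sessions[sid]
    code = f"{secrets.randbelow(1_000_000):06d}"
    s.update(phone=phone, code=code, expires=time.time() + CODE_TTL_SECONDS, verified=False)
    _sms_outbox[phone] = code  # in production this is the call to the SMS provider


def verify(sid: str, code: str) -> bool:
    """Step 2 (/verify): mark the session's phone verified if the code matches and is unexpired.
    The code is consumed on every attempt, so each SMS allows exactly one guess."""
    s = _sessions[sid]
    ok = (s["code"] is not None and time.time() < s["expires"]
          and secrets.compare_digest(s["code"], code))
    s["code"] = None
    if ok:
        s["verified"] = True
    return ok


def sign_up(sid: str, name: str) -> Optional[dict]:
    """Step 3 (/sign-up): the phone comes from the session, never from the request,
    so a session that never verified a phone gets nothing, whatever phone it claims."""
    s = _sessions[sid]
    if not s["verified"]:
        return None
    return {"name": name, "phone": s["phone"]}


if __name__ == "__main__":
    victim = new_session()
    phone_code(victim, "+15550001111")            # constructed sample number
    assert verify(victim, _sms_outbox["+15550001111"])
    attacker = new_session()                       # never received a code for that phone
    print(sign_up(attacker, "mallory"))            # None: no verified phone in this session
    print(sign_up(victim, "alice"))                # {'name': 'alice', 'phone': '+15550001111'}
```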

AWS Lambda & Cognito - Updating user phone number attribute without sending an SMS

I am working on an iOS app using Amazon Web Services and I am setting up a user database using the Cognito User Pool. During the sign-up process, if a user enters the wrong phone number by mistake and as a result isn't receiving a verification code, I am trying to allow them to then enter a new phone number and update their phone number user attribute. Right now I am using a Lambda function which uses the AdminUpdateUserAttribute function, which is then connected to an API Gateway which allows me to run it from Xcode. The function itself works and it successfully updates the phone number attribute.
Problem
The problem that I am running into though, is that after the phone number attribute has been updated with the Lambda function, a verification code is automatically sent to the newly updated phone number via SMS. The verification code is weird though because when I use that code to confirm the user, it doesn't work. Meaning that code is invalid for confirmation purposes. But if I use the Resend Confirmation Code function it will then send a valid confirmation code to the newly updated phone number.
Question
So I guess the questions I have are:
How can I prevent the automatic SMS from sending after I update the user's phone number attribute?
Or, is there a way I can use the verification code that is automatically sent as a confirmation code?
Thank you in advance.