In case a user forgot their password, how can I send them an email to reset it without firebase authentication?
As in they receive an email with a link that takes them to a page/webpage where they can reset their password and confirm the change, then they can login with their new password.
Assuming you are using Firebase Auth in your app: I don't know what you mean by "without firebase authentication?" That's not possible, but perhaps you mean through a specific means. Here are the two most common ways:
You can manually send a password reset by going into your firebase dashboard, go to Authentication, find the email, and on the right of the UID a menu icon comes up when you hover..you can choose to send a password reset email.
You can call this in a flutter app FirebaseAuth.instance.sendPasswordResetEmail(email: email);
Related
I am new to app development but wanted to start with flutter and appwrite. I want to build an app with Appwrite and Flutter. This app should have a restricted area were only registered users should have access.
I want to use a modified email/password authentication, with a phone number instead of the email.
I know how I can create a user with a phone number and confirm this number using the send secret. But I could not find anythig to get a session with only phone number and password.
Is my desired behavoir even possible with appwrite or am I just missing something?
Thank you in advance for your help!
Unfortunately, phone and password authentication is not supported. You can hack a workaround for this by using the email and password where the email is <phone number>#fakedomain.com.
What's your reason for not using Appwrite's Phone Auth system?
I need to implement a standard user registration/activation workflow with Firebase. There doesn't seem to be an obvious way to implement this. When I say "standard", I mean how most email/password accounts work - not necessarily specific to Firebase. I'm sure you're familiar with this. This is the workflow:
User enters their username/password on a form with some validation and submits details
The back-end creates the user record in the database, but the account remains deactivated (i.e. user cannot authenticate - the activated flag is set to false)
The back-end sends an email to the user with a link to activate the account
The user clicks the link in their email which triggers activation. This is probably a Web API of some description.
At this point, the user record's activated flag ticks over to true, and the user can now authenticate
The link probably also has a deep link that opens the app or navigates to a web page
The user can now log into the app
How do I configure Firebase to do all this?
Currently, the app allows the user to register. I am using the Flutterfire SDK. I call createUserWithEmailAndPassword, which successfully creates the user in Firebase. But, the user is already activated. The user should have a state of "disabled" in firebase until the account becomes activated. I can't find any settings to default the user to disabled when the account is first created.
I also managed to get Firebase to send out an activation email by calling sendSignInLinkToEmail, but this call is really designed for email authentication - not email activation. Opening the link should activate the account, but I have not figured out how to do this. This documentation makes it sound like it is possible. Perhaps, the Flutterfire SDK is missing this? I don't want to allow people to log in without a password. I only want to use this call to send out an email.
What am I missing here? Is this non-standard behavior for Firebase? If so, why? If the user is allowed to use an app with an email address that is not activated, they can impersonate someone else. We need to confirm at least that they are custodians of the email address that they are claiming to have.
Do other Firebase people just not worry about this?
Lastly, I know I can achieve this by creating a collection for users in Firebase and putting an "activated" flag there. But, if I do that, I've got to write a cloud function that accepts the link and then updates the user in the collection based on the received link. But I thought this would be automatic in Firebase. If Firebase doesn't have this built-in, I have to put all the security over the top to stop users from authenticating when they have not yet activated their account.
This is a pretty valid concern. I suppose the way around this is to check whether the signed-in user is verified whenever the app is launched. The User object that is returned from Firebase Auth has an emailVerified flag. Check this page for more details.
Using this flag you can choose to show a different screen or pop-up that has a button to send a verification link to the registered email address. Until the user verifies this address, you can limit access to some of the app's screens if you want.
Please note that I have not checked if this emailVerified flag is true for sign ups using Federated login providers like Google Sign-in and Apple Sign In. You might want to check that out.
How do I reset user password in app without sending email link using firebase in flutter?
If you've already established the user's identity by signing them in, you can update their password
Letting a user change the password of an account that they're not signed in to, would be a pretty big security risk though.
If you have another flow for password reset in mind, you can always update the password of any account through the Admin SDK, which can be used on trusted environments such as your development machine, a server that you control, or Cloud Functions/Cloud Run.
I work at flutter.
I have a task when the user gets to the login page, he should see the login password field and enter their data (as in the picture), and not the button that offers google-button I found some examples but there is also no this, please tell me if there is such an option as it can be through the API to log in.
and in the future, I will need to work with the Google calendar.
https://developers.google.com/apps-script/reference/calendar/calendar#createAllDayEvent(String,Date)
https://medium.com/flutter-community/flutter-implementing-google-sign-in-71888bca24ed
https://pub.dev/packages/google_sign_in
https://developers.google.com/identity/sign-in/android/sign-in
I'm confuse if you don't want to offer the user to use google sign in don't use it then. You can use Firebase Auth instead to sign in with email and password like this:
await FirebaseAuth.instance.signInWithEmailAndPassword(
email: txtEmail.text,
password: txtPassword.text,
);
It will check from FirebaseAuthentication on your Firebase Project whether the user already register with email and password in your database, so the user will be listed there with flag email instead of google, but if the user whom register with google reset their password which will apply to your apps only not their account they will get flag email and google.
So I suggest you make register page and then use the FirebaseAuth method:
FirebaseAuth.instance
.createUserWithEmailAndPassword(
email: txtEmail.text, password: txtPassword.text)
Then the user will be listed in Authentication and they can login with email and password
I'm making a simple social media app. Now I'm trying to provide security while registering users.
I'd like something like. By the way, JUST code for when things go wrong, like if username exists in db, not when things go right for example: Auth.auth().crateUser()
if username already exists in db {
(dont let user register.)
} else {
(let user register)
}
if email is not valid {
(dont let user register.)
} else {
(let user register)
}
Something like that. I'm thinking maybe using alerts, etc.
Any answer is VERY appreciated...
You can tell Firebase Authentication to only allow a single user with each specific email address to register in your project. You do this by enabling the One account per email address setting in the authentication providers panel in the Firebase console.
If you mean with email validation that you want to ensure the user actually has access to the mail address that they enter, that is called email verification in Firebase. Firebase doesn't require that the user verifies their email address before they can sign in. But if your application requires that, you can tell Firebase to send a verification email from within the app. Then when the user clicks the link in that email, a property is set on their account that you can then check in your code (or in the server-side security rules if you're using the Realtime Database, Cloud Firestore, or Cloud Storage). For more on this flow, see the blog post Email Verification in Firebase Auth.
An alternative to this flow is to use Firebase's newer Email link provider. This prevents the need for the user to enter a password, instead using an email with a link for them to sign in. This automatically then also sets their email address to verified.