I was interested in adding the Touch ID option into my app. I have found many SO posts and other articles on how to implement it and how to handle errors. My question is if the user logs in, and then goes to the preferences VC and (if the device supports it) enables Touch ID....how do I retrieve the users email and password from Firebase...or store it?
I could be wrong, but I can't imagine Firebase would allow me to pull the user's password. So, would I just store the password from the log in VC in a constant and pass it from VC to VC just in case the user wants to enable Touch ID?
That doesn't seem like a great option either..
Edit
I want to clarify my question.
Initially in my app a user logs into the app using Firebase using an email and password. Later on if the user wants to he/she can enable Touch ID so instead of typing johnSmith#email.com and abc123 it knows on this phone that the user is johnSmith#email.com and the password is abc123.
My question is: How to I retrieve that users email and password? I do NOT have a child in my database with a list of emails and I DO NOT have a list of passwords.
The only thing I can think of to get the user is the following
let user = FIRAuth.auth()?.currentUser
But is that enough for a Touch ID log in? That is just a random string and not his/her email
And how do I get the password?
As long as Firebase doesnt support TouchId you will have to manage the username and password combination yourself. You will have to ask the user once for the username and password when he/she enables Touch Id and store the username/pw yourself.
The way to store sensitive information is by using Keychain, here is a sample project from Apple on how to do that.
Next time the user login gets confirmed by Touch Id you pull the username/pw from keychain and authenticate the user.
Related
I need to implement a standard user registration/activation workflow with Firebase. There doesn't seem to be an obvious way to implement this. When I say "standard", I mean how most email/password accounts work - not necessarily specific to Firebase. I'm sure you're familiar with this. This is the workflow:
User enters their username/password on a form with some validation and submits details
The back-end creates the user record in the database, but the account remains deactivated (i.e. user cannot authenticate - the activated flag is set to false)
The back-end sends an email to the user with a link to activate the account
The user clicks the link in their email which triggers activation. This is probably a Web API of some description.
At this point, the user record's activated flag ticks over to true, and the user can now authenticate
The link probably also has a deep link that opens the app or navigates to a web page
The user can now log into the app
How do I configure Firebase to do all this?
Currently, the app allows the user to register. I am using the Flutterfire SDK. I call createUserWithEmailAndPassword, which successfully creates the user in Firebase. But, the user is already activated. The user should have a state of "disabled" in firebase until the account becomes activated. I can't find any settings to default the user to disabled when the account is first created.
I also managed to get Firebase to send out an activation email by calling sendSignInLinkToEmail, but this call is really designed for email authentication - not email activation. Opening the link should activate the account, but I have not figured out how to do this. This documentation makes it sound like it is possible. Perhaps, the Flutterfire SDK is missing this? I don't want to allow people to log in without a password. I only want to use this call to send out an email.
What am I missing here? Is this non-standard behavior for Firebase? If so, why? If the user is allowed to use an app with an email address that is not activated, they can impersonate someone else. We need to confirm at least that they are custodians of the email address that they are claiming to have.
Do other Firebase people just not worry about this?
Lastly, I know I can achieve this by creating a collection for users in Firebase and putting an "activated" flag there. But, if I do that, I've got to write a cloud function that accepts the link and then updates the user in the collection based on the received link. But I thought this would be automatic in Firebase. If Firebase doesn't have this built-in, I have to put all the security over the top to stop users from authenticating when they have not yet activated their account.
This is a pretty valid concern. I suppose the way around this is to check whether the signed-in user is verified whenever the app is launched. The User object that is returned from Firebase Auth has an emailVerified flag. Check this page for more details.
Using this flag you can choose to show a different screen or pop-up that has a button to send a verification link to the registered email address. Until the user verifies this address, you can limit access to some of the app's screens if you want.
Please note that I have not checked if this emailVerified flag is true for sign ups using Federated login providers like Google Sign-in and Apple Sign In. You might want to check that out.
I am new to Firebase and I have been working within IOS to identify the users by an automatically generated key. Essentially I'm creating a leaderboard with highscores and levels. Instead of having the user sign up for an account I want them to already have an ID so they can just start playing and write their high scores to the leader board. At the moment I have this code:
let user = Auth.auth().currentUser
ref?.child("Highscore").child((user?.uid)!).setValue(highscoreArray)
For some reason I'm getting an error that the "user" is non-existant. Is there a way to automatically generate one without having to force the user to choose a username etc. Also I've tried childByAutoID and i keep getting new IDs within the simulator everytime I run it.
Thanks for the help.
Minimally, you have to put the user through a sign-in process. Auth.auth().currentUser won't return anything but null until that process is complete. There is no workaround for this requirement. The only way you get a uid is after the user signs in a creates an account.
If you don't want to user to have to do anything to sign in, you can enable and implement anonymous authentication to sign them in without requiring any input from them. You can then upgrade their account later in order to make it permanent, since anonymous accounts don't transfer between devices or survive an app uninstall.
As far as I know, on the new Facebook API, there is no way to get the Facebook username. Also, if the user registered to Facebook, his or her account might lack an email address if he or she logged in with a phone number.
However, I am working on a project, where, upon login with Facebook, if the user does not have a user, then the Facebook login is interpreted as a registration. Since, according to my best knowledge, there is no way to get the Facebook username using the API, I am using the email field to generate a username, taking into account only letters.
However, in some cases, the username generated this way is duplicated, or the Facebook account does not have an email address. The best solution I can think about is to redirect the user to a form where he or she can enter the email and/or the username, but that would not help the user-experience.
Is there a way to gather these data without making the user enter them? Or something close to it?
First of all, you should always present the data you want to store to the user BEFORE you store it, and let him change it.
That being said, the (App Scoped) ID is the only thing that is really unique, you can either use the email directly (if the user is already registered, just add the Facebook ID to your database) and present an input field if there is no email - or generate a username with his first and last name. Present the chosen username to the user and let him change it, or tell him that it already exists.
After all, wouldn´t a user WANT to choose his username?
If you want to make it smooth for the user and don´t want to bug him in anyway, you can just store his Facebook ID. Or just use the email directly as username (including the # sign and the domain), as i wrote above. If that´s not good enough, you need to implement your own routine to auto-generate usernames. There´s no general logic from Facebook to do this.
I'm working on an app where I'd like to be able to do things with a user's Facebook username. I know that I can get this through the basic user object, but I'm worried about the case where the user doesn't have a FB username when they register with my site/application, but does gets one later. The question is how to test this with FB test users:
A user (a regular user, anyway) has to be verified before they can get a username. Is it possible to verify test users?
If so, is it then possible to give a test user a username?
Is it possible to change that username as part of the testing process (on the chance that my code doesn't work perfectly the first time :)?
What I'm thinking of doing is setting up a realtime subscription on "username", which I've established is possible. If the user above suddenly gets a username, my app gets notified and I can do whatever I do with it. But that implies that a lot of other things are possible, which they may not be. I could retrieve and check the user object on login and keep updating the fields, but I'd prefer to avoid that if possible. Any advice out there?
You cannot claim usernames for test users. You will have to use your own account or test with a real fake account, which Facebook frowns upon.
Many sites implement different methods and I am having a hard time deciding on which method would work best for my site.
My user profiles contain the following data:
username
password (in hash/digest form)
email
I'd like the password reset method to be secure, user-friendly, and efficient.
You should add two fields, reset_code and reset_expiry
This is the process for a secure password reset functionality.
User selects "Forgot password".
User prompted for email/username.
If valid, generates a GUID, and stores it in reset_code and also stores Now()+24 hours in reset_expiry in the database against that particular user.
Then it sends an email to the email address with a link to confirm the password reset. This email would contain a link to your website with the user's username AND reset_code embedded. (This stops a malicious user resetting a third parties password just by knowing their email)
Once the user clicks on the link in the email, they will be directed to your website.
Your website will validate that: the username and reset_code matches, and the current time hasn't exceeded the reset_expiry time.
If all is okay, we can complete the password reset. This can be done by either:
a) Onscreen a new randomly generated password
b) A new randomly generated password via email
c) The ability to enter a password of his/her own choosing
You should not store the passwords of your users, not even in encrypted form. You should only store the hash/digest necessary for authentication. Then, you can't "recover" the password (because you don't know it), you can just reset it, and/or give the user a temporary one-time password that allows him to set a new password.
Update: if you are doing the above, the standard procedure is to have a "require-password-reset" form. The user enters his id (typically his email) and a "token" (eg, a random string) is generated, stored in some table with some expiration date, and sent to his email along with a link to the "password-reset" form. In this form the token is checked, the user is allowed to enter a new password, and instructed to attempt a new login.
Update 2: A small privacy issue might arise: What should we do if the user id (email, user name, or whatever) entered in the request form does not exist in our database? To output a message "User does not exist. Check the id and retry." may be ok, but in some cases it would cause a privacy problem: anyone can check if other someone is registered in your database! If you want to avoid that, you must output the same message ("a mail has been sent with instructions...") even if the user wasnt found (and hence a mail was not actually sent).
Similar privacy issues advise to just output the message "login incorrect : bad user or password" when the user tries to login unsuccessfully - don't disclose if it was an incorrect user or password.
I agree with Leonbloy. Storing the password leads to trouble like the Gawker incident from a few weeks ago (1.5 million userid/pwd combinations were discovered and published).
You should, however, have a "reset password" function that e-mails the new password to the original e-mail address used to open the account.
There should be no provision for changing the e-mail address during the password reset. If the user doesn't have access to the old e-mail account anymore, too bad. Abandon the account and start over.
And use a good Captcha on the reset screen.