Parse: How to sign-in / sign-up users only with an email address like Medium.com? (no passwords) - authentication

I want to allow users to both sign in and sign up with only an email address, without entering passwords, using Parse, in a similar way to how Medium does it, where an email is sent with a deep link that logs the user into the iOS app without a password. How can I do this on Parse?

Related

AWS Cognito hosted reset password with no existent account

We are using Cognito hosted and users are clicking the "Forgot Password" option, entering their email which does not exist as a user, but then still being told to check their email for a reset code that never appears.
Is there any way to change the messaging or send an email with instructions on creating a new account?

AWS Cognito send forgot password otp to both email and phone number

I am using Cognito for auth, and for account recovery I have selected the option below:
(Not Recommended) Phone if available, otherwise email, and do allow a user to reset their password via phone if they are also using it for MFA.
Whenever a user is created I set the phone number as verified, so both email and phone number will be in the verified status.
I am trying to send the OTP to both email and phone number for a specific app client.
Right now it's going only to the phone number if the number is verified.

Changing account security to create app password through API

I'd like to at least automate some of this process:
https://forwardemail.net/en/faq#how-to-send-mail-as-using-gmail
It asks for an app password to forward emails under a different email username. Can either the app password generation part or the email username part be automated?
No. An app password must be created by the user in their Google account after enabling 2FA.
I'm not sure about Google's TOS, though, on using an app password in a third-party system like this. It should not be something that is shared, in my opinion.

Firebase authentication provider silently changes from password to google.com

I use firebase authentication for my web app with three providers: email-password, google, or facebook. I have enabled the option "One account per email address".
When a user signs up using email-password (with a gmail address), then later uses google sign-in, I expect to receive an exception "auth/account-exists-with-different-credential", but I do not. His providerId is changed to google.com and he cannot use his password anymore (throws "auth/wrong-password").
Is this normal behaviour?
Firebase Authentication has a concept of a preferred provider for certain email addresses. The most common one is that google.com is the preferred provider for @gmail.com addresses, but I think they also exist for Facebook and Microsoft accounts.
If an existing account later signs up again from a preferred provider, that provider overwrites the existing user account. There is no way to change this behavior (that I know of).
Also see:
Github issue Facebook provider overwritten by Google provider
Mailing list Firebase Social Authentication Issue with fb and gmail flow
Authentication using Facebook at first and then Google causes an error in Firebase for Android
This is how I'm solving it:
https://firebase.google.com/docs/auth/android/account-linking
Just link the "accounts".
Update 2023:
You can now choose if you want to allow 'User account linking'. For example, if you don't allow multiple accounts with the same email address, a user cannot create a new account that signs in using a Google Account with the email address ex@gmail.com if there already is an account that signs in using the email address ex@gmail.com and a password.
If you do allow multiple accounts with the same email address, your app's sign-in flow cannot rely on an email address to identify a user account.
You can find this under settings within Firebase Authentication.
There are some caveats to using this feature, please read about it here

Login without password via link with authentication token

To make the experience for our users more convenient, we implemented a feature which allows a user to automatically get logged in when he clicks on a link he received via email.
In the past he had to click on the link and then had to enter his password. By providing a special security token in the link, we can now automatically log in the user without the need for entering his password.
A few days after we went live with this feature, internal pages (which can only be accessed via password or via the special email link) appeared in the Google search results. We are using Gmail as an email provider for sending emails from our system.
The only explanation I have for this behaviour is that Google is crawling the links in the emails, which is not very nice of them if those are "private" links.
Is there a safe way to still allow users to login without password via a special link they receive in their email, without google being able to crawl the internal pages?
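
One way to build the emailed login link discussed in the Parse question and in the post above, so that merely fetching the URL neither signs anyone in nor yields an indexable page. This is an added example, not code from any of the posts; the handler names, the `app.example.test` URL, the in-memory store and the 15-minute lifetime are assumptions.

```javascript
// Added example: hypothetical names throughout; the Map stands in for a DB table.
const crypto = require("node:crypto");

const TOKEN_TTL_MS = 15 * 60 * 1000;       // assumed lifetime: 15 minutes
const TOKEN_RE = /^[A-Za-z0-9_-]{43}$/;    // 32 random bytes as base64url
const store = new Map();                   // sha256(token) -> { email, expiresAt }

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Create the link that goes into the email. Only the token's hash is stored,
// so a copy of the table cannot be turned back into working links.
function issueLoginLink(email, now = Date.now()) {
  const token = crypto.randomBytes(32).toString("base64url");
  store.set(sha256(token), { email, expiresAt: now + TOKEN_TTL_MS });
  return `https://app.example.test/login?token=${token}`;
}

// GET /login: what a crawler or mail link scanner triggers. It neither consumes
// the token nor creates a session; it only renders a confirmation form.
function handleGet(token) {
  if (!TOKEN_RE.test(token)) return { status: 400, session: null };
  return {
    status: 200,
    session: null,
    headers: {
      "X-Robots-Tag": "noindex, nofollow", // keep the page out of search results
      "Referrer-Policy": "no-referrer",    // do not leak the URL to other sites
      "Cache-Control": "no-store",
    },
    body: `<form method="post" action="/login">` +
          `<input type="hidden" name="token" value="${token}">` +
          `<button>Sign in</button></form>`,
  };
}

// POST /login: the only step that turns a token into a session. The token is
// deleted before anything else happens, so a replayed link is rejected.
function handlePost(token, now = Date.now()) {
  if (!TOKEN_RE.test(token)) return { status: 400, session: null };
  const key = sha256(token);
  const rec = store.get(key);
  store.delete(key);
  if (!rec || rec.expiresAt < now) return { status: 401, session: null };
  const sessionId = crypto.randomBytes(16).toString("hex");
  return { status: 303, headers: { Location: "/" }, session: { id: sessionId, email: rec.email } };
}
```

The strict token pattern also keeps request input from being reflected into the confirmation form unescaped.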