Firebase password resets - authentication

I'm trying to create a password reset mechanism and am stuck. Any suggestions how to do this with Firebase basic email/password authentication

[Engineer at Firebase - Update 2014-01-27]
Firebase Simple Login now supports password resets for email / password authentication.
Each of the Simple Login client libraries has been given a new method for generating password reset emails for the specified email address - sendPasswordResetEmail() on the Web and Android, and sendPasswordResetForEmail() on iOS.
This e-mail will contain a temporary token that the user may use to log into their account and update their credentials. This token will expire after 24 hours or when the user changes their password, whichever occurs first.
Also note that Firebase Simple Login enables full configuration of the email template as well as the sending address (including whitelabel email from your domain for paid accounts).
To get access to this feature, you'll need to update your client library to a version of v1.2.0 or greater. To grab the latest version, check out https://firebase.google.com/docs/.
Also, check out https://firebase.google.com/docs/auth/web/password-auth for the latest Firebase Simple Login - Web Client docs.

This is something that Firebase doesn't do very well. As you'll notice it requires the user to remember their old password. Usually if you want to reset a password it's because you've forgotten it. Hopefully the improve the methods they provide for account management.

https://www.firebase.com/docs/security/simple-login-email-password.html
authClient.changePassword(email, oldPassword, newPassword, function(error, success) {
if (!error) {
console.log('Password change successfully');
}
});

This was the first google result that came up when trying to figure out my issue.. for anyone who uses yeoman angularfire generator but would like to add the send email feature, this should work.
add the following to the simple login factory in simpleLogin.js:
resetPassword: function(emailIn){
return auth.$resetPassword({
email: emailIn
}, function(error) {
if (error) {
switch (error.code) {
case "INVALID_USER":
console.log("The specified user account does not exist.");
break;
default:
console.log("Error resetting password:", error);
}
} else {
console.log("Password reset email sent successfully!");
}
});
},
and call it from your login.js file
$scope.resetPassword = function(email){
simpleLogin.resetPassword(email)
};

Related

react-native: notify server that user logged into Facebook oAuth

So this is probably a thing I am missing.... I am building a react-native app for IOS, using facebook SDK for Facebook login (react-native-fbsdk).
it all works fine.... but, I want the app to access my server, and my server needs to know that the user is logged in (and who the user is).
I know how to do it with the standard oAuth server flow, but how do I do it in this case? how do I even get the code or access token?
In the FB documentation all I see is how to make requests from the app to FB API, I didn't find where to have a callback on the server, so that I can setup the session cookie with user info.
Thanks!
Use the LoginButton and set the required permissions. It will return you the access token, that you can send to your server. The server gets the username, email etc. via this access token from the facebook oauth service. Then the server can open the session and send the session id back to your react native app.
<LoginButton
readPermissions={["email", "public_profile"]}
onLoginFinished={
(error, result) => {
if (error) {
//alert("login has error: " + result.error);
} else if (result.isCancelled) {
// cancelled
} else {
AccessToken.getCurrentAccessToken().then(
(data) => {
console.log("acces token:", data);
const token = data.accessToken.toString();
// call your server
// server can get user info from facebook
// returns back the session id
}
)
}
}
}
onLogoutFinished={() => true}/>

AWS Cognito Admin Control

AWS Cognito works pretty well in our environment, we have roughly 7000 users.
However we have customers who cannot seem to find the verification emails that get sent out (and they have no idea what a spam folder is).
Is there a way as admin to email_verify them? Is there a way as admin to reset their password (and enter their new password for them) without a verification email?
I can't seem to find the right methods in the AWS Java SDK's AWSCognitoIdentityProviderClient.
You can call adminUpdateUserAttributes if you have access to the admin API. It is not explicitly documented, but email_verified is an attribute you can update.
Eg. Using the javascript aws sdk:
var params = {
UserAttributes: [ /* required */
{
Name: 'email_verified', /* required */
Value: 'true' //NEEDS TO BE A STRING
},
/* more items */
],
UserPoolId: 'STRING_VALUE', /* required */
Username: 'STRING_VALUE' /* required */
};
cognitoidentityserviceprovider.adminUpdateUserAttributes(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});
Unfortunately, Cognito can't solve this problem directly. Currently, Cognito does not allow the developers to update the email_verified and phone_verified attributes. The only way these can be marked as true is through the code verification process. One workaround could be to use phone numbers instead of email addresses for verification.

getAuth() returns null

I need to use the user authentication for facebook,twitter and google. I initially created a firebase account and used this following code.
var ref = new Firebase("https://keks.firebaseio.com");
ref.getAuth();
console.log(ref.getAuth());
This always returns null in my console. Why this happens? Can someone help me?
Calling getAuth() doesn't authenticate the user, it only returns the current authentication state. The API documentation says:
Returns the current authentication state of the Firebase client. If the client is unauthenticated, this method will return null.
Since you are getting null, it means your user hasn't been authenticated yet. You can authenticate the user, by calling authWithOAuthPopup():
function authHandler(error, authData) {
if (error) {
console.log("Login Failed!", error);
} else {
console.log("Authenticated successfully with payload:", authData);
}
}
ref.authWithOAuthPopup("<provider>", authHandler);
This last snippet comes from the Firebase documentation on authentication.
Since both parts of my answer come from the Firebase documentation, I highly recommend that you spend some time there.

how to retrieve login status while using offline_access

I'm facing a little problem because of the offline_access permission I'm requesting for my website.
I'm using the code that is given in the documentation in order to define if someone is logged or not :
if ($user) {
try {
// Proceed knowing you have a logged in user who's authenticated.
$user_profile = $facebook->api('/me');
} catch (FacebookApiException $e) {
$user = null;
}
}
But as I have an offline access, it seems that I'm always having a value for $user. So how can i log out someone from my website ?
Is there any way to retrieve a status via the php SDK ?
Thanks for the help,
Stéphane
In PHP try using GetLogoutUrl and sending the user there. You can also call the JS FB.logout() call from client-side. If you want to remove the app from the user, call HTTP delete to me/permissions.

How can I reauthenticate with Facebook after the OAuth 2.0 changes to the sdk?

In our app we had some actions that we required the user to reauthenticate before proceeding. We used code like below to make this happen.
FB.login(
function(response) { /* code here */ },
{auth_type: 'reauthenticate', auth_nonce: '...'}
);
It looks like the auth_type option is no longer supported, because I am getting the following log message: 'FB.login() called when user is already connected.' and the user is not being asked to reauthenticate.
Does anyone have any ideas how to reauthenticate after the changes for OAuth 2.0?
It appears that, for the time being (and I qualify that because Facebook seems to change their API response on a whim), you can get auth_type: reauthenticate to work properly IF you also specify permissions (the scope parameter in OAuth 2.0). Check out this example:
http://www.fbrell.com/saved/a78ba61535bbec6bc7a3136a7ae7dea1
In the example, click Run Code, and then try the "FB.login()" and "FB.login() with Permissions" buttons. Both are coded to use auth_type: reauthenticate, but only the latter actually gives you the FB prompt once you are logged in.
Here are the relevant examples:
// DOES NOT PROMPT
document.getElementById('fb-login').onclick = function() {
FB.login(
function(response) {
Log.info('FB.login callback', response);
},
{ auth_type: 'reauthenticate' }
);
};
// PROMPTS AS EXPECTED
document.getElementById('fb-permissions').onclick = function() {
FB.login(
function(response) {
Log.info('FB.login with permissions callback', response);
},
{ scope: 'offline_access', auth_type: 'reauthenticate' }
);
};
So, the answer is, Yes, auth_type: reauthenticate DOES work, but ONLY if you also specify a valid scope parameter. (And yes, I tried it with an empty scope, and it acted the same as not using scope at all.)
You can use an iframe to make sure the cookie is always valid.
facebook auto re-login from cookie php
Using FacebookRedirectLoginHelper::getReAuthenticationUrl everything works fine.
Internally the method put 'auth_type' => 'reauthenticate' and pass also all the permissions required.
Now the issue is that only prompt to the user to re-enter the password without the possibility to "switch" between users or without the possibility to insert also the username.
Does someone found a solution for this issue?
I manage an application with multi accounts and when the user need to generate again the token this is an issue :(
Thanks, Alex.