reauthenticate(credential)


Art Freeman

Dec 21, 2016, 7:37:35 PM12/21/16
to Firebase Google Group
Where do you find / how do you construct - the credential?  (This is for an email-password authentication).
You have access to the user's email (user.email) but how can you get hold of the password? Is it encrypted somewhere?
What I'm trying to do is reauthenticate the user programmatically.  My users are benign.  I don't want to make them log in again.

Bassam

Dec 21, 2016, 7:52:13 PM12/21/16
to Firebase Google Group
If you want to reauthenticate a password user with a credential, in web it should look as follows:
firebase.auth().currentUser.reauthenticate(firebase.auth.EmailAuthProvider.credential(firebase.auth().currentUser.email, providedPassword));

You have to ask the user to provide the password to reauthenticate. The password must not be stored on the client. This would be a huge vulnerability. 
If you wish to not ask the user to type the password again, you could also use password managers that help store and retrieve a password depending on how compatible their API is with Firebase.
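A worked version of the flow Bassam describes, added here as an example that is not code from the thread or from the Firebase SDK: the password is taken from the prompt, turned into an EmailAuthProvider credential, and used to reauthenticate only when updatePassword fails with auth/requires-recent-login. The injected firebaseNs object and the fake session are assumptions made so the code runs offline.

```javascript
// Added example, not code from the thread. Assumes the web SDK shape Bassam
// describes: firebase.auth.EmailAuthProvider.credential(email, password) and
// user.reauthenticate(credential); `firebaseNs` is injected so the flow also
// runs offline against the constructed fake below.
async function changePasswordWithReauth(firebaseNs, user, currentPassword, newPassword) {
  // The password comes straight from the prompt and is never persisted client-side.
  const reauthenticate = async () => {
    const cred = firebaseNs.auth.EmailAuthProvider.credential(user.email, currentPassword);
    await user.reauthenticate(cred); // rejects with auth/wrong-password on a bad guess
  };
  try {
    await user.updatePassword(newPassword);
    return { changed: true, reauthenticated: false };
  } catch (err) {
    // Only the stale-session error is recoverable by re-proving the old password.
    if (err.code !== 'auth/requires-recent-login') throw err;
    await reauthenticate();
    await user.updatePassword(newPassword);
    return { changed: true, reauthenticated: true };
  }
}

// Constructed stand-in for firebase / currentUser so the flow runs offline.
// `sessionFresh` models whether the last sign-in is recent enough for sensitive ops.
function makeFakeSession(storedPassword, sessionFresh) {
  let fresh = sessionFresh;
  const firebaseNs = {
    auth: { EmailAuthProvider: { credential: (email, password) => ({ email, password }) } },
  };
  const user = {
    email: 'art@example.com', // constructed sample address
    async reauthenticate(cred) {
      if (cred.email !== this.email || cred.password !== storedPassword) {
        throw Object.assign(new Error('wrong password'), { code: 'auth/wrong-password' });
      }
      fresh = true;
    },
    async updatePassword(newPassword) {
      if (!fresh) throw Object.assign(new Error('stale'), { code: 'auth/requires-recent-login' });
      storedPassword = newPassword;
    },
    currentPassword: () => storedPassword, // test hook only; the real SDK exposes nothing like this
  };
  return { firebaseNs, user };
}
```

A wrong old password surfaces as auth/wrong-password and leaves the stored password untouched, which is the check the reauthentication step exists to enforce.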

Art Freeman

Dec 21, 2016, 11:42:38 PM12/21/16
to Firebase Google Group
Thanks, Bassam, for your reply. 
Is there any way to bypass the need for reauthentication?  For instance, say a user has been logged in for a week, and he wants to change his password.  An error would then occur, not allowing the change, due to too much time having elapsed, and so the reauthentication requirement.  But if that requirement could somehow be turned off, it would simplify matters.



Bassam

Dec 22, 2016, 2:59:00 AM12/22/16
to Firebase Google Group
Hey Art, 
That is by design. It is a security precaution to ensure that the owner of the account is the one updating the password. The owner of the account would always have knowledge of the password.
I am not aware of a way around this for password users. Why do you need to change the password of a user without their knowledge?
OAuth provider SDKs provide a way to refresh tokens offline after consent. That gives you the ability to reauthenticate with a credential continuously without user action.
You could use custom auth which can be created using the admin SDK. you have full control there and can create a new token to re-sign in the user when reauthentication is required.

In general, it is recommended that a user provides the old password before updating it.

Bassam

Art Freeman

Dec 22, 2016, 11:01:20 PM12/22/16
to Firebase Google Group
Hi Bassam,
I don't need to change the user's password without their knowledge.  I was just trying to make things simpler for the user by not having to reauthenticate.  I'm thinking in particular about the cases where the user wants to change their own email or password.  If they've been logged in for a long time (if auth() has kept them logged in for say many days) then they'd have to reauthenticate at that time - an extra step for them.  So, it's a simple fix for me.  I'll just have them enter their password when they commence their email / password change.  I already have their email (user.email) and so I can reauthenticate them in the background if necessary.  Thank you very much for taking the time to reply to this question.  Best, Art.

