Email Verification and Password Reset Link

[samp...@gmail.com]

I have two more questions:

1. How are people verifying emails?

2. Is there a way to provide a password reset link instead of sending the user a temporary password?

[Jay]

We are still struggling with this exact issue. Here are a couple of options we have tried

1) Leverage an external service to send validation emails.  We have worked with Zapier with pretty good success. It has the ability to observe and interact with firebase nodes to trigger Zapier Events (like to send an email when a node is written to)

2) Utilize our own server hardware to handle verification (this is what we are using now). We have a small Firebase app on the server that observes user requests (emails) and then handles the verification. The user is marked as verified once the verification cycle completes so the user can then log in.

[Marty Nelson]

1) We started with Zapier as well but it quickly became more trouble than it was worth requiring multiple cascading Zaps - which also gave me pause given their per Zap pricing model. So we did a small node app hosted on heroku that calls Mandril API. Mandrill is free up to 12,000 emails a month and $7/mo keeps the heroku app going (the node app does a few other things as well like Stripe integration). I'd be happy to put the relevant code bits in a public gist if that would be helpful.

2) We check auth.password.isTemporaryPassword in our client app and redirect to change password screen. So functionally it behaves as a reset link.

[Jacob Wenger]

Jay and Marty have already offered some great advice. I'll chime in with some words of my own:

1. We realize the lack of email verification is a major pain point for developers using Firebase Authentication. We will most definitely build it directly into the service. We don't have a timeline for the feature although it is top of mind for me at the moment.

2. As for the password reset link, I think Marty is on to the right solution. His method should work great. You also do have the ability to update the email template that we use when sending the email. You can update it from the Login & Auth tab of your App Dashboard. You can change the template to include a custom URL that includes the token. For example, you can change the template to be:

Visit the following URL in the next 24 hours to log in and update your account: https://your-website.com/reset/%EMAIL?token=%TOKEN%

Hope that helps,

Jacob

                          

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/083106b7-a4b5-4a18-9dde-97dc0835b811%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Mika Genic]

If I may I want to again raise the issue of the email verification feature.

This feature has been asked for often in the last few years, see for example in http://stackoverflow.com/questions/17723195/is-there-any-way-to-do-email-confirmation-for-firebase-user-creation-and-or-pass and as you say above "is a major pain point for developers using Firebase Authentication"

Two workaround solutions have been suggested but they are both problematic:

First is using a third party server or service (zapier) but that kind of takes the point out of creating serverless apps with firebase and can be cumbersome and expensive.

Second is creating a user with a random temp password and using SendPasswordResetEmail to ask the user to reset but that is problematic because:

   - the temp password is created on the client and easily sniffed, so this solution is not secure

   - it's impossible to send different emails for registration and password resets, two inherently different operations

   - the user cannot give his password upon registration (and just confirm with an email link) but has to provide the password after the email which is strange and confusing

Are there any different better approaches or plans for a direct solution ?

Thank you very much!

[dr]

I wanted to get opinions on a flow as follows.

1. User "signs up" with app. (email)
2. Backend process calls fb.createUser(email, strong password)
1. Generate token from fb token generator, (expire and temporary (no password set))
2. Store strong password in place only token can read
3. Send email with link which includes generated token
3. Client reads token and authenticates
4. Client reads temporary password
5. Client calls fb.changePassword and authenticates with new password
6. Client deletes temporary password or calls backend service to clean up

[dr]

Marty, could you post your code in a public gist?

[kofifus]

I have created a promises wrapper around FB that provides email verification using the resetPassword workaround

see: https://github.com/kofifus/FireBaseWrapper

Hope this helps

[Chris Beckett]

+1 - We implemented our own *Fireside* server running on Vultr to fix our biggest issues:

- email verification
- custom auth claims
- files

Until Firebase supports Node workers/triggers, it just isn't a complete solution for many apps.

[kofifus]

Thx Chris. As my solution shows it is possible to get email verification without a separate server but like you said this is not a natural solution and does not support the other features you mentioned.

[kofifus]

As Firebase 2.4.0 supports promises I scrapped my solution above and rewrote the code 

see https://github.com/kofifus/FirebaseEmailVerification

it basically add registerUser and authUser to Firebase to support email verification.

Hope this helps, any feedback welcomed