Passwordless Sign in with firebase without link sent to email


Charlie

Mar 22, 2021, 11:08:14 AM
to Firebase Google Group
I'm working on a system that works similarly to WhatsApp Web. The idea is that a user is logged in with his account via Firebase on his phone. And then he wants to do a fast sign-in (maybe a 10-minute session) on a computer. So I read that a passwordless sign-in was possible by sending a link to the user's email. Is it possible to generate this link (generate it somehow) on the phone (without sending it to the email)? Thanks to this, the user on the computer could, for example, read a QR code generated on the phone with the passwordless sign-in. Help please!

PS: I posted the same question on Stack Overflow but haven't received any help. Here's the link if you prefer to answer there: Link

Kato Richardson

Mar 22, 2021, 11:31:26 AM
to Firebase Google Group
Hi Charlie,

That should be reasonable. The Admin SDK provides a way to generate email sign in links. So you could convert that to a QR code rather than sending it in an email. 

If you want even more control over the process, you could also completely customize the auth experience and sign your own JWT tokens once the client is verified.

☼, Kato

--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

Charlie

Mar 22, 2021, 2:06:41 PM
to Firebase Google Group
Thank you so much for your help. You have been very helpful.
I cannot find this generate link class in the Flutter Fireauth instance. The 3 options related to links are:
- isSignInWithEmailLink
- signInWithEmailAndLink
- sendSignInWithEmailLink
Do I need another package?
Thanks again for your help!

Kato Richardson

Mar 22, 2021, 2:36:28 PM
to Firebase Google Group
You need to call out to a server to perform that function. If clients could generate their own links, they would be able to bypass the verification workflow.
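
The server-side step described in the replies above, as an added example that is not part of the original thread or Firebase's own code: the server issues a short-lived, single-use pairing code for the phone to show as a QR code and redeems it once for the desktop. The names `issuePairingCode` and `redeemPairingCode`, the in-memory `Map` and the two-minute lifetime are assumptions; in a Firebase deployment the uid would come from a verified ID token and the redeemed uid would be passed to the Admin SDK's `createCustomToken`.

```javascript
// Added example: one-time, short-lived pairing codes for a QR sign-in flow.
// All names and the TTL are assumptions made for illustration.
const crypto = require('node:crypto');

const TTL_MS = 2 * 60 * 1000; // assumed lifetime of a displayed QR code
const pending = new Map();    // sha256(code) -> { uid, expiresAt }; a shared datastore in production

// Only the hash is stored, so a leaked store does not yield usable codes.
const digest = (code) => crypto.createHash('sha256').update(code).digest('hex');

// Called by the signed-in phone. `uid` must be taken from an ID token the
// server has verified (admin.auth().verifyIdToken), never from the request body.
function issuePairingCode(uid, now = Date.now()) {
  const code = crypto.randomBytes(32).toString('base64url'); // 256 bits, unguessable
  pending.set(digest(code), { uid, expiresAt: now + TTL_MS });
  return code; // the phone renders this value as a QR code
}

// Called by the desktop after scanning. Yields the uid at most once.
function redeemPairingCode(code, now = Date.now()) {
  const key = digest(String(code));
  const entry = pending.get(key);
  if (!entry) return null;                 // unknown code, or already redeemed
  pending.delete(key);                     // single use: consume before anything else
  if (now > entry.expiresAt) return null;  // expired codes are consumed, not honoured
  // Here the server would mint a credential for the desktop, for example
  // admin.auth().createCustomToken(entry.uid), and return that instead.
  return entry.uid;
}

// Periodic cleanup for codes that were displayed but never scanned.
function purgeExpired(now = Date.now()) {
  let removed = 0;
  for (const [key, entry] of pending) {
    if (now > entry.expiresAt) { pending.delete(key); removed += 1; }
  }
  return removed;
}
```
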

Charlie

Mar 22, 2021, 3:05:28 PM
to Firebase Google Group
So I have to create a Google Cloud Function for example that will be called inside my app and then the function will return to my app the link of the Sign In. Is that right? How long does this code last? Is there a way to disable it after it has been used or a certain amount of time has passed (or maybe both)?
Thanks again :)

onabanjo ademola

Mar 22, 2021, 11:57:34 PM
to fireba...@googlegroups.com
I don't think there's a way to remotely sign out a user on Firebase.

You can try setting a global timeout variable that triggers the signOut() method after a specific period of time.

This approach is controlled by the client, which makes it unsafe.

Write a rule against these users to prevent them from accessing your database.

For example, you could trigger a write to a specific database path to flag out all users with passwordless signin method via a Firebase function.

Make sure to save the user tokenId and timestamp to this path to differentiate the one signed in on the computer from the one signed in on Android.



Charlie

Mar 23, 2021, 1:22:09 PM
to Firebase Google Group
I don't understand what's the advantage of "You could trigger a write to a specific database path to flag out all users with passwordless signin method via firebase function." What can I do with those IDs? This method will remain unsafe as I can't sign these users out remotely (apart from hard coding it in the Linux app), right?
Thanks

Charlie

Mar 30, 2021, 6:18:02 AM
to Firebase Google Group
Hey, I haven't solved the problem yet.
So I have to create a Google Cloud Function for example that will be called inside my app and then the function will return to my app the link of the Sign In. Is that right? How long does this code last? Is there a way to disable it after it has been used or a certain amount of time has passed (or maybe both)?
Thanks again :)

On Monday, March 22, 2021 at 19:36:28 UTC+1, Kato Richardson wrote: