Password reset code


Harold Ibouanga

Oct 11, 2017, 10:25:06 AM
to Firebase Google Group
Hi there,

Hope you can help me. I'm implementing Firebase Authentication on my application and wanted to know if it is possible to manually send the reset password email, which implies getting the oobCode from Firebase. I want to do that because, when Firebase sends the reset email, the apiKey is in the link https://test13013.firebaseapp.com/__/auth/action?mode=resetPassword&oobCode=XXXXXXX&apiKey=XXXXXXX.

I don't want to expose my apiKey, because anyone can use it to query my Firebase user database.

Is there a way to get the oobCode for a specific action (reset password, email verification, user update, etc.)?

Thanks

harold

Bassam

Oct 12, 2017, 1:55:34 PM
to Firebase Google Group
Hey Harold,
The API key is needed on the landing page to process the action. It is also possible that a developer could use the same landing page for multiple projects with different API keys, so we have to pass the API key corresponding to the code so it can be processed correctly.
Besides, if someone is determined to get your API key, they can just inspect your source code or the network requests. Anything that lives on the client is not really a secret.
To also allay your concerns, Firebase Auth adds throttling to lookup APIs, so such an attack is not feasible.
If you ever suspect anyone using your API key maliciously, you can always revoke it and create a new one from the Google Cloud Console.

Best regards,
Bassam
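To make the answer concrete, here is an added example (not code from the thread or from Firebase) of the kind of custom action handler Bassam describes: it parses the action link, selects the project whose API key matches the one in the link, and only then hands the oobCode to an auth client. The `auth` object, project list and link values are constructed stand-ins for `firebase.auth()` and a real project so the code runs without the SDK.

```javascript
// Custom handler for a Firebase Auth action link such as
// https://<host>/__/auth/action?mode=resetPassword&oobCode=...&apiKey=...
// Added example; not part of the original thread.
const ALLOWED_MODES = new Set(['resetPassword', 'verifyEmail', 'recoverEmail']);

// Extract and validate the query parameters the landing page needs.
function parseActionLink(link) {
  const params = new URL(link).searchParams;
  const mode = params.get('mode');
  const oobCode = params.get('oobCode');
  const apiKey = params.get('apiKey');
  if (!ALLOWED_MODES.has(mode)) throw new Error(`unsupported mode: ${mode}`);
  if (!oobCode || !apiKey) throw new Error('missing oobCode or apiKey');
  return { mode, oobCode, apiKey, continueUrl: params.get('continueUrl') };
}

// One landing page may serve several projects: the apiKey in the link tells
// us which project issued the code. Unknown keys are rejected outright.
function selectProject(apiKey, projects) {
  const project = projects.find((p) => p.apiKey === apiKey);
  if (!project) throw new Error('apiKey does not match a configured project');
  return project;
}

// Verify the code before applying it (codes expire and are single-use), then
// confirm the reset. `auth` mirrors the SDK's verifyPasswordResetCode and
// confirmPasswordReset but is injected so it can be faked offline.
async function handleAction(link, projects, auth, newPassword) {
  const { mode, oobCode, apiKey } = parseActionLink(link);
  const project = selectProject(apiKey, projects);
  if (mode !== 'resetPassword') return { status: 'unsupported', project: project.id };
  const email = await auth.verifyPasswordResetCode(project, oobCode);
  await auth.confirmPasswordReset(project, oobCode, newPassword);
  return { status: 'ok', project: project.id, email };
}

// Constructed sample data (placeholder key and code, not real credentials).
const PROJECTS = [{ id: 'test13013', apiKey: 'EXAMPLE_KEY' }];
const SAMPLE_LINK = 'https://test13013.firebaseapp.com/__/auth/action' +
  '?mode=resetPassword&oobCode=EXAMPLE_CODE&apiKey=EXAMPLE_KEY';
const fakeAuth = {
  async verifyPasswordResetCode(project, code) {
    if (code !== 'EXAMPLE_CODE') throw new Error('invalid or expired code');
    return 'user@example.com';
  },
  async confirmPasswordReset() {},
};
```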

Harold Ibouanga

Oct 16, 2017, 7:55:36 PM
to Firebase Google Group
Hi Bassam,

Thanks for the support. In fact, I'm using Firebase in REST API mode, so I'm not going to put the API key on the landing page. I use it on the server side instead. I agree that by listening to the network, a malicious person can easily find the API key, but it seems tougher than inspecting the code on the client side.

Since Firebase Auth adds throttling to lookup APIs, such an attack is not feasible; it looks great.

Thanks