I am new to Firebase and I am working on an iOS project in which I want to send OTP(One Time Password) to the email id given by a user.
Can I use below method to include any OTP? Or is there any method/way in firebase so that I can send an email with custom email body.
Note: I am not using any web service.
-(void)sendEmailVerificationWithCompletion:
(nullable FIRSendEmailVerificationCallback)completion
{
}
There is currently no way to change the message that is sent for an email verification or password reset request.
Firebase Authentication has no built-in support for one-time passwords or two-factor authentication. If you need those for your project, you can implement that with another provider and then mint a custom Firebase Authentication token for the user. You will need a server for that though, as minting this token requires use of your account credentials.
Through Firebase it is not possible except custom firebase authentication token mentioned above by Frank. Perhaps you should use your own database and from there you can send the OTP.
Related
My use case is something like this.
I'm developing a rest api and single page web application.
But I don't want to store my user credentials (email, password) with me.
I want to store it in more secure place. From that place I need to verify credentials and issue tokens, as well as first time user register with the system that user's email ID should be verified and also If an user forgot his password there should be a way to reset it as well.
Finally in my node.js back-end I need to protect my routes from unauthorized accesses.
Do I can achieve all this things using a authentication service provider.
I go through the firebase docs and found It is little bit harder to implement my what I want using the firebase.
Is authentication services capable to provide reset password and email verification and store user credentials.
Or it just a token generator only?
If you are asking if Firebase Auth provides the ability to generate tokens for verified email/pass credentials it securely stores with email verification and password reset, the answer is yes. Learn more from their official documentation: https://firebase.google.com/docs/auth/web/password-auth
They also provide the ability to issue session cookies better suited for a Node.js server side managed sessions: https://firebase.google.com/docs/auth/admin/manage-cookies
You don't need to store the credentials. Firebase Auth will store them for you using industry best practices.
I am fairly new to Swift and I am required to develop an app which authenticates username and password through a REST API in Azure. I have successfully called the API and received the JSON string for a valid user.
Now I want to make the user login to the app with his credentials after authentication, a session should be created so that user data persists after login and till he doesn't log out.
I am confused on how to create the session of the user. Can I get any resource where I can find how it is done?
PS: I don't want to use Parse or any other framework. I already have created custom API in azure which I call for retrieving data as JSON String.
The short version of this question is: If you use Firebase's OAuth capabilities to obtain a user's email address, do you still need to confirm/authenticate the user's email address yourself?
One of the usual benefits of using OAuth is that - depending on OAuth provider - you can get a confirmed email address, but is this really the case when using Firebase for a webapp, e.g. with a binding like AngularJS?
After a user authenticates, there seems to be two data objects - authData available to the client side, and auth available for security rules on the server side. While authData contains details such as name and email, but auth contains just a Firebase uid plus provider. Therefore, if I am to obtain that user's email address, it must be provided by the client, and hence can't (in theory) be trusted?
Based on my understanding of Firebase's documentation, if I were to use GitHub OAuth for my app, I'd need to do something like the following:
Get user's to log in/create account with Firebase/GitHub
Client JS retrieves the email address from GitHub OAuth response
Client JS "submits" this email for confirmation - could be done multiple ways
Email address should be saved in Firebase with status "unconfirmed" (such a field being read-only to the user)
I need my own server-side logic to process such email submissions and send a confirm email request, e.g. through something like Mandrill
I need additional server-side logic to receive the clicked confirmation and mark the email address as "confirmed" in Firebase
Therefore Firebase can help me with steps 1-3, but steps 4-6 need to be done via my own server-side code?
The answer to this question is therefore a Yes/No, but with some justification/explanation!
Thanks to #Kato for confirming my assumptions in the question were correct, so I'll explicitly provide this as an answer, as well as provide an alternative I hadn't thought of.
So the short answer is, "Yes, you need to obtain or verify the user's email yourself when using Firebase OAuth", and the steps I listed above is one way.
An alternate approach that still requires server-side code but doesn't require emailing, would be to have the user write their token to their users table entry and then have server side code use that to retrieve the verified email address from the provider themselves. e.g. with a GitHub authorization token and appropriate scope, you can retrieve the user's verified email and not then need them to verify it to you again.
I need to provide a way to update, via API, some user informations in the mobile app like email, name and also the password(is optional; solution for that).
My problem is that because I'm using the API to change those data, how do I keep this secure ? what is the solution for updating the information only if my user is logged on the app. And how my API would know that it really is the user trying to change his informations and not someone trying to hack or something.
I'm using Rails 4 and Devise for authentication.
While signup and login generate a authentication token and send in the response.
Once the token is received by the app it can store it in local storage and will send this authentication token every time it sends a request to the server. This is how you will get to know that the user authentic and when the user logs out of the app delete that token from the app's local storage.
I use rails as backend for ios applications. So far i have been using devise as it looks flexible and comfortable to use with less effort . And i have read about omniauth and that too looks easy to integrate with devise. My question is, consider my ios app requires authentication and the following are the different methods that i should be able to allow user to do
Login using email and password
Login using Facebook account
Login using Twitter account
Login using email can be handled by the devise itself but how about login using Facebook and twitter? Actually in one of my project i came up with the following approach which has all three of these login process. The ios app authenticates the user from the device(not devise) itself and sends the user information like username, email etc whatever required along with auth type so i save this a separate user with username that is sent and one of the field as password. And the next time he sends me these details i allow him to login to the app. But now i realised this is not the best way to do. I read about FBgraph which can be used to verify the access token validity, so should i get the token from user and then verify it and get the profile information and save it in user model and give them the token.
Also i have another doubt which is, For login using email and password i allow user to login through email and password and then for the each requests the user sends me the username and password. Is this is alright or do i have to create a token in login request and send the token as response and then the user can send the token for all the other request he makes.
Sorry if it is confusing but to tell you shortly i need to know what should i do if i have all these three login process. Any help is greatly appreciated. Thankyou
There are couple things to consider when dealing with external applications like on other devices:
You should use an API to communicate with your Rails server
Your server should send an authentication token after the first user authentication using his email and password. It is not a good idea to send user's email and password for each requests.
Devise
Devise is great for authentication both in-app and for remote applications using the token_authenticatable hook. This will allow any registered user to have a unique secret token to use in order to be authenticated on your server.
More information here
OAuth2
OAuth2 is becoming the standard way to authenticate on remote services giving the user the possibility to use his Facebook account to login for example.
This would be the easier way to allow your users to authenticate using their Facebook or Twitter account (note that twitter will not give you the user's email address).
Devise can handle OAuth2 clients.
Finally, you could also create your own OAuth consumer to authenticate users using your service. Doorkeeper is a great gem to protect your API endpoints and to allow users to use OAuth2.
Conclusion
Devise is great for authentication. Using their token module coupled with OAuth2 integration could do the trick in your case.
Here is the OmniAuth wiki page from Devise
Here is the Simple Token Authentication wiki page from Devise