I have a firebase powered app. The requirement is to update the account password by typing the currentPassword and the newPassword.
On the server (firebase cloud function + admin sdk) I need to check if the provided currentPassword is valid.
When an account is created for the first time, firebase automatically encrypts the password, and gives me back only the hash.
The problem is - this encryption is done automatically, under the covers.
Without having access to the encryption method, I can't obtain the hash of the currentPassword in order to compare it to the stored hash of the real password, to see if these 2 hashes match.
So how can I check if the currentPassword is valid? How to get access to the same method firebase-auth uses for encryption?
I couldn't find anything relevant so far. Am I using the wrong approach here? Why is it so hard to find it?
If you haven't yet connected your app to your Firebase project, do so from the Firebase console. Enable Email/Password sign-in: In the Firebase console, open the Auth section. On the Sign in method tab, enable the Email/password sign-in method and click Save.
Hey Tamim, this is the mechanism where you first ask the user to provide their existing password first. You re-authenticate with that. If successful, you then can ask the user for the new password and call updatePassword API to update the user's password. It is exactly what you are asking for.
To do so securely, after a successful sign-in, send the user's ID token to your server using HTTPS. Then, on the server, verify the integrity and authenticity of the ID token and retrieve the uid from it. You can use the uid transmitted in this way to securely identify the currently signed-in user on your server.
I'm not quite sure that you can verify the password with a cloud function. The point is to make sure that hackers would not be able to recover users' passwords even if they somehow hacked into the server; if you can recover the passwords by knowing the hash and salt, why wouldn't the hackers? However, you can do that in your app:
firebase.auth().currentUser.reauthenticateWithCredential(firebase.auth.EmailAuthProvider.credential(firebase.auth().currentUser.email, oldPassword));
Also, just to provide an alternative way for users who want to change their password, just send them a reset password email, this way, it's quite safe and they won't have to enter their old password:
firebase.auth().sendPasswordResetEmail(firebase.auth().currentUser.email)
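The re-authenticate-then-updatePassword flow described in the two answers above, as an added example (not code from the original post or from Firebase): it assumes the v8/compat web SDK API shape (`firebase.auth()`, `EmailAuthProvider.credential`, `reauthenticateWithCredential`, `updatePassword`) and injects the `firebase` namespace so a constructed stand-in can exercise it offline; `Outcome`, `changePassword` and `makeFakeFirebase` are names chosen here.

```javascript
// Map SDK outcomes to values the UI can show; the raw SDK error never reaches the user.
const Outcome = Object.freeze({
  UPDATED: 'updated', WRONG_PASSWORD: 'wrong-password', WEAK_PASSWORD: 'weak-password',
  NOT_SIGNED_IN: 'not-signed-in', ERROR: 'error',
});

// `firebase` is the v8/compat namespace, injected so the flow can run offline below.
async function changePassword(firebase, currentPassword, newPassword) {
  const user = firebase.auth().currentUser;
  if (!user || !user.email) return Outcome.NOT_SIGNED_IN;
  // Step 1: Firebase checks currentPassword against its own stored hash;
  // neither the client nor your server ever needs the hash or salt.
  const credential = firebase.auth.EmailAuthProvider.credential(user.email, currentPassword);
  try {
    await user.reauthenticateWithCredential(credential);
  } catch (err) {
    // 'auth/wrong-password' is the classic code; projects with email enumeration
    // protection report 'auth/invalid-credential' instead.
    const wrong = err.code === 'auth/wrong-password' || err.code === 'auth/invalid-credential';
    return wrong ? Outcome.WRONG_PASSWORD : Outcome.ERROR;
  }
  // Step 2: only a freshly re-authenticated user may set the new password.
  try {
    await user.updatePassword(newPassword);
    return Outcome.UPDATED;
  } catch (err) {
    return err.code === 'auth/weak-password' ? Outcome.WEAK_PASSWORD : Outcome.ERROR;
  }
}

// Constructed stand-in for the slice of the SDK the flow touches, so it can be
// exercised offline; it is not the real Firebase client.
function makeFakeFirebase(storedPassword, signedOut = false) {
  const state = { password: storedPassword };
  const fail = (code) => Object.assign(new Error(code), { code });
  const user = {
    email: 'user@example.com',
    async reauthenticateWithCredential(cred) {
      if (cred.password !== state.password) throw fail('auth/wrong-password');
    },
    async updatePassword(pw) {
      if (pw.length < 6) throw fail('auth/weak-password'); // Firebase's minimum length
      state.password = pw;
    },
  };
  const auth = () => ({ currentUser: signedOut ? null : user });
  auth.EmailAuthProvider = { credential: (email, password) => ({ email, password }) };
  return { firebase: { auth }, state };
}
```

In the app, call `changePassword(firebase, currentPassword, newPassword)` with the real `firebase` global and switch on the returned `Outcome`.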
passwordHash and passwordSalt are only available when you retrieve the user information via a call to listUsers(). Therefore they are only useful if you ever migrate user data from Firebase Auth to a different user management system.