1

I've been using Firebase's REST Auth API and everything's been great so far.

I'm trying to implement a password change feature (not reset, change), and I want to ask the user for the current password, validate it, then allow them to set their new password. Reading over the documentation, I see two approaches I can take:

  1. Use the password to re-login and check for a 200 return code. The issue with this is that the previous idToken will expire and I'll have to reset my Redux state—which isn't too bad.

  2. I know I can obtain the user's password hash , and if there's a way I can obtain Firebase's hashing algorithm, apply it, and compare to the database's password hash, I can also verify the password. This method just seems like a lot of work.

Is there a more straightforward approach, or am I best off sticking with option 1?

Improve this question
3
  • Why do you need to verify the current password? Isn't your user logged in ? Commented Jul 30, 2021 at 18:07
  • @Dharmaraj Isn't it standard to ask the user to verify their current password? If a user leaves their phone on the table, they may get their password changed without them knowing. Commented Jul 30, 2021 at 18:09
  • You are right . I didn't consider 'user leaves their phone' case. Commented Jul 30, 2021 at 18:10

1 Answer 1

Reset to default
1

Approach 1:

Asking user to enter their password sounds good but that's redundant and the API call of resetting password does not depend on that. So anyone can just make a direct API request to change the password.

Approach 2:

This kind of sounds overkill to me. Also you'll have to deal with complex flow with scrypt and chances of someone bypassing it still exists.

I would go with approach one but to prevent someone from bypassing it, I'll perform the password reset part in a Cloud function. Because you are getting a new token which is just generated after user has entered the password, you can compare the timestamp of token creation (auth_time property) in the Cloud function. If it is older than N minutes, ask the user to enter password again.

The auth_time property of decoded id token is the time, in seconds since the Unix epoch, when the end-user authentication occurred. You could also use iat which is the time at which this ID token was issued but that token could be of the older session (when user had not entered the password).

You can then update user's password using Firebase Admin SDK's updateUser method.

Do note that this does not prevent anyone who gets the ID Token from a device where a user is already logged in from changing the password using REST API directly. This is just a workaround to get the desired password change flow. It's up to the user to prevent any malicious user from getting physical access to their device.

Improve this answer
Sign up to request clarification or add additional context in comments.

8 Comments

Hey Dharmaraj :). So with the first approach, the current password isn't a part of the reset password API, but the user's idToken is, which can only be obtained by logging into the account. So anyone not on the current authenticated device will not have access to the idToken without having the user's login credentials. Anyone who tried to change the password on the authenticated device (and thus have the idToken as part of state) will need to type in the current password. Does this sound safe to you?
@SamLiu this is purely a workaround to get desired auth flow... if anyone gets the id token from a device where use is already logged in, they can still change the password using the REST API. But if you want to prevent changing passwords directly from your web app you can make route that process through a cloud function as mentioned in answer.
What do you mean by cloud function. I was thinking of using another one of Firebase's API <a href="firebase.google.com/docs/reference/rest/…> to make the password change.
@SamLiu my intention to say that was, the API you are referring to can be used just with existing ID token that user has and does not require you to ask password to the user before hand. (but so do using Cloud function is). The auth flow you are trying to create whether it be approach 1 or 2 is redundant and just for sake of asking user.
Oh, I see what you're saying now—anyone with an idToken can bypass the current password request in the app and just directly make the API call with that idToken. One more question: is it even possible for someone to get the idToken? It's in the Redux state of my application; is there a way for someone to extract that value in a production app?
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.