Firebase password reset customization - node.js

I need to change the forgot-password link in Firebase Authentication template emails from a URL to a 6-digit verification code only.
The code will be generated on 'forgot password' and emailed to the user; once received, the user would need to enter this verification code into the app, and after confirmation he/she can change their password. How can I achieve this in Firebase?

If you check the Customize account management emails and SMS messages documentation, you can see that the oobCode is generated and added directly to the URL, and you cannot generate it any other way.
In this community post a problem similar to yours is discussed, and the proposed solution is to generate your own verification mechanism; although it is possible, it represents a lot more work on your end than using the pre-existing email-with-URL configuration.
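The "own verification mechanism" the answer points at, as an added worked example (not code from the question, the answer, or Firebase): a stateful 6-digit reset code in Python. It assumes an in-memory store standing in for Firestore or Redis, a per-deployment `PEPPER` secret, and a `set_password` callable that in production would wrap `firebase_admin.auth.update_user(uid, password=...)`. Because a 6-digit code has only a million values, the example's safety rests on three checks the paragraph does not spell out: a short lifetime, a small guess budget, and single use, with the database holding only an HMAC of the code rather than the code itself.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # a 6-digit code has only 10**6 values, so keep it short-lived
MAX_ATTEMPTS = 5             # ...and cap guesses: 5 tries is a 5/10**6 chance per issued code
# Assumption: per-deployment secret keying the stored HMACs; load it from a secret store in production.
PEPPER = secrets.token_bytes(32)


def _code_mac(uid, code):
    """HMAC of the code bound to the uid, so the store never holds the plaintext code."""
    return hmac.new(PEPPER, f"{uid}:{code}".encode(), hashlib.sha256).digest()


class ResetCodeStore:
    """In-memory stand-in for a Firestore/Redis collection of pending codes (constructed for this example)."""

    def __init__(self):
        self._pending = {}   # uid -> {"mac": bytes, "expires": float, "attempts": int}

    def issue(self, uid, now=None):
        """Create a fresh code for uid (replacing any older one) and return it for emailing. Never log it."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[uid] = {"mac": _code_mac(uid, code), "expires": now + CODE_TTL_SECONDS, "attempts": 0}
        return code

    def verify(self, uid, submitted, now=None):
        """Consume the pending code for uid if `submitted` matches; expired, exhausted or wrong codes fail."""
        now = time.time() if now is None else now
        row = self._pending.get(uid)
        if row is None:
            return False
        if now > row["expires"] or row["attempts"] >= MAX_ATTEMPTS:
            del self._pending[uid]          # dead code: drop it so it cannot be guessed later
            return False
        row["attempts"] += 1
        if not hmac.compare_digest(row["mac"], _code_mac(uid, submitted)):
            return False
        del self._pending[uid]              # single use
        return True


def complete_reset(store, uid, submitted_code, new_password, set_password, now=None):
    """Verify the emailed code and only then change the password via set_password(uid, new_password).
    Assumption: in production set_password wraps firebase_admin.auth.update_user(uid, password=new_password)."""
    if not store.verify(uid, submitted_code, now=now):
        return False
    set_password(uid, new_password)
    return True
```

The client-facing endpoints would be `issue` (behind the "forgot password" button, emailing the returned code) and `complete_reset` (taking uid, code and new password); both belong on a server or Cloud Function, since the Admin SDK call must never run in the app.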

Related

Maintain document signing progress when using JWT grant

Building an app where I have to generate documents for users to sign (where the users are not employees who are part of the DocuSign account). Based on the docs here: https://developers.docusign.com/platform/auth/, I should be using a JWT Grant for authentication.
My question is: when any user opens up the document to start signing, is there a way to maintain the progress that the user has made while keeping embedded signing? I've seen the "Finish Later" button, but that sends an email to the user.
The status of the signing for the specific user is maintained by DocuSign. If they go back to sign again, they'll see whatever progress they made so far. In order to do that, you'll have to call the same API to generate a new embedded signing URL for the same user, the same way you did the first time. You can completely avoid having any emails sent to the user if that's what you want.
Final comment - all of this has nothing to do with JWT. You can use JWT or use Auth Code Grant and the rest is the same.

Azure B2C - Display Control - Send email verification with Mailjet

I am following the sample as well as the document that describes custom email verification with Mailjet. I get the password reset journey to work but cannot figure out why I have 2 sets of UI elements as shown in the pic. The one below seems to be the one configured to use Mailjet because the email is formatted as I specified in Mailjet. The one on top sends with the default MSFT email verification format.
Thanks for your help! :)
You must have an OutputClaim verified.Email in your technical profile that also references your DisplayControl. Remove that output claim and it'll disappear, leaving only the custom email control.

Parse-server/Heroku email account verification not working

I am trying to implement the email verification system on Parse-Server (/Heroku) when a user account is created, so that the user can confirm his/her account creation.
These things are working well:
I can create a working account.
The user receives the verification email that is expected.
The problem is this:
When the user clicks on the link inside the verification email, this is what appears in the browser:
{"error":"unauthorized"}
Has anyone seen a similar issue and knows how to solve it?

Firebase: stopping spam to my database

I have a webapp that I would preferably like users to be able to interact with without having to sign up. Although there are many features, let's consider one: clicking a "like" button - I would like users to only be able to click "like" once. Without user accounts, my Firebase is open to spam (someone could get the URL to my Firebase and constantly submit data to my database; the only thing that prevented this was client code, but the spammer could easily bypass it by running their code elsewhere).
So I considered Firebase's anonymous accounts feature; each anonymous account would only be able to vote once during their session and I would store votes on user local storage. This too can be bypassed if a spammer constantly makes a new anonymous account and clears their storage. In fact, they wouldn't have to clear their storage as the storage check occurs in client code, which is easily bypassable.
So now I am considering Firebase's email account feature. As I was coding it, I realized: what stops a spammer from entering a ton of fake email addresses? This could fill up my db quickly with unnecessary accounts and could also lead to spam of the "like" button. Does Firebase check if the email is valid? Would Firebase send a confirmation email that the user would have to verify?
Firebase provides an email verification feature. It sends a verification code to the user's email ID.
You can use it to verify the user's email. It will send a unique token to the user's email. Firebase Authentication sets a flag for email verified. You can check it on your landing page, and if it's set to false, do not allow the user to perform any task. Unless the user clicks on that token, the flag will remain false.

Secure way to send "reset password" link

I'm developing a web application using Django.
Currently I am working on sending a "reset password" link through email (Amazon Simple Email Service - SES).
The mechanism I used is the same as the one in the answer by "simeonwillbanks" at the link below:
Secure ways to reset password or to give old password
Give users a reset password option.
This option saves a unique token for a user. The token eventually expires (hours, day or days).
A link is emailed to the user which includes the token.
User clicks on the emailed link.
If the token exists and isn't expired, the link loads a new password form. If not, don't load the new password form.
Once the user sets a new password, delete the token and send the user a confirmation email.
What worries me is that I am not sure this approach is safe in terms of security. What if the email is captured by a hacker?
I tested on several major websites how they handle this:
get a "reset password" email and copy the link.
give the link to someone else and see if he can change the password on my account.
From this test, I figured out that somebody else can also change my password with only the link.
If I cannot do anything about the link, is there a way to make the email more secure?
Something like the mechanism of SSL (HTTPS) on websites?
Thanks!
It's somewhat secure, though it's toast if the user's email was compromised.
I prefer using an HMAC in the URL, which avoids storing tokens in the DB.
If you include the user's IP address in the URL, and in the HMAC, you can be sure the reset link click came from the same computer (router actually) that requested the reset, and that it can't be shared.
Instead of the IP, you could set a device cookie with the username/email and an HMAC, and then check this when the reset link comes in from the email.
The system should ask the user the answer to a secret question after he clicks the link. Even better, send an SMS to his mobile with a short random code and ask for that. This is called multi-factor authentication: https://en.wikipedia.org/wiki/Multi-factor_authentication
Then show the change password form (over HTTPS of course).
While we're here, you should display the same "success" message whether or not the user has an account, to avoid user enumeration attacks.
Also, use a localhost MTA relay or asynchronous email so that a hacker can't tell whether you sent an email (a slow response would indicate that a user exists).
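The HMAC-in-the-URL variant from the answer, plus its two anti-enumeration points, as an added worked example in Python (the language of the Django app in the question; this is not code from the question, the answer, or Django). It assumes a constructed in-memory `USERS` table, a per-process secret standing in for `settings.SECRET_KEY`, and an `outbox` list standing in for an asynchronous mail queue. Instead of binding the link to the client's IP address (which NAT and mobile carriers change under the user), the MAC covers the account's current password hash, so the link stops verifying as soon as it has been used, which is the single-use property the DB-token scheme got from deleting the token.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: per-process secret as a stand-in; in Django derive the key from settings.SECRET_KEY
# so tokens survive restarts and work across workers.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 60 * 60
NEUTRAL_REPLY = "If an account exists for that address, a reset link has been sent."

# Constructed stand-in for the user table: user id -> record.
USERS = {
    "42": {"email": "alice@example.com", "password_hash": "pbkdf2_sha256$600000$salt$oldhash"},
}


def _mac(user_id, expires, password_hash, secret):
    """HMAC over user id, expiry and a digest of the *current* password hash.

    Including the password hash (as Django's own PasswordResetTokenGenerator does) makes the link
    single-use without storing anything: once the password changes, the MAC no longer verifies.
    """
    msg = f"{user_id}|{expires}|{hashlib.sha256(password_hash.encode()).hexdigest()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_reset_token(user_id, secret=SERVER_SECRET, ttl=TOKEN_TTL_SECONDS, now=None):
    """Stateless token `<uid>.<expiry>.<hmac>` to embed in the emailed link."""
    expires = int((time.time() if now is None else now) + ttl)
    return f"{user_id}.{expires}.{_mac(user_id, expires, USERS[user_id]['password_hash'], secret)}"


def verify_reset_token(token, secret=SERVER_SECRET, now=None):
    """Return the user id the token is valid for, or None if malformed, expired, forged or already used."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    user_id, expires_s, tag = parts
    user = USERS.get(user_id)
    if user is None or not expires_s.isdigit():
        return None
    expires = int(expires_s)
    if (time.time() if now is None else now) > expires:
        return None
    expected = _mac(user_id, expires, user["password_hash"], secret)
    if not hmac.compare_digest(expected.encode(), tag.encode()):   # constant-time comparison
        return None
    return user_id


def request_reset(email, outbox, now=None):
    """Always return the same message and only *queue* the email, so neither the text nor the
    response time reveals whether the address is registered (`outbox` stands in for an async queue)."""
    for user_id, user in USERS.items():
        if user["email"] == email:
            outbox.append((email, make_reset_token(user_id, now=now)))
    return NEUTRAL_REPLY


def set_new_password(token, new_password_hash, now=None):
    """Second step: only a token that still verifies may change the password."""
    user_id = verify_reset_token(token, now=now)
    if user_id is None:
        return False
    USERS[user_id]["password_hash"] = new_password_hash
    return True
```

The reset view would call `verify_reset_token` before rendering the new-password form and `set_new_password` on submit; the second factor the answer recommends (secret question or SMS code) would sit between those two calls.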
