2

I want the user to be able to login with phone and password.

If the user enters the app for the first time, he is registered by validating his phone number; that's the current state at Firebase. But I don't want to send an SMS code to the user every time he wants to log in.

Now in the next step of the authentication the user should enter an email and a password, so I can link the credentials with the phone. The user is now able to log in with email and password and with phone and verification code.

But I want to have the function that the user can log in with phoneNumber and password. So I can write a cloud function for "doesPhoneNumber" exist which goes through the user-db and tells me if the user can log in or has to sign up.

The next function is now my actual problem: I want to send the phone number and the password to an extra cloud function to receive the authToken, but how can I verify if the credentials are correct within that function?

nixn

2 Answers

1

It can be achieved using a Firebase custom token.

The cloud function needs to save the registered phone and password first.

When the client requests to log in, the cloud function then does a query to validate the phone and password. If it is valid, the cloud function will create a custom token and send it back in the response.

The client then uses that custom token to log in to Firebase Auth. The documentation for signing in with a custom token can be seen in:

Another solution is to make the phone number an email by putting @somesite.com at the end of the number. For example 08234545@somesite.com, then make the client sign in with email and password.

Faruk
  • And how would you validate the password without storing it in the database? – nixn Mar 16 '18 at 19:28
  • Well, there is another "hack" solution: make the phone number an email. For example 012345@site.com. So you can use sign in with email and password – Faruk Mar 16 '18 at 21:03
  • By this approach you disable the ability for users to get their passwords reset. – nixn Apr 02 '18 at 14:34
  • Nope, we can still easily update the user password using the Firebase Admin SDK directly without sending a password reset to email. The documentation can be read at https://firebase.google.com/docs/auth/admin/manage-users#update_a_user – Faruk Apr 03 '18 at 03:59
  • You can use Firebase Cloud Functions or your own server to create a web service for updating / resetting the password. There is a security risk, but you can make it more secure: instead of sending the userId as a parameter, you can send the `idToken` for the server to verify. – Faruk Apr 03 '18 at 04:03
  • @faruk The Firebase Admin SDK allows creating users with phone number and password; is there any way to log in with phone number and password? – Vino Sep 03 '18 at 18:24
  • You can find the email of the user that has that phone number, and then use the Firebase Javascript SDK to sign in with email and password. See this question: https://stackoverflow.com/questions/51752457/firebase-verify-email-password-in-cloud-function/51755426#51755426 – Ricardo Smania Apr 03 '19 at 12:36
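
The custom-token flow from the answer above, including the password check that the first comment asks about, as an added example that is not code from the thread. It keeps a salted scrypt hash instead of the password and compares in constant time. The in-memory `Map`s, the attempt limit and the `mintToken` parameter (standing in for a call to the Admin SDK's `createCustomToken`) are assumptions.

```javascript
const crypto = require('node:crypto');

// Assumptions: these Maps stand in for a database collection, and mintToken
// stands in for uid => admin.auth().createCustomToken(uid).
const users = new Map();     // phone -> { uid, salt, hash }
const failures = new Map();  // phone -> consecutive failed attempts
const MAX_FAILURES = 5;      // constructed limit; production would add a time window

function derive(password, salt) {
  return crypto.scryptSync(String(password), salt, 32, { N: 16384, r: 8, p: 1 });
}

// Registration stores a random per-user salt and the scrypt output,
// never the password itself.
function register(phone, password, uid) {
  const salt = crypto.randomBytes(16);
  users.set(phone, { uid, salt, hash: derive(password, salt) });
}

// Unknown phone numbers are checked against this record so they cost the
// same work and yield the same answer as a wrong password.
const DUMMY = { uid: null, salt: crypto.randomBytes(16), hash: crypto.randomBytes(32) };

// Returns mintToken(uid) for valid credentials, null otherwise.
function login(phone, password, mintToken) {
  if ((failures.get(phone) || 0) >= MAX_FAILURES) return null; // locked out
  const rec = users.get(phone) || DUMMY;
  const match = crypto.timingSafeEqual(derive(password, rec.salt), rec.hash);
  if (match && rec.uid !== null) {
    failures.delete(phone);
    return mintToken(rec.uid);
  }
  failures.set(phone, (failures.get(phone) || 0) + 1);
  return null;
}
```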
0

You shouldn't handle your users' login.

There are endpoints available for each platform for logging in. Those endpoints tell you whether the login was successful or not and return your desired user information.

Read more: https://firebase.google.com/docs/auth/

Sebastian Schneider