在Firebase Admin中验证无密码电子邮件注册 [英] Verifying password-less email signup in Firebase Admin
问题描述
我正在尝试让我的应用程序用户通过电子邮件+链接(无密码)登录.基于
I'm trying to have users of my app sign in by email + link, password-less. The client (written in React Native) asks for the sign-in link using the Javascript SDK like so, based on this answer:
var actionCodeSettings = {
// URL you want to redirect back to. The domain (www.example.com) for this
// URL must be in the authorized domains list in the Firebase Console.
url: `${BASE_URL}/verifyEmail?email=${email}`,
// This must be true.
handleCodeInApp: true,
iOS: {
bundleId: BUNDLE_ID
},
android: {
packageName: BUNDLE_ID,
installApp: true,
minimumVersion: '12'
},
dynamicLinkDomain: 'myapp.page.link'
};
await firebase.auth().sendSignInLinkToEmail(email, actionCodeSettings)
}
然后,用户打开电子邮件并单击登录链接.理想情况下,它会深度链接回应用程序,但万一没有发生(例如,它们在另一台设备上执行),我仍然需要它来验证其在我的服务器上的电子邮件地址,即NodeJS.我的/verifyEmail 处理程序应该执行此操作.根据此答案,Firebase管理员SDK无法再验证操作代码.建议使用 Firebase管理REST API ,它说可以有效地做到:
Then the user opens the email and follows the sign-in link. Ideally it deep links back to the app, but in case that doesn't happen (e.g. they do it on a different device), I still need it to verify their email address on my server, which is NodeJS. My /verifyEmail handler should do that. According to this answer, the Firebase admin SDK can't verify action codes anymore. It suggests using the Firebase admin REST API, which says to effectively do:
curl 'https://identitytoolkit.googleapis.com/v1/accounts:update?key=AIzaSyCrFbTvuObVGlmGv9MK2sZ9MyS-VCkN--8' \
-H 'Content-Type: application/json' --data-binary '{"oobCode":"9LRoycB4fFrycmyLreYnjcAzxsGnwIpd9ub5tkpX_EQAAAF2-d9GoQ"}'
但是我得到的结果是 INVALID_OOB_CODE .为了进行测试,我将电子邮件链接中的OOB代码直接复制到了该cURL命令中,而没有单击它.
But I'm getting INVALID_OOB_CODE as a result. To test, I copied the OOB code from the email link, without clicking it, directly into that cURL command.
我做错了什么?查看Javascript客户端SDK的源代码,applyActionCode似乎以相同的方式调用了我在此处调用的相同端点.我在想这种方法可能仅适用于验证电子邮件/密码注册,但是如果是这样,我该如何在没有密码的情况下注册某人?
What am I doing wrong? Looking at the Javascript client SDK's source, it seems that applyActionCode calls the same endpoint I'm calling here in the same way. I'm thinking maybe this method only works for verifying an email/password signup, but if so, how do I sign up someone without a password?
我唯一想到的解决方法是在/verifyEmail 中对oobCode进行哈希处理,将哈希值截断为用户友好的验证代码,将验证链接存储在服务器端,并要求用户在应用程序中输入该代码,以检索要与 EmailAuthProvider.credentialWithLink 一起使用的验证链接.如果时间过多,请拒绝.这是不可取的.
The only workaround I can think of is in /verifyEmail to hash the oobCode, truncate the hash down to a user-friendly verification code, store the verification link on the server side, and ask the user to input that code in the app in order to retrieve the verification link to be used with EmailAuthProvider.credentialWithLink. And reject if too much time passes. That's undesirable.
推荐答案
我最终做了帖子最后一段中提到的解决方法.它有效,一个缺点是用户必须复制代码.它是oobCode SHA256的哈希值,已被截断并截断为6位十六进制字符串.在我的5分钟到期时间后,攻击者必须每秒猜测 16 ^ 6/(5 * 60)=〜55924 来破解.对我的应用程序足够好;这不是高风险的情况.
I ended up doing the workaround mentioned in the last paragraph of the post. It works, and the one downside is that the user has to copy the code. It's the oobCode SHA256 hashed and truncated to a 6-digit hexadecimal string. With my 5 minute expiration time, an attacker would have to make 16^6 / (5 * 60) = ~55924 guesses per second to crack it. Good enough for my app; it's not a high-stakes situation.
在Firebase中,这确实很容易实现.我应该只能在后端调用他们的API,以检查电子邮件验证代码的有效性.
This really needs to be easier from Firebase. I should just be able to call their API on my backend to check the validity of the email verification code.
这篇关于在Firebase Admin中验证无密码电子邮件注册的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
