防止“找不到电子邮件";调用“发送密码重置电子邮件"方法时,Firebase出现错误 [英] Preventing "Email not found" error from Firebase when calling Send Password Reset Email method
问题描述
我正在为我的Web应用程序使用Firebase身份验证和Javascript客户端库,以允许用户登录和注销.我已经实现了忘记密码"表单,以允许用户重设密码.提交此表单后,它将调用 sendPasswordResetEmail 方法.一切正常,密码已成功重置.
I'm using Firebase Authentication and the Javascript client library for my web app to allow users to log in and out. I've implemented a "Forgot Password" form to allow a user to reset their password. When this form submits, it calls the sendPasswordResetEmail method. This all works fine, the password is successfully reset.
handleSubmit = event => {
event.preventDefault();
firebase.auth().sendPasswordResetEmail(this.state.email)
.then(() => {
console.log("Success");
})
.catch(() => {
console.log("Shhhhh");
});
};
但是,如果我输入尚未注册的电子邮件,则会收到控制台错误,该错误记录了Firebase的400响应.开发工具中的网络"标签基本上说明未找到该电子邮件.据我了解,向用户提供此信息通常被认为是不良的安全做法(如果我错了,请纠正我).捕获错误(如我在上面所做的尝试)不会阻止此信息的记录.我还在生产环境中运行了代码,并得到了相同的结果.
However, if I enter an email that hasn't signed up yet, I get a console error that logs the 400 response from Firebase. The network tab in the dev-tools basically spells out that the email wasn't found. It's my understanding that surfacing this information to the user is generally considered poor security practice(please correct me if I'm wrong). Catching the error (as I've attempted to do above) does not prevent the logging of this information. I've also run the code in a production environment and gotten the same result.
这使我想到,在调用 sendPasswordResetEmail 方法之前,应该先检查电子邮件.但是,在SO中寻找类似问题时,似乎并没有商定在注册流程之外检查用户是否存在的最佳方法.您可以使用管理SDK 检查用户是否存在,但这需要特权环境(例如服务器).
The leads me to thinking that I should check for the email first before calling the sendPasswordResetEmail method. However, in searching SO for similar issues, there doesn't seem to be agreement on the best way to check for a users existence outside of the sign-up flow. You can check if a user exists using the Admin SDK, but this requires a privileged environment (like a server).
所以我想我的主要问题有两个:我可以/应该取消firebase sendPasswordResetEmail 方法中的找不到电子邮件"错误消息吗?如果是,怎么办?如果不是,确定电子邮件地址是否已用于登录Firebase应用程序的最佳方法是什么?
So I guess my main question is two-fold: Can/Should I suppress the "Email Not Found" error message from the firebase sendPasswordResetEmail method? If yes, how? If no, what is the best way of determining if an email address has already been used to sign in to my firebase app?
推荐答案
Big thanks to @Alchemist Shahed who pointed me to the fetchSignInMethodsForEmail method, which returns an array of signin methods for a given email. If the array is empty, then they have not signed in yet. I modified my above code to look like the following:
handleSubmit = event => {
event.preventDefault();
firebase.auth().fetchSignInMethodsForEmail(this.state.email)
.then(result => {
if (result.length > 0) {
firebase.auth().sendPasswordResetEmail(this.state.email).catch((error) => {
console.log("Error Sending Email", error);
});
}
.catch((error) => {
console.log("Error Reaching Firebase: ", error);
});
};
顺便说一句,Admin SDK显然没有 sendPasswordResetEmail 方法.但是,如果您希望从API调用 sendPasswordResetEmail ,则可以在服务器
As an aside, the Admin SDK apparently doesn't have a sendPasswordResetEmail method. However, if your preference is to call the sendPasswordResetEmail from an API, you can use both the Javascript SDK and Node.js SDK together on a server as described in this answer.
这篇关于防止“找不到电子邮件";调用“发送密码重置电子邮件"方法时,Firebase出现错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
