I create a Firebase Auth user with an email and password
User logs in
User decides to add a phone number to their profile
I call verifyPhoneNumber with an intent to receive a code, call PhoneAuthProvider.getCredential(...) and link resulting AuthCredential to the email and password.
Instead, Android auto retrieves the code, user automatically sign-ins with phone number, their UID changes (it's a new user) and there's no way to link phone credentials back to the original email/password user. To perform a successful link I need to see the SMS code, which is nowhere to be found in case of successful auto sign-in.
????
NO PROFIT.
Any ideas? I tried to set the timeout to 0 for verifyPhoneNumber but auto login still works. Accepting defeat and just link EmailAndPassword credentials to phone number instead of vice versa is not an option, because it will require a massive copying of data from old user record into new, changing all references to this UID everywhere, etc.
verifyPhoneNumber resolves with a PhoneAuthCredential.
It doesn't matter whether the code is auto-retrieved or instant validation occurs. A PhoneAuthCredential is outputted on verifyPhoneNumber completion.
That credential can either be used to signInWithCredential for sign-in or to link to an existing user via linkWithCredential.
Related
I am developing Android app using Firebase. Because of that, I want to use Firebase Auth. I have following requirements:
Register/Log in using Facebook
Register/Log in using Email/Password
Register/Log in using Phone Number/Password
The first two are OK, I followed basic tutorials. However, Phone Number / Password is the problem here. Firebase supports only Phone Number/SMS Token for this (its called Phone Auth), but there is no mention about my case. I do not want to hack Firebase and use its realtime database instead of Auth 'database'. Is there any better way to achieve this?
Thank you.
If you have both email and phone of your user and you can use Admin SDK, then perhaps you could exchange users phone number to his email and login with email and password in the background.
Something like this (node.js)
admin.auth().getUserByPhoneNumber(phoneNumber)
.then(user => {
firebase.auth().signInWithEmailAndPassword(user.email, password);
});
Firebase phone authentication is using OTP(one time password). This way there is no hassle for the user to remember the password. Once authenticated, you will be registered. The sms code acts as a password. But that is for one time. Usually , users prefer such behaviour in which you dont have to remember the passwords. If you are still looking for the way you want, see this link and create a custom authentication method.
https://firebase.google.com/docs/auth/android/custom-auth
I had a similar problem -
I combined firebase auth(email + password) with (phone+otp) to get phone+password auth -
https://medium.com/#shivampesitbng/firebase-phone-password-auth-in-vue-b94f15b8fb3d
Use Fake Email:
Well, Firebase doesn't support sign in with mobile number and password but it supports email and password. So you can create a fake email with your mobile number.
Ie: 78******69#yourdomain.com
Also, you can create a complete Authentication system using it.
Registration:
Input user mobile and password and proceed to the next page.
Now use Firebase Phone Auth (OTP) to createUser. If process success, link fake email, password credentials in background.
AuthCredential credential = EmailAuthProvider.getCredential(email, password);
auth.getCurrentUser().linkWithCredential(credential);
Login:
Input mobile and password to login. Convert the mobile in fake email and then signInWithEmailAndPassword().
Forget Password:
Redirect the user to a new Page and user Phone Auth to verify the user. If successful, input a new password and change the password of the Email Auth.
So i have this confirm activity. In the activity i have two buttons (submit & resend code). You press the submit button when you typed in the code you got via email or phone number through cognito. And you press "resend" when you have not received any code and would cognito to resend the verification code.
Question:
Is there a line of code to resend a verification code to aws cognito via android?
If not:
currently, i have this line of code:
cognitoUser.deleteUser(handler);
And then, I would recreate the user in cognito.
userPool.signUpInBackground(username, password, userAttributes, null, signupCallback);
But the exception that it throws when i try to delete user, is that the user is not authorized. So i cannot delete the user.
How do i handle the "resend code"? A reference to a documentation or the line(s) of code would be helpful!
You should be able to resend the confirmation code (if we are talking about the signup confirmation code) by calling resendConfirmationCodeInBackground on a cognitoUser
https://github.com/awslabs/aws-sdk-android-samples/blob/8957e9402cf7490bfa9c3939eabc92f1b7d4572e/AmazonCognitoYourUserPoolsDemo/app/src/main/java/com/amazonaws/youruserpools/SignUpConfirm.java#L199
deleteUser is an authenticated operation so you would need to authenticate the user first before calling deleteUser.
If you are talking about an attribute verification code, calling getUserAttributeVerificationCode would send the code and verifyUserAttribute would verify the sent code.
I encountered a very strange error when signing up a user using android 6 on a specific device.
The signup process works perfectly and the user is registered on Parse database. The code checks and if ParseUser.getCurrentUser() != null then the app sends the user to the main page and this all works till here.
However, I noticed that user is not able to send any requests to the server and it all rejects in the main activity and user can't even logout. The error I receive when logging out is:
com.parse.ParseRequest $ParseRequestException: This user is not allowed to add a field to _User. You can change this setting in the Data Browser.
It seems like the authenticated user object is not matched with the original user's token on server and that is why this user get ACL errors.
I am using Parse default signup and login functions and this has happened only on one device using android 6 so far. Any guess on what could cause this issue and how can I resolve this issue?
ParseACL roleACL = new ParseACL();
roleACL.setPublicReadAccess(true);
Add these lines after the user Parse.initialize() function. It allow user to create column in the table from mobile. Make sure the user is logged in otherwise it gives error.
I was successfully making an FQL query earlier today. Now when I try to make the same query I am getting the following message.
"error_code":190,"error_msg":"Error validating access token: The session has been invalidated because the user has changed the password."
I am making the query on my own account, and my password has not been changed. Any suggestions for why this may be happening?
Now I am getting this error.
"Error validating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons."
Based on above comments, this will be this issue.
The Single Sign On (SSO) in Android allows a user to authorise your app, and once they have done that they will be signed straight in on subsequent visits if they've signed in to Facebook for any application on the phone/tablet.
The downside of this is that the SSO remembers the token and if the token becomes invalidated (by a user de-authorising the app or by them changing password or other details), it will try to use it anyway. You MUST check for those two errors specifically as "isSessionValid() will return true, even though it's not. If you catch one of those two errors, you call the authorize method again.
So, in your case, trap that error, and call authorize().
Documentation from Facebook: http://developers.facebook.com/docs/mobile/android/build/#sso
I am writing an Android 2.2 app for my company. The app simply sends http get/put/post requests to perform certain operations. There is no real login procedure as the username and password have to be included in each http request.
I could see that there is AccountManager in Android. But since the username and password (instead of some auth token) are needed for each http request, how can it fit in? Obviously, I want to make it similar to other Android apps so that the user only needs to login once for the very first time and it won't prompt for username/password again when the app is re-launched.
Any suggestion is appreciated. Thanks!
I have developed an application like that, so here is how I solved it, in psuedocode.
But since the username and password
(instead of some auth token) are
needed for each http request, how can
it fit in?
1#: Make a first page, a login page. Let this View include two EditTexts (username and password) and one Button (login button).
2#: Make a login request on the Button click to see if you're getting a correct Cookie with HTTP header names that is corresponding with the values you are getting when you're logged in. Locate valid information via a network tool, like WireShark. For more information about the login procedure, check out my other answer here.
3#: If the username and password resulted in correct Cookie information, save the username and password in a SharedPreferences and make their values available through your application by assigning it into an Application class, read this for more info regarding global variables. If the values were incorrect and you did not get a valid Cookie, show it to the user via a message (Toast?).
4#: When you are trying to reach the authorized information, make a request by using the saved information in the Application class.
5#: Next time you're starting your application, make a check in onCreate() where you are checking if SharedPreferences contains user information, if so: see step 6#, otherwise wait for the user to start entering information.
6#: If the login page has determined user information, assign the SharedPreferences to the global Application state, finish the login Activity and start the authorized Activity instead. This will happen very fast, so the user wouldn't notice that the "login page" was displayed.
7# (extra step): In the authorized Activity, make sure to grab the user information from the Application instance. When doing the first request towards authorized content, validate the task as you did in step #3 in order to control if the user has changed the password on the website. If the user hasn't changed any information, start grabbing the response and you are free to do whatever you want.