Say the following happens:
User logs into my app with fb, creates some objects
User logs out
User logs in with email/password, creates some objects
User auth's with fb and ParseUser.getCurrentUser() is linked to fb account
User logs out
User logs in with fb.
Which parseobjects will now be loaded for ParseUser.getCurrentUser()? the original objects that were linked to the fb account? or the objects that were linked to the email/pass login account? or both?
Parse.com has special object (class) called "User"
This class has special field - "authData" where you can link your Facebook or Twitter account. (Please, see snapshot attached).
There are different mechanism for login your current Parse user:
1) via username and password
[PFUser logInWithUsernameInBackground:#"User Name"
password:#"Password"
2) via Facebook
[PFFacebookUtils logInWithPermissions:permissionsArray block:
for link PFUser with FB:
[PFFacebookUtils linkUser:[PFUser currentUser] permissions:permissionsArray block:
So, return to your question, this scenario should be avoided on "Sign Up/Sign In" phase. During registration you can ask "email/phone number" and use this data as starting point.
OR
Sign Up via Facebook than ask email (or move this possibility to User Profile Settings).
In other case, you will have 2 users (PFUser class) without possibility to merge them.
Related
Initially I was having phone OTP verification method to login into my application, later i have added Email / Password method to access the application. How do i merge or link or connect initial phone verified account data to new Email / Password account for the same user?
I want to access same user account by Phone verification and Email / password authentication in firebase realtime database. Is it possible to do?
My firebase structure is like:
- users
-uid
-name: "sam"
-contact: 9999900000
-age: 22
- books
-uid
-bookid
-bookname: "FOCUS"
-price: 355
I should be able to access same uid instead of creating new one by different sign in method. Please help me to do this.
And i also want to avoid everytime login using phone verification, want just by using email password method. phone should not be mandatory
I am trying to access the Twitter username after logging in via firebase to Twitter, but the .getDisplayName method returns the user's name, not the #
Any ideas?
I have tried this
FirebaseAuth.getInstance().getCurrentUser().getDisplayName()
But it doesnt give me the #
This information is available in AdditionalUserInfo.getUsername(), which you can get from the AuthResult when the user signs in.
It is not available from FirebaseAuth.getInstance().getCurrentUser().
My app have two user( buyer and seller).
I am tring to get current user email which is buyers but when i run the below code, it shows previously logged in user email which is the seller's one.
String userID= FirebaseAuth.getInstance().getCurrentUser().getEmail();
How to write firebase code to get current active user email.
Use this code snippet FirebaseAuth.getInstance().signOut(); to sign out the current user properly, after successfully signed out you can repopulate your user model from Firebase Auth/login in new user. Hope your problem will be solved with this.
When you go to the Auth > Sign-In Methods page of your project in the Firebase console. do you have One account per email address on or off? If you allow multiple accounts per email address, you will get null for FirebaseUser.getEmail()
I have been using Firebase Authentication in my app, and have noticed an issue with a particular use case.
I have enabled account linking sign up flow for my app, and thus I can attach multiple providers associated with a single email address.
Scenario 1: (Works fine)
The user has signed up with Google initially and sometime later, signs in in with Facebook or registers with email and password.
The account linking works fine and Facebook and/or Email is added in the provider list.
So, I can have 2 or 3 providers for the email, Google (initially), Facebook and Password (after that).
Scenario 2: (The bug)
The user has signed up with Facebook and/or Email initially and later signs in with Google, now the account linking doesn't work. Google replaces the previous providers present.
Account linking fails, and I just have Google as the sole provider associated with the email address and the others are gone.
In the second scenario, while signing in with Google, it should fail and throw FirebaseAuthCollisionException but it doesn't and succeeds. This is the main issue.
I can't paste the whole code here, but just a snippet for sure.
firebaseAuth
.signInWithCredential(credential)
.addOnFailureListener(exception -> {
if (exception instanceof FirebaseAuthUserCollisionException) {
mCredentialToLinkWith = credential;
if (mProviderList.size() == 1) {
if (mProviderList.contains(EmailAuthProvider.PROVIDER_ID)) {
mRegisterProviderPresenter.linkWithEmailProvider(credential, email);
} else {
linkProviderAccounts(email, AuthenticationHelper.getProviderToLinkAccounts(mWeakActivity, mProviderList));
}
} else {
linkProviderAccounts(email, AuthenticationHelper.getProviderToLinkAccounts(mWeakActivity, mProviderList));
}
} else {
Timber.d("Failed in signInWithCredential and unexpected exception %s", exception.getLocalizedMessage());
mRegisterProviderPresenter.onRegistrationFailed(new ErrorBundle(ErrorBundle.FIREBASE_ERROR, exception.getLocalizedMessage()));
}
})
.addOnSuccessListener(authResult -> {
Timber.d("Success: signInCred");
FirebaseUser firebaseUser = authResult.getUser();
/**
* Store the user details only for first time registration
* and not while acc linking
*/
storeUserCredentials(firebaseUser);
AuthenticationHelper.logUserDetails(firebaseUser);
mRegisterProviderPresenter.onRegistrationSuccess(mAlreadyRegistered);
});
Hope someone can come up with some help.
Facebook is a social identity provider and it doesn't own the emails. If an email is hacked, Facebook can't detect it and disable the account registered by this email. While Google is an email provider, its accounts are considered to be more secure.
Based on this theory, scenario 2 is different from 1. In scenario 1, the user has proved the ownership of this email by signing with Google first. So the user is allowed to add Facebook account using the same email. In scenario 2, Facebook sign in happens first and this provider record is untrusted, so it's removed when user signs in with another trusted provider.
Your code behavior is correct in both scenarios.
I faced the same issue and this is a supplemental answer for the question in the comment i.e.
Why is that after initially registering with a email & password, and then with Google, Google still replaces it?
I did some more exploration and found the answer here.
Pasting the relevant snippet.
If there is an existing account with the same email address but created with non-trusted credentials (e.g. non-trusted provider or password), the previous credentials are removed for security reason. A phisher (who is not the email address owner) might create the initial account - removing the initial credential would prevent the phisher from accessing the account afterwards.
The solution to handle this, i.e. to prevent Google from replacing the existing provider with Google, is to verify the email of the user.
So, after the user creates the account with email & password, or logs in with Facebook (or any other provider), send an email verification link to the user.
After the user verifies his/her email, then the subsequent Sign-in with Google will NOT replace the existing providers.
just use the email and password auth for the moment or a 3rd party plugin no solution so far
I am writing an Android 2.2 app for my company. The app simply sends http get/put/post requests to perform certain operations. There is no real login procedure as the username and password have to be included in each http request.
I could see that there is AccountManager in Android. But since the username and password (instead of some auth token) are needed for each http request, how can it fit in? Obviously, I want to make it similar to other Android apps so that the user only needs to login once for the very first time and it won't prompt for username/password again when the app is re-launched.
Any suggestion is appreciated. Thanks!
I have developed an application like that, so here is how I solved it, in psuedocode.
But since the username and password
(instead of some auth token) are
needed for each http request, how can
it fit in?
1#: Make a first page, a login page. Let this View include two EditTexts (username and password) and one Button (login button).
2#: Make a login request on the Button click to see if you're getting a correct Cookie with HTTP header names that is corresponding with the values you are getting when you're logged in. Locate valid information via a network tool, like WireShark. For more information about the login procedure, check out my other answer here.
3#: If the username and password resulted in correct Cookie information, save the username and password in a SharedPreferences and make their values available through your application by assigning it into an Application class, read this for more info regarding global variables. If the values were incorrect and you did not get a valid Cookie, show it to the user via a message (Toast?).
4#: When you are trying to reach the authorized information, make a request by using the saved information in the Application class.
5#: Next time you're starting your application, make a check in onCreate() where you are checking if SharedPreferences contains user information, if so: see step 6#, otherwise wait for the user to start entering information.
6#: If the login page has determined user information, assign the SharedPreferences to the global Application state, finish the login Activity and start the authorized Activity instead. This will happen very fast, so the user wouldn't notice that the "login page" was displayed.
7# (extra step): In the authorized Activity, make sure to grab the user information from the Application instance. When doing the first request towards authorized content, validate the task as you did in step #3 in order to control if the user has changed the password on the website. If the user hasn't changed any information, start grabbing the response and you are free to do whatever you want.