
I’m dealing with Firebase authentication for web.
The documentation states that

Some security-sensitive actions—such as deleting an account, setting a primary email address, and changing a password—require that the user has recently signed in.

If not, the request would fail with error code auth/requires-recent-login and I should manage the case by prompting the user to re-insert her credentials. Once I have done that, I could easily re-authenticate the user with the following code:

firebase.auth().currentUser.reauthenticate(credential)

In the API reference there are some more details. It turns out credential is actually an object of type firebase.auth.AuthCredential. That being said, I still have a bunch of questions to which I couldn’t find an answer in the docs:

  1. How do I create the AuthCredential object?
  2. More importantly, how do I deal with providers (Google, Facebook, …). I agree that changing email/password doesn’t make sense for providers, because this is not the right place to change them, so re-authentication does not apply in this case. However, deleting a user is still an action requiring re-authentication, and this could be performed regardless of the authentication method. How do I re-authenticate a user that logged in with a provider?
  3. The documentation states that the user must have logged in recently. I couldn’t find any definition of recent in the docs.

2 Answers


    1. You can initialize a credential by calling the credential static method on any provider (including the email/password provider):
    
    firebase.auth.FacebookAuthProvider.credential(fbAccessToken);
    
    
    2. To reauthenticate an OAuth provider, you can call in a browser signInWithPopup or redirect. This will return an object with 2 fields: user and credential. You can use that credential directly. Here is a simplified example:
    
    // Sign in on a temporary app instance only to obtain a fresh credential
    var tempApp = firebase.initializeApp(originalConfig, 'temp');
    var provider = new firebase.auth.FacebookAuthProvider();
    tempApp.auth().signInWithPopup(provider).then(function(result) {
      tempApp.auth().signOut();
      // Reauthenticate the user on the original app with that credential
      originalApp.auth().currentUser.reauthenticate(result.credential);
    });
    
    3. That doesn’t matter, as the firebase auth backend could change that. You shouldn’t hard code this value. Instead try to catch that error and act appropriately when it happens.
  1. You should reauthenticate with the provider:

    import { getAuth, signInWithPopup, reauthenticateWithPopup, GoogleAuthProvider } from "firebase/auth";
    
    const loginAuth = getAuth();
    const googleProvider = new GoogleAuthProvider();
    
    function reauthWithGoogle() {
        // reauthenticateWithPopup takes the signed-in user, not the Auth instance
        return reauthenticateWithPopup(loginAuth.currentUser, googleProvider)
    }
    

    and when you get the auth/requires-recent-login error, call that function:

    updatePassword(currentUser, "new password")
    .catch(e => reauthWithGoogle()) //better check if the error is auth/requires-recent-login
    
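An added example, not code from either answer: one way to combine the answers above into a single wrapper that runs a sensitive action, re-authenticates only when the error code is auth/requires-recent-login, chooses between a password credential and a provider popup from the account's linked providers, and retries once. The names `withRecentLogin`, `reauthenticate`, `pickProviderId`, `fb`, `fb.oauthProviders` and `ui.promptPassword` are hypothetical; the SDK functions are passed in through `fb` so the flow can be exercised with stubs.

```javascript
// Added example. `fb` carries the SDK functions used (exports of "firebase/auth"
// in a real app); `ui.promptPassword` is a hypothetical app-supplied prompt.
const RECENT_LOGIN = "auth/requires-recent-login";

// Choose which linked provider to re-authenticate against.
function pickProviderId(user, supported) {
  const linked = user.providerData.map((p) => p.providerId);
  const id = linked.find((p) => supported.includes(p));
  if (!id) throw new Error("no supported provider linked: " + linked.join(","));
  return id;
}

async function reauthenticate(user, fb, ui) {
  const id = pickProviderId(user, ["password", ...Object.keys(fb.oauthProviders)]);
  if (id === "password") {
    // Password accounts: build an AuthCredential from freshly entered credentials.
    const password = await ui.promptPassword(user.email);
    const cred = fb.EmailAuthProvider.credential(user.email, password);
    return fb.reauthenticateWithCredential(user, cred);
  }
  // OAuth accounts: the popup re-runs the provider sign-in for this same user.
  return fb.reauthenticateWithPopup(user, fb.oauthProviders[id]());
}

// Run a sensitive action; on auth/requires-recent-login re-authenticate, retry once.
async function withRecentLogin(user, action, fb, ui) {
  try {
    return await action(user);
  } catch (err) {
    if (!err || err.code !== RECENT_LOGIN) throw err; // unrelated errors propagate
    await reauthenticate(user, fb, ui);
    return action(user); // a second failure is surfaced to the caller
  }
}
```

In an app, `fb` would hold `reauthenticateWithPopup`, `reauthenticateWithCredential` and `EmailAuthProvider` from `firebase/auth`, with `oauthProviders` set to something like `{ "google.com": () => new GoogleAuthProvider() }`, and the action would be `(u) => deleteUser(u)` or `(u) => updatePassword(u, newPassword)`.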