I’m dealing with Firebase authentication for web. The documentation states that

> Some security-sensitive actions—such as deleting an account, setting a primary email address, and changing a password—require that the user has recently signed in.

If not, the request would fail with error code `auth/requires-recent-login` and I should manage the case by prompting the user to re-insert her credentials. Once I have done that, I could easily re-authenticate the user with the following code:

```
firebase.auth().currentUser.reauthenticate(credential)
```

In the API reference there are some more details. It turns out `credential` is actually an object of type `firebase.auth.AuthCredential`. That being said, I still have a bunch of questions to which I couldn’t find an answer in the docs:
- How do I create the `AuthCredential` object?
- More importantly, how do I deal with providers (Google, Facebook, …). I agree that changing email/password doesn’t make sense for providers, because this is not the right place to change them, so re-authentication does not apply in this case. However, deleting a user is still an action requiring re-authentication, and this could be performed regardless of the authentication method. How do I re-authenticate a user that logged in with a provider?
- The documentation states that the user must have logged in recently. I couldn’t find any definition of recent in the docs.
2 Answers
auth backend could change that. You shouldn’t hard code this value. Instead try to catch that error and act appropriately when it happens.

You should reauthenticate with the provider; and when you get the `auth/requires-recent-login` error call that function;
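The approach the answers describe (catch `auth/requires-recent-login` instead of hard-coding a time window, then re-authenticate with the provider the user signed in with) as an added example, not code from the original posts. It assumes the namespaced Firebase web SDK with `reauthenticateWithCredential` and `reauthenticateWithPopup` available; `fb`, `promptPassword`, `reauthenticateCurrentUser` and `withRecentLogin` are names chosen here.

```javascript
// Added example. `fb` is the namespaced Firebase web SDK object (the global
// `firebase` in a page); it is a parameter so the helper can run against a stub.
// `promptPassword` is a hypothetical app callback that asks the user for the
// password again and returns it (or a Promise of it).

// Re-authenticate with whichever provider the user originally signed in with.
function reauthenticateCurrentUser(fb, promptPassword) {
  const user = fb.auth().currentUser;
  if (!user) return Promise.reject(new Error('no signed-in user'));
  const info = user.providerData[0];
  const providerId = info ? info.providerId : 'none';
  switch (providerId) {
    case 'password':
      // Build the AuthCredential from a freshly entered password; never cache it.
      return Promise.resolve(promptPassword(user.email)).then((password) =>
        user.reauthenticateWithCredential(
          fb.auth.EmailAuthProvider.credential(user.email, password)));
    case 'google.com':
      return user.reauthenticateWithPopup(new fb.auth.GoogleAuthProvider());
    case 'facebook.com':
      return user.reauthenticateWithPopup(new fb.auth.FacebookAuthProvider());
    default:
      return Promise.reject(new Error('unsupported provider: ' + providerId));
  }
}

// Run a sensitive action. Only on auth/requires-recent-login do we
// re-authenticate, and the action is retried exactly once so a backend that
// keeps refusing cannot trap the user in a prompt loop.
function withRecentLogin(fb, promptPassword, action) {
  return action(fb.auth().currentUser).catch((err) => {
    if (err.code !== 'auth/requires-recent-login') throw err;
    return reauthenticateCurrentUser(fb, promptPassword)
      .then(() => action(fb.auth().currentUser));
  });
}

// In the browser, with the real SDK loaded:
// withRecentLogin(firebase, askPassword, (user) => user.delete());
```

The recency window is never referenced in the code: the server's error is the only signal, so a change on the backend does not break the flow.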