search

firebase / firebase-admin-node

Firebase Admin Node.js SDK
https://firebase.google.com/docs/admin/setup
Apache License 2.0
1.62k stars 367 forks source link

Request Auth method to generate a "revoke email address change" link #1614

Open Hivemind9000 opened 2 years ago

Hivemind9000 commented 2 years ago

Environment:

I have a cloud function that calls the admin auth function "updateUser" to change the email address for a user. This method of changing a user's email address does not trigger the automated "Email address change" email, which is what I want, as the standard Firebase email templates do not look very professional.

I would like to send my own formatted email, but need a function to generate the revocation link, in the same way I generate links for password resets (admin.auth().generatePasswordResetLink) and verify email address (admin.auth().generateEmailVerificationLink), but there doesn't seem to be one.

I would like to make a feature request for such a function (unless there is some other way of generating it?).

Thanks

lahirumaramba commented 2 years ago

Hi @Hivemind9000 are you looking for a way to generate a link to verify and change the email at the same time? If so, I think this is a duplicate of #1475

Hivemind9000 commented 2 years ago

Hey @lahirumaramba no that is a slightly different request. I simply want to generate the link that revokes/reverses the email change (that is embedded in the "Email address change" template).

I use custom email templates for all my other emails (via Postmark), so I just want to be able to do the same for the "Email address change" (notification to old email address of the change and option to revoke). It's basically the only missing link generation function to enable us to completely replace the default email templates.

lahirumaramba commented 2 years ago

I see. I am not sure if the backend API supports that. Hi @prameshj, do you know if the REST API currently support this use case? Thank you!

davisios commented 2 years ago

Hi guys, Been googling a lot of how to send a customized email with the verifyBeforeUpdateEmail. I know we can use the generateEmailVerificationLink and send the link in a customized email, so I was hopping to find the same for the verifyBeforeUpdateEmail. I hoppe this request gets done , would be really helpful.

For those who needs this feature, I came to the conclusion that this could be a good approach.

  1. create a new auth user with the new email ( the one you going to update in the profile)
  2. use the generateEmailVerificationLink and send a custom email to the above email
  3. using custom action handlers, https://firebase.google.com/docs/auth/custom-email-handler verify the new user and then make an api call that verify the user is verified, then delete that user and use the email to update the required user ( you would need to pass somehow the user id, guess you can send it as query params and make your own validation) Not sure if this is the best approach but it works
whats-a-handle commented 2 years ago

It takes some effort, but you can roll your own revocation functionality if you need to.

Here's a rough example of what you could do:

  1. Create a Cloud Function/API Endpoint that accepts a unique, custom resetCode secret and (optionally) a user id as a URL parameter e.g. mycoolapi.example.com/auth/actions?resetCode=123456abc&userId=123. You will be generating this resetCode and sending this to your user's old email.
  2. When a user initiates an email update, generate your unique resetCode secret on the backend and store this value in your database for the specific user.
  3. Send this reset url with code to the original/old email address e.g. mycoolapi.example.com/auth/actions?resetCode=123456abc&userId=123 through your own email service.
  4. When a user clicks the URL in the email, your Cloud Function or custom API endpoint should query your database for the user and verify the resetCode that is saved for them from the URL params
  5. If the code matches, the Cloud Function/Custom API should reset the email to the previous email via the firebase-admin sdk. You can set email_verified value on the Firebase Auth User with the same updateUser() method of the firebase-admin sdk. You should also delete the saved resetCode secret and use some sort of expiration - dont reuse these secrets, obviously.

For this to work, you'll need to keep track of the user's original email. I hope this helps!

Hivemind9000 commented 2 years ago

Thanks @whats-a-handle, that's how I was thinking to handle it too. I was just hoping that the SDK would have this functionality baked in, as it seems to be a missing feature.

whats-a-handle commented 2 years ago

No prob @Hivemind9000 , I was running into a similar situation and totally agree 👍🏽 Having this functionality would really help!

Joepock123 commented 1 year ago

+1 for this feature request on the Admin SDK. Having a generateEmailChangeResetLink would be very useful.

CalvinJamesHeath commented 1 year ago

Why does Firebase have a handleRecoverEmail function HANDLER but not one for actually sending the request to an email address with a link along with the oobCode and key? Like the sendEmailVerification and sendPasswordResetEmail functions... It seems counterintuitive!

talonmd commented 1 year ago

Also want to throw in my +1 for this feature. I need to send my own custom email for password reset, email verification, and revoke email update, due to the issue preventing emails from being delivered. Without this, the revoke email update will never arrive at it's destination.