I'am developing Api's for Reset Password :-
1st One :- validating email or phone and Send OTP.
2nd One :- validating OTP.
3rd One :- Reset Password.
Problems:-
1.How I can maintain OTP at api side to validate it.
2.If a person directly hit my reset password Api,then he/she could change password, which is a security breach.
Please answer!!!Thanx in advance
1.How I can maintain OTP at api side to validate it.
OTP for password reset should be random, time limited and bound to a username. So yes, you need to maintain the OTPs persistently
Option one - you either build a database where you store the generated OTPs with their validity.
Option two - you can generate OTP in form of signed jwt so the validation algorithm just validates the timestamp and signature (this OTP password is longer, so feasible only for email)
2.If a person directly hit my reset password Api,then he/she could change password, which is a security breach.
There is no point of exposing a separate validation service. The reset service itself should validate the otp and reset the password or not (as one operation)
Related
I'm using Firebase-UI auth and I want to implement delete account functionality for my application.
Some security-sensitive actions—such as deleting an account, setting a primary email address, and changing a password—require that the user has recently signed in.
To delete a user, the user must have signed in recently, See Re-authenticate a user.
FirebaseUser user = FirebaseAuth.getInstance().getCurrentUser();
// Get auth credentials from the user for re-authentication. The example below shows
// email and password credentials but there are multiple possible providers,
// such as GoogleAuthProvider or FacebookAuthProvider.
AuthCredential credential = EmailAuthProvider
.getCredential(user.getEmail(), );//how can i get password of the user
// Prompt the user to re-provide their sign-in credentials
user.reauthenticate(credential)
.addOnCompleteListener(new OnCompleteListener<Void>() {
#Override
public void onComplete(#NonNull Task<Void> task) {
Log.d(TAG, "User re-authenticated.");
}
});
is there any way to get the current password from the user or any other solution?
I search all the documentation and I can't find a method that gives me the current password of the user.
Some security-sensitive actions—such as deleting an account, setting a primary email address, and changing a password—require that the user has recently signed in.
Yes, that's correct. As soon as 5 minutes have passed since the last log-in, the delete account operation cannot be performed, as it is considered a sensitive operation.
Is there any way to get the current password from the user or any other solution?
No, there is no way you can get the password of the logged-in user. Nobody will ever provide that. When a user tries to delete the account when 5 minutes have already passed since the last log-in, then you have two options available:
You provide in the UI the possibility to sign out. In this way, the user will be redirected to a sign-in screen. As soon as it lands on the sign-in screen the user will be able to restart the authentication process.
You can keep the user logged in but you'll need to provide an option to type the password again. As soon as you have the password, then you can call FirebaseUser#getEmail() to get the email of the logged-in user. Right after that, you can call EmailAuthProvider#getCredential(String email, String password) to get an object of type AuthCredential. Having such an object, you can call then call FirebaseUser#reauthenticate(AuthCredential credential) to reauthenticate with its own credentials.
No matter what option you choose, right after a successful authentication or a successful reauthentication, the user will be able to delete the account in a 5 minutes time frame.
Personally, I prefer the first option as it needs only a sign-out option. But it's up to you to decide which is better for your use case. In code, it looks like this.
In Firebase, I register the user with e-mail on the authentication side and after registration I send e-mail verification to this user, but in addition to this, I define some other features in my system, such as name, phone number while registering. I will combine these features and keep them in user collections in firestore. At the same time, I want to send an sms-code to the phone number of the data whose e-mail and password are matched in the user collections with the e-mail and password entered by the user while logging in to the system, and I will instantly verify this every time for the user to log in. Is it possible for me to do something like this or should I just choose one over email or phone?
Yes absolutely it is possible, use both authentication method one by one (email first then phone OTP) and while registering after creating user with email and password and sending otp to the user, instead of doing createUserWithCredentials use linkUserWithCredentials. This will create one user with both email and phone number authentication instead of creating two separate users for two different credentials.
My app uses Firebase authentication with two providers(email/password and Google SignIn) but I require all my users to have a password so they can use any of these providers to sign in, now my problem is I want that each user that sign in using a provider different from email/password should be prompted to create a password immediately but I cannot find any method in the SDK to check if a user has a password.
I tried using the method below to check that but from my observation, this checks only for the provider the user used to Sign Up.
for(UserInfo info : currentUser.getProviderData()) {
if(!info.getProviderId().equals("password")) {
ShowUpdateUserPasswordDialog("CREATE",currentUser);
} else {
MoveToMainActivity();
}
break;
}
I require all my users to have a password so they can use any of these providers to sign in
Firebase authentication with email and password is a totally different authentication mechanism than the authentication with the Google provider.
now my problem is I want that each user that sign in using a provider different from email/password should be prompted to create a password immediately
If the user has chosen to sign-in with Google, why would you force him to enter a password? That's the whole idea, not to use a password anymore. Besides that, you let the user choose even from the beginning what kind of authentication to use. It's some kind of a bad user experience to force the user to choose one, or the other, or both.
However, if you still want to force the user the choose a password, you first need to sign-out the user from Google and Firebase so it can be signed in again with email and password. You can do that silently, but how about the situation in which the user wants to choose a password for the Gmail account that is already in use? In that situation you'll get an error, saying the account with that particular email already exists.
but I cannot find any method in the SDK to check if a user has a password
You didn't find something like that because something like that doesn't exist.
IMHO, some kind of operation might be considered bad practices and I cannot see any reason for doing that. You should let the user choose the type of authentication according to their own will.
I'm using Java - Apache Directory Client API for accessing Apache DS Ldap Server using ldapConnectionTemplate.
I'm trying to implement a feature which allows the user to reset/change the password. My password policy has a password history attribute value of 5. So user will not be able to use any of the previous 5 passwords.
When I'm using the modifyPassword method for changing the password(i.e. as a user by passing current and new password), it respects the password history policy. i.e I'm not allowed to use any of the previous 5 passwords and getting password exception as expected. But when using the reset option(i.e. - only new password), it does not honor the password policy. It accepts any value(including current one) and updates the password.
How to make the reset password scenario honor the password history policy? Any ideas, suggestions and solutions are welcome.
I don't believe the behaviour you desire is specified anywhere.
The idea of a 'reset' in the sense you mean is that the admin sets it to something known, tells the user what it is, and the pwdReset attribute is set to TRUE so that the user is forced to immediately change it on next login - which you have to enforce yourself by using the PasswordPolicy request control and inspecting any PasswordPolicyResponse for CHANGE_AFTER_RESET.
There's no particular reason why the admin should be constrained by the pwdHistory, and anyway the user is going to be forced to change the password again anyway, at which time he will be constrained by pwdHistory.
I am trying to implement the scenario in which a new user has been created in my application by Admin.
1st step will be
user has allotted by a temporary password
and receives the email with an activation link
User will just by clicking on that link taken to the create new password page , he creates his new password and thats it.
Now my query is how will the application knows that which user is this ,just by clicking that activation link in his email
Activation links carry a long token, such as activate.jsp?tok=98357627272357852786276258763427934579342579342793426734279. This token can be randomly selected, and stored in a database. When the page is loaded, the token is looked up, and the correct user gets authenticated. The token may then be deleted from the database.