Re-authenticate a user with FirebaseUI auth for Android

Time:01-14

I'm using Firebase-UI auth and I want to implement delete account functionality for my application.

Some security-sensitive actions—such as deleting an account, setting a primary email address, and changing a password—require that the user has recently signed in.

To delete a user, the user must have signed in recently. See Re-authenticate a user.

FirebaseUser user = FirebaseAuth.getInstance().getCurrentUser();

// Get auth credentials from the user for re-authentication. The example below shows
// email and password credentials but there are multiple possible providers,
// such as GoogleAuthProvider or FacebookAuthProvider.
AuthCredential credential = EmailAuthProvider
        .getCredential(user.getEmail(), ); // how can I get the password of the user?

// Prompt the user to re-provide their sign-in credentials
user.reauthenticate(credential)
        .addOnCompleteListener(new OnCompleteListener<Void>() {
            @Override
            public void onComplete(@NonNull Task<Void> task) {
                // Only report success when re-authentication actually succeeded.
                if (task.isSuccessful()) {
                    Log.d(TAG, "User re-authenticated.");
                }
            }
        });

Is there any way to get the current password from the user or any other solution?

I searched all the documentation and I can't find a method that gives me the current password of the user.

CodePudding user response:

Some security-sensitive actions—such as deleting an account, setting a primary email address, and changing a password—require that the user has recently signed in.

Yes, that's correct. As soon as 5 minutes have passed since the last log-in, the delete account operation cannot be performed, as it is considered a sensitive operation.

Is there any way to get the current password from the user or any other solution?

No, there is no way you can get the password of the logged-in user. Nobody will ever provide that. When a user tries to delete the account when 5 minutes have already passed since the last log-in, then you have two options available:

  1. You provide in the UI the possibility to sign out. In this way, the user will be redirected to a sign-in screen. As soon as it lands on the sign-in screen the user will be able to restart the authentication process.

  2. You can keep the user logged in but you'll need to provide an option to type the password again. As soon as you have the password, then you can call FirebaseUser#getEmail() to get the email of the logged-in user. Right after that, you can call EmailAuthProvider#getCredential(String email, String password) to get an object of type AuthCredential. Having such an object, you can then call FirebaseUser#reauthenticate(AuthCredential credential) to reauthenticate with its own credentials.

No matter what option you choose, right after a successful authentication or a successful reauthentication, the user will be able to delete the account within a 5-minute time frame.

Personally, I prefer the first option as it needs only a sign-out option. But it's up to you to decide which is better for your use case. In code, it looks like this.
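The second option described in the answer, written out as an added example (this is not the answerer's code): it attempts the delete first and asks for the password only when Firebase reports that the sign-in is too old. It assumes the account uses the email/password provider; the AccountDeleter class and its Callback interface are hypothetical names for this sketch.

```java
import android.util.Log;
import com.google.firebase.auth.AuthCredential;
import com.google.firebase.auth.EmailAuthProvider;
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseAuthRecentLoginRequiredException;
import com.google.firebase.auth.FirebaseUser;

public final class AccountDeleter {
    private static final String TAG = "AccountDeleter";

    /** Hypothetical callback implemented by the UI; not a Firebase type. */
    public interface Callback {
        void onDeleted();
        void onPasswordRequired(); // show a password prompt, then call reauthenticateAndDelete()
        void onError(Exception e);
    }

    /** Try to delete directly; fall back to a password prompt if the sign-in is too old. */
    public static void deleteAccount(Callback cb) {
        FirebaseUser user = FirebaseAuth.getInstance().getCurrentUser();
        if (user == null) { cb.onError(new IllegalStateException("No signed-in user")); return; }
        user.delete().addOnCompleteListener(task -> {
            if (task.isSuccessful()) {
                cb.onDeleted();
            } else if (task.getException() instanceof FirebaseAuthRecentLoginRequiredException) {
                cb.onPasswordRequired(); // sensitive operation needs a fresh sign-in
            } else {
                cb.onError(task.getException());
            }
        });
    }

    /** Call with the password the user just typed. It is used once and never stored or logged. */
    public static void reauthenticateAndDelete(String password, Callback cb) {
        FirebaseUser user = FirebaseAuth.getInstance().getCurrentUser();
        if (user == null || user.getEmail() == null) {
            cb.onError(new IllegalStateException("No signed-in email/password user"));
            return;
        }
        AuthCredential credential = EmailAuthProvider.getCredential(user.getEmail(), password);
        user.reauthenticate(credential).addOnCompleteListener(task -> {
            if (!task.isSuccessful()) {
                // A wrong password surfaces here as FirebaseAuthInvalidCredentialsException.
                Log.w(TAG, "Re-authentication failed", task.getException());
                cb.onError(task.getException());
                return;
            }
            deleteAccount(cb); // sign-in is fresh again, so the delete is allowed
        });
    }
}
```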
