0
votes

We're building an employee engagement survey platform with Ember JS and Firebase as the backend.

And we're using Firebase's Email and Password authentication to store our users' passwords. We're not storing the passwords in our firebase.

The application flows like this:

  1. Admin creates a survey and adds questions
  2. Admin adds users to the survey(with name, email and password)
  3. Admin sends emails to users
  4. Users login and respond to the survey

As can be seen from the workflow above, one of the features we need is an "Email Manager" which sends an email to users based on their survey status (ex: "Survey Not Started", "Survey Partially Completed" etc.)

In the email that we send we need to send the user's login credentials (i.e. email and password) to enable them to login. A sample email would look like this:

"

Please login to your survey at this URL - www.voiceupsurvey.com using the following access details:

Email: bobtony@yourcompany.com

Password: XA3kdt3

"

Would you have any suggestion as to how we can do this?

Specifically, I'm not sure how to query for a users password from the Firebase authentication store.

2
I don't know Firebase, but if it is any good, you cannot query a user's password. Storing users' passwords is one of the worst ideas ever, and no good software will do that. If you are generating the user account, get the generated password at that point and send the mail, then discard it. - spectras
@spectras - thanks. Yes ... I'm not storing the user passwords since firebase handles that part for us with their Email and Password authentication service. - learningMachine

2 Answers

6
votes

Firebase does not store the user's password, that would be a huge security risk.

Instead what you can do is send the user a password reset email. This email will contain a link that they can click to reset their password.

Your application's flow would be:

  1. Admin creates a survey and adds questions
  2. Admin adds users to the survey (with name, email and a random password)
  3. Admin sends password reset emails to users
  4. Users login and respond to the survey

Note that the password in step 2 is never used, so make it long and unguessable to again reduce the security risk.

4
votes

First - you cannot query user password from Firebase.

Second - it sounds better to add users to survey only with name & mail or even only with mail, and let the users login/register himself.

What should happen if admin add same user to more then one survey?

You can have another password for entering the specific survey , but that should be in separate place , not connected to the user authentication details.

If you don't want to let any user login, you can provide some token with the link in the email, to validate if user can register.