Firebase reset password link not working

23
votes

I am using firebase to authenticate users in my android app. I provide user an option to reset password in login window. When user click on button, it sends email successfully. However when user clicks on link, it always showing

"Try resetting your password again. Your request to reset your password has expired or the link has already been used"

enter image description here

Anyone knows where I'm Wrong ? I tried login with different email IDs from different devices. Still not working. I am using 'com.google.firebase:firebase-auth:9.2.0'.

UPDATE on 31 August 2016

I got in touch with firebase support and it looks like there was some bug with API key. If you change your browser API key, it was not getting updated. Now this bug is fixed and reset password function is working properly.

7
androidfirebasefirebase-authentication
I just tested reset password and it is working as expected. I speculate the api key being used here is incorrect. I do not know why. The api key is appended to the reset password link '&apiKey=API_KEY'. Think of some change you may have made in the FIrebase console while configuring your project. I would start there. You could check the web auth snippet code. It has an api key in the app initialization. Try using the browser api key from that snippet with the one being appended to the reset password link.bojeil
@bojeil there was no such field for "API_KEY". Are we suppose to add API key field ? If yes , where ? In email template ?Dexter
Having the same issue here. I haven't touched the email templates. The link includes &apiKey=CORRECT_KEY at the end but that parameter does not appear in the template.Travis Christian
@TravisChristian Exactly, there is no field for api_key. And my template %LINK% value is "myappname.firebaseapp.com/__/auth/action" I have not modified anything there. I just added "reply to" email and changed name of sender in template. Rest of the settings is untouched.Dexter
@bojeil , yes. it is there. Link in the email look likes this. "https : // appname.firebaseapp.com/__/auth/action?mode=resetPassword&oobCode=someCharacters&apiKey=someCharacters " (space is added for readability) But whenever we click, you get message as reported in this question.Dexter

7 Answers

28
votes

If you've listed any HTTP referrers for your app's API key in the Google API console, you need to include the app itself which is where the emails originate: <app-name>.firebaseapp.com. Otherwise this domain is not valid for your app's key.

4
votes

I had the same issue and solve it. But the protocol should be https.

And in the end of URL I have to add the /* as there will be token, api_key and other parameters added by firebase here.

https://Project ID.firebaseapp.com/* (I get my Project ID from the firebase console)

2
votes

I discovered what the issue was in my case...

For me, it had nothing to do with the credentials settings. It was simply that under Authentication/Sign-in method in the Console, I had Email/Password provider disabled. Once I turned that on, reset email links began working properly again.

1
votes

Temporarily I've solved the issue by leaving only one unrestricted API key at Google API Console

enter image description here

1
votes

This is how I solved, a slightly different approach from the top answer : First indeed check which API KEY is being used in the email link, in my case was the PROD one even if I was starting the project with the DEV(unrestricted) one.

The most important thing: it's not enough to add <app-name>.firebaseapp.com. in the Website restrictions section of your API KEY : you need to add the fully qualified domain including https: https://<app-name>.firebaseapp.com. This solved the issue for me.

0
votes

I also experienced the same issue, and for me, the cause was sending multiple password reset emails, and I got only the first one.

Make sure you send the reset password email just once or if you did it multiple times, wait for the multiple emails to arrive and use the latest email.

0
votes

I was able to fix it by removing the Link option from the email (access without password)enter image description here