How to verify users current password?

23
votes

So, maybe I missed this somewhere in the docs but I couldn't find anything of the sort.

I wan't my users to have to type in their current password to be able to create a new one. From what I understand if the user is authenticated he is able to update his password without providing his current one.

Even if this might be somewhat secure I would rather have him type his old one to prevent people from going on already authenticated sessions from say family members or so and changing the pw.

Is there any way to do this?

(I have no problem using the Admin SDK since I already set up a server for these kind of things)

1
firebasefirebase-authenticationfirebase-admin
You would generally enforce this behavior in code. Are you allowing users to access the console? What's your code base?Jay
As far as I know firebase won't provide me the users password, which is understandable, I just need verification. No my users only have email/password and authenticate themselves normally via firebase method signInWithEmailAndPassword(). I'm using Node on server side and react on client side if that matters any.ThatBrianDude

1 Answers

33
votes

UPDATE: (Use - reauthenticateWithCredential)

var user = firebaseApp.auth().currentUser;
var credential = firebase.auth.EmailAuthProvider.credential(
  firebase.auth().currentUser.email,
  providedPassword
);

// Prompt the user to re-provide their sign-in credentials

user.reauthenticateWithCredential(credential).then(function() {
  // User re-authenticated.
}).catch(function(error) {
  // An error happened.
});

PREVIOUS VERSION

you can use reauthenticate API to do so. I am assuming you want to verify a current user's password before allowing the user to update it. So in web you do something like the following:

reauthenticateAndRetrieveDataWithCredential- DEPRECATED

firebase.auth().currentUser.reauthenticateAndRetrieveDataWithCredential(
  firebase.auth.EmailAuthProvider.credential(
    firebase.auth().currentUser.email, 
    providedPassword
  )
);

If this succeeds, then you can call 

firebase.auth().currentUser.updatePassword(newPassword);