Is there some way in firebase firestore to block the user from signing in with the same email or gmail account? - reactjs

I'm curious whether it's possible in Firestore to block a user's Gmail or email account and prevent that user from signing in or registering again.

If you go to authentication and disable that user, they will not be able to sign in or register

You can disable the user to prevent further access. You can't disable a user using the client SDK (React in your case); you must use the Firebase Admin API to do this. Something like this:
    const admin = require('firebase-admin');
    admin.initializeApp(); // server-side only; uses the service account / default credentials
    // Mark the account as disabled: further sign-ins and token refreshes for this uid are refused
    admin.auth().updateUser(uid, {
      disabled: true
    });
For more info:
https://stackoverflow.com/a/43141780/8087468

Related

Msal logout displaying multiple account

I am using Azure AD with React JS. When I am signed in using multiple accounts and call MSAL logout, it shows me an option to select an account that needs to be signed out. I just want to show the logout option for the currently active account, rather than all signed-in users.
I have tried to pass an active account using the snippet below, but I am still getting an option to log out all signed-in accounts. Can you please let me know how I can get an option to log out only the active account, rather than all signed-in accounts?
    const myMsal = new PublicClientApplication(config);
    // you can select which account the application should sign out
    const logoutRequest = {
      account: myMsal.getAccountByHomeId(homeAccountId)
    };
    myMsal.logoutRedirect(logoutRequest);
https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-sign-in?tabs=javascript2#sign-out-with-a-redirect
You can use prompt-less logout:
    const currentAccount = msalInstance.getAccountByHomeId(homeAccountId);
    // The account's ID token must contain the login_hint optional claim to avoid the account picker
    await msalInstance.logoutRedirect({ account: currentAccount });
You will need to add the login_hint claim to the token's optional claims in your application's Token configuration in the Azure Portal.
"msal logout it is shows an option to select an account that needs to be signed out"
The logout prompt you're seeing comes from the AAD service, because it needs to know which user to terminate the session for on the authentication server side.
Unfortunately, this is a known issue with the AAD service. At this time, there is no way to bypass the logout account selection screen on logout.
According to this document: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/logout.md and the code descriptions, MSAL clears the cache and session data on the client side (browser).
There is a GitHub issue you can refer to for more details:
https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2922

IdentityServer4: How to set a role for Google user?

I have 3 applications:
An IdentityServer4 API which provides Google authentication and also provides an access token to authorize the resource API.
A simple Resource API which provides some data from the DB.
A simple Client in React which has 4 buttons:
Login, for Google auth
Logout
Get data - a simple request with the access token to the Resource API that gets the data from the DB
Get user data - returns the user profile and token (for debug purposes)
I didn't put any sample code because my problem is not code related; it's knowledge that I'm missing and I ask for guidance.
The workflow is working just fine: the user presses the Login button and is redirected to the IdentityServer4 API for Google auth. From there they are redirected to a callback page in the Client and from there to the Index page. I receive the user data and the token, I can request data from the Resource API and it's working.
My problem is: how do I give a role to the Google users?
I don't have users saved in the DB. I want three types of users: SuperAdmin, Admin, Viewer, and each of these roles has a limited set of endpoints it can access.
For limiting their access I saw that I can use claims-based authorization or role-based authorization.
So, my question is: how can I give a Google user who wants to log in to my app a specific claim/role? What is the workflow? Must I save it first in the DB? Or is there a service from Google where I can add an email address and select a role for that address?
Thank you very much!
After you get the response from Google in your callback you can handle the user and do whatever you want to do with it. Below are some typical tasks that you can do in the callback, which I took from the IdentityServer4 documentation page link:
Handling the callback and signing in the user
On the callback page your typical tasks are:
inspect the identity returned by the external provider.
make a decision how you want to deal with that user. This might be different based on the fact if this is a new user or a returning user.
new users might need additional steps and UI before they are allowed in.
probably create a new internal user account that is linked to the external provider.
store the external claims that you want to keep.
delete the temporary cookie
sign-in the user
What I would do is create a new internal user account that is linked to the external provider and add a role to that user.
If you don't want to save users in the DB, you can add an extra claim to the user in the callback method and use that claim in the token, and I think this link will help with that.

How to use Firebase Auth API to send email verification and check whether the user is verified before logging in

I am building a React project and I want to know how to use the "VERIFY_EMAIL" request type to send email verification and verify whether the user is verified or not.
If you have the user logged in, you could just grab the user = auth().currentUser, which has an emailVerified boolean. Then you just do user.sendEmailVerification(). See their docs: https://firebase.google.com/docs/reference/js/firebase.auth.Auth
If you want to know if they are verified before logging in (by their email), you would need the Firebase Admin setup: https://firebase.google.com/docs/admin/setup. These are the admin docs: https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth
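The two Firebase answers above (disabling a user through the Admin API, and checking verification status server-side before letting a request through) combined into one added example; this is not code from either answer. The Admin SDK client is injected as `auth` so it runs offline; in production you would pass `require('firebase-admin').auth()` (assumed setup), and only real Admin API methods are called on it: getUserByEmail, updateUser, revokeRefreshTokens, verifyIdToken and getUser.

```javascript
// Added example: server-side blocking and gating with the Firebase Admin API shape.

// Disable the account behind `email` and revoke its refresh tokens: disabling alone
// stops new sign-ins, revoking makes already-issued sessions fail on the next refresh.
async function blockUserByEmail(auth, email) {
  const user = await auth.getUserByEmail(email);
  await auth.updateUser(user.uid, { disabled: true });
  await auth.revokeRefreshTokens(user.uid);
  return user.uid;
}

// Server-side gate for a request carrying a Firebase ID token: verify it with
// revocation checking on, then refuse disabled and unverified accounts.
async function gateRequest(auth, idToken) {
  let decoded;
  try {
    decoded = await auth.verifyIdToken(idToken, true); // second arg = checkRevoked
  } catch (err) {
    return { allowed: false, reason: err.code || 'auth/invalid-token' };
  }
  const user = await auth.getUser(decoded.uid);
  if (user.disabled) return { allowed: false, reason: 'auth/user-disabled' };
  if (!user.emailVerified) return { allowed: false, reason: 'auth/email-not-verified' };
  return { allowed: true, uid: user.uid };
}

// Constructed in-memory stand-in for admin.auth(). Tokens are "uid@issuedAtMs" and
// revocation mimics Firebase's tokensValidAfterTime cutoff; no crypto is involved.
function fakeAuth(users) {
  const byUid = new Map(users.map(u => [u.uid, { validAfter: 0, ...u }]));
  const fail = code => Object.assign(new Error(code), { code });
  return {
    async getUser(uid) { if (!byUid.has(uid)) throw fail('auth/user-not-found'); return byUid.get(uid); },
    async getUserByEmail(email) {
      const u = [...byUid.values()].find(x => x.email === email);
      if (!u) throw fail('auth/user-not-found');
      return u;
    },
    async updateUser(uid, props) { return Object.assign(byUid.get(uid), props); },
    async revokeRefreshTokens(uid) { byUid.get(uid).validAfter = Date.now(); },
    async verifyIdToken(token, checkRevoked) {
      const [uid, issued] = token.split('@');
      if (!byUid.has(uid)) throw fail('auth/argument-error');
      if (checkRevoked && Number(issued) < byUid.get(uid).validAfter) throw fail('auth/id-token-revoked');
      return { uid };
    },
  };
}
```

Without `checkRevoked` (the default), verifyIdToken only checks the signature and expiry, so a blocked user's existing ID token stays usable for up to an hour; pass `true` on endpoints where immediate cut-off matters.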

Concurrent login with identity server4

I want to log out from all other session(s) when the user logs in from another browser.
I am able to delete the PersistedGrants, but the cookies are still present.
When the user refreshes the page a new access_token is generated due to the refresh_token.
So basically we want only one concurrent session per user.
Any help would be appreciated.
By default IdSrv persists the user session in a cookie. You can change that by implementing IUserSession and registering it in DI. Doing so, you get access to the logged-in clients within one session. With that knowledge, you can register your custom middleware with the check: when authenticated, i.e. has an auth cookie, and there is no other session for the same user id, then OK; else handle the collision: the one who logged in earlier logs out. Just an idea, but it should work. See my customization of the DefaultUserSession, backing it with Redis; it was used for another purpose, but should be enough to demonstrate the approach.

Salesforce: impersonation using the API

I'm a Salesforce system administrator and I would like to use the Web Services API on behalf of (i.e. impersonate) a Salesforce user that is part of my company.
More precisely, I'm looking for a feature similar to what Google Docs already provides: https://developers.google.com/google-apps/documents-list/#using_google_apps_administrative_access_to_impersonate_other_domain_users
Can this be done?
Thanks!
The only way to do this is to authenticate with the API using the other user's credentials. This is a security feature that cannot be avoided.
This should be possible if you have login access for that user and a tool to inspect browser cookies.
When you're logged in as the test user, open a cookie browser and grab the value in the "sid" cookie. This is a session id for that user and can be set in the headers of an API request instead of doing a login call.
I haven't tried this. It's possible that this session id may only be valid for the browser and not the API. In that case you should probably just create a test user with the same profile and your email. If all else fails just ask the user to temporarily change their password and share it with you.
