How to verify users current password?

22.8k views Asked by At

So, maybe I missed this somewhere in the docs but I couldn't find anything of the sort.

I wan't my users to have to type in their current password to be able to create a new one. From what I understand if the user is authenticated he is able to update his password without providing his current one.

Even if this might be somewhat secure I would rather have him type his old one to prevent people from going on already authenticated sessions from say family members or so and changing the pw.

Is there any way to do this?

(I have no problem using the Admin SDK since I already set up a server for these kind of things)

2

There are 2 answers

6
bojeil On BEST ANSWER

UPDATE: (Use - reauthenticateWithCredential)

var user = firebaseApp.auth().currentUser;
var credential = firebase.auth.EmailAuthProvider.credential(
  firebase.auth().currentUser.email,
  providedPassword
);

// Prompt the user to re-provide their sign-in credentials

user.reauthenticateWithCredential(credential).then(function() {
  // User re-authenticated.
}).catch(function(error) {
  // An error happened.
});

PREVIOUS VERSION

you can use reauthenticate API to do so. I am assuming you want to verify a current user's password before allowing the user to update it. So in web you do something like the following:

reauthenticateAndRetrieveDataWithCredential- DEPRECATED

firebase.auth().currentUser.reauthenticateAndRetrieveDataWithCredential(
  firebase.auth.EmailAuthProvider.credential(
    firebase.auth().currentUser.email, 
    providedPassword
  )
);

If this succeeds, then you can call

firebase.auth().currentUser.updatePassword(newPassword);
0
Francis On

The main answer didn't work for me. I think it's outdated. This is what worked for me.

Step 1: Get Auth

import { initializeApp } from "firebase/app";
import { getAuth } from "firebase/auth";

const app = initializeApp({
  apiKey: "Enter your Api key",
  authDomain: "Enter your Auth domain",
  projectId: "Enter your Project id",
  storageBucket: "Enter your Storage bucket",
  messagingSenderId: "Enter Message Sender Id",
  appId: "Enter your App Id",
});

const auth = getAuth(app);

Step 2: Get Credential

import { EmailAuthProvider } from "firebase/auth";

const user = auth.currentUser
const passwordEnteredByUser = formPassword //get password from user using a form
const credential = EmailAuthProvider.credential(
  user.email,
  passwordEnteredByUser
);

Step 3: Verify password with credential

import { reauthenticateWithCredential } from "firebase/auth";

reauthenticateWithCredential(user, credential)
.then((result) => {
   //Password entered is correct
   console.log(result)
})
.catch((error) => {
   //Incorrect password or some other error
   console.log(error)
});