33

So, maybe I missed this somewhere in the docs, but I couldn't find anything of the sort.

I want my users to have to type in their current password to be able to create a new one. From what I understand, if the user is authenticated he is able to update his password without providing his current one.

Even if this might be somewhat secure, I would rather have him type his old one to prevent people from going on already authenticated sessions from, say, family members or so and changing the pw.

Is there any way to do this?

(I have no problem using the Admin SDK since I already set up a server for these kinds of things.)

ThatBrianDude
  • You would generally enforce this behavior in code. Are you allowing users to access the console? What's your code base? – Jay Dec 12 '16 at 19:41
  • As far as I know Firebase won't provide me the user's password, which is understandable; I just need verification. No, my users only have email/password and authenticate themselves normally via the Firebase method `signInWithEmailAndPassword()`. I'm using Node on the server side and React on the client side, if that matters any. – ThatBrianDude Dec 12 '16 at 21:00

2 Answers

46

UPDATE: (Use reauthenticateWithCredential)

var user = firebase.auth().currentUser;
// Build an email/password credential from the signed-in user's email and the
// password the user just typed in; the SDK sends it to the backend for verification.
var credential = firebase.auth.EmailAuthProvider.credential(
  user.email,
  providedPassword
);

// Prompt the user to re-provide their sign-in credentials

user.reauthenticateWithCredential(credential).then(function() {
  // User re-authenticated: safe to call user.updatePassword(newPassword) here.
}).catch(function(error) {
  // An error happened (e.g. wrong password); do not proceed to updatePassword.
});

PREVIOUS VERSION

You can use the reauthenticate API to do so. I am assuming you want to verify a current user's password before allowing the user to update it. So in web you do something like the following:

reauthenticateAndRetrieveDataWithCredential - DEPRECATED

// Returns a Promise; chain .then() on it before calling updatePassword.
firebase.auth().currentUser.reauthenticateAndRetrieveDataWithCredential(
  firebase.auth.EmailAuthProvider.credential(
    firebase.auth().currentUser.email,
    providedPassword
  )
);

If this succeeds, then you can call

firebase.auth().currentUser.updatePassword(newPassword);
bojeil
  • firebase.User.prototype.reauthenticate has been removed in favour of firebase.User.prototype.reauthenticateWithCredential. So use reauthenticateWithCredential – Shyam Sep 20 '17 at 16:17
  • It's so enjoyable to copy-paste a snippet like that... Thank you :) – Jeremy Belolo Dec 27 '18 at 23:20
  • reauthenticateAndRetrieveDataWithCredential is now deprecated. Use reauthenticateWithCredential – alaswer Apr 07 '20 at 21:02
  • What if the account is blocked with too many wrong attempts? And the user can't sign in to your application anymore just because he wanted to change his password – Tom3652 Nov 23 '20 at 17:07
  • Doesn't this still leave the option open for the client to update his password through the Firebase API without hitting up my server? (via the API and not over my UI). Does this solution really enforce the user to provide the old password? – ThatBrianDude Sep 30 '21 at 01:54
  • FYI, in the new v9 API this method is no longer available on the user object, you should import it separately: https://firebase.google.com/docs/reference/js/auth#reauthenticatewithcredential – Slavik Shynkarenko Oct 17 '21 at 09:57
0

The main answer didn't work for me. I think it's outdated. This is what worked for me.

Step 1: Get Auth

import { initializeApp } from "firebase/app";
import { getAuth } from "firebase/auth";

const app = initializeApp({
  apiKey: "Enter your Api key",
  authDomain: "Enter your Auth domain",
  projectId: "Enter your Project id",
  storageBucket: "Enter your Storage bucket",
  messagingSenderId: "Enter Message Sender Id",
  appId: "Enter your App Id",
});

const auth = getAuth(app);

Step 2: Get Credential

import { EmailAuthProvider } from "firebase/auth";

const user = auth.currentUser;
const passwordEnteredByUser = formPassword; // get password from user using a form
// Credential built from the signed-in user's email and the typed-in password
const credential = EmailAuthProvider.credential(
  user.email,
  passwordEnteredByUser
);

Step 3: Verify password with credential

import { reauthenticateWithCredential } from "firebase/auth";

reauthenticateWithCredential(user, credential)
  .then((result) => {
    // Password entered is correct
    console.log(result);
  })
  .catch((error) => {
    // Incorrect password or some other error
    console.log(error);
  });
Francis
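The reauthenticate-then-updatePassword flow from both answers as one function, with the cases raised in the comments (wrong password, lockout after repeated failures, updating only after a successful reauthentication) handled explicitly. This is an added example, not code from either answer or from Firebase: the Firebase calls are injected as parameters, and `makeFakeFirebase` is a constructed in-memory stand-in so the block runs offline. In a real v9 client you would pass `EmailAuthProvider.credential`, `reauthenticateWithCredential` and `updatePassword` directly, which have exactly the signatures used here.

```javascript
// changePassword: verify the current password by reauthenticating, then update.
// Added example; the Firebase calls are injected so it can run offline against
// the constructed fake below. In a real v9 client pass the SDK's own functions:
//   changePassword({ user: auth.currentUser, credential: EmailAuthProvider.credential,
//     reauthenticate: reauthenticateWithCredential, update: updatePassword }, cur, next)
async function changePassword(fb, currentPassword, newPassword) {
  const { user, credential, reauthenticate, update } = fb;
  if (!user || !user.email) return { ok: false, code: "no-user" };
  // Step 1: prove possession of the current password. The Firebase backend does
  // the comparison; the client never sees the stored password or its hash.
  try {
    await reauthenticate(user, credential(user.email, currentPassword));
  } catch (err) {
    // Keep the SDK code so the UI can tell a wrong password from a lockout.
    return { ok: false, code: err.code || "auth/reauth-failed" };
  }
  // Step 2: only a successful reauthentication reaches the update call.
  try {
    await update(user, newPassword);
    return { ok: true, code: null };
  } catch (err) {
    return { ok: false, code: err.code || "auth/update-failed" };
  }
}

// Constructed in-memory stand-in for Firebase Auth (assumption: its rejections are
// Error objects with a `code` string, as the real SDK's are). It mimics the cases the
// comments raise: wrong password, lockout after repeated failures (threshold made up).
function makeFakeFirebase({ email, password, lockoutAfter = 3 }) {
  let stored = password;
  let failures = 0;
  const reject = (code) => Promise.reject(Object.assign(new Error(code), { code }));
  const fb = {
    user: { email },
    credential: (e, p) => ({ email: e, password: p }),
    reauthenticate: (u, cred) => {
      if (failures >= lockoutAfter) return reject("auth/too-many-requests");
      if (cred.email !== u.email || cred.password !== stored) {
        failures += 1;
        return reject("auth/wrong-password");
      }
      failures = 0;
      return Promise.resolve({ user: u });
    },
    update: (u, next) => { stored = next; return Promise.resolve(); },
  };
  return { fb, currentPassword: () => stored };
}
```

This only gates your own UI; a client that calls updatePassword directly is stopped by the Firebase backend itself, which rejects the call with auth/requires-recent-login when the session's sign-in is not recent, so the enforcement lives in that recency window rather than in the form.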