    Ilan Diamond
    @ilibilibom
    token
    jwt
    illuminist
    @illuminist
    I still can call auth().createUserWithEmailAndPassword(email, password) without any token or jwt
    And that's how I get a token without getting a username
    Ilan Diamond
    @ilibilibom
    right ok - so what are you suggesting here?
    illuminist
    @illuminist
    Make username optional
    Display user id instead if username isn't set
    Ilan Diamond
    @ilibilibom
    how is username related to the abuse of createUserWithEmailAndPassword?
    illuminist
    @illuminist
    createUserWithEmailAndPassword can be called on the client and requires only email and password. If your app requires a username on registering, someone can bypass that and go straight for only email and password
    Ilan Diamond
    @ilibilibom
    ok I see what you mean
    But in that case I don't care about the username anyway - it's a nefarious behaviour
    illuminist
    @illuminist
    Even so, what should the username input flow be if someone signs in with a social account?
    Ilan Diamond
    @ilibilibom
    With social register I get an object with user data
    I just use it
    illuminist
    @illuminist
    Does that include username?
    Ilan Diamond
    @ilibilibom
    Yes
    illuminist
    @illuminist
    Are you sure that isn't display name?
    Ilan Diamond
    @ilibilibom
    Yes I mean display name
    not username
    That's what I need
    illuminist
    @illuminist
    Those are totally different things
    Username and display name
    Ilan Diamond
    @ilibilibom
    ok
    illuminist
    @illuminist
    Username is meant to be unique to each user and cannot be changed
    Ilan Diamond
    @ilibilibom
    ok
    illuminist
    @illuminist
    And that means more security is involved in a username system
    For display name, there is no rule at all
    Ilan Diamond
    @ilibilibom
    ok now I see what you're referring to in terms of security
    Is there a way to send display name on email/pass register?
    illuminist
    @illuminist
    Still no
    Ilan Diamond
    @ilibilibom
    ok
    so only after register?
    illuminist
    @illuminist
    As I mentioned before, someone can bypass this
    Ilan Diamond
    @ilibilibom
    well display name has no security issues
    illuminist
    @illuminist
    It has less than username but there's some
    Ilan Diamond
    @ilibilibom
    like?
    illuminist
    @illuminist
    You should think more about how to deal with users without a display name
    Ilan Diamond
    @ilibilibom
    It's just for display - nothing else
    illuminist
    @illuminist
    Then it should be optional
    Ilan Diamond
    @ilibilibom
    ok
    or use only social login
    illuminist
    @illuminist
    Or you could display a dialog to input the display name on first login, or whenever a missing display name is detected; that's up to you
    Still, can display name be changed?
    illuminist
    @illuminist
    Or intended to be able to change or not?
    Ilan Diamond
    @ilibilibom
    not intended to be changed
    Marko Elez
    @markoelez
    @illuminist when you say you implement it yourself in the function, do you create your own HOC? Or do you do it differently? If you could provide me with a quick example that would be great, thanks in advance
    steve
    @b08502_gitlab
    @illuminist Do you use profile population in your own projects? Is it possible to create a custom signup action (where your profile is populated through a cloud function) and still be able to access your information through the profile selector?
    And by profile selector I mean const profile = useSelector(state => state.firebase.profile)
    illuminist
    @illuminist
    @b08502_gitlab You can have a cloud function triggered on user creation. However, it still lacks the essential user profile data on the cloud function call. To set the user profile, you probably need a second registration step for the user to input their profile after account creation with email/password or after logging in with a social account.
    illuminist
    @illuminist

    @markoelez As I have tried different ways, it can be as simple as

    const user = useSelector(state => state.firebase.profile)
    return user?.isAdmin ? <AdminPage /> : <Redirect to="/" />

    which is probably the base implementation of many auth protection routes out there. It mainly consists of

    1. The page it needs to protect
    2. The action if not authorized
    3. The condition to check if authorized

    and every component will have this same pattern. With this pattern, you can create a HOC that accepts these 3 things to prevent code duplication and make it easier to change in the future