
A drop-in replacement for Firebase's auth mini-app, in particular fixing its insecurity around password resets.

Primary language: TypeScript

SafeFirebasePasswordReset

Firebase Auth's default password reset app is insecure, as it allows users to enter insecure passwords. This project provides a drop-in replacement.

SafeFirebasePasswordReset ensures that users enter a secure password:

Demo of SafeFirebasePasswordReset

...Whereas Firebase's default mechanism will accept any 6-character combination:

Demo of insecure mechanism allowing password 'aaaaaa'

Further information on this insecurity is in this blog.

Development prerequisites

  • NodeJS >= 16
  • Firebase CLI

Adding to your Firebase project

  1. Find your Firebase project config by going to Settings (cog icon) --> Project settings in your Firebase console, then click Add App. Follow the steps to see a screen like this:
    Firebase project config.
    Your project config is in the red box. Paste this into src/firebaseConfig.ts where indicated by comments.

  2. Build the project:
    npm run build
    The build files will be created in the build directory.

  3. Upload the build directory to any hosting service. If you want to use Firebase Hosting, just run firebase init, select Hosting, and answer the questions as follows:
    Firebase Hosting questions

  4. In your Firebase console, select Authentication, then Templates (tab), then press the pencil edit icon, then click Customise action URL. Paste in the URL from your hosting service plus #. So if your hosting URL is https://my-app.com/resetpassword/, enter https://my-app.com/resetpassword/#. This directs password reset emails to your newly uploaded app.

The app is written using React and can be easily branded or customised.
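For anyone customising the handler, here is an added example (not code from this project) of the two checks a replacement reset page needs before it hands anything to Firebase: reading the reset code from the emailed link, and refusing weak passwords such as 'aaaaaa'. The function names, the sample link and the password policy are assumptions made for illustration; `mode`, `oobCode` and `confirmPasswordReset` are the names Firebase uses for custom email action handlers.

```typescript
// Added example, not code from SafeFirebasePasswordReset.
// Constructed sample link; the code and apiKey values are placeholders.
const SAMPLE_LINK =
  "https://my-app.com/resetpassword/#?mode=resetPassword&oobCode=CONSTRUCTED-CODE&apiKey=placeholder";

// Collect key=value pairs from the query string and from the fragment: with a
// "#"-terminated action URL they may arrive in either (assumption).
function linkParams(link: string): Record<string, string> {
  const params: Record<string, string> = Object.create(null);
  const hashAt = link.indexOf("#");
  const beforeHash = hashAt === -1 ? link : link.slice(0, hashAt);
  const fragment = hashAt === -1 ? "" : link.slice(hashAt + 1);
  const queryAt = beforeHash.indexOf("?");
  const query = queryAt === -1 ? "" : beforeHash.slice(queryAt + 1);
  for (const part of [query, fragment.slice(fragment.indexOf("?") + 1)]) {
    for (const pair of part.split("&")) {
      const eq = pair.indexOf("=");
      if (eq <= 0) continue; // no key, or no "=" at all
      try {
        params[decodeURIComponent(pair.slice(0, eq))] = decodeURIComponent(pair.slice(eq + 1));
      } catch { /* malformed percent-escape: ignore this pair */ }
    }
  }
  return params;
}

// Returns the reset code only when the link is a password-reset action.
function parseResetLink(link: string): { oobCode: string } | null {
  const p = linkParams(link);
  const oobCode = p["oobCode"] ?? "";
  if (p["mode"] !== "resetPassword" || oobCode.length === 0) return null;
  return { oobCode };
}

// Assumed policy for illustration: at least 12 characters, at least 5 distinct
// characters, and not on a tiny constructed deny list.
const DENY_LIST = ["password1234", "123456789012", "qwertyuiopas"];

function passwordProblems(pw: string): string[] {
  const problems: string[] = [];
  const distinct = pw.split("").filter((c, i, all) => all.indexOf(c) === i).length;
  if (pw.length < 12) problems.push("shorter than 12 characters");
  if (distinct < 5) problems.push("too few distinct characters");
  if (DENY_LIST.indexOf(pw.toLowerCase()) !== -1) problems.push("commonly used password");
  return problems;
}

// Only when this returns true would the page go on to call Firebase's
// confirmPasswordReset(auth, oobCode, newPassword).
function readyToSubmit(link: string, pw: string): boolean {
  return parseResetLink(link) !== null && passwordProblems(pw).length === 0;
}
```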

Comments, questions, etc

Please open an issue; I will try to respond quickly.

Contributions

Any and all contributions are very welcome, but I recommend opening an issue before submitting a pull request.

License

MIT