Can I reset a user's password using the Firebase Admin SDK for Node?
The docs from Firebase suggest that the API offers the same features as the console:

It is not always convenient to have to visit the Firebase console in order to manage your Firebase users. The admin user management API provides programmatic access to those same users. It even allows you to do things the Firebase console cannot, such as retrieving a user's full data and changing a user's password, email address or phone number.

But the reference docs don't list a function to reset a user's password. Am I missing something?

Intreat answered 25/9, 2017 at 12:1 Comment(0)
F
39

EDIT: This answer is now out of date, see Andrea's answer below for how to send a password reset link through the Firebase SDK.

It depends on which definition of 'reset' you're using.

If you mean reset as in 'change', then yes - the updateUser function allows you to provide a new password. See the following example from the docs:

admin.auth().updateUser(uid, {
  email: "user@example.com", // placeholder address
  phoneNumber: "+11234567890",
  emailVerified: true,
  password: "newPassword",
  displayName: "Jane Doe",
  photoURL: "http://www.example.com/12345678/photo.png",
  disabled: true
})
  .then(function(userRecord) {
    // See the UserRecord reference doc for the contents of userRecord.
    console.log("Successfully updated user", userRecord.toJSON());
  })
  .catch(function(error) {
    console.log("Error updating user:", error);
  });

If, on the other hand, you mean reset as in 'send a password reset email', then no, there doesn't seem to be a simple way of doing so via the Admin SDK.

Freeze answered 25/9, 2017 at 12:5 Comment(6)
I'm surprised that option - to edit the password in plain text - is even there. Doesn't seem like a credible reset scenario to me, which is why I thought I'd missed something, but I guess not. – Intreat
@OliverLloyd: Yeah, seems like a weird omission. – Freeze
@OliverLloyd: Follow-up - the answer to this question could probably be adapted to your needs, as the standard client API allows you to send a password reset email. – Freeze
@JoeClay So I would assume it would be up to us, and good practice, to encrypt/hashWithSalt the password prior to storing it in this case? I am using phone auth to sign in my users and then prompting them to create a password as an extra level of security after a successful phone verification. – Ptolemy
I think that would lead to it being double-hashed on the Firebase server, which would prevent people from logging in. Not sure though! – Freeze
Is it possible to change another user's email and password in an Android native app? – Scupper
P
10

Yes, you can. To generate a password reset link, you provide the existing user's email. Then you can use any email service you like to send the actual email. Link to documentation.

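// Admin SDK API to generate the password reset link.
// actionCodeSettings, displayName and sendCustomPasswordResetEmail are
// defined by your application (see the linked documentation).
const userEmail = 'user@example.com'; // placeholder address
admin.auth().generatePasswordResetLink(userEmail, actionCodeSettings)
  .then((link) => {
    // Construct password reset email template, embed the link and send
    // using custom SMTP server.
    return sendCustomPasswordResetEmail(userEmail, displayName, link);
  })
  .catch((error) => {
    // Some error occurred.
    console.error('Error generating password reset link:', error);
  });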
Pryer answered 1/9, 2020 at 10:21 Comment(1)
As much as I appreciate that it is possible to generate the reset password link, why in the world can't the Firebase admin SDK trigger the same password reset flow that the standard user firebase SDK can? Why do I need to construct an email template, embed the link, and send using my own SMTP server instead of just calling a simple function that Firebase obviously already has? WHY, FIREBASE, WHY DO YOU DO THIS? – Rubberneck
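One way to wrap the generatePasswordResetLink call from the answer above in a server-side handler, as an added example that is not part of the original answer or of Firebase's own code. The names createResetHandler, sendMail, continueUrl, makeFakeAuth and demo are hypothetical; the fake auth object and addresses are constructed so the block runs without firebase-admin.

```javascript
// Added example. `auth` is what admin.auth() returns; `sendMail` and
// `continueUrl` are hypothetical, supplied by the application.
const GENERIC_REPLY = { status: 202, body: 'If the account exists, a reset email was sent.' };

function createResetHandler(auth, sendMail, continueUrl) {
  // Redirect target is fixed server-side, never taken from the request.
  const actionCodeSettings = { url: continueUrl };

  return async function handleResetRequest(rawEmail) {
    const email = String(rawEmail || '').trim();
    if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
      return { status: 400, body: 'Invalid email address.' };
    }
    try {
      const link = await auth.generatePasswordResetLink(email, actionCodeSettings);
      // The link lets its holder set a new password: mail it to the
      // account's own address only; never log it or return it to the caller.
      await sendMail(email, link);
    } catch (err) {
      // Keep the detail server-side; the caller gets the same reply either
      // way, so the endpoint does not reveal which addresses are registered.
      console.error('password reset not sent:', err.code || err.message);
    }
    return GENERIC_REPLY;
  };
}

// Constructed stand-in for admin.auth() so the example runs offline.
function makeFakeAuth(knownEmails) {
  return {
    async generatePasswordResetLink(email, settings) {
      if (!knownEmails.includes(email)) {
        throw Object.assign(new Error('no such user'), { code: 'constructed/not-found' });
      }
      return 'https://example.invalid/reset?oobCode=CONSTRUCTED&continueUrl=' +
        encodeURIComponent(settings.url);
    },
  };
}

async function demo() {
  const outbox = []; // mail captured here instead of being sent
  const handle = createResetHandler(makeFakeAuth(['jane@example.com']),
    async (to, link) => { outbox.push({ to, link }); }, 'https://app.example.com/login');
  const known = await handle(' jane@example.com ');
  const unknown = await handle('nobody@example.com');
  const bad = await handle('not-an-email');
  return { known, unknown, bad, outbox };
}
```

In this flow the server only ever handles the emailed link; the new password is chosen by the user on the reset page.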
R
0

There are significant problems with the accepted answer:

  • It completely sidesteps the Firebase Console settings for password resets. If you have configured a custom email template or settings in the Firebase Console, those settings & template must be manually recreated in your implementation using generatePasswordResetLink. And now you are perpetually forced to keep your custom implementation in lockstep with your Firebase Console settings. This is not a great solution long-term.
  • Your server must generate the temporary password for the user. This means that a user's login credentials can be known by someone other than the user themselves. Any Firebase admin, or developer with access to these APIs, could log into Firebase with these credentials and start committing actions on behalf of the actual user. This is an unacceptable security practice, even temporarily. I am shocked that the Firebase SDKs even provide this functionality.

So here's an answer that, while technically not what the question asks for, does solve both of these problems with minimal fuss. Run npm install firebase. Then run the below snippet:

import { FirebaseApp, initializeApp } from 'firebase/app'
import { Auth, getAuth, sendPasswordResetEmail } from 'firebase/auth'

const run = async ():Promise<boolean> => {
  const firebaseApp:FirebaseApp = initializeApp({
    apiKey: '**********', // Pull these values from your Firebase console
    authDomain: '**********',
    projectId: '**********',
    storageBucket: '**********',
    messagingSenderId: '**********',
    appId: '**********',
    measurementId: '**********'
  })

  const firebaseAuth:Auth = getAuth(firebaseApp)
  let success:boolean = false
  try {
    await sendPasswordResetEmail(firebaseAuth, 'user@example.com') // placeholder address
    success = true
  }
  catch (e) {
    console.error(e)
  }

  return success
}

run()

This will send the regular password reset email that is configured in the Firebase Console settings directly to the user themselves. Your server has no knowledge of the password reset details. No setting up a custom email templater, no custom SMTP settings; everything runs from what is configured in the single source of truth: Firebase Console.

I know the question specifically asks about the firebase-admin SDK and the other answers do correctly call out that this functionality still does not exist there as of April 2024, but I am compelled to answer that this functionality is possible using the standard user firebase SDK. If the developer has access to the firebase-admin SDK settings, they likely will have access to the firebase SDK settings as well.

Rubberneck answered 19/4, 2024 at 15:57 Comment(0)
