Using Firebase’s REST Auth API for password change

I’ve been using Firebase’s REST Auth API and everything’s been great so far.

I’m trying to implement a password change feature (not reset, change), and I want to ask the user for the current password, validate it, then allow them to set their new password. Reading over the documentation, I see two approaches I can take:

  1. Use the password to re-login and check for a 200 return code. The issue with this is that the previous idToken will expire and I’ll have to reset my Redux state—which isn’t too bad.

  2. I know I can obtain the user’s password hash, and if there’s a way I can obtain Firebase’s hashing algorithm, apply it, and compare to the database’s password hash, I can also verify the password. This method just seems like a lot of work.

Is there a more straightforward approach, or am I best off sticking with option 1?

Approach 1:

Asking the user to enter their password sounds good, but that’s redundant, and the API call for resetting the password does not depend on it. So anyone can just make a direct API request to change the password.

Approach 2:

This kind of sounds like overkill to me. Also, you’ll have to deal with a complex flow with scrypt, and the chance of someone bypassing it still exists.

I would go with approach one, but to prevent someone from bypassing it, I’ll perform the password reset part in a Cloud function. Because you are getting a new token which is generated just after the user has entered the password, you can compare the timestamp of token creation (auth_time property) in the Cloud function. If it is older than N minutes, ask the user to enter the password again.

The auth_time property of the decoded ID token is the time, in seconds since the Unix epoch, when the end-user authentication occurred. You could also use iat, which is the time at which this ID token was issued, but that token could be of the older session (when the user had not entered the password).

You can then update the user’s password using the Firebase Admin SDK’s updateUser method.

Do note that this does not prevent anyone who gets the ID token from a device where a user is already logged in from changing the password using the REST API directly. This is just a workaround to get the desired password change flow. It’s up to the user to prevent any malicious user from getting physical access to their device.
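
The Cloud Function check described in the answer above, as an added example that is not part of the original post or Firebase's own code. The function names, the five-minute window and the clock-skew tolerance are assumptions; `auth` is expected to be the object returned by the Admin SDK's `admin.auth()`, and `makeFakeAuth` is a constructed stand-in so the flow runs offline.

```javascript
// Added example. changePassword, isRecentSignIn, makeFakeAuth and the constants
// are hypothetical names; `auth` is assumed to be the Admin SDK's admin.auth().
const MAX_AUTH_AGE_SECONDS = 5 * 60; // the answer's "N minutes"; value assumed
const CLOCK_SKEW_SECONDS = 30;       // assumed tolerance for client/server drift

// auth_time marks when the user actually signed in. A token refreshed in an
// old session gets a new iat but keeps its original auth_time, so iat is not used.
function isRecentSignIn(decoded, nowSeconds, maxAge = MAX_AUTH_AGE_SECONDS) {
  const authTime = decoded && decoded.auth_time;
  if (!Number.isInteger(authTime)) return false; // missing claim: fail closed
  const age = nowSeconds - authTime;
  return age >= -CLOCK_SKEW_SECONDS && age <= maxAge;
}

async function changePassword(auth, idToken, newPassword,
                              nowSeconds = Math.floor(Date.now() / 1000)) {
  let decoded;
  try {
    decoded = await auth.verifyIdToken(idToken); // checks signature and expiry
  } catch (err) {
    return { ok: false, status: 401, reason: 'invalid-token' };
  }
  if (!isRecentSignIn(decoded, nowSeconds)) {
    // Client should re-login with the current password and retry.
    return { ok: false, status: 401, reason: 'reauth-required' };
  }
  // Firebase requires passwords of at least six characters.
  if (typeof newPassword !== 'string' || newPassword.length < 6) {
    return { ok: false, status: 400, reason: 'weak-password' };
  }
  // The uid comes from the verified token, never from the request body.
  await auth.updateUser(decoded.uid, { password: newPassword });
  return { ok: true, status: 200 };
}

// Constructed stand-in for admin.auth(); pass null to simulate a bad token.
function makeFakeAuth(decoded) {
  const updated = [];
  return {
    updated,
    verifyIdToken: async () => {
      if (!decoded) throw new Error('bad token');
      return decoded;
    },
    updateUser: async (uid, props) => { updated.push({ uid, props }); },
  };
}
```

In a deployed function, `changePassword(admin.auth(), idToken, newPassword)` would be called from the request handler, with the ID token taken from the request.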