
When a user signs up on my site, I call firebase.auth().createUserWithEmailAndPassword(email, password) and their user has successfully been created.

I basically want a "Do I have an account" on my page. If they enter their e-mail address, it should send a request to Firebase with ONLY their e-mail, and Firebase should then return with true/false (or something similar).

A "workaround" I have found is trying to create a user or simply signing into Firebase with an empty password. I assume Firebase would return "wrong password" (meaning they have an account). firebase.auth().fetchProvidersForEmail("[email protected]") could also work, but I haven't been able to figure out how it works.

Alternatively I store all emails in an array. Push to that array when a new user signs up, but that seems very insecure and like a lot of work (as I don't think you can just push an email and forget the ID, basically making it impossible to iterate through all emails).

Here's what I have come up with that works:

    firebase.auth().signInWithEmailAndPassword(this.username, " ").catch(function(error) {
      if (error.code === "auth/wrong-password") {
        console.log("USER HAS AN ACCOUNT");
      } else if (error.code === "auth/user-not-found") {
        console.log("NEW USER");
      }
    });

Simply sign in with a password that doesn't work.

  • FWIW "do I have an account" is generally not the best security practice. The way someone should figure out if they have an account is by successfully logging in or failing to do so. Otherwise, bad actors can use the "do I have an account" feature to determine users of your app and (in worst-case scenarios) devise spear-phishing campaigns based on your service. Commented Dec 15, 2016 at 18:53
  • @MichaelBleigh I don't need a lecture on account security. Thanks for your concerns, though. Commented Dec 15, 2016 at 18:54
  • @MichaelBleigh Sorry if that came out rude. That was not my intention :) I'm trying out a new authentication system (almost like Microsoft), where you start entering your email address, then it checks whether or not you have a user on blur. Commented Dec 15, 2016 at 19:05
  • @MichaelBleigh I see you're a Firebase Engineer. Do you know if this is possible at all? :) Commented Dec 15, 2016 at 19:44
  • You could store the email in the firebase database when the user signs up. Commented Dec 15, 2016 at 20:41

1 Answer

Here's one way you might approach it: when a user first signs up, encode their email in a key-friendly way and stick it in the Realtime Database:

    firebase.database().ref('accountCheck')
      .child(user.email.replace(/\./g, '%2E'))
      .set(true)

Then write security rules such that the list of emails can be accessed individually but not collectively:

    {
      "rules": {
        "accountCheck": {
          ".read": false,
          ".write": false,
          "$encoded": {
            ".read": true,
            ".write": "$encoded === auth.token.email.replace('.', '%2E') && newData.val() === true"
          }
        }
      }
    }

Now your blur check would be to take the value of the input and see if it exists in the DB:

    firebase.database().ref('accountCheck')
      .child(input.value.replace(/\./g, '%2E'))
      .once('value').then(snap => {
        if (snap.exists()) {
          // account exists
        }
      });

2 Comments

Hi, Michael! Thanks a lot for the suggestion. If I do this, I would have to sync the list with users and emails, right? I assume this is the only other way, except doing it like I posted at the bottom of my post.
Yep, those are the only two ways I can think of at the moment.
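
The key encoding used in the answer, generalized as an added example (not code from the answer's author or from Firebase): it escapes every character the Realtime Database rejects in a key, and `%` itself, so two different addresses can never map to the same `accountCheck` entry. The helper names, the lower-casing and trimming, and the sample addresses are assumptions of this example.

```javascript
// Added example: helper names are hypothetical, not part of the Firebase SDK.

// Characters the Realtime Database rejects in keys ('.', '$', '#', '[', ']',
// '/', ASCII control characters) plus '%' itself, so decoding is unambiguous.
const FORBIDDEN = /[%.$#\[\]\/\u0000-\u001f\u007f]/g;
const MAX_KEY_BYTES = 768; // Realtime Database key size limit (UTF-8 bytes)

// The encoding from the answer (dots only), kept here for comparison.
function dotOnlyEncode(email) {
  return email.replace(/\./g, '%2E');
}

function encodeEmailKey(email) {
  // Assumption: addresses are matched case-insensitively, ignoring
  // surrounding whitespace typed into the input field.
  const normalized = email.trim().toLowerCase();
  const key = normalized.replace(FORBIDDEN, (ch) =>
    '%' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
  if (key.length === 0 || new TextEncoder().encode(key).length > MAX_KEY_BYTES) {
    throw new RangeError('email does not fit in a database key');
  }
  return key;
}

// Inverse of encodeEmailKey (returns the normalized address).
function decodeEmailKey(key) {
  return key.replace(/%([0-9A-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Returns pairs of distinct addresses that an encoder maps to the same key.
function collidingPairs(encode, emails) {
  const seen = new Map();
  const pairs = [];
  for (const email of emails) {
    const key = encode(email);
    if (seen.has(key)) pairs.push([seen.get(key), email]);
    else seen.set(key, email);
  }
  return pairs;
}

// Constructed sample addresses (not real accounts).
const SAMPLES = ['x.y@example.com', 'x%2Ey@example.com', 'a#b/c@example.com'];
```

With the dot-only encoding the first two sample addresses share one key, and the third contains characters the database refuses in a key. If the client encodes this way, the `.write` rule has to apply the same replacements in the same order, otherwise the signup write is rejected.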
