How to verify users current password?

ThatBrianDude picture ThatBrianDude · Dec 12, 2016 · Viewed 12.4k times · Source

So, maybe I missed this somewhere in the docs but I couldn't find anything of the sort.

I wan't my users to have to type in their current password to be able to create a new one. From what I understand if the user is authenticated he is able to update his password without providing his current one.

Even if this might be somewhat secure I would rather have him type his old one to prevent people from going on already authenticated sessions from say family members or so and changing the pw.

Is there any way to do this?

(I have no problem using the Admin SDK since I already set up a server for these kind of things)

Answer

bojeil picture bojeil · Dec 13, 2016

UPDATE: (Use - reauthenticateWithCredential)

var user = firebaseApp.auth().currentUser;
var credential = firebase.auth.EmailAuthProvider.credential(
  firebase.auth().currentUser.email,
  providedPassword
);

// Prompt the user to re-provide their sign-in credentials

user.reauthenticateWithCredential(credential).then(function() {
  // User re-authenticated.
}).catch(function(error) {
  // An error happened.
});

PREVIOUS VERSION

you can use reauthenticate API to do so. I am assuming you want to verify a current user's password before allowing the user to update it. So in web you do something like the following:

reauthenticateAndRetrieveDataWithCredential- DEPRECATED

firebase.auth().currentUser.reauthenticateAndRetrieveDataWithCredential(
  firebase.auth.EmailAuthProvider.credential(
    firebase.auth().currentUser.email, 
    providedPassword
  )
);

If this succeeds, then you can call

firebase.auth().currentUser.updatePassword(newPassword);