Firebase: recent login requested

Question

I'm dealing with Firebase authentication for web. The documentation states that

Some security-sensitive actions—such as deleting an account, setting a primary email address, and changing a password—require that the user has recently signed in.

If not, the request would fail with error code auth/requires-recent-login and I should manage the case by prompting the user to re-insert her credentials. Once I have done that, I could easily re-authenticate the user with the following code:

firebase.auth().currentUser.reauthenticate(credential)

In the API reference there's some details more. It turns out credential is actually an object of type firebase.auth.AuthCredential . That being said, I still have a bunch of questions to which I couldn't find answer on the docs:

1. How do I create the AuthCredential object?
2. More importantly, how do I deal with providers (Google, Facebook, ...). I agree that changing email/password doesn't make sense for providers, because this is not the right place to change them, so re-authentication does not apply in this case. However, deleting a user is still an action requiring re-authentication, and this could be performed regardless of the authentication method. How do I re-authenticate a user that logged in with a provider?
3. The documentation states that the user must have logged in recently . I couldn't find any definition of recent in the docs.

Answer 1

1. You can initialize a credential by calling credential static method on any provider (include email/password provider): firebase.auth.FacebookAuthProvider.credential(fbAccessToken);

2. To reauthenticate an OAuth provider, you can call in a browser signInWithPopup or redirect. This will return an object with 2 fields: user and credential. You can use that credential directly. Here is a simplified example:

   var tempApp = firebase.initializeApp(originalConfig, 'temp'); var provider = new firebase.auth.FacebookAuthProvider(); tempApp.signInWithPopup(provider).then(function(result)) { tempApp.auth().signOut(); originalApp.auth().currentUser.reauthenticate(credential); });

3. That doesn't matter, as the firebase auth backend could change that. You shouldn't hard code this value. Instead try to catch that error and act appropriately when it happens.

Answer 2

You should reauthenticate with the provider;

import { getAuth, signInWithPopup, reauthenticateWithPopup, GoogleAuthProvider } from "firebase/auth";

const loginAuth = getAuth();
const googleProvider = new GoogleAuthProvider();

function reauthWithGoogle() {
    return reauthenticateWithPopup(loginAuth, googleProvider)
}

and when you get the auth/requires-recent-login error call that function;

updatePassword(currentUser, "new password")
.catch(e => reauthWithGoogle()) //better check if the error is auth/requires-recent-login