
Identity Platform reset password without making api key public

I have set up my application so that users can request to reset their password.  I do this by calling https://identitytoolkit.googleapis.com/v1/accounts:sendOobCode and it has convenient out-of-the-box functionality to email the user with a link to reset their password. 

This link is in the format https://<my-project-id>.firebaseapp.com/__/auth/action?mode=resetPassword&oobCode=<my-oob-code>&apiKey=<my-api-key>&lang=en, which means that the user who gets the link can see the API key. Even if I restrict this API key to access only Identity Platform, this is still not an ideal situation, because a malicious user could still use that API key to try to exploit API calls to Identity Platform in my GCP project.

I would rather host a page myself, which takes only the oobCode as a parameter and then makes a server-side call to the Google API with the oobCode and the API key so that the user does not see the API key.  I see in this thread that it's possible to change the email link URL, but the generated email still adds the same parameters to whatever URL you provide there, including the API key.

Has anyone found a way around this please?

Thanks
Stephen
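The self-hosted reset page described in the question, written out as an added example (this is not code from the thread or from Google): the page reads only oobCode from the link it receives, ignores any apiKey= parameter the generated e-mail appends, and a server-side handler completes the reset against the public Identity Toolkit accounts:resetPassword endpoint with the key held on the server. One caveat worth stating: Google documents Firebase and Identity Platform web API keys as project identifiers that are expected to ship inside client apps rather than as secrets, so restricting the key (as the question already does) and hardening the page itself matter at least as much as keeping the key out of the e-mail. The function names, the 8-character local password policy and the fake transport that lets the file run offline are assumptions of the example.

```python
"""Self-hosted password-reset completion for Identity Platform.

Added example (not code from the original thread). The endpoint path and the
oobCode / newPassword / email fields are those of the public Identity Toolkit
REST API (accounts:resetPassword); the function names, the 8-character local
password policy and the fake transport used to run this offline are assumptions.
"""
import io
import json
import urllib.error
import urllib.parse
import urllib.request

IDENTITY_TOOLKIT = "https://identitytoolkit.googleapis.com/v1"


def build_reset_request(oob_code, new_password, api_key):
    """POST to accounts:resetPassword. The API key goes in the query string of
    this server-to-server call only, so it never has to appear in the e-mail link."""
    url = f"{IDENTITY_TOOLKIT}/accounts:resetPassword?{urllib.parse.urlencode({'key': api_key})}"
    body = {"oobCode": oob_code, "newPassword": new_password}
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def complete_reset(oob_code, new_password, api_key, opener=urllib.request.urlopen):
    """Consume the one-time code and set the password; return the account email.
    Raises ValueError carrying Google's error code (INVALID_OOB_CODE, EXPIRED_OOB_CODE, ...)."""
    req = build_reset_request(oob_code, new_password, api_key)
    try:
        with opener(req) as resp:
            return json.loads(resp.read())["email"]
    except urllib.error.HTTPError as exc:
        err = json.loads(exc.read()).get("error", {}).get("message", "UNKNOWN_ERROR")
        raise ValueError(err) from None


def handle_reset_page(query, form, api_key, opener=urllib.request.urlopen):
    """What the self-hosted page's POST handler does.

    `query` is the parsed query string of the link the user clicked: only oobCode
    is read, so any apiKey= that Google appends to the link is simply ignored.
    `form` holds the new password the user typed. Returns (http_status, message).
    """
    oob_code = query.get("oobCode", "")
    new_password = form.get("newPassword", "")
    if not oob_code:
        return 400, "missing reset code"
    if len(new_password) < 8:  # assumed local policy; the service itself rejects < 6
        return 400, "password too short"
    try:
        email = complete_reset(oob_code, new_password, api_key, opener)
    except ValueError as exc:
        # Report Google's error code only; never echo or log the oobCode itself.
        return 400, f"reset failed: {exc}"
    return 200, f"password updated for {email}"


# --- constructed stand-in for the Google endpoint, so this file runs offline ---
SAMPLE_RESPONSES = {
    "good-code": (200, {"email": "alice@example.com", "requestType": "PASSWORD_RESET"}),
    "expired-code": (400, {"error": {"message": "EXPIRED_OOB_CODE"}}),
}


class _FakeResponse(io.BytesIO):
    """Minimal file-like, context-manager response of the kind urlopen() returns."""


def fake_google(responses):
    """Return an opener(request) that answers from `responses`, keyed by oobCode."""
    def opener(req):
        sent = json.loads(req.data)
        status, payload = responses.get(
            sent["oobCode"], (400, {"error": {"message": "INVALID_OOB_CODE"}}))
        raw = json.dumps(payload).encode("utf-8")
        if status >= 400:
            raise urllib.error.HTTPError(req.full_url, status, "Bad Request", {}, io.BytesIO(raw))
        return _FakeResponse(raw)
    return opener


if __name__ == "__main__":
    # Real deployment: api_key = os.environ["IDENTITY_PLATFORM_API_KEY"], opener left as urlopen.
    key = "AIza-example-key"
    for code in ("good-code", "expired-code", "unknown-code", ""):
        result = handle_reset_page({"oobCode": code}, {"newPassword": "correct horse"},
                                   key, fake_google(SAMPLE_RESPONSES))
        print(code or "<none>", result)
```

The handler deliberately returns only Google's error code to the user and never writes the oobCode to a log or response body: the code is single-use and short-lived, and a leaked code is worth more to an attacker than the API key the question is trying to hide. Serve the page over POST only and rate-limit it, since the endpoint accepts any syntactically valid code.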


Hello @StephenT,

Welcome to Google Cloud Community!

This approach eliminates the exposure of the API key in the password reset link and maintains control over the user experience on your custom password reset page. But you're right. Firebase currently doesn't offer a way to completely prevent the API key from appearing in the email body when using a custom password reset URL. While you can't directly remove the API key from the email itself, you might want to:

  1. Leverage Firebase Dynamic Links
    • Explore using Firebase Dynamic Links. These links can be configured to redirect to your custom password reset page upon being clicked.
    • While the original password reset link with the API key might appear in the email, the user would be automatically redirected to your custom page, where the API key wouldn't be visible.
  2. Consider Third-Party Solutions
    • Evaluate third-party password reset services that integrate with Firebase Authentication. Some solutions might offer more granular control over the email content, potentially allowing you to mask the API key.

It will still depend on your specific security requirements and preferences. If complete elimination of the API key from the email is critical, consider a third-party solution or re-evaluating your custom password reset approach. If some level of exposure is acceptable with mitigation strategies, using Dynamic Links could be a viable option.
