Updating Firebase Authentication password using user.reauthenticate




To update a user’s password in Firebase Authentication you must re-authenticate: https://firebase.google.com/docs/reference/android/com/google/firebase/auth/FirebaseUser#reauthenticate(com.google.firebase.auth.AuthCredential)

Yet this function does not seem to double check if the currentPassword is correct before actually re-authenticating. I believe this may be because Firebase does not require re-authentication until after a set period of time, and will bypass this if it is still within that timeframe.

Here’s what I have thus far:

        // Snippet from an Activity. The original read the e-mail via
        // mAuth.getInstance().getCurrentUser().getEmail(), which is the same
        // user object as `user`, so it is read from `user` directly here.
        FirebaseUser user = FirebaseAuth.getInstance().getCurrentUser();
        AuthCredential credential = EmailAuthProvider
                .getCredential(user.getEmail(), currentPass.getText().toString());
        user.reauthenticate(credential)
                .addOnCompleteListener(new OnCompleteListener<Void>() {
                    @Override
                    public void onComplete(@NonNull Task<Void> task) {
                        // NOTE: task.isSuccessful() is never checked here, so the
                        // flow falls through to updatePassword() even when Firebase
                        // rejected the supplied current password. This is the
                        // behaviour the question is asking about.
                        Log.d(TAG, "User re-authenticated.");
                        FirebaseUser user = FirebaseAuth.getInstance().getCurrentUser();
                        user.updatePassword(newPass1.getText().toString())
                                .addOnCompleteListener(new OnCompleteListener<Void>() {
                                    @Override
                                    public void onComplete(@NonNull Task<Void> task) {
                                        if (task.isSuccessful()) {
                                            dialog.dismiss();
                                            Toast.makeText(manageAccount.this, "Password updated!", Toast.LENGTH_LONG).show();
                                        } else {
                                            // failure branch left empty in the original post
                                        }
                                    }
                                });
                    }
                });

It seems that the currentPass field can be equal to absolutely anything and the app will continue through and change the password. Is there a way in which you can force Firebase to actually check if the currentPass is equal to the actual current password? Of course one way would be to save the password when first signing in within the client, but this would of course be very bad practice in security terms.

Answer

Malcolm from the Firebase team here! There are a few things to note here:

  • You need to be checking if the task in your onCompleteListener is successful before attempting to update the password. We definitely are checking if the supplied currentPassword is correct, but you might be missing the error we return in the task 🙂
  • To check for reauthenticate() errors, you can use task.isSuccessful() in your current method, or you can split your code into an onSuccessListener and onFailureListener if you want a clearer semantic flow.
  • If you’re seeing success despite an incorrect first password (ignoring the fact that reauthenticate will fail), it’s because your user session is still relatively new. We check sessions against a timer (right now that’s 5 minutes but that’s subject to change) to make sure that the user has logged in recently before allowing them to update their password or do other account-altering operations. If your first login is recent enough it doesn’t matter if you fail a reauthentication, because the currentUser still passes the serverside timer check.

I think that that about covers it – if you need any more clarification, just add a comment and I’ll try to get back to you.

~Malcolm
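The flow the answer describes, written out as an added example (this is not code from the question, the answer, or the Firebase SDK). It uses the real Firebase Android API calls (EmailAuthProvider.getCredential, FirebaseUser.reauthenticate, FirebaseUser.updatePassword and the FirebaseAuth*Exception classes); the class name ChangePasswordFlow, the Result callback interface and the user-facing messages are assumptions made for this example. updatePassword() is only ever invoked from the success listener of reauthenticate(), so a rejected current password cannot reach it, however fresh the session is.

```java
import android.util.Log;
import com.google.firebase.auth.AuthCredential;
import com.google.firebase.auth.EmailAuthProvider;
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseAuthInvalidCredentialsException;
import com.google.firebase.auth.FirebaseAuthRecentLoginRequiredException;
import com.google.firebase.auth.FirebaseAuthWeakPasswordException;
import com.google.firebase.auth.FirebaseUser;

/**
 * Added example (not from the original post or from Firebase): change an
 * email/password user's password only after reauthenticate() has succeeded.
 * ChangePasswordFlow and Result are names chosen for this example.
 */
public final class ChangePasswordFlow {
    private static final String TAG = "ChangePasswordFlow";

    /** Caller-supplied callbacks (hypothetical; e.g. implemented by the Activity). */
    public interface Result {
        void onSuccess();
        void onError(String userMessage);
    }

    private ChangePasswordFlow() {}

    public static void changePassword(final String currentPassword,
                                      final String newPassword,
                                      final Result result) {
        final FirebaseUser user = FirebaseAuth.getInstance().getCurrentUser();
        final String email = (user == null) ? null : user.getEmail();
        if (user == null || email == null) {
            // No signed-in user, or a provider without an e-mail address: there
            // is no password to reauthenticate against, so refuse up front.
            result.onError("Not signed in with an email/password account.");
            return;
        }

        AuthCredential credential = EmailAuthProvider.getCredential(email, currentPassword);

        // Step 1: prove possession of the current password. The failure
        // listener handles a wrong password; updatePassword() lives only in
        // the success listener, so it is unreachable on failure.
        user.reauthenticate(credential)
                .addOnSuccessListener(unused -> {
                    Log.d(TAG, "User re-authenticated.");
                    // Step 2: set the new password and report the outcome.
                    user.updatePassword(newPassword)
                            .addOnSuccessListener(unused2 -> {
                                Log.d(TAG, "Password updated.");
                                result.onSuccess();
                            })
                            .addOnFailureListener(e -> {
                                if (e instanceof FirebaseAuthWeakPasswordException) {
                                    // Server-side password policy rejected the new value.
                                    result.onError("New password too weak: "
                                            + ((FirebaseAuthWeakPasswordException) e).getReason());
                                } else if (e instanceof FirebaseAuthRecentLoginRequiredException) {
                                    // Not expected right after a successful reauthenticate(),
                                    // but handled rather than crashing.
                                    result.onError("Please sign in again and retry.");
                                } else {
                                    Log.w(TAG, "updatePassword failed", e);
                                    result.onError("Could not update password.");
                                }
                            });
                })
                .addOnFailureListener(e -> {
                    // A wrong current password lands here. Say only that the
                    // credential was rejected; nothing else leaks to the UI.
                    if (e instanceof FirebaseAuthInvalidCredentialsException) {
                        result.onError("Current password is incorrect.");
                    } else {
                        Log.w(TAG, "reauthenticate failed", e);
                        result.onError("Could not verify current password.");
                    }
                });
    }
}
```

From the dialog's confirm handler this is called as ChangePasswordFlow.changePassword(currentPass.getText().toString(), newPass1.getText().toString(), result), after the UI has confirmed that the two new-password fields match. Be clear about what this does and does not enforce: the "must know the current password" rule is implemented in the client. As the answer says, the server only checks that the session is recent, so a client that skips reauthenticate() or ignores its failure (as the original snippet did) can still call updatePassword() inside that window with a valid session token. Gating on the success listener is what turns the check into a real one for this app; the server's guarantee is only that the session is fresh.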



Source: stackoverflow